AWS Tagging Guidelines + Policies

AWS Tagging Guidelines + Policies

Note: These guidelines are specific to the Mojaloop Community’s AWS Environment for testing and validating Mojaloop installations, and are primarily for internal purposes. They may, however, be a useful reference to others wishing to implement similar tagging strategies in their own organizations.

To better manage and understand our AWS usage and spending, we are implementing the following tagging guidelines.

Contents

Proposed tags and their meanings

We propose the following 2 tag keys:

  • mojaloop/cost_center
  • mojaloop/owner

mojaloop/cost_center

mojaloop/cost_center is a breakdown of different resources in AWS by the workstream or project that is incurring the associated costs.

It loosely follows the format of <account>-<purpose>[-subpurpose], where account is something like oss, tips, or woccu.

Note: It’s likely that most of the resources will be under the oss “account”, but I managed to find some older resources that fall under the tips and woccu categories. We also want to plan for future types of resources that might be launched in the future.

The potential values for mojaloop/cost_center are:

value meaning
oss-qa Open source QA work, such as the existing dev1 and dev2 environments
oss-perf Open source performance work, such as the ongoing performance workstream
oss-lab The Mojaloop Sandbox/Lab environment (i.e. beta.moja-lab.live)
oss-hackathon Resources related to the iso-20022 hackathon
oss-cqs The environment for the Quality and Security workstream
unknown Tag resources as unknown if we explicitly don’t know what cost center they belong to. Use this only temporarily before finding the appropriate tag
oss Deprecated - use a more specific tag. General cost tag

Want to add another tag to this list? Contact Lewis or Miguel.

Some potential values for mojaloop/cost_center are:

  • oss-qa: Open source QA work, such as the existing dev1 and dev2 environments
  • oss-perf: Open source performance work, such as the ongoing performance workstream
  • oss-perf-poc: Performance/Architecture POC

We also reserve some special values:

  • unknown: This resource was evaluated (perhaps manually, or perhaps by an automated tool), and no appropriate cost_center could be determined.
    • This will allow us to easily filter for the mojaloop/cost_center:unknown tags and produce a report
  • n/a: This resource incurrs no cost, so we’re not really worried about assigning a cost_center to it
    • This can be useful for mass tagging resources that are hard to figure out where the belong, such as EC2 Security Groups

Adding Cost Allocation Tags

In order for the mojaloop/cost_center tag to appear in the cost explorer, we need to ensure the Tag is reflected in the AWS Cost Allocation Tool.

  1. Log into the AWS console, and select “My BIlling Dashboard”
  2. Select “Cost Categories” > “mojaloop_cost_center”

  1. Select “Edit” in the top right corner
  2. From this screen you can create a cost category based on a tag value. For example, this is the cost category oss-qa derived from the mojaloop/cost_center: oss-qa tag:

  1. Scroll down to the bottom of the page, and select “Add rule”

From here you can create a cost allocation tag by setting 2 dimensions: (1) Account is Mojaloop Foundation and (2) Tag mojaloop/cost_center Is <tag_value>

  1. Select “Save Changes” and wait for the cost explorer to update the cost categories.

mojaloop/owner

mojaloop/owner is a person who is responsible for the managing and shutdown of a given resource.

The goal of this tag is to prevent long running resources that everybody else thinks someone else knows about, but we no longer need. By applying this tag, we will be able to have a list of who to go to in order to ask questions about the resource.

The value can simply be a person’s name, all lowercase:

  • lewis
  • miguel
  • etc.

Once again, we will reserve the following values:

  • unknown: This resource was evaluated (perhaps manually, or perhaps by an automated tool), and no appropriate cost_center could be determined.
    • This will allow us to easily filter for the mojaloop/owner:unknown tags and see what resources are ‘orphaned’

Manual Tagging

We can use the “Tag Editor” in the AWS console to search for untagged resources.

  1. Log into the AWS Console
  2. Under Resource Groups, select “Tag Editor”
    tagging_01
  3. From the tag editor, select a Region (I typically use “All regions”), and Resource Type (I also typically use “All resource types”)
  4. Now select “Search Resources”, and wait for the resources to appear

You can also search by tags, or the absense of tags to see what resources have not been tagged yet.

  1. Once you have a list of the resources, you can select and edit tags for many resources at once!
  2. You can also export a .csv file of resources found in your search

Automated Tagging

We currently automate tagging on the following

As we have a firmer grasp of our tagging guidelines, we need to introduce them into our tooling so that all of the grunt work of manual tagging.

At the moment, this will look like introducing tags into:

  1. Rancher - which currently manages our Kubernetes clusters for both QA and Performance purposes
  2. IAC - The upcoming IAC code that will eventually be running our dev environments

AWS Tagging Policies

As of August 3, 2020, we have started introducing AWS Tagging Policies to better enforce tags and monitor our resources (especially with respect to costs).

Viewing Tag Reports + Compliance

  1. Log in to the AWS Console
  2. “Resource Groups” > “Tag Editor”
  3. On the left sidebar, select “Tag Policies”

From here you can see the tag policies “compliance report”

Editing Tag Policies

Note: This may require special admin priviledges to access these pages

  1. Log in to the AWS Console
  2. Select “username@mojaloop” in the top right > “My Organization”
  3. Select “Policies” > “Tag Policies”

  1. From here, you can view the current tag policies

  1. In the sidebar, you can click “View details” > “Edit policy” to edit the policy

Attaching/Detaching Tag Policies

  1. Go to the “My Organization” page
  2. Select the relevant account > “Tag policies” in the sidebar
  3. From here you can Attach + Detach tag policies

1 Like