1 of 26

Tag, You’re It!

Implementing Infrastructure Tagging in Four Easy Steps

Jonathan White, Cloud FinOps Analyst

2 of 26

Survey Current State

Design Desired State

Implementation and Remediation

Governance and Documentation

3 of 26

Survey�Current State

4 of 26

Survey Current State

Identify stakeholders

Infrastructure
Service Delivery
Accounting
FinOps
Security
Application Owners

5 of 26

Survey Current State

Identify stakeholders

Define project goals�

Track & analyze costs across multiple dimensions
Associate resources with applications, services, & owners
Automate the application of tags
Standardized repository for keys & values
Naming conventions & limitations
Mandatory vs optional tags
Establish tag owners & permissions
Define tagging policies & processes (governance)

6 of 26

Survey Current State

Identify stakeholders

Define project goals

Review existing tag usage�

Cost tracking (Apptio Cloudability)
Backups (Commvault)
Owners (Who pays for the resources)
Development lifecycle (prod, dev, qa, test, poc)
Service functionality (Citrix, Azure PaaS services)

7 of 26

Survey Current State

Current sources of truth

�

Department values coming from multiple sources, not updated as names change
Application values made up by customers or engineers
No central repository for tag values

Azure tag values stored in Azure
VMware values stored on a spreadsheet

Slightly different value names refer to the same thing

8 of 26

Survey Current State

Current sources of truth

Tag administration access

�

All VMware and Storage team members given full access to VMware tag administration
All MS Infrastructure team members can set values at RG level (which flow down to resources)
Most VMware customers can add, edit, or remove tags/values
Only Azure customers with RG Contributor rights can administer tags

9 of 26

Survey Current State

Current sources of truth

Tag administration access

Use cases for tagging�

Resource Management
Access Management
Cost Management
Operations Support
Security
Automation
Governance

10 of 26

Design�Desired State

11 of 26

Design Desired State

Create tag key & value naming conventions

50 tag keys per resources maximum
All lowercase
Letters & numbers only
Underscore (_) used to designate multiple functions
63 characters maximum
Key names must start with a letter and contain no spaces

12 of 26

Design Desired State

Create tag key & value naming conventions

Define tag keys and values�

ONLY create the tags you need
Limit your mandatory tags
Application: What’s on it?
Department: Who owns it?
Environment: How important is it?
Role: What does it do?
Backup: Is it being backed up?
ExpenseID: Who is paying for it?
Team: Who manages it?

13 of 26

Design Desired State

Create tag key & value naming conventions

Define tag keys and values

Establish tag repository and sources of truth

14 of 26

Design Desired State

Create tag key & value naming conventions

Define tag keys and values

Establish tag repository and sources of truth

Key Name: The name of the tag
Status: Mandatory or something else
Definition: Provides details on why tag exists and specifies criteria for Conditional and Optional statuses
Owner: Person who can explain why the tag should exist and in charge of approving value additions, modifications, and deletions. Assists in defining many of the tag’s attributes (status, definition, category, etc)
Category: General definition of why the tag exists and how it’s being used; every tag must belong to at least one category, but may fall into several categories as well
Dependency: Identifies the applications or services that depend on the tag for some level of functionality or support; in most cases, a tag in the Operations Support category will require at least one dependency to be defined
Source of Truth: Identifies location of values and what it’s using as it’s source
Values: The list of values
Notes: General notes

15 of 26

Design Desired State

Create tag key & value naming conventions

Define tag keys and values

Establish tag repository and sources of truth

Utilize existing sources whenever possible
No Department SOT at UCF

Created my own based on phone tree database
Eventually updated to Workday cost centers

No Application SOT at UCF

Created my own based on existing values, with additional rules for increased consistency

Existing ServiceNow tables for other tags
ServiceNow Tag repository table SOT for remaining tags (usually only a few values)

16 of 26

Implementation�& Remediation

17 of 26

Implementation & Remediation

Identify existing values to update

Crosswalk old values to new values
Check for application dependencies
Document new tag values to existing infrastructure
Decision was made not to update existing VMware tag values

18 of 26

Implementation & Remediation

Identify existing values to update�
Update existing resources

Due to resource limitations, values were updated manually instead through automation
Add new tags to existing resources
Actual value updates occurred through scripting
AWS values not changed, instead using Cloudability “business dimensions” to reflect updated values

19 of 26

Implementation & Remediation

Identify existing values to update�
Update existing resources

Implement process for tagging new resources

Updates to existing ServiceNow requests and workflows
Values manually added to resources instead of through automation
Manually collecting tag value data instead of requiring requestors to provide within forms

20 of 26

Implementation & Remediation

Identify existing values to update�
Update existing resources

Implement process for tagging new resources

Updates to existing ServiceNow requests and workflows
Values manually added to resources instead of through automation
Manually collecting tag value data instead of requiring requestors to provide within forms

Cloud

GitHub

CMDB

ServiceNow

Owner

21 of 26

Governance�& Documentation

22 of 26

Governance & Documentation

Establish change management process

Allow for non-standardized tag keys?
How do new tag keys become standardized?
Who is allowed to add values to existing keys?
Who can add/edit/remove tags from resources?
Tag Governance Committee?

23 of 26

Governance & Documentation

Establish change management process�
Monitor for tag compliance

Create policies/scripts in each platform to enforce mandatory values
Report on resources not compliant with tagging policies and, if necessary, take action
Use 3^rd party tools to retroactively add or correctly tags resources (ex: CLDY BD)

24 of 26

Governance & Documentation

Establish change management process�
Monitor for tag compliance�
Document project results

Tag keys & attributes source location
Tag key & value naming conventions
Change management policies
Tag enforcement definitions
Remediation guidelines
Make sure documentation is easily accessible to those responsible for tags

25 of 26

Summary

Survey Current State

Stakeholders
Project goals
Existing tag usage
Current sources of truth
Tag administration
Tagging use cases�

Design Desired State

Naming conventions
Tag keys and values
Tag repository & sources of truth

Implementation & Remediation

Identify existing values to update
Update existing resources
Create process for new resources�

Governance & Documentation

Change management
Tag compliance
Document results

26 of 26

jonathan.white@ucf.edu

Azure – Define your tagging strategy�https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-tagging

AWS – Tagging best practices�https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/tagging-best-practices.html

GCP – Labelling your resources�https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources

Apptio – 5 Best Practices for Building a Cloud Tagging Strategy�https://www.apptio.com/blog/cloud-tagging-best-practices/