resource-tagging skill

---
name: resource-tagging
description: Apply and enforce cloud resource tagging strategies across AWS, Azure, GCP, and Kubernetes for cost allocation, ownership tracking, compliance, and automation. Use when implementing cloud governance, optimizing costs, or automating infrastructure management.
---

# Resource Tagging

Apply comprehensive cloud resource tagging strategies to enable cost allocation, ownership tracking, compliance enforcement, and infrastructure automation across multi-cloud environments.

## Purpose

Resource tagging provides the foundational metadata layer for cloud governance. Tags enable precise cost allocation (reducing unallocated spend by up to 80%), rapid ownership identification, compliance scope definition, and automated lifecycle management. Without proper tagging, cloud costs become untrackable, security incidents lack context, and automation policies fail to target resources effectively.

## When to Use

Use resource tagging when:

- Implementing cloud governance frameworks for cost allocation and accountability
- Building FinOps practices requiring spend visibility by team, project, or department
- Enforcing compliance requirements (PCI, HIPAA, SOC2) through automated policies
- Setting up automated resource lifecycle management (backup, monitoring, shutdown)
- Managing multi-tenant or multi-project cloud environments
- Implementing disaster recovery and backup policies based on criticality
- Tracking resource ownership for security incident response
- Optimizing cloud costs through spend analysis and showback/chargeback

## Minimum Viable Tagging Strategy

Start with the **"Big Six"** required tags for all cloud resources:

| Tag | Purpose | Example Value |
|-----|---------|---------------|
| **Name** | Human-readable identifier | `prod-api-server-01` |
| **Environment** | Lifecycle stage | `prod` \| `staging` \| `dev` |
| **Owner** | Responsible team contact | `[email protected]` |
| **CostCenter** | Finance code for billing | `CC-1234` |
| **Project** | Business initiative | `ecommerce-platform` |
| **ManagedBy** | Resource creation method | `terraform` \| `pulumi` \| `manual` |

**Optional tags** to add based on specific needs:

- **Application**: Multi-app projects requiring app-level isolation
- **Component**: Resource role (`web`, `api`, `database`, `cache`)
- **Backup**: Backup policy (`daily`, `weekly`, `none`)
- **Compliance**: Regulatory scope (`PCI`, `HIPAA`, `SOC2`)
- **SLA**: Service level (`critical`, `high`, `medium`, `low`)

## Tag Naming Conventions

Choose ONE naming convention organization-wide and enforce consistently:

| Convention | Format | Example | Best For |
|------------|--------|---------|----------|
| **PascalCase** | `CostCenter`, `ProjectName` | AWS standard | AWS-first orgs |
| **lowercase** | `costcenter`, `project` | GCP labels (required) | GCP-first orgs |
| **kebab-case** | `cost-center`, `project-name` | Azure (case-insensitive) | Azure-first orgs |
| **Namespaced** | `company:environment`, `team:owner` | Multi-org tag policies | Large enterprises |

**Critical:** Case sensitivity varies by provider:
- **AWS**: Case-sensitive (`Environment` ≠ `environment`)
- **Azure**: Case-insensitive (`Environment` = `environment`)
- **GCP**: Lowercase required (`environment` only)
- **Kubernetes**: Case-sensitive (`environment` ≠ `Environment`)

## Tag Categories

For detailed taxonomy of all tag categories, see `references/tag-taxonomy.md`.

### Technical Tags
Operations-focused metadata: Name, Environment, Version, ManagedBy

### Business Tags
Cost allocation metadata: Owner, CostCenter, Project, Department

### Security Tags
Compliance metadata: Confidentiality, Compliance, DataClassification, SecurityZone

### Automation Tags
Lifecycle metadata: Backup, Monitoring, Schedule, AutoShutdown

### Operational Tags
Support metadata: SLA, ChangeManagement, CreatedBy, CreatedDate

### Custom Tags
Organization-specific metadata: Customer, Application, Component, Stack

## Cloud Provider Tag Limits

| Provider | Tag Limit | Key Length | Value Length | Case Sensitive | Inheritance |
|----------|-----------|------------|--------------|----------------|-------------|
| **AWS** | 50 user-defined | 128 chars | 256 chars | Yes | Via tag policies |
| **Azure** | 50 pairs | 512 chars | 256 chars | No | Via Azure Policy |
| **GCP** | 64 labels | 63 chars | 63 chars | No | Via org policies |
| **Kubernetes** | Unlimited | 253 prefix + 63 name | 63 chars | Yes | Via namespace |

## Tag Enforcement Patterns

### Infrastructure as Code (Recommended)

Apply tags automatically via Terraform/Pulumi to reduce manual errors by 95%:

```hcl
# Terraform: Provider-level default tags
provider "aws" {
  default_tags {
    tags = {
      Environment = var.environment
      Owner       = var.owner
      CostCenter  = var.cost_center
      Project     = var.project
      ManagedBy   = "terraform"
    }
  }
}
```

All resources automatically inherit these tags. Resource-specific tags merge with defaults.

For complete Terraform, Pulumi, and CloudFormation examples, see `examples/terraform/`, `examples/pulumi/`, and `examples/cloudformation/`.

### Policy-Based Enforcement

Enforce tagging at resource creation time:

**AWS**: Use AWS Config rules to check tag compliance (alert or deny)
**Azure**: Use Azure Policy for tag inheritance and enforcement
**GCP**: Use Organization Policies to restrict label values
**Kubernetes**: Use OPA Gatekeeper or Kyverno for admission control

For enforcement implementation patterns, see `references/enforcement-patterns.md`.

### Tag Compliance Auditing

Run regular audits (weekly recommended) to identify untagged resources:

**AWS Config Query** (SQL):
```sql
SELECT resourceId, resourceType, configuration.tags
WHERE resourceType IN ('AWS::EC2::Instance', 'AWS::RDS::DBInstance')
  AND (configuration.tags IS NULL OR NOT configuration.tags.Environment EXISTS)
```

**Azure Resource Graph Query** (KQL):
```kusto
Resources
| where type in~ ('microsoft.compute/virtualmachines')
| where isnull(tags.Environment) or isnull(tags.Owner)
| project name, type, resourceGroup, tags
```

**GCP Cloud Asset Inventory**:
```bash
gcloud asset search-all-resources \
  --query="NOT labels:environment OR NOT labels:owner" \
  --format="table(name,assetType,labels)"
```

For complete audit queries and scripts, see `references/compliance-auditing.md` and `scripts/audit_tags.py`.

## Cost Allocation with Tags

Enable cost allocation tags to track spending by team, project, or department:

### AWS Cost Explorer

Activate cost allocation tags (up to 24 hours for activation):

```hcl
# Enable cost allocation tags via Terraform
resource "aws_ce_cost_allocation_tag" "environment" {
  tag_key = "Environment"
  status  = "Active"
}

resource "aws_ce_cost_allocation_tag" "project" {
  tag_key = "Project"
  status  = "Active"
}
```

Set up cost anomaly detection by tag to catch unusual spending:

```hcl
resource "aws_ce_anomaly_monitor" "project_monitor" {
  name         = "project-cost-monitor"
  monitor_type = "DIMENSIONAL"

  monitor_specification = jsonencode({
    Tags = {
      Key    = "Project"
      Values = ["ecommerce", "mobile-app"]
    }
  })
}
```

### Azure Cost Management

Group costs by tags in Azure Cost Management dashboards. Export cost data with tag breakdowns:

```bash
az consumption usage list \
  --start-date 2025-12-01 \
  --query "[].{Cost:pretaxCost, Project:tags.Project, Team:tags.Owner}"
```

### GCP Cloud Billing

Export billing data to BigQuery with label breakdowns:

```sql
SELECT
  labels.key AS label_key,
  labels.value AS label_value,
  SUM(cost) AS total_cost
FROM `project.dataset.gcp_billing_export_v1_XXXXX`
CROSS JOIN UNNEST(labels) AS labels
WHERE labels.key IN ('environment', 'project', 'costcenter')
GROUP BY label_key, label_value
ORDER BY total_cost DESC
```

For cost allocation implementation details, see `references/cost-allocation.md`.

## Decision Framework: Required vs. Optional Tags

Determine which tags to enforce at creation time:

**REQUIRED (enforce with hard deny)**:
- Cost allocation: Owner, CostCenter, Project
- Lifecycle: Environment, ManagedBy
- Identification: Name

**RECOMMENDED (soft enforcement - alert only)**:
- Operational: Backup, Monitoring, Schedule
- Security: Compliance, DataClassification
- Support: SLA, ChangeManagement

**OPTIONAL (no enforcement)**:
- Custom: Application, Component, Customer
- Experimental: Any non-standard tags

**Enforcement methods**:

1. **Hard enforcement** (deny resource creation): Use for cost allocation tags
   - AWS: AWS Config rules with deny mode
   - Azure: Azure Policy with deny effect
   - GCP: Organization policies with constraints

2. **Soft enforcement** (alert only): Use for operational tags
   - AWS: AWS Config rules with notification
   - Azure: Azure Policy with audit effect
   - GCP: Cloud Asset Inventory reports

3. **No enforcement** (best-effort): Use for custom/experimental tags

## Tag Inheritance Strategies

Reduce manual tagging effort through automatic inheritance:

### AWS Tag Policies

Inherit tags from AWS Organizations account hierarchy:

```json
{
  "tags": {
    "Environment": {
      "tag_key": {
        "@@assign": "Environment"
      },
      "enforced_for": {
        "@@assign": ["ec2:instance", "s3:bucket"]
      }
    }
  }
}
```

### Azure Tag Inheritance

Use Azure Policy to inherit tags from resource groups:

```hcl
resource "azurerm_policy_assignment" "inherit_environment" {
  name                 = "inherit-environment-tag"
  policy_definition_id = azurerm_policy_definition.inherit_tags.id

  parameters = jsonencode({
    tagName = { value = "Environment" }
  })
}
```

### GCP Label Inheritance

Inherit labels from folders/projects via organization policies:

```hcl
resource "google_organization_policy" "require_labels" {
  org_id     = var.organization_id
  constraint = "constraints/gcp.resourceLabels"

  list_policy {
    allow {
      values = ["environment:prod", "environment:staging"]
    }
    inherit_from_parent = true
  }
}
```

### Kubernetes Label Propagation

Use Kyverno to auto-generate labels from namespaces:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-labels
spec:
  rules:
  - name: add-environment-label
    match:
      resources:
        kinds: [Pod, Deployment]
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            +(environment): "{{request.namespace}}"
```

## Common Anti-Patterns

### Anti-Pattern 1: Inconsistent Tag Naming

**Problem**: Multiple variations of the same tag across resources
```yaml
# BAD: Tag sprawl
Environment: prod
environment: production
Env: prod
ENVIRONMENT: PROD
```

**Solution**: Enforce single naming convention via IaC and tag policies
```yaml
# GOOD: Consistent naming
Environment: prod  # Single standard format
```

### Anti-Pattern 2: Manual Resource Creation Without Tags

**Problem**: CLI/console-created resources missing required tags

**Solution**: Block untagged resource creation via Config/Policy rules, or use AWS Service Catalog/Azure Blueprints with pre-tagged templates

### Anti-Pattern 3: No Tag Enforcement (Voluntary Tagging)

**Problem**: Tags are optional, frequently forgotten, leading to 35% unallocated spend

**Solution**: Use provider default tags in IaC + policy enforcement at account/subscription level

### Anti-Pattern 4: Tag Sprawl (Too Many Custom Tags)

**Problem**: 30+ tags per resource, most unused, causing noise in cost reports

**Solution**: Start with "Big Six" required tags only. Add optional tags only when clear use case exists.

### Anti-Pattern 5: Static Tags Not Updated

**Problem**: Tags set at creation but never updated (e.g., `Owner` outdated after team changes)

**Solution**: Run automated tag audits (weekly), use IaC to update tags programmatically, integrate with identity provider for owner updates

## Integration with Other Skills

**infrastructure-as-code**: Tags applied automatically via Terraform/Pulumi modules with default_tags/stackTags

**cost-optimization**: Tags enable cost allocation, showback/chargeback, and budget alerts by project/team

**compliance-frameworks**: Tags prove PCI/HIPAA/SOC2 scope for audit trails and automated policy enforcement

**security-hardening**: Tags enforce security policies (e.g., public vs. internal access based on SecurityZone tag)

**disaster-recovery**: Tags identify resources for backup policies (e.g., `Backup: daily` triggers automated snapshots)

**kubernetes-operations**: Labels used for pod scheduling, resource quotas, network policies, and service selection

## Implementation Checklist

When implementing resource tagging:

- [ ] Define "Big Six" required tags with allowed values
- [ ] Choose ONE naming convention (PascalCase, lowercase, kebab-case)
- [ ] Implement tags in IaC (Terraform/Pulumi provider default_tags)
- [ ] Set up enforcement policies (AWS Config, Azure Policy, GCP org policies)
- [ ] Enable cost allocation tags in billing console (AWS Cost Explorer, Azure Cost Management)
- [ ] Create tag compliance audit process (weekly recommended)
- [ ] Document tag standards in organization wiki/runbook
- [ ] Set up automated alerts for untagged resources
- [ ] Integrate tags with monitoring/alerting for owner contact
- [ ] Create remediation playbook for non-compliant resources

## Quick Reference

### Tag Enforcement Tools by Provider

| Provider | Enforcement Tool | Purpose |
|----------|------------------|---------|
| **AWS** | AWS Config Rules | Tag compliance monitoring + remediation |
| **AWS** | Tag Policies (Organizations) | Enforce tags at account level |
| **Azure** | Azure Policy | Tag enforcement + inheritance |
| **GCP** | Organization Policies | Label restrictions + inheritance |
| **Kubernetes** | OPA Gatekeeper | Admission control for labels |
| **Kubernetes** | Kyverno | Auto-generate labels + validation |

### Cost Allocation Tools

| Tool | Purpose |
|------|---------|
| AWS Cost Explorer | Tag-based cost analysis + anomaly detection |
| Azure Cost Management | Tag grouping + budgets |
| GCP Cloud Billing | Label-based cost breakdown |
| CloudHealth | Multi-cloud cost optimization |
| Kubecost | Kubernetes cost allocation by labels |

### Validation Tools (Pre-Deployment)

| Tool | Purpose |
|------|---------|
| Checkov | IaC tag validation (pre-commit) |
| tflint | Terraform linting for tag rules |
| terraform-compliance | BDD tests for tag policies |

## Additional Resources

For detailed implementation guidance:

- **Tag taxonomy and categories**: See `references/tag-taxonomy.md`
- **Enforcement patterns (AWS, Azure, GCP, K8s)**: See `references/enforcement-patterns.md`
- **Cost allocation setup**: See `references/cost-allocation.md`
- **Compliance auditing queries**: See `references/compliance-auditing.md`
- **Terraform examples**: See `examples/terraform/`
- **Kubernetes manifests**: See `examples/kubernetes/`
- **Audit scripts**: See `scripts/audit_tags.py`, `scripts/cost_by_tag.py`

## Key Takeaways

1. **Start with "Big Six" required tags**: Name, Environment, Owner, CostCenter, Project, ManagedBy
2. **Enforce at creation time**: Use AWS Config, Azure Policy, GCP org policies to block untagged resources
3. **Automate with IaC**: Terraform/Pulumi default tags reduce manual errors by 95%
4. **Enable cost allocation**: Activate billing tags to reduce unallocated spend by 80%
5. **Choose ONE naming convention**: PascalCase, lowercase, or kebab-case - enforce consistently
6. **Inherit tags from parents**: Resource groups, folders, namespaces propagate tags automatically
7. **Audit regularly**: Weekly tag compliance checks catch drift and prevent sprawl
8. **Tag inheritance reduces effort**: Let parent resources propagate common tags to children