This standard is being implemented to facilitate visibility, predictability and accountability for Azure and other cloud services.


The goals for this standard are to:

  • Identify the experts and those accountable for the usage and cost of cloud services:
    • Who is accountable for understanding the technical details of the service?
    • Who is accountable for the costs incurred by the service and for ensuring that the service is being used and not incurring waste?
    • Who is accountable for reviewing the lifecycle of the resource to identify whether the service should persist or be turned down?
    • Who is accountable for reviewing access controls to the service and ensuring we follow the policy of granting the least privileges necessary based on job roles?
  • Why does the resource exist and what is its purpose?
    • What project is the resource part of?
    • What is the intended usage of the resource; what need does it fill?
  • What is the lifecycle of the resource?
    • Should the resource persist for a year or more as part of a deployed application, or is it part of a learning experiment that should be turned down after the learning exercise is over?
    • When should the resource be reviewed for its purpose and expected lifecycle?
    • When was the last review of the resource's access control list?
  • Where are other resources available to provide insight on the resource?
    • Is the resource related to an application, and where is the source code for the application?
    • Is the resource defined by an infrastructure as code project, and where is the source code for that project?
    • Where is the supporting documentation for the resource that describes the project(s) the resource is related to?


To meet these goals, the following standard tags will be required on all cloud service resources:


created-by
  Type: identifier for the identity that created the resource
  Automated: Yes
  Description: An email address, directory object ID or other unique identifier that points to the entity that created the resource and that is unambiguous in the context of where the resource is located (Azure, AWS, etc.).

date-created
  Type: A date string as "YYYY-MM-DD"
  Automated: Yes
  Description: The date the resource was created. (Automate on creation to set as the current date.)

date-next-review
  Type: A date string as "YYYY-MM-DD"
  Automated: Yes
  Description: Deadline for the next review of the resource's lifecycle by the person identified through the "contact-budget" tag and of its access control list by the person identified through the "contact-security" tag. (Automate for a future date based on the creation date?)

contact-primary
  Type: email address
  Automated: No
  Description: Email address for the person responsible for understanding how the resource fits into the big picture of the company's infrastructure. This person need not understand the technical details and will likely have delegated responsibility for budget monitoring to another person. However, this person's role may overlap with those other roles.

docs-primary
  Type: A URL
  Automated: No
  Description: The URL with the details for what project the resource is related to. This can be:
    • an IT ticket URL
    • a link to a source control repository's README file that explains the project
    • a Bookstack URL
    • a Wiki URL in Azure DevOps (ADO), SharePoint or other similar resource.


To meet these goals the following standard tags are optional on all cloud service resources:


contact-budget
  Type: email address
  Description: Email address for the person accountable for attesting that the resource's costs are necessary and justified.

contact-technical
  Type: email address
  Description: Email address for the person responsible for understanding the technical details of the resource's implementation.

contact-security
  Type: email address
  Description: Email address for the person responsible for understanding the security implications of the resource and reviewing the access control list for the resource.

contact-requested-by
  Type: email address
  Description: Email address for the person asking for the resource. This contact is likely to match one of the other contacts, but not necessarily.

date-last-review
  Type: A date string as "YYYY-MM-DD"
  Description: The date of the last review of the resource's lifecycle by the people identified by the "contact-budget" and "contact-security" tags.

delete-on
  Type: A date string as "YYYY-MM-DD"
  Description: Date to delete the resource, if known (optional).

docs-iac
  Type: A URL
  Description: Link to a source control repository with the infrastructure as code defining the resource.

docs-app
  Type: A URL
  Description: Link to a source control repository with the application code related to the resource.

ticket-url
  Type: A URL
  Description: Link to an IT ticket associated with the creation or last update of the resource (optional).

security-data-class
  Type: String
  Description: [Future Use] Establish a set of data classifications and tag resources according to their data classification for identification, automation, and reporting around security controls.

cost-project
  Type: String
  Description: [Future Use] Establish a set of project codes to tag resources with that identify where costs should be allocated.

component
  Type: String
  Description: [Legacy] This tag has been used as metadata for a number of CGGS resources and identifies the "component" directory in the IaC repository controlling those resources.

environment
  Type: String
  Description: [Legacy] This tag has been used as metadata for a number of CGGS resources and identifies which "environment" the resource was created for. Generally this is either "Beta" or "Production", but other values may be used in other contexts.

organization
  Type: String
  Description: [Legacy] This tag has been used as metadata for a number of CGGS resources and identifies which company entity the resource was created to support.

status
  Type: String
  Description: [Legacy] This tag has been used as metadata for a number of CGGS resources and was meant as a binary toggle identifying unmanaged (manually created) resources, as a data point indicating the likelihood that the resource has been abandoned and is stale.

requested_by
  Type: Email address
  Description: [Legacy] This tag has been used as metadata for a number of CGGS resources and identifies who requested the resource. It should be replaced by the "contact-requested-by" tag.

ticker_url
  Type: URL
  Description: [Legacy] This tag has been used as metadata for a number of CGGS resources and identifies the ticket where the resource was requested. It should be replaced by the "ticket-url" tag.


Limitations


Azure: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources#limitations


  • Maximum of 50 tag name-value pairs per resource.
  • The tag name has a limit of 512 characters and the tag value has a limit of 256 characters. For storage accounts, the tag name has a limit of 128 characters and the tag value has a limit of 256 characters.
  • Tag names can't contain these characters: <, >, %, &, \, ?, /
  • See the link above for more specific edge cases
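The following validator is an added example and is not part of this standard or of any CGGS tooling. It checks one resource's tag dictionary against the required and optional tag definitions above (presence of required tags, "YYYY-MM-DD" dates, email addresses, URLs, legacy tags that should be migrated) and against the Azure limitations in this section. The email and URL patterns, the 365-day default review interval, the rule that an expired "date-next-review" is reported as an overdue lifecycle and access control review, and the sample tag sets are all assumptions made for this example.

```python
"""Tag-standard validator (added example; not the standard's own tooling)."""
from datetime import date, timedelta
import re

REQUIRED_TAGS = ("created-by", "date-created", "date-next-review",
                 "contact-primary", "docs-primary")
DATE_TAGS = ("date-created", "date-next-review", "date-last-review", "delete-on")
EMAIL_TAGS = ("contact-primary", "contact-budget", "contact-technical",
              "contact-security", "contact-requested-by")
URL_TAGS = ("docs-primary", "docs-iac", "docs-app", "ticket-url")
LEGACY_REPLACEMENTS = {"requested_by": "contact-requested-by",
                       "ticker_url": "ticket-url"}

# Azure Resource Manager limits quoted in the Limitations section.
MAX_TAG_PAIRS = 50
MAX_NAME_LEN = 512
MAX_NAME_LEN_STORAGE = 128          # storage accounts have the shorter name limit
MAX_VALUE_LEN = 256
FORBIDDEN_NAME_CHARS = set("<>%&\\?/")

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # assumption: deliberately loose
URL_RE = re.compile(r"^https?://\S+$")                  # assumption: http(s) links only
REVIEW_INTERVAL = timedelta(days=365)                   # assumption: default next-review offset


def parse_tag_date(value):
    """Return a date for a strict YYYY-MM-DD string, otherwise None."""
    if not DATE_RE.match(value):
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:              # e.g. 2024-13-40
        return None


def automated_tags(created_by, today):
    """The three tags marked Automated: Yes, as a creation hook would set them."""
    return {"created-by": created_by,
            "date-created": today.isoformat(),
            "date-next-review": (today + REVIEW_INTERVAL).isoformat()}


def validate_tags(tags, today, is_storage_account=False):
    """Return a list of violations; an empty list means the tags are compliant."""
    problems = []
    if len(tags) > MAX_TAG_PAIRS:
        problems.append(f"{len(tags)} tags exceeds the Azure maximum of {MAX_TAG_PAIRS}")
    name_limit = MAX_NAME_LEN_STORAGE if is_storage_account else MAX_NAME_LEN
    for name, value in tags.items():
        if len(name) > name_limit:
            problems.append(f"tag name {name[:30]!r}... exceeds {name_limit} characters")
        if len(value) > MAX_VALUE_LEN:
            problems.append(f"value of {name!r} exceeds {MAX_VALUE_LEN} characters")
        bad = FORBIDDEN_NAME_CHARS.intersection(name)
        if bad:
            problems.append(f"tag name {name!r} contains forbidden characters {sorted(bad)}")
    for name in REQUIRED_TAGS:
        if name not in tags:
            problems.append(f"missing required tag {name!r}")
    for name in DATE_TAGS:
        if name in tags and parse_tag_date(tags[name]) is None:
            problems.append(f"{name!r} is not a YYYY-MM-DD date: {tags[name]!r}")
    for name in EMAIL_TAGS:
        if name in tags and not EMAIL_RE.match(tags[name]):
            problems.append(f"{name!r} is not an email address: {tags[name]!r}")
    for name in URL_TAGS:
        if name in tags and not URL_RE.match(tags[name]):
            problems.append(f"{name!r} is not a URL: {tags[name]!r}")
    for old, new in LEGACY_REPLACEMENTS.items():
        if old in tags:
            problems.append(f"legacy tag {old!r} should be replaced by {new!r}")
    # An expired date-next-review means the lifecycle review (contact-budget)
    # and the access control list review (contact-security) are overdue.
    next_review = parse_tag_date(tags.get("date-next-review", ""))
    if next_review is not None and next_review < today:
        problems.append(f"date-next-review {next_review.isoformat()} has passed; "
                        "lifecycle and access control reviews are overdue")
    return problems


# Constructed sample data: a reference date and two resources' tag sets.
AS_OF = date(2024, 6, 1)
SAMPLE_COMPLIANT = {
    **automated_tags("alice@example.com", date(2024, 1, 15)),
    "contact-primary": "alice@example.com",
    "contact-security": "sec-team@example.com",
    "docs-primary": "https://example.com/wiki/projects/inventory",
}
SAMPLE_LEGACY = {                   # manually created resource with old-style tags
    "created-by": "bob@example.com",
    "date-created": "01/02/2023",
    "date-next-review": "2023-12-31",
    "requested_by": "bob@example.com",
    "ticker_url": "https://example.com/tickets/123",
    "cost/center": "4711",
}

if __name__ == "__main__":
    for label, tags in (("compliant", SAMPLE_COMPLIANT), ("legacy", SAMPLE_LEGACY)):
        found = validate_tags(tags, AS_OF)
        print(f"{label}: {'OK' if not found else ''}")
        for problem in found:
            print("  -", problem)
```

Run against a tag export (for example the tags field from an Azure resource listing), the function returns one finding per violation, so the same routine can drive a scheduled report of resources whose access control review is overdue or that still carry legacy tag names.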