Engineering Playbook
FinOps

Tagging Strategies

Cost Allocation, Showback, and Tag Enforcement.

Tagging Strategy

In AWS or Azure, a resource without tags is an orphan. You cannot audit it, you cannot secure it (tag-driven controls such as backup plans, patch groups and ABAC policies never match it), and most importantly, you cannot attribute its cost.

The Tagging Standard

Don't let developers invent tags. Enforce a schema: fixed key names with fixed spelling and case (AWS tag keys are case-sensitive, so Owner and owner are two different tags and your cost report will show both), and a controlled value list wherever one exists (Environment).

Minimum Viable Tags

  1. Environment: prod, staging, dev. (Crucial for separating "Real money" from "Play money").
  2. Owner: Team email or Slack channel (team-checkout, sre-core). (Who do I yell at if this breaks?).
  3. CostCenter: The accounting code (CC-1024). (Who pays the bill?).
  4. Application: inventory-service, frontend-web.

Showback vs. Chargeback

Once you have tags, you create a report.

  • Showback (Psychological): "Hey Team A, just letting you know you spent $5,000 this month."
    • Goal: Awareness and shame.
  • Chargeback (Financial): "Hey Team A, we are deducting $5,000 from your department's budget."
    • Goal: Accountability.

Enforcement

How do you ensure people actually tag things?

1. Infrastructure as Code (The Easy Way)

Use Terraform default_tags provider configuration.

provider "aws" {
  default_tags {
    tags = {
      Environment = "prod"               # lowercase, exactly as the schema above spells it
      Owner       = "sre-core"           # a team channel, never a person
      CostCenter  = "CC-1024"
      Application = "inventory-service"
    }
  }
}

Every taggable resource created through this provider configuration gets these tags; resource-level tags are merged in and override a default with the same key. It does not cover resource types that don't support tags, resources created by other providers or provider aliases (a module with its own provider block has its own default_tags), or anything created by hand in the console, which is why you still need the next two controls.

2. Tag Policies and SCPs

AWS Organizations gives you two different tools here, and they are not the same thing.

  • Tag Policies define the schema: allowed keys, their capitalization, and allowed values. They report non-compliance and can optionally block non-compliant tagging operations on the resource types that support enforcement. They do not, by themselves, stop someone creating a resource with no tags at all.
  • Service Control Policies (SCPs) can deny the API call itself.
    • Rule: "Deny ec2:RunInstances if the request does not carry a CostCenter tag" (the aws:RequestTag/CostCenter condition key).
    • Result: The API call fails with an access-denied error. The developer is forced to tag at creation time.

Caveats: SCPs do not apply to the organization's management account; they only affect new requests, so existing untagged resources are untouched (that is the reaper's job); and a deny on RunInstances has to be scoped to the instance and volume ARNs, because the same call also touches network interfaces, subnets and images that carry no request tag, and with Resource "*" the condition would fail for those and block every launch. On Azure the equivalent is an Azure Policy assignment with the Deny effect (the built-in "Require a tag on resources" definition). Because tags drive cost attribution, ABAC decisions and the reaper below, treat tag changes as a privileged operation: restrict ec2:DeleteTags on the schema keys with the aws:TagKeys condition key.
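The SCP described above, written out as an added example (this is not a policy from the page's author; the statement IDs and the exact key list are this example's choices). The first statement is the RunInstances deny scoped to instance and volume ARNs; the second makes the four schema keys non-deletable for everyone in the affected accounts, while still allowing a value to be overwritten with ec2:CreateTags.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutCostCenter",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/CostCenter": "true" }
      }
    },
    {
      "Sid": "DenyRemovingSchemaTags",
      "Effect": "Deny",
      "Action": "ec2:DeleteTags",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["Environment", "Owner", "CostCenter", "Application"]
        }
      }
    }
  ]
}
```

Attach it to the organizational unit holding the member accounts, not the root with the management account in it, and test it first on a sandbox OU: an SCP deny cannot be overridden by any IAM policy inside the account, including the administrator's.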

3. The Reaper (Tag or Terminate)

A script (a scheduled Lambda) that runs nightly:

  1. Scan for resources missing Owner.
  2. If found, stop the instance and tag it To_Be_Deleted, with the time of the stop as the value (the marker is how the next run measures the grace period).
  3. If still untagged after 24 hours, terminate it.

Stopping first is the safety valve: an untagged instance is often a forgotten production box, and a stopped instance can be tagged and started again whereas a terminated one cannot. Skip instances that belong to an Auto Scaling group (they carry the aws:autoscaling:groupName tag); terminating those only makes the group launch an identical untagged replacement, so fix the launch template instead. Give the Lambda's role only what it needs: ec2:DescribeInstances, ec2:CreateTags, ec2:DeleteTags, ec2:StopInstances and ec2:TerminateInstances.
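The reaper's decision logic, as an added example in Python (not code from the page's author or any project). The decision step is pure and runs offline against the constructed inventory below; apply_plan() takes a boto3 EC2 client and is only used from the live branch of the main block. The marker tag name To_Be_Deleted comes from the page; storing a UTC timestamp in its value, skipping Auto Scaling group members, and clearing the marker once an Owner tag appears are this example's assumptions.

```python
"""Tag-or-terminate reaper for EC2 instances without an Owner tag (added example)."""
from __future__ import annotations

import sys
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

REQUIRED_TAG = "Owner"
MARK_TAG = "To_Be_Deleted"      # value: UTC timestamp of when the reaper stopped the box
GRACE = timedelta(hours=24)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class Action:
    instance_id: str
    kind: str                   # ok | mark | wait | terminate | unmark
    reason: str


def tags_of(instance: dict) -> dict[str, str]:
    """Flatten the describe_instances tag list into a dict."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def decide(instance: dict, now: datetime) -> Action:
    """Decide what this run should do with one instance."""
    iid = instance["InstanceId"]
    tags = tags_of(instance)
    if instance.get("State", {}).get("Name") == "terminated":
        return Action(iid, "ok", "already terminated")
    if tags.get(REQUIRED_TAG, "").strip():
        if MARK_TAG in tags:
            return Action(iid, "unmark", "Owner tag added after marking; clear the marker")
        return Action(iid, "ok", "Owner tag present")
    if "aws:autoscaling:groupName" in tags:
        # Terminating an ASG member only triggers a replacement; fix the launch template.
        return Action(iid, "ok", "ASG-managed; not reaped")
    if MARK_TAG not in tags:
        return Action(iid, "mark", "missing Owner tag; stop and mark")
    try:
        marked_at = datetime.strptime(tags[MARK_TAG], TS_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return Action(iid, "mark", "marker value unreadable; stop and re-mark")
    if now - marked_at >= GRACE:
        return Action(iid, "terminate", f"still untagged {now - marked_at} after marking")
    return Action(iid, "wait", f"grace ends {(marked_at + GRACE).strftime(TS_FMT)}")


def plan(instances: list[dict], now: datetime) -> list[Action]:
    return [decide(i, now) for i in instances]


def apply_plan(ec2, actions: list[Action], now: datetime, dry_run: bool = True) -> None:
    """Execute the plan with a boto3 EC2 client; with dry_run only print what would happen."""
    stamp = now.strftime(TS_FMT)
    for a in actions:
        if a.kind in ("ok", "wait"):
            continue
        print(f"{a.kind:9} {a.instance_id}: {a.reason}")
        if dry_run:
            continue
        if a.kind == "mark":
            ec2.stop_instances(InstanceIds=[a.instance_id])
            ec2.create_tags(Resources=[a.instance_id], Tags=[{"Key": MARK_TAG, "Value": stamp}])
        elif a.kind == "terminate":
            ec2.terminate_instances(InstanceIds=[a.instance_id])
        elif a.kind == "unmark":
            ec2.delete_tags(Resources=[a.instance_id], Tags=[{"Key": MARK_TAG}])


# Constructed inventory in describe_instances shape; instance IDs are made up.
SAMPLE_NOW = datetime(2024, 5, 2, 3, 0, tzinfo=timezone.utc)
SAMPLE_INSTANCES = [
    {"InstanceId": "i-owned", "State": {"Name": "running"},
     "Tags": [{"Key": "Owner", "Value": "team-checkout"}]},
    {"InstanceId": "i-fresh", "State": {"Name": "running"}, "Tags": []},
    {"InstanceId": "i-expired", "State": {"Name": "stopped"},          # marked 26 h ago
     "Tags": [{"Key": MARK_TAG, "Value": "2024-05-01T01:00:00Z"}]},
    {"InstanceId": "i-grace", "State": {"Name": "stopped"},            # marked 2 h ago
     "Tags": [{"Key": MARK_TAG, "Value": "2024-05-02T01:00:00Z"}]},
    {"InstanceId": "i-rescued", "State": {"Name": "stopped"},          # tagged after marking
     "Tags": [{"Key": "Owner", "Value": "sre-core"},
              {"Key": MARK_TAG, "Value": "2024-05-01T01:00:00Z"}]},
    {"InstanceId": "i-asg", "State": {"Name": "running"},
     "Tags": [{"Key": "aws:autoscaling:groupName", "Value": "web-asg"}]},
]


def demo() -> dict[str, str]:
    """Plan the constructed inventory; returns {instance_id: action kind}."""
    return {a.instance_id: a.kind for a in plan(SAMPLE_INSTANCES, SAMPLE_NOW)}


if __name__ == "__main__":
    print(demo())
    if "--live" in sys.argv:                 # real account: credentials/region from the environment
        import boto3
        ec2 = boto3.client("ec2")
        now = datetime.now(timezone.utc)
        live = [i for page in ec2.get_paginator("describe_instances").paginate()
                for r in page["Reservations"] for i in r["Instances"]]
        apply_plan(ec2, plan(live, now), now, dry_run="--apply" not in sys.argv)
```

Run it without arguments to see the plan for the constructed inventory; `--live` plans against the real account and only prints, and `--live --apply` actually stops, tags and terminates. Keeping decide() free of AWS calls is what lets you unit-test the grace-period and rescue cases before the thing has permission to terminate anything.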

Tag Pollution

Don't use tags for data that changes frequently (like Version: v1.2). Every tag update is an API call that counts against rate limits, lands in CloudTrail as a separate event, and, if tags feed ABAC or backup selection, is effectively a permission or policy change. Keep tags to static metadata; versions and deploy IDs belong in the deployment tool, not on the resource.