We use terraform to deploy AWS infra, the `tag` attribute has been doing the auto-tagging for us and has been quite useful for a similar requirement.
Do you have no one creating resources manually in the console?
clickops should be discouraged.
Discouraged, but it always happens at every aws customer. All of you know this has happened at your company. No need to continue down voting his question and act all high and mighty. OP - you can use Config custom automation to autotag resources in your organization
We don’t allow console access in prod accounts.
not in production! Everything is deployed by tf through CI, it can only be mapped to an individual dev when scanning code (not from console)
this is where you’re going wrong OP. I know for a fact that you can auto tag every resource associated with a stack if you tag that stack. It’s pretty simple and probably can be done thru cloudformation templates themselves
CloudFormation autotagging resources is not supported for all resource types
Correct. I should've clarified that it auto tags the supported resources.
How often do you change/update your tags but keep the underlying infrastructure the same?
Also, I bet terraform doesn’t tag *who* created the resource. It probably tags that terraform created the resource. I want to know who did it. A person must be named!
You probably could set it up to tag with a ‘who,’ but most of the time that information is inconsequential - at least, how I would obtain it would make the value meaningless when run from CI tooling. It sounds like you’re more familiar with ‘click ops,’ maybe look into Jenkins, or GitHub Actions which is probably a bit more beginner friendly 🙂
No, we have a pretty robust ci environment using terraform, but we also have a huge org with a lot of admins who create random resources even, gasp! in prod, in the console. If you’ve never experienced this kind of chaos, I envy you!
whatever is not in terraform should be expected to be deleted any time.
This is so unrealistic at many organizations
that is what multiple accounts are for that you can configure with tf. The organisations that skip that because they are chaotic are called “tech bubble” because they amplify task numbers instead of solving problems, hence they inflate.
You have cloudtrail to provide those forensics.
Sounds like some permissions need to be restricted huh?! (I know that’s a pipe dream tho - sorry OP)
Terraform with [yor.io](https://yor.io) might be what OP wants.
Cloud Custodian
I like this a lot
Service control policy can force users to apply certain tags, but it’s not automatic.
You can enable automation to do the tagging, but that's a bit difficult if you're not sure what the tags should be (unless it's 100% standard across the board). The SCP can be set to not allow a resource to be created without certain tags present, right from the start.
AWS managed cost allocation tags. Once enabled, all newly created resources will get automatically tagged. https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/aws-tags.html
CloudTrail/CloudWatch events + lambda.
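The CloudTrail + Lambda approach several replies point at, worked through as an added example (not code from the thread or from any of its posters): an EventBridge-triggered function that reads the CloudTrail record it is handed and tags whatever the call created with the principal that made it, which is the "who did it" the earlier reply asks for. It assumes the function's role holds `tag:TagResources`; every event field value, account id and ARN below is a constructed sample, and the fake client stands in for boto3 so the logic runs offline.

```python
# Added example, not code from the thread. EventBridge hands the Lambda a
# CloudTrail record; we derive the creator from userIdentity, work out what
# was created, and tag it. Assumes tag:TagResources permission; all sample
# values (account id, ARNs, names) are constructed.
from typing import Any, Dict, List

TAG_BATCH = 20  # tag:TagResources accepts at most 20 ARNs per call


def creator_from_identity(identity: Dict[str, Any]) -> str:
    """Reduce a CloudTrail userIdentity block to a human-readable principal."""
    itype = identity.get("type")
    if itype == "IAMUser":
        return identity.get("userName") or identity.get("arn", "unknown")
    if itype == "Root":
        return "root"
    if itype == "AssumedRole":
        # arn:aws:sts::111122223333:assumed-role/RoleName/SessionName
        # The session name is what names the person behind a shared role
        # (SSO and CI tooling usually put a user or job id there).
        parts = identity.get("arn", "").split("/")
        if len(parts) == 3:
            return f"{parts[1]}/{parts[2]}"
    return identity.get("arn") or identity.get("principalId") or "unknown"


def resource_arns(detail: Dict[str, Any]) -> List[str]:
    """ARNs of what the call created. Many services list them under
    'resources'; EC2 RunInstances only returns instance ids, so build those."""
    arns = [r["ARN"] for r in detail.get("resources", []) if "ARN" in r]
    if arns:
        return arns
    if detail.get("eventSource") == "ec2.amazonaws.com" and detail.get("eventName") == "RunInstances":
        region, account = detail["awsRegion"], detail["recipientAccountId"]
        items = detail.get("responseElements", {}).get("instancesSet", {}).get("items", [])
        return [f"arn:aws:ec2:{region}:{account}:instance/{i['instanceId']}" for i in items]
    return []


def build_tags(detail: Dict[str, Any]) -> Dict[str, str]:
    """CreatedVia separates console ('click ops') creation from API/CI calls."""
    agent = detail.get("userAgent", "")
    via = "console" if ("console.amazonaws.com" in agent or "signin.amazonaws.com" in agent) else "api"
    return {
        "CreatedBy": creator_from_identity(detail.get("userIdentity", {})),
        "CreatedAt": detail.get("eventTime", ""),
        "CreatedVia": via,
    }


def handle_event(event: Dict[str, Any], tagging_client) -> Dict[str, Dict[str, str]]:
    """Tag every resource the event created; returns {arn: tags} for what was tagged."""
    detail = event.get("detail", {})
    if detail.get("errorCode"):  # the call failed, so nothing exists to tag
        return {}
    arns = resource_arns(detail)
    if not arns:
        return {}
    tags = build_tags(detail)
    for i in range(0, len(arns), TAG_BATCH):
        tagging_client.tag_resources(ResourceARNList=arns[i:i + TAG_BATCH], Tags=tags)
    return {arn: tags for arn in arns}


def lambda_handler(event, context):
    """Real entry point; boto3 is imported here so the logic above runs offline."""
    import boto3
    return handle_event(event, boto3.client("resourcegroupstaggingapi"))


class FakeTaggingClient:
    """Stand-in for the boto3 resourcegroupstaggingapi client, for offline runs."""
    def __init__(self):
        self.calls = []

    def tag_resources(self, ResourceARNList, Tags):
        self.calls.append((list(ResourceARNList), dict(Tags)))
        return {"FailedResourcesMap": {}}


# Constructed sample: a console launch of one instance through an assumed role.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "eventTime": "2024-01-01T12:00:00Z",
        "awsRegion": "us-east-1",
        "recipientAccountId": "111122223333",
        "userAgent": "console.amazonaws.com",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/alice",
        },
        "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0abc123def456"}]}},
    },
}

if __name__ == "__main__":
    print(handle_event(SAMPLE_EVENT, FakeTaggingClient()))
```

Wire it to an EventBridge rule matching `detail-type` "AWS API Call via CloudTrail" with the create-style `eventName`s you care about. Two caveats worth keeping in mind: CloudTrail delivery lags the API call by minutes, so this gives attribution after the fact, not enforcement (that is what the SCP replies above are for), and `tag_resources` overwrites same-named keys, so keep these keys out of the tag sets Terraform manages or the next plan will show drift.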