Tag Azul resources

[jessebrennan]

Tag all cloud resources created by Azul. This helps with cost tracking, accountability, etc.

Tags to add and their expected value source:

• Owner: config.owner
• AzulDeployment: config.deployment_stage
• Creator: https://docs.aws.amazon.com/cli/latest/reference/sts/get-caller-identity.html
• Name: config.qualified_resource_name

[natanlao]

• Manually tag manually-created resources
• Enable tagging for resources deployed by Terraform
  - [ ] Enable tagging for resources deployed by Chalice (or wait for Use Terraform for deploying lambdas #556)

[hannes-ucsc]

#556 is really close. I'd strike out the third bullet.

[hannes-ucsc]

#556 has landed.

[natanlao]

Amar pointed me to this DCP RFC on resource tagging, which defines a slightly different superset of the tags in this issue. Should I use these tags for consistency?

[natanlao]

I discussed this issue with @hannes-ucsc after standup today. After our conversation, I am taking this approach:

• Implementing both the tags specified in the issue and the tags in DCP RFC 6. (AWS tags are case-sensitive, so we can have both Owner and owner).
• The Name tag will follow the following guidelines:
  • Unique across all resources
  • Consistent with any name or ID attribute in the associated Terraform resource
  • If no name or ID attribute is present, the resource name will include the AWS service name
• The service tag is set to Azul

[natanlao]

After review of #1701, @jessebrennan, @hannes-ucsc, @amarjandu, and I spoke about tagging strategy in general. From our conversation, the approach has been revised:

• Support for the RFC is being dropped.
• A tag, component, with the service name and resource name (but not the stage name) is being added. (e.g., azul-{resource_name})
• All tag names are now lowercase so that tags are compatible on both AWS and GCP.
• On AWS, the Name tag has special meaning, so during terraform post-processing, tags associated with AWS resources will have the name key uppercased to Name. (Alternatively, maybe this step should add a Name key in addition to name.)
• The creator tag will continue to use the UserId from aws sts get-caller-identity. While imperfect, it provides enough information to trace the user that deployed a resource, and there currently is no reliable alternative.
• The scope of Tag Azul resources #1552 is being expanded to add tagging for GCP resources as well.
• The value of the name tag will follow these guidelines:
  • If the resource already has a name assigned to it, use that value. This value should already be qualified.
  • If the resource does not already have a name assigned to it, create a unique value in the qualified format (e.g., azul-foo-dev)
  • Each name should be unique.
• The AzulDeployment tag is being dropped.

This leaves us with a new set of tags:

• project, set to dcp
• service, set to azul
• component, set to azul-{resource_name}
• deployment, set to config.deployment_stage
• owner, set to config.owner
• creator, set to UserId as described above
• name, set as described above

Please let me know if I'm missing anything here.