Tag Management


Turbot tag management allows teams to configure centralized tagging and enforce specific key/value pairs across their Turbot and AWS resources. Tags are defined in templates which provide flexible naming schemes for keys and values. These templates can be set for an account, AWS service, or for a particular AWS resource, like an EC2 instance.

If a tag is modified and is differs from the definition in the template, Turbot will update this tag in real-time to match the template definition.

Supported Resources

Currently Turbot can manage tags for the following resources:

  • AWS
    • EC2 instances
    • EC2 volumes
    • ELB application load balancers
    • ELB classic load balancers
    • RDS instances
    • Redshift clusters
    • Route 53 hosted zones
    • S3 buckets
    • VPC dhcp options
    • VPC internet gateway
    • VPC peering connections
    • VPC route tables
    • VPC security groups
    • VPC subnets
    • VPC virtual private gateway
    • VPCs
  • Turbot
    • Accounts

Getting Started

Each resource has 2 options for managing tags:

  • > Tags Template - Define the key/value pairs for tags.
  • > Tags - Set whether Turbot checks or enforces the tags defined in the tags template.

For instance, for EC2 there are 2 options:

  • EC2 > Instance Tags Template
  • EC2 > Instance Tags

The Tags option must be set to Enforce in order for Turbot to manage tags, which includes creating, updating, and deleting tags according to the tags template option.

By default, the Tags Template options for AWS resources inherits values from Tags > AWS Account Tags Template.

Note: Any AWS Tags Template option, e.g., EC2 > Instance Tags Template, that includes tags from Tags > AWS Account Tags Template may take up to 24 hours to update. To force an update sooner for a particular resource, please run the Tags guardrail manually.

Deleting Tags

Turbot will not delete any tags not included in the template, i.e., added through the AWS console. This ensures that users can continue using the AWS console or the SDK for tags that are not enforced or controlled.

To force Turbot to delete a tag, include the tag in the template and set its value to undefined:

- Delete Me: undefined

Setting Tags Templates

Each resource’s tag template is a YAML list of key/value pairs and by default will include the tags defined in Turbot > AWS Account Tags Template.

It is recommended to wrap all values in the template in double quotation marks to ensure they can render successfully.

S3 bucket and ELB load balancer tags have certain restrictions on which characters can be included in keys and values. If these characters are present in either the tag keys or values, Turbot will be unable to update the tags. It is recommended to use the awsTagSafeName filter to remove invalid characters for S3 bucket and ELB load balancer tags. For a list of valid characters, please see Cost Allocation Tagging.

The templates are in Nunjucks / Jinja2 format with these variables:

  • account
    • id
    • clusterId
    • title
  • region

and these filters:

  • built-in filters
  • alphanum
  • awsAccountIdString
  • awsTagSafeName - Remove invalid characters for AWS tag keys and values.
  • dnsSafeName - Convert to lowercase and remove all characters except alphanumerics, periods, and hyphens.
  • hex
  • ipOctet
  • ipOctetBase36Dec
  • isString
  • json
  • padLeft
  • region3
  • region5

In addition to the variables listed above, each service also has additional data types available depending on the service. More information for each service can be found below (all field names are capitalized in Turbot):

Tags Template Examples

Use Account, Region, and EC2 Instance Data

- Account: "{{ account.id }} - {{ account.title }}"

- Location: "{{ region }}"

- Instance ID: "{{ InstanceId }}"

Sanitize Invalid Characters for S3 Bucket Tag Value

- Application: "{{ 'Sample Application!' | awsTagSafeName }}"

Copy Existing Tag Values

- Copy Name: "{{ TagsMap.Name }}"

Use Conditional Statements

Examples of configuring tag templates for cloud resources, such as an AWS EC2 instance:

- Environment: "{% if TagsMap['Environment'] in ['Dev', 'QA', 'Prod'] %}{{ TagsMap['Environment'] }}{% else %}Non-Compliant Environment{% endif %}"

- Application: "{% if TagsMap['Application'] %}{{ TagsMap['Application'] }}{% else %}N/A{% endif %}"

Example of configuring tag template for a Turbot account:

- Application: "{% if account.tags['Application'] %}{{ account.tags['Application'] }}{% else %}N/A{% endif %}"

Include Tags From Account Tags

- Turbot::Include: Tags:AccountTagsTemplate

Turbot Managed Tags

If tagging is set to enforce, certain services also have Turbot tags set that provide additional details about the resource, such as the creation timestamp and detached timestamp. All Turbot tags will begin with “turbot:” and should not be modified by users.

The following resources have Turbot tags today:

  • EC2 Instances, S3 Buckets, VPC Peering Connections
    • turbot:CreatedBy - Friendly name of the user who created the instance, e.g., “John Bell - jbell@example.com”.
    • turbot:CreatedByUrn - The Turbot URN of the user who created the instance.
    • turbot:CreatedTimestamp: Date and time the instance was created.
  • EC2 Volumes
    • turbot:DetachedTimestamp - Date and time of when the volume was last detached. If the time is unknown, it will be set to when the guardrail is run next. This tag will be removed if the volume is attached.
    • turbot:LastInstanceId - Instance ID of the last known attached instance. This tag will be removed if the volume is attached.
Was this article helpful?
0 out of 0 found this helpful