Tagging AWS resources
We use AWS for hosting. Most AWS resources support tagging.
This manual documents our efforts with tagging. In time, it may be upgraded to a standard.
The main reasons for tagging are:
- to be able to understand costs (by assisting queries in Cost Explorer)
- to understand the provenance of resources (by tagging with metadata about source code)
- security and assurance
Currently, we care most about understanding costs.
It’s not always clear to a developer what impact their work has on AWS costs.
If resources are consistently tagged as part of a particular directorate, programme, product, component, team, and environment, it becomes much easier to understand how much money is being spent in each particular context.
AWS Cost Explorer supports using cost allocation tags to filter and group resources.
Note that using AWS Organizations to tag accounts does not help here, because account-level tags are not supported for querying in Cost Explorer.
Alerting and enforcement
Currently, we do not enforce tags.
In future, we may wish to consider mechanisms such as alerting on untagged resources, or automatically deleting untagged resources.
Tags used in GOV.UK Sign In
GOV.UK Sign In is using the following tags:
- Product: should be GOV.UK Sign In
- System: the name of the software system, for example Identity proofing and verification core. Avoid abbreviations.
- Environment: should be one of
- Owner: an email address for an owner of the resource. For dev environments, this will be an individual email address; elsewhere it will be a group address.
- Service: describes the function of a particular resource (for example: account management, session storage, front end)
- Name: a name for this particular resource. This should be unique within a deployment (Terraform deployment, CloudFormation stack, etc.)
- Source: the URL(s) of any source code repositories related to this resource, separated by spaces
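As an added example (not part of this manual or of GOV.UK Sign In's own code), a small Python check that validates a resource inventory against the tag scheme above, the kind of check that could back alerting on untagged or mis-tagged resources. It assumes the inventory is a dict of resource handle to tag map, treats the whole inventory as one deployment for the Name uniqueness rule, and, because the page does not list the permitted Environment values, checks only that the tag is present; the sample handles and values are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Tag keys from the GOV.UK Sign In scheme. Environment's permitted values are not
# listed on the page, so only its presence is checked.
REQUIRED_TAGS = ("Product", "System", "Environment", "Owner", "Service", "Name", "Source")
EXPECTED_PRODUCT = "GOV.UK Sign In"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def tag_problems(tags):
    """Return the problems found in one resource's tags (empty list if compliant)."""
    problems = [f"missing tag {k}" for k in REQUIRED_TAGS if not tags.get(k, "").strip()]
    if tags.get("Product") and tags["Product"] != EXPECTED_PRODUCT:
        problems.append(f"Product must be {EXPECTED_PRODUCT!r}")
    if tags.get("Owner") and not EMAIL_RE.match(tags["Owner"]):
        problems.append("Owner is not an email address")
    for url in tags.get("Source", "").split():  # Source is space-separated repository URLs
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"Source entry is not a URL: {url}")
    return problems

def compliance_report(resources):
    """Map each non-compliant handle to its problems. Name must be unique within a
    deployment; the whole inventory is assumed here to be a single deployment."""
    names = Counter(t["Name"] for t in resources.values() if t.get("Name"))
    report = {}
    for handle, tags in resources.items():
        problems = tag_problems(tags)
        if names[tags.get("Name")] > 1:
            problems.append(f"Name {tags['Name']!r} is not unique")
        if problems:
            report[handle] = problems
    return report

# Constructed sample inventory: handles and values are placeholders, not real resources.
SAMPLE_RESOURCES = {
    "example-dynamodb-table": {
        "Product": "GOV.UK Sign In", "System": "Identity proofing and verification core",
        "Environment": "example-env", "Owner": "example-team@example.com", "Service": "session storage",
        "Name": "example-sessions", "Source": "https://github.com/example/a https://github.com/example/b",
    },
    "example-lambda-function": {  # misspelt Product, no System, bad Owner and Source
        "Product": "GOVUK Sign In", "Environment": "example-env", "Owner": "not-an-email",
        "Service": "front end", "Name": "example-frontend", "Source": "not-a-url",
    },
    "example-untagged-bucket": {},
}
```

Running `compliance_report(SAMPLE_RESOURCES)` flags the second and third sample resources with their specific problems and omits the fully tagged first one.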
This is based on: