In my previous blog post, "The Importance of a Tagging Policy: Cloud Governance using Policy-as-Code", I discussed the crucial role of tagging policies in cloud resource management and how policy-as-code mechanisms like Open Policy Agent (OPA) can help enforce these policies. Building on that foundation, today we're diving deeper into a proactive approach to tagging: the concept of "shift-left" tagging policies.

The concept of "shift-left" has gained significant traction as of late. This approach advocates for moving operations and quality control earlier in the development lifecycle, as early as the coding phase. Today, we're focusing on how this paradigm can be applied to resource tagging:, a critical aspect of cloud governance that benefits immensely from early implementation.

The Power of Shift-Left Tagging Policies

Traditionally, tagging has been treated as a post-deployment concern. However, this approach often leads to inconsistencies, missing tags, and the accumulation of technical debt. By shifting tagging policies to the left—that is, implementing them during the Infrastructure-as-Code (IaC) phase—we can preemptively address these issues and reap numerous benefits.

Why Implement Tagging Policies in IaC?

  1. Consistency from the Start: When tags are defined in IaC, every deployed resource automatically adheres to your tagging convention.
  2. Reduced Errors: Manual tagging post-deployment is prone to human error. IaC-based tagging eliminates this risk.
  3. Better Compliance: Many organizations have strict tagging requirements for regulatory purposes. IaC ensures compliance from day one.
  4. Improved Cost Management: Accurate tagging from the outset enables more precise cost allocation and FinOps practices.
  5. Enhanced Automation: Well-tagged resources from the start facilitate better automation in areas like scaling, backups, and security policies.

Implementing Shift-Left Tagging with Firefly

While the benefits of shift-left tagging are clear, implementation can be challenging. This is where tools like Terraform for IaC and Firefly for governance come into play.

Terraform: The Foundation of IaC Tagging

Terraform allows you to define tags directly in your infrastructure code. For example:

resource "aws_instance" "example" { ami = "ami-0c55b159cbfafe1f0" instance_type = "t2.micro" tags = { Name = "ExampleInstance" Environment = "Production" Owner = "DevOps" Project = "CloudMigration" } }


This approach ensures that every time this resource is created or updated, it will have the correct tags. Easy, right? Learn more about terraform resource tagging. 

Firefly: Enforcing Tagging Policies in Your CI/CD Pipeline

While Terraform provides the mechanism to define tags, Firefly offers the means to enforce tagging policies during the IaC CI/CD process. Here's how Firefly enhances your shift-left tagging strategy:

  1. Workflow Integration: Firefly integrates seamlessly into your existing CI/CD pipelines (like GitHub Actions or Jenkins), becoming an integral part of your IaC provisioning process.
  2. Policy Violation Checks: Before resources are provisioned, Firefly checks your IaC code against predefined tagging policies. This ensures that all resources have the required tags before they're deployed.
  3. Tagging Coverage Insights: Firefly provides detailed insights into your tagging coverage for each build. This allows you to track improvements over time and identify areas that need attention.
  4. Customizable Enforcement: You have full control over how strictly you enforce tagging policies. Firefly can be configured to simply notify you of policy violations via Slack or to block the IaC apply phase entirely, preventing non-compliant resources from being deployed to the cloud.
  5. Automated Remediation: One of Firefly's standout features is its ability to not just identify missing tags, but to help you fix them. When a missing tag is detected, Firefly can highlight the exact location in your Terraform code where the tag should be added. Further more, it can automatically generate a Pull Request with the necessary changes, streamlining the remediation process.

The Importance of Build-Time Tag Verification

While post-deployment tag verification has its place, build-time verification offers several key advantages:

  1. Prevent Non-Compliant Resources: By catching tagging issues before deployment, you ensure that non-compliant resources never make it to your cloud environment.
  2. Reduce Technical Debt: Addressing tagging issues immediately prevents the accumulation of untagged or incorrectly tagged resources, which can be time-consuming to fix later.
  3. Educate Developers: Immediate feedback on tagging helps developers learn and internalize proper tagging practices more quickly.
  4. Support FinOps and CMDB Systems: Proper tagging from the start ensures that your financial operations and Configuration Management Database systems have accurate data from the moment resources are deployed.


Getting Started: Implementing Shift-Left Tagging with Firefly

Shift-left tagging policies, implemented through IaC tools like Terraform and enforced by platforms like Firefly, offer a proactive approach to cloud governance. By addressing tagging at the earliest stages of the development process, organizations can ensure consistency, improve compliance, and set the stage for better cost management and automation.

Firefly's workflows capability, coupled with its unique remediation, makes it an invaluable tool in implementing and maintaining a robust shift-left tagging strategy. By providing immediate feedback, automated fixes, and the ability to block non-compliant deployments, Firefly helps organizations maintain clean, well-tagged cloud environments from day one.

Remember, in the chaotic world of cloud infrastructure, great governance starts with proper tagging. And proper tagging starts at the very beginning of your development process.

‍