Introduction to tag policies
Abiquo 6.0 introduces tag policies to allow or deny the creation of valid resources with (or without) the defined tags.
Abiquo does not enforce tag policies on resources, instead it creates a report of invalid resources for the administrator to manage.
Abiquo tag policies apply to both Abiquo local multicloud tags and their corresponding tags in supported cloud providers.
To work with tag policies, the user will need the additional privileges to:
Access tag policies view
Manage tag policies
The administrator can manage tag policies in the Control view in the Tag management section, on the Tag policies tab.
The Tag management → Entities tab from previous versions is now the Search tab.
Create a tag policy
When you create a tag policy, the Name is also the Key of the tags that the policy describes.
You can only use lowercase letters in the name and you will also need to comply with all the tagging rules of your cloud providers.
You will need to specify the action of the tag policy, which is to Allow or Deny the creation of tags and values.
Example: Tag deny policy
The tag policy can specify Key formats and Values, to allow or deny the creation of valid resources with these tag formats and values.
For polices that Allow tag formats and values, you can also define the resource types that users must tag (Required resources).
Tag policy attributes table
Field | Description |
---|---|
Name | Text of the tags that the policy describes. You can only use lowercase letters. You must comply with the tag naming rules of your cloud providers |
Description | A description of the tag policy |
Action | Allow or deny the creation of tags and/or values. Child policies cannot change this action |
Tag key formats | Select if the tag policy applies to all formats (case insensitive) or the formats specified as Key formats |
Key formats | A list of valid formats of the tag key (Name), for example, using upper-case letters |
Allowed child policy | Optionally, in tag policies with child scopes, select if users can modify the tag policy: Append or Remove tag formats from the list. |
Tag values | Select if tag policy applies to all values or specific values |
Values | A list of other valid values of the tag. To specify an empty value, do not enter any text and click Add |
Allowed child policy | Optionally, in tag policies with child scopes, select if users can modify the tag policy: Append or Remove values from the list. |
Required resources | For tag policies that allow the creation of tags and/or values, you can define a list of resource types that must have tags. |
Allow these child policy | Optionally, in tag policies with child scopes, select if users can modify the tag policy: Append or Remove required resources from the list. |
Edit a tag policy
When you edit a tag policy, you cannot change the Name or the action (Allow or Deny).
Define tag policies for a tenant hierarchy
When you are working with a tenant hierarchy, you can define a tag policy at the reseller or key node level and it will apply to tenants at lower levels of the hierarchy. A copy of this tag policy in tenants below your tenant is called a child tag policy. You can allow administrators to modify a child tag policy, to append or remove definitions of key formats or values. This is called the tag policy override functionality.
Override parent tag policies
To override a tag policy in a child tenant, administrators select it and click the clone Override button at the bottom of the screen. They can then edit the policy and make the changes as allowed by previous administrators. For example, they may be able to append new allowed tag values. They can also define the changes that administrators in tenants below their tenant can make.
Display tag policies
On the Tag policies tab administrators can filter by whether the tag policy belongs to the current tenant (Own), belongs to a tenant above their tenant (Overridable), or a child tenant (Overridden).
Display a compliance report for resource tags
After you create a tag policy, you can check tag compliance on the Compliance report tab. The platform automatically generates the report once a day. You can filter the Compliance report by the State of the resource (invalid or valid) and search for text in any of the resource attribute columns (e.g. Resource name, Provider type). To sort the Compliance report by the data in a column, click on the column header.For all resources, the Compliance report displays the following compliance details:
Resource compliance State (which means its status), which is Valid or Invalid
Tags and values
Keys with no compliant values
Missing required keys
Non-compliant values
You can select a resource to display details of its Compliance errors.
You can also obtain the Compliance report using the Abiquo API.
After you have made changes to your tags and resources, to update the Compliance report, click the refresh button at the bottom of the screen.
For examples, see Tag policy examples