Manage tag policies and compliance

Owned by MS (Unlicensed)
Feb 04, 2024
5 min read

Introduction to tag policies

Abiquo 6.0 introduces tag policies to allow or deny the creation of valid resources with (or without) the defined tags.
Abiquo does not enforce tag policies on resources, instead it creates a report of invalid resources for the administrator to manage.
Abiquo tag policies apply to both Abiquo local multicloud tags and their corresponding tags in supported cloud providers.

To work with tag policies, the user will need the additional privileges to:

  • Access tag policies view

  • Manage tag policies

The administrator can manage tag policies in the Control view in the Tag management section, on the Tag policies tab.

The Tag management → Entities tab from previous versions is now the Search tab.

Tag policies in control view
Tag policies in control view

Create a tag policy

When you create a tag policy, the Name is also the Key of the tags that the policy describes.
You can only use lowercase letters in the name and you will also need to comply with all the tagging rules of your cloud providers.
You will need to specify the action of the tag policy, which is to Allow or Deny the creation of tags and values.

Example: Tag deny policy

Create a tag policy to deny use of a tag
Create a tag policy to deny use of a tag

The tag policy can specify Key formats and Values, to allow or deny the creation of valid resources with these tag formats and values.

For polices that Allow tag formats and values, you can also define the resource types that users must tag (Required resources).

Tag policy attributes table

Field

Description

Field

Description

Name

Text of the tags that the policy describes. You can only use lowercase letters. You must comply with the tag naming rules of your cloud providers

Description

A description of the tag policy

Action

Allow or deny the creation of tags and/or values. Child policies cannot change this action

Tag key formats

Select if the tag policy applies to all formats (case insensitive) or the formats specified as Key formats

Key formats

A list of valid formats of the tag key (Name), for example, using upper-case letters

Allowed child policy
key format operations

Optionally, in tag policies with child scopes, select if users can modify the tag policy: Append or Remove tag formats from the list.
Users cannot extend the allowed operations, they can maintain the same list or limit it.

Tag values

Select if tag policy applies to all values or specific values

Values

A list of other valid values of the tag. To specify an empty value, do not enter any text and click Add

Allowed child policy
value operations

Optionally, in tag policies with child scopes, select if users can modify the tag policy: Append or Remove values from the list.
Users cannot extend the allowed operations, they can maintain the same list or limit it.

Required resources

For tag policies that allow the creation of tags and/or values, you can define a list of resource types that must have tags.

Allow these child policy
required resource
operations

Optionally, in tag policies with child scopes, select if users can modify the tag policy: Append or Remove required resources from the list.
Users cannot extend the allowed operations, they can maintain the same list or limit it.

Edit a tag policy

When you edit a tag policy, you cannot change the Name or the action (Allow or Deny).

Define tag policies for a tenant hierarchy

When you are working with a tenant hierarchy, you can define a tag policy at the reseller or key node level and it will apply to tenants at lower levels of the hierarchy. A copy of this tag policy in tenants below your tenant is called a child tag policy. You can allow administrators to modify a child tag policy, to append or remove definitions of key formats or values. This is called the tag policy override functionality.

Override parent tag policies

To override a tag policy in a child tenant, administrators select it and click the clone Override button at the bottom of the screen. They can then edit the policy and make the changes as allowed by previous administrators. For example, they may be able to append new allowed tag values. They can also define the changes that administrators in tenants below their tenant can make.

Display tag policies

On the Tag policies tab administrators can filter by whether the tag policy belongs to the current tenant (Own), belongs to a tenant above their tenant (Overridable), or a child tenant (Overridden).

Display a compliance report for resource tags

After you create a tag policy, you can check tag compliance on the Compliance report tab. The platform automatically generates the report once a day. After you have made changes to your tags and resources, to update the Compliance report, click the refresh button at the bottom of the screen.

You can filter the Compliance report by the State of the resource (invalid or valid) and search for text in any of the resource attribute columns (e.g. Resource name, Provider type). To sort the Compliance report by the data in a column, click on the column header.   

For all resources, the Compliance report displays the following compliance details:

  • Resource compliance State (which means its status), which is Valid or Invalid 

  • Tags and values

  • Keys with no compliant values

  • Missing required keys

  • Non-compliant values

You can select a resource to display details of its Compliance errors.

You can also obtain the Compliance report using the Abiquo API.

 

For examples, see Tag policy examples

Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved