FinOps & DevOps: Tagging with Terraform
We frequently engage with FinOps teams discussing the tagging requirements essential for successful FinOps implementation. A prevalent issue that arises involves the friction between the DevOps and FinOps teams when each has its own tagging necessities.
The FinOps team seeks to incorporate tags for efficient cost management and allocation, while the DevOps team aims to restrict who can change these tags. Additionally, the DevOps team's infrastructure-as-code (IaC) solutions may overwrite the tags.
This friction complicates the objectives for both teams, making collaboration challenging.
In this article, we will explore strategies for addressing this issue, particularly through the use of Terraform in your IaC deployments.
Terraform offers two effective methods to achieve this.
Option 1 – Ignoring Changes
The first option is straightforward but requires some effort to implement. In Terraform, you can manage a resource’s lifecycle and specify tags to ignore. The image below illustrates how to set up this feature to ignore changes made to the Finops-Team tag.
Whenever you run your Terraform deployment, it will ignore any changes to the Finops-Team tag, so additions or modifications made by the FinOps team remain intact.
While this allows the FinOps team to maintain their tags, it does introduce some overhead for the DevOps team. The DevOps team must modify every Terraform resource definition to include the tag exemption. Furthermore, if the FinOps team introduces new tags, those must also be added to each resource manually.
Though this method can work, it may become cumbersome for the Terraform developers. A potential issue arises when the FinOps team adds a new tag and fails to inform the DevOps engineer, leading to Terraform overwriting the new addition, as shown in the following image.
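The lifecycle setting described under Option 1, written out as an added example (not the article's own code). It assumes the azurerm provider; the storage account name, location and tag values are constructed for illustration.

```hcl
# Added example. Assumes the azurerm provider; names and values are constructed.
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "demo" {
  name     = "Demo_IaC_Tags"
  location = "westeurope" # constructed value
}

resource "azurerm_storage_account" "demo" {
  name                     = "stdemoiactags001" # hypothetical name
  resource_group_name      = azurerm_resource_group.demo.name
  location                 = azurerm_resource_group.demo.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Tags owned by Terraform (the DevOps team).
  tags = {
    CreatedBy   = "Terraform"
    Environment = "Demo"
  }

  lifecycle {
    # Terraform still manages CreatedBy and Environment, but it no longer
    # plans a change when this one key is added or edited outside Terraform.
    ignore_changes = [
      tags["Finops-Team"],
    ]
    # Any key not listed here (for example a FinOps-Department tag added
    # later) still shows up as a diff and is removed on the next apply.
  }
}
```

Because the exemption is per resource and per key, the same `lifecycle` block has to be repeated in every resource definition and extended whenever a new FinOps tag is introduced.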
Option 2 – Backing Up and Restoring Tags
Building on a similar approach discussed in my previous article about Bicep, we can adopt a parallel strategy with Terraform. Here, we would back up the specific tag values before executing Terraform and then restore them afterward.
This process aligns well with a DevOps pipeline and consists of several straightforward steps:
Step-by-Step Guide
Initially, your resources will look as shown below, carrying the tags applied by Terraform, such as CreatedBy and Environment.
The FinOps team may add extra tags such as:
- FinOps-Department
- FinOps-Team
Backing Up Tags
Prior to executing terraform apply, the DevOps team should run a PowerShell script to back up any FinOps-related tags. The command is as follows:
.\Deploy-TerraformWithTagPreservation.ps1 -ResourceGroupName "Demo_IaC_Tags" -TagPrefixesToPreserve @("FinOps")
This command will store all tags beginning with the prefix FinOps in a file. Note that the file path and other options like filtering can be specified in the parameters.
The script will yield an output showcasing the backed-up tags for resources within the specified resource group.
Running Terraform
Next, execute the following commands:
- terraform plan
- terraform apply
This will carry out the deployment and refresh your resources. However, some FinOps tags may have been removed in the process, prompting the need for restoration.
Restoring Backed Up Tags
To restore the backed-up tags, run the subsequent command:
.\Deploy-TerraformWithTagPreservation.ps1 -ResourceGroupName "Demo_IaC_Tags" -RestoreTags
This command will reference the previously saved file to restore the appropriate tags on the specified resources.
The output will indicate that the two tags have been restored on a storage resource, while the other resource has remained unchanged during this operation.
Conclusion
I hope this article proves insightful and assists in alleviating some of the friction points between FinOps and DevOps teams.
You can find the script used in this process on GitHub at the link below. I trust it will assist you in implementing a similar workflow within your DevOps practices.