Audit tagging of Moped resources in AWS

[mddilley]

Frank identified an opportunity to organize our AWS resources better with tags. We have implemented tags on resources in the past, but we could do a quick audit to see if we have consistent tag names and values. This will not only help us identify resources more easily, but it opens the door to organize them using AWS myApplications which supports importing by tag. This tool could help our cost, performance, and security monitoring on an app level.

In Scope

• Check tags of:
  • ECS clusters
  • Zappa resources created through CloudFormation:
    • Lambda
    • API Gateway
  • RDS instance
  • Cognito user pools
  • DynamoDB tables
  • Others
• Test importing all these by tag into myApplications
• Evaluate this as a way to check on app health & spend as part of release checklist
• Use project = atd-moped to start with for tag import and naming

Out of scope

• Coming up with a tag naming convention that fits all apps

Comments

• Do tags stick between re-deployments done by Zappa? This is small concern since we are planning to roll this into an ECS deployment like the VZ work in progress. If not, can they be set in the deployment config?
• Look out for crossover with https://github.com/cityofaustin/atd-data-tech/issues/18168?

[mddilley]

@frankhereford Here is the tagging issue!

[mddilley]

I checked all resources that I could find, and I tagged the CloudFront distributions and S3 buckets associated with Moped. There were a few other resources that I tagged but most were covered already.

I'm creating a new IAM role that gives myApplications to tag/un-tag the resources as required through the tag import workflow. I'm following this doc that the console suggested. Here is the role.

Worth noting even though our Zappa-created CloudFormation stacks do not have the project:atd-moped tag that I'm targeting:

If any CloudFormation stack has the tag key-value pair you specified, applying the awsApplication tag to the stack will trigger a stack update operation.

[mddilley]

Here is the myApplications dashboard with the new Moped app. The tag-sync worked with some errors. The tag-sync works by taking any resources with a given tag and applying a new myApplications tag. It then tracks resources with the myApplications tag.

Right off the bat, I noticed that it isn't successfully showing the cost of resources. I'm not sure if this is a permissions issue with my AWS account or if this tool isn't intended to show historical data. It could also be due to the newly-applied tag not having historical data. I'll follow up with Frank to see if I have full permissions to see all billing info.

[mddilley]

Update on the ECS cost tracking in this thread