WAF Optimize systems - Manage cloud costs and Tag cloud resources (#1203)

Please go to the `Preview` tab and select the appropriate template:


/well-architected-framework/optimize-systems/lifecycle-management/tag-cloud-resources

/well-architected-framework/optimize-systems/manage-cost/create-cloud-budgets

Author: cjobermaier

content/well-architected-framework/data/docs-nav-data.json

@@ -462,6 +462,19 @@
           {
             "title": "Decommission resources",
             "path": "optimize-systems/lifecycle-management/decommission-infrastructure"
+          },
+          {
+            "title": "Tag cloud resources",
+            "path": "optimize-systems/lifecycle-management/tag-cloud-resources"
+          }
+        ]
+      },
+      {
+        "title": "Manage cost",
+        "routes": [
+          {
+            "title": "Create cloud budgets",
+            "path": "optimize-systems/manage-cost/create-cloud-budgets"
           }
         ]
       },

content/well-architected-framework/docs/docs/optimize-systems/lifecycle-management/tag-cloud-resources.mdx

@@ -0,0 +1,162 @@
+---
+page_title: Tag cloud resources
+description: Implement cloud resource tagging best practices with Terraform for AWS, Azure, and GCP. Learn to automate tags, enforce policies, and optimize cost allocation using infrastructure as code.
+---
+
+# Tag cloud resources
+
+Managing thousands of cloud resources across regions, environments, and teams is complex. Tags are key-value pairs that help you manage, identify, organize, locate, and filter resources. It is important to have a clear, well-defined cloud resource tagging strategy. You can also use tags to track cost allocation and usage, and automate resource management tasks.
+
+[AWS](https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/tagging-best-practices.html), [Azure](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-tagging), and [IBM](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-shared-tagging-resources) maintain best practices and strategies for tagging your cloud resources. Follow these best practices when creating your tagging strategy. You can apply these concepts to other infrastructure providers.
+
+You can implement your tagging strategy using infrastructure as code (IaC) and enforce compliance with policy as code to prevent deploying resources that don't meet your tagging requirements.
+
+When you implement a tagging strategy, you gain the following benefits:
+
+- **Easier resource tracking:** Find resources by environment, owner, or other custom tag. For example, quickly find all servers in the 'dev' environment.
+- **Granular cost allocation:** Track costs by project, team, or application.
+- **Tag-based resource automation:** Automate resource management tasks based on tags, such as starting or stopping instances.
+- **Default resource compliance:** Enforce tagging policies to ensure all resources are tagged correctly.
+
+## Deploy tags using infrastructure as code
+
+Consistent implementation of your tagging strategy helps you track infrastructure costs, manage resources, and ensure compliance. When you use an inconsistent tagging strategy, such as manual tagging, you may end up with resources with incorrect or missing tags.
+
+When you manage your infrastructure with Terraform, you can define tags within your configuration. Terraform will automatically apply these tags to all resources it creates.
+
+The following creates an AWS EC2 instance and adds several tags to the resource:
+
+```hcl
+resource "aws_instance" "web_server" {
+  ami           = "ami-0c55b159cbfafe1f0"
+  instance_type = "t3.micro"
+  
+  tags = {
+    Name        = "web-server-prod"
+    Environment = "production"
+    Owner       = "platform-team"
+    CostCenter  = "engineering"
+    Application = "website"
+  }
+}
+
+```
+
+The AWS and GCP Terraform providers let you add default tags to all resources they create, making it easier to implement a consistent tagging strategy across the resources you manage with Terraform. Default tags ensure that all resources have the minimum required tags but you can override these default tags on a per-resource basis.
+
+The following is an example using default tags:
+
+```hcl
+
+provider "aws" {
+  profile = "default"
+  region  = "us-east-2"
+
+  default_tags {
+    tags = {
+      Environment     = "Test"
+      Service         = "Payment API"
+    }
+  }
+}
+```
+
+HashiCorp resources:
+
+- AWS provider [resource tagging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/resource-tagging)
+- [AWS default tags](/terraform/tutorials/aws/aws-default-tags)
+- [GCP default tags](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#default_labels-1)
+- Learn how to [configure default tags for AWS resources](/terraform/tutorials/aws/aws-default-tags)
+
+## Enforce tagging strategy
+
+Once you define and implement your tagging strategy using infrastructure as code, you can enforce it to prevent the deployment of resources that do not comply. 
+
+### Use the Terraform validation block
+
+You can use the [Terraform validation block](/terraform/language/values/variables#validation) to enforce tagging policies. The validation block allows you to define custom validation rules for input variables. You can use the validation block to ensure that the resources you tag follow your tagging strategy.
+
+The following is an example of a Terraform validation block that ensures the `environment` tag is set to either `dev`, `staging`, or `prod`:
+
+```hcl
+variable "environment" {
+  type        = string
+  description = "Environment name for resource tagging"
+  
+  validation {
+    condition     = contains(["dev", "staging", "prod"], var.environment)
+    error_message = "Environment must be one of: dev, staging, prod."
+  }
+}
+```
+
+If you create a resource with an invalid `environment` tag, Terraform returns an error and prevents the deployment.
+
+The following tag passes the validation:
+
+```hcl
+environment = "prod"
+```
+
+The following tag fails the validation due to not meeting the condition of being `dev`, `staging`, or `prod`:
+
+```hcl
+environment = "testing"
+```
+
+### Use policy as code
+
+For more advanced enforcement of your tagging strategy, you can use policy as code tools such as HashiCorp Sentinel or the Open Policy Agent (OPA) to create policies that enforce tagging rules. You can integrate these policies into your CI/CD pipelines or with HCP Terraform to ensure that all resources comply with your tagging strategy before deployment.
+
+The following is an example of a [`Pass` or `Fail` Sentinel policy](/terraform/tutorials/policy/sentinel-policy#review-your-policy) that ensures that all AWS EC2 instances have a `Name` tag:
+
+```script
+import "tfplan/v2" as tfplan
+
+# Get all AWS instances from all modules
+ec2_instances = filter tfplan.resource_changes as _, rc {
+    rc.type is "aws_instance" and
+        (rc.change.actions contains "create" or rc.change.actions is ["update"])
+}
+
+# Mandatory Instance Tags
+mandatory_tags = [
+    "Name",
+]
+
+# Rule to enforce "Name" tag on all instances
+mandatory_instance_tags = rule {
+    all ec2_instances as _, instance {
+        all mandatory_tags as mt {
+            instance.change.after.tags contains mt
+        }
+    }
+}
+
+main = rule {
+    mandatory_instance_tags else true
+}
+```
+
+You can write similar policies with OPA and HCP Terraform. Refer to the following resources for more information.
+
+HashiCorp resources:
+
+- Read about the [Terraform validation block](/terraform/language/values/variables#validation)
+- Write a [Sentinel policy for a Terraform deployment](/terraform/tutorials/policy/sentinel-policy) to ensure that the EC2 instance has a `Name` tag.
+- Learn how to [define Open Policy Agent policies for HCP Terraform](/terraform/enterprise/policy-enforcement/define-policies/opa)
+- [HCP Terraform policy enforcement overview](/terraform/enterprise/policy-enforcement)
+- [Get started with Sentinel](/sentinel/tutorials/get-started)
+
+External resources:
+
+- Use [OPA to write policies](https://www.openpolicyagent.org/docs/terraform) ensuring all resources have tags before you create them.
+
+## Next steps
+
+In this section of Manage cost, you learned how to tag resources using infrastructure as code and enforce tagging policies. Tag resources is part of the Optimize systems pillar.
+
+To learn more about how to manage our resources, visit the following resources:
+
+- [Implement data management policies](/well-architected-framework/optimize-systems/lifecycle-management/data-management)
+- [Decommission resources](/well-architected-framework/optimize-systems/lifecycle-management/decommission-infrastructure)

content/well-architected-framework/docs/docs/optimize-systems/manage-cost/create-cloud-budgets.mdx

@@ -0,0 +1,155 @@
+---
+page_title: Create cloud budgets
+description: Create cloud budgets and spending alerts using Terraform for AWS, Azure, and GCP. Implement cost monitoring, anomaly detection, and automated notifications with infrastructure as code.
+---
+
+# Create cloud budgets
+
+Cloud spending can quickly get out of control without proper oversight and management. According to the [2023 HashiCorp State of Cloud Strategy Survey](https://www.hashicorp.com/en/blog/hashicorp-state-of-cloud-strategy-survey-2023-maturity-drives-operational-efficiency), 94% of respondents experienced avoidable cloud costs. Proactive budget creation, automated alerts, and anomaly detection give you the visibility and control you need to maintain predictable spending and prevent cost overruns before they occur.
+
+Implementing a budget provides you with the following benefits:
+
+- **Visibility into cloud spending:** Understand where your money is going.
+- **Proactive cost management:** Take action before costs exceed budgets.
+- **Notification of spending anomalies:** Get alerts when spending patterns change.
+- **Ability to improve financial planning and forecasting:** Use historical data to make informed budget decisions.
+
+<Note>
+
+The Terraform example in this document uses the `tags` block. Refer to the [Tag cloud resources](/well-architected-framework/optimize-systems/lifecycle-management/tag-cloud-resources) document to learn about implementing a tagging strategy.
+
+</Note>
+
+## Create spending limits and notifications
+
+Most major cloud providers offer native tools to create budgets. These native tools allow you to set budget thresholds, monitor spending, and receive alerts when spending approaches or exceeds defined limits. 
+
+You can use Terraform to define and manage cloud budgets across your organization. You can create Terraform modules to create budgets for different teams, projects, or environments. These modules can automatically apply appropriate budget thresholds, alerting mechanisms, and spending limits to new or existing cloud resources.
+
+If you're tracking resources by tags, it is important to have a well-defined tagging strategy to ensure budgets are applied correctly. Terraform can help you enforce tagging policies and ensure that all resources are tagged consistently. Creating infrastructure manually can lead to incorrect or missing tags on resources and result in inaccurate budget tracking.
+
+The following is an example of a Terraform configuration that creates an AWS EC2 budget. This budget tracks EC2 instance costs and sends an alert to test@example.com when the forecasted cost exceeds 100% of the budget. You can set similar budgets and alerts for other cloud providers, such as Azure and GCP.
+
+```hcl
+resource "aws_budgets_budget" "ec2" {
+  name              = "budget-ec2-monthly"
+  budget_type       = "COST"
+  limit_amount      = "1200"
+  limit_unit        = "USD"
+  time_period_end   = "2087-06-15_00:00"
+  time_period_start = "2017-07-01_00:00"
+  time_unit         = "MONTHLY"
+
+  cost_filter {
+    name = "Service"
+    values = [
+      "Amazon Elastic Compute Cloud - Compute",
+    ]
+  }
+
+  notification {
+    comparison_operator        = "GREATER_THAN"
+    threshold                  = 100
+    threshold_type             = "PERCENTAGE"
+    notification_type          = "FORECASTED"
+    subscriber_email_addresses = ["test@example.com"]
+  }
+
+  tags = {
+    Environment = "production"
+    Team        = "engineering"
+    ManagedBy   = "terraform"
+  }
+}
+```
+
+Some of the key components in the previous example include:
+
+- **limit_amount:** Defines the monthly spend limit.
+- **notification:** Defines the notification criteria, including the recipient email.
+- **tags:** Applies tags to the budget resource, not the EC2 instance. Tags allow you to filter and organize budgets in the billing console.
+
+For AWS environments, you can use the `aws_budgets_budget` resource to create budgets that track spending by service, linked account, tag, or other dimensions. You can specify the budget amount, time period, and notification thresholds. 
+
+For Azure environments, the `azurerm_consumption_budget_subscription` resource lets you create subscription-level budgets with similar notification capabilities. You can define multiple notification rules that trigger at different spending thresholds.
+
+For Google Cloud Platform, the `google_billing_budget` resource operates at the billing account level, and you can filter by project, service, or label. GCP budgets support both actual and forecasted spending alerts.
+
+HashiCorp resources:
+
+- Learn how to [Tag cloud resources](/well-architected-framework/optimize-systems/lifecycle-management/tag-cloud-resources)
+- Terraform resource: [aws_budgets_budget](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/budgets_budget)
+- Terraform resource: [azurerm_consumption_budget_subscription](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/consumption_budget_subscription)
+- Terraform resource: [google_billing_budget](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/billing_budget)
+
+External resources:
+
+- AWS Budgets: [Getting started with AWS Budgets](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-managing-costs.html)
+- Azure Cost Management and Billing: [Create and manage budgets](https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets)
+- Google Cloud Budgets and alerts: [Creating budgets](https://cloud.google.com/billing/docs/how-to/budgets)
+
+## Detect spending anomalies
+
+Anomaly detection identifies unusual spending patterns rather than absolute thresholds. For example, if your monthly EC2 spending suddenly doubles from $2,000 to $4,000 but remains under your $5,000 budget, a budget alert would not trigger. However, anomaly detection would flag this unusual increase for investigation. Anomaly detection helps you catch issues like misconfigured autoscaling, forgotten resources, or unauthorized usage before they significantly impact costs.
+
+Most cloud providers offer machine learning-based anomaly detection that learns your normal usage patterns and alerts you when spending deviates from the baseline. You can configure anomaly detection with AWS Cost Anomaly Detection and Azure Cost Management using Terraform.
+
+The following is an example Terraform configuration that sets up cost anomaly detection with email alerts in AWS. This cost anomaly detection will detect the previous EC2 scenario.
+
+```hcl
+resource "aws_ce_anomaly_monitor" "test" {
+  name              = "AWSServiceMonitor"
+  monitor_type      = "DIMENSIONAL"
+  monitor_dimension = "SERVICE"
+}
+
+resource "aws_ce_anomaly_subscription" "test" {
+  name      = "DAILYSUBSCRIPTION"
+  frequency = "DAILY"
+
+  monitor_arn_list = [
+    aws_ce_anomaly_monitor.test.arn
+  ]
+
+  subscriber {
+    type    = "EMAIL"
+    address = "abc@example.com"
+  }
+
+  threshold_expression {
+    dimension {
+      key           = "ANOMALY_TOTAL_IMPACT_ABSOLUTE"
+      match_options = ["GREATER_THAN_OR_EQUAL"]
+      values        = ["100"]
+    }
+  }
+}
+```
+
+Some of the key components in the previous example include:
+
+- **aws_ce_anomaly_monitor:** Tracks spending patterns across all AWS services including EC2, S3, and Lambda.
+- **frequency = "DAILY":** Sends a daily summary of detected anomalies.
+- **threshold_expression:** Alerts when the anomaly's financial impact meets or exceeds $100.
+
+HashiCorp resources:
+
+- Terraform resource: [aws_ce_anomaly_subscription](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ce_anomaly_subscription)
+- Terraform resource: [azurerm_cost_anomaly_alert](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cost_anomaly_alert)
+
+External resources:
+
+- [AWS getting started with AWS Cost Anomaly Detection](https://docs.aws.amazon.com/cost-anomaly/latest/userguide/what-is-cost-anomaly.html)
+- [Azure identify anomalies and unexpected changes in cost](https://learn.microsoft.com/en-us/azure/cost-management-billing/understand/analyze-unexpected-charges)
+- [Google cloud anomaly detection overview](https://cloud.google.com/bigquery/docs/anomaly-detection-overview)
+
+## Next steps
+
+In this section of Manage cost, you learned about creating budgets and alerts to manage and control cloud spending, including creating spending limits with cloud provider budgets and detecting spending anomalies automatically. Create cloud budgets is part of the [Optimize systems](/well-architected-framework/optimize-systems).
+
+To learn more about managing resources with Terraform, view the following resources:
+
+- [Create reusable infrastructure modules](/well-architected-framework/define-and-automate-processes/define/modules)
+- [Implement CI/CD](/well-architected-framework/define-and-automate-processes/automate/cicd)
+- [Reduce costs with Terraform Cloud ephemeral workspaces](https://www.youtube.com/watch?v=-woCmG8yGdA)
+- [Tag cloud resources](/well-architected-framework/optimize-systems/lifecycle-management/tag-cloud-resources)