build preview

cjobermaier · cjobermaier · commit f04225b07784 · 2025-10-29T15:17:11.000-05:00
diff --git a/content/well-architected-framework/data/docs-nav-data.json b/content/well-architected-framework/data/docs-nav-data.json
@@ -425,6 +425,19 @@
           {
             "title": "Decommission resources",
             "path": "optimize-systems/lifecycle-management/decommission-infrastructure"
+          },
+          {
+            "title": "Tag cloud resources",
+            "path": "optimize-systems/lifecycle-management/tag-cloud-resources"
+          }
+        ]
+      },
+      {
+        "title": "Manage cost",
+        "routes": [
+          {
+            "title": "Create cloud budgets",
+            "path": "optimize-systems/manage-cost/create-cloud-budgets"
           }
         ]
       },
diff --git a/content/well-architected-framework/docs/docs/optimize-systems/lifecycle-management/tag-cloud-resources.mdx b/content/well-architected-framework/docs/docs/optimize-systems/lifecycle-management/tag-cloud-resources.mdx
@@ -0,0 +1,158 @@
+---
+page_title: Tag cloud resources
+description: Implement cloud resource tagging best practices with Terraform for AWS, Azure, and GCP. Learn to automate tags, enforce policies, and optimize cost allocation using infrastructure as code.
+---
+
+# Tag cloud resources
+
+Managing thousands of cloud resources across regions, environments, and teams is complex without a systematic approach. Tags are key-value pairs that help you manage, identify, organize, locate, and filter resources. It is important to have a clear, well-defined cloud resource tagging strategy. You can also use tags to track cost allocation and usage, and automate resource management tasks.
+[AWS](https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/tagging-best-practices.html), [Azure](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-tagging), and [IBM](https://cloud.ibm.com/docs/framework-financial-services?topic=framework-financial-services-shared-tagging-resources) maintain best practices and strategies for tagging your cloud resources. Follow these best practices when creating your tagging strategy. You can apply these concepts to other infrastructure providers.
+
+You can implement your tagging strategy using infrastructure as code (IaC) and enforce compliance with policy as code, preventing the deployment of resources that don't meet your tagging requirements.
+
+When you implement a tagging strategy, you gain the following benefits:
+- **Easier resource tracking:** Find resources by environment, owner, or other custom tag. For example, quickly find all servers in the 'dev' environment.
+- **Granular cost allocation:** Track costs by project, team, or application.
+- **Tag-based resource automation:** Automate resource management tasks based on tags, such as starting or stopping instances.
+- **Default resource compliance:** Enforce tagging policies to ensure all resources are tagged correctly.
+
+## Deploy tags using infrastructure as code
+
+Consistent implementation of your tagging strategy helps you track infrastructure costs, manage resources, and ensure compliance. When you use an inconsistent tagging strategy, such as manual tagging, you may end up with resources with incorrect or missing tags.
+
+When you manage your infrastructure with Terraform, you can define tags within your modules. Terraform will automatically apply these tags to all resources it creates.
+
+The following is an example of tags defined in a Terraform module:
+
+```hcl
+resource "aws_instance" "web_server" {
+  ami           = "ami-0c55b159cbfafe1f0"
+  instance_type = "t3.micro"
+  
+  tags = {
+    Name        = "web-server-prod"
+    Environment = "production"
+    Owner       = "platform-team"
+    CostCenter  = "engineering"
+    Application = "website"
+  }
+}
+
+```
+
+The AWS and GCP Terraform providers let you add default tags to all resources they create, making it easier to implement a consistent tagging strategy across all the resources you manage with Terraform. You can then override these default tags on a per-resource basis. Default tags ensure that all resources have the minimum required tags.
+
+The following is an example of default tags:
+
+```hcl
+
+provider "aws" {
+  profile = "default"
+  region  = "us-east-2"
+
+  default_tags {
+    tags = {
+      Environment     = "Test"
+      Service         = "Payment API"
+    }
+  }
+}
+```
+
+HashiCorp resources:
+
+- AWS provider [resource tagging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/resource-tagging)
+- [AWS default tags](https://developer.hashicorp.com/terraform/tutorials/aws/aws-default-tags)
+- [GCP default tags](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#default_labels-1)
+- Learn how to [configure default tags for AWS resources](/terraform/tutorials/aws/aws-default-tags)
+
+## Enforce tagging strategy
+
+Once you define and implement your tagging strategy using infrastructure as code, you can enforce it to prevent the deployment of resources that do not comply. 
+
+### Use the Terraform validation block
+
+You can use the [Terraform validation block](/terraform/language/values/variables#validation) to enforce tagging policies. The validation block allows you to define custom validation rules for input variables. You can use this feature to ensure that the resources you tag follow your tagging strategy.
+
+The following is an example of a Terraform validation block that ensures the `environment` tag is set to either `dev`, `staging`, or `prod`:
+
+```hcl
+variable "environment" {
+  type        = string
+  description = "Environment name for resource tagging"
+  
+  validation {
+    condition     = contains(["dev", "staging", "prod"], var.environment)
+    error_message = "Environment must be one of: dev, staging, prod."
+  }
+}
+```
+
+If you create a resource with an invalid `environment` tag, Terraform returns an error and prevents the deployment.
+
+The following tag passes the validation:
+
+```hcl
+environment = "prod"
+```
+
+The following tag fails the validation due to not meeting the condition of being `dev`, `staging`, or `prod`:
+
+```hcl
+environment = "testing"
+```
+
+### Use policy as code
+
+For more advanced enforcement of your tagging strategy, you can use policy as code tools such as HashiCorp Sentinel or the Open Policy Agent (OPA) to create policies that enforce tagging rules. You can integrate these policies into your CI/CD pipelines to ensure that all resources comply with your tagging strategy before deployment.
+
+The following is an example of a [`Pass` or `Fail` Sentinel policy](/terraform/tutorials/policy/sentinel-policy#review-your-policy) that ensures that all AWS EC2 instances have a `Name` tag:
+
+```script
+import "tfplan/v2" as tfplan
+
+# Get all AWS instances from all modules
+ec2_instances = filter tfplan.resource_changes as _, rc {
+    rc.type is "aws_instance" and
+        (rc.change.actions contains "create" or rc.change.actions is ["update"])
+}
+
+# Mandatory Instance Tags
+mandatory_tags = [
+    "Name",
+]
+
+# Rule to enforce "Name" tag on all instances
+mandatory_instance_tags = rule {
+    all ec2_instances as _, instance {
+        all mandatory_tags as mt {
+            instance.change.after.tags contains mt
+        }
+    }
+}
+
+main = rule {
+    mandatory_instance_tags else true
+}
+```
+
+You can write similar policies with OPA and HCP Terraform. Refer to the following external resources for more information.
+
+HashiCorp resources:
+
+- Read about the [Terraform validation block](/terraform/language/values/variables#validation)
+- Write a [Sentinel policy for a Terraform deployment](/terraform/tutorials/policy/sentinel-policy) to ensure that the EC2 instance has a `Name` tag.
+- [Get started with Sentinel](/sentinel/tutorials/get-started)
+- Learn how to [define Open Policy Agent policies for HCP Terraform](/terraform/enterprise/policy-enforcement/define-policies/opa)
+- [HCP Terraform policy enforcement overview](/terraform/enterprise/policy-enforcement)
+
+External resources:
+- Use [OPA to write policies](https://www.openpolicyagent.org/docs/terraform) ensuring all resources have tags before you create them.
+
+## Next steps
+
+In this section of Manage cost, you learned how to tag resources using infrastructure as code and enforce tagging policies. Tag resources is part of the Optimize systems pillar.
+
+To learn more about how to manage our resources, visit the following resources:
+- [Implement data management policies](/well-architected-framework/optimize-systems/lifecycle-management/data-management)
+- [Decommission resources](/well-architected-framework/optimize-systems/lifecycle-management/decommission-infrastructure)
diff --git a/content/well-architected-framework/docs/docs/optimize-systems/manage-cost/create-cloud-budgets.mdx b/content/well-architected-framework/docs/docs/optimize-systems/manage-cost/create-cloud-budgets.mdx
@@ -0,0 +1,152 @@
+---
+page_title: Create cloud budgets
+description: 
+---
+
+# Create cloud budgets
+
+Cloud spending can quickly get out of control without proper oversight and controls. According to the [2023 HashiCorp State of Cloud Strategy Survey](https://www.hashicorp.com/en/blog/hashicorp-state-of-cloud-strategy-survey-2023-maturity-drives-operational-efficiency), 94% of respondents experienced avoidable cloud costs. Proactive budget creation, automated alerts, and anomaly detection gives you the visibility and control you need to maintain predictable spending and prevent cost overruns before they occur.
+
+Implementing a budget provides you with the following benefits:
+
+- **Visibility into cloud spending:** Understand where your money is going.
+- **Proactive cost management:** Take action before costs exceed budgets.
+- **Notification of spending anomalies:** Get alerts when spending patterns change.
+- **Ability to improve financial planning and forecasting:** Use historical data to make informed budget decisions.
+
+<Note>
+
+The Terraform example in this document has a `tags` block. Refer to the [Tag cloud resources](/well-architected-framework/docs/docs/optimize-systems/lifecycle-management/tag-cloud-resources) document to learn about implementing a tagging strategy.
+
+</Note>
+
+## Create spending limits and notifications
+
+Most major cloud providers offer native tools to create budgets. These tools allow you to set budget thresholds, monitor spending, and receive alerts when spending approaches or exceeds defined limits. 
+
+You can use Terraform to define and manage cloud budgets across your organization. You can create Terraform modules to create budgets for different teams, projects, or environments. These modules can automatically apply appropriate budget thresholds, alerting mechanisms, and spending limits to new or existing cloud resources.
+
+If you're tracking resources by tags, it is important to have a well-defined tagging strategy to ensure budgets are applied correctly. Terraform can help you enforce tagging policies and ensure that all resources are tagged consistently. Creating infrastructure manually can lead to incorrect or missed tags on resources, resulting in inaccurate budget tracking.
+
+The following is an example of a Terraform configuration that creates an AWS EC2 budget. This budget tracks EC2 instance costs and sends an alert to test@example.com when the forecasted cost exceeds 100% of the budget. You can set similar budgets and alerts for other cloud providers, such as Azure and GCP.
+
+```hcl
+resource "aws_budgets_budget" "ec2" {
+  name              = "budget-ec2-monthly"
+  budget_type       = "COST"
+  limit_amount      = "1200"
+  limit_unit        = "USD"
+  time_period_end   = "2087-06-15_00:00"
+  time_period_start = "2017-07-01_00:00"
+  time_unit         = "MONTHLY"
+
+  cost_filter {
+    name = "Service"
+    values = [
+      "Amazon Elastic Compute Cloud - Compute",
+    ]
+  }
+
+  notification {
+    comparison_operator        = "GREATER_THAN"
+    threshold                  = 100
+    threshold_type             = "PERCENTAGE"
+    notification_type          = "FORECASTED"
+    subscriber_email_addresses = ["test@example.com"]
+  }
+
+  tags = {
+    Environment = "production"
+    Team        = "engineering"
+    ManagedBy   = "terraform"
+  }
+}
+```
+
+In the previous example
+- **limit_amount:** Defines the monthly spend limit.
+- **notification:** Defines the notification criteria and sends an email to test@example.com.
+- **tags:** The tag is applied to the budget resource, not the EC2 instance. The tags allow you to filter and organize budgets in the billing console.
+
+For AWS environments, you can use the `aws_budgets_budget` resource to create budgets that track spending by service, linked account, tag, or other dimensions. You can specify the budget amount, time period, and notification thresholds. 
+
+For Azure environments, the `azurerm_consumption_budget_subscription` resource lets you create subscription-level budgets with similar notification capabilities. You can define multiple notification rules that trigger at different spending thresholds.
+
+For Google Cloud Platform, the `google_billing_budget` resource operates at the billing account level, and you can filter by project, service, or label. GCP budgets support both actual and forecasted spending alerts.
+
+HashiCorp resources:
+
+- Learn how to [Tag cloud resources](/well-architected-framework/docs/docs/optimize-systems/lifecycle-management/tag-cloud-resources)
+- Terraform resource: [aws_budgets_budget](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/budgets_budget)
+- Terraform resource: [azurerm_consumption_budget_subscription](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/consumption_budget_subscription)
+- Terraform resource: [google_billing_budget](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/billing_budget)
+
+External resources:
+
+- AWS Budgets: [Getting started with AWS Budgets](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-managing-costs.html)
+- Azure Cost Management and Billing: [Create and manage budgets](https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets)
+- Google Cloud Budgets and alerts: [Creating budgets](https://cloud.google.com/billing/docs/how-to/budgets)
+
+## Detect spending anomalies
+
+Anomaly detection identifies unusual patterns rather than absolute thresholds. For example, if your monthly EC2 spending suddenly doubles from $2,000 to $4,000 but remains under your $5,000 budget, a budget alert would not trigger. However, anomaly detection would flag this unusual increase for investigation. Anomaly detection helps you catch issues like misconfigured autoscaling, forgotten resources, or unauthorized usage before they significantly impact costs.
+
+Most cloud providers offer machine learning-based anomaly detection that learns your normal usage patterns and alerts you when spending deviates from the baseline. You can configure anomaly detection using Terraform for AWS Cost Anomaly Detection and Azure Cost Management.
+
+The following is an example Terraform code that sets up a cost anomaly detection with email alerts in AWS. This cost anomaly detection will detect the previous EC2 scenario.
+
+```hcl
+resource "aws_ce_anomaly_monitor" "test" {
+  name              = "AWSServiceMonitor"
+  monitor_type      = "DIMENSIONAL"
+  monitor_dimension = "SERVICE"
+}
+
+resource "aws_ce_anomaly_subscription" "test" {
+  name      = "DAILYSUBSCRIPTION"
+  frequency = "DAILY"
+
+  monitor_arn_list = [
+    aws_ce_anomaly_monitor.test.arn
+  ]
+
+  subscriber {
+    type    = "EMAIL"
+    address = "abc@example.com"
+  }
+
+  threshold_expression {
+    dimension {
+      key           = "ANOMALY_TOTAL_IMPACT_ABSOLUTE"
+      match_options = ["GREATER_THAN_OR_EQUAL"]
+      values        = ["100"]
+    }
+  }
+}
+```
+
+In the previous example:
+- **aws_ce_anomaly_monitor:** Tracks spending patterns across all AWS services such as EC2, S3, and Lambda.
+- **frequency = "DAILY":** Sends a daily summary of detected anomalies.
+- **threshold_expression:** Only alerts when the anomaly's financial impact exceeds $100.
+
+HashiCorp resources:
+
+- Terraform resource: [aws_ce_anomaly_subscription](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ce_anomaly_subscription)
+- Terraform resource: [azurerm_cost_anomaly_alert](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cost_anomaly_alert)
+
+External resources:
+
+- AWS Cost Anomaly Detection: [What is AWS Cost Anomaly Detection?](https://docs.aws.amazon.com/cost-anomaly/latest/userguide/what-is-cost-anomaly.html)
+- Azure Cost Management anomalies: [Detect anomalies in your cost data](https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/analyze-cost-data#detect-anomalies-in-your-cost-data)
+- Google Cloud's cost anomaly detection: [Using anomaly detection](https://cloud.google.com/billing/docs/how-to/using-anomaly-detection)
+
+## Next steps
+
+In this section of Manage cost, you learned about creating budgets and alerts to manage and control cloud spending, including creating spending limits with cloud provider budgets and detecting spending anomalies automatically. Create cloud budgets is part of the [Optimize systems](/well-architected-framework/optimize-systems).
+
+To learn more about managing resources with Terraform, view the following resources:
+- [Create reusable infrastructure modules](/well-architected-framework/define-and-automate-processes/define/modules)
+- [Implement CI/CD](/well-architected-framework/define-and-automate-processes/automate/cicd)
+- [Reduce costs with Terraform Cloud ephemeral workspaces](https://www.youtube.com/watch?v=-woCmG8yGdA)
+- [Tag cloud resources](/well-architected-framework/docs/docs/optimize-systems/lifecycle-management/tag-cloud-resources)
