With tag-policies, you tell the framework to apply a tag policy to a specific account, every account with a specified tag or to an organizational unit.
This tutorial will walk you through how to use the “Applying Tag Policies” feature.
We will assume you have:
We are going to perform the following steps to “Applying Tag Policies”:
Here are the steps you need to follow to “Applying Tag Policies”
When using tag-policies you will need an IAM role assumable from the account where you have installed this framework.
Within your AWS Organizations management account you should create an AWS CloudFormation stack with the following name:
puppet-organizations-service-control-policies-stack
Using the template of the URL:
https://service-catalog-tools.s3.eu-west-2.amazonaws.com/puppet/latest/servicecatalog-puppet-scp-master.template.yaml
This stack will have an output named PuppetOrgRoleForExpandsArn. Take a note of this Arn as you will need it in the next step.
Once you have created the IAM Role, you need to tell the framework which role you want to use. You do this by creating
an AWS Systems Manager Parameter Store parameter named /servicecatalog-puppet/org-scp-role-arn in the region of the
account where you will install puppet and use as your hub account. You can do this via the console or via the cli.
aws ssm put-parameter --name /servicecatalog-puppet/org-scp-role-arn --type String --value <VALUE-FROM-STEP-ABOVE>
To apply a tag policy to a specific account add the following snippet to your manifest file:
tag-policies:
force-cost-center:
description: "force cost center"
tags:
- Key: Category
Value: Foundational
content:
default: {
"tags": {
"costcenter": {
"tag_key": {
"@@assign": "CostCenter"
},
"tag_value": {
"@@assign": [
"100",
"200"
]
},
"enforced_for": {
"@@assign": [
"secretsmanager:*"
]
}
}
}
}
apply_to:
accounts:
- account_id: "338024302548"You will need to update the account_id from 000000000000 to the account_id you want to apply the tag policy to.
Please note, you do not need to specify a region in the apply_to section.
To apply a tag policy to every account with specified tag add the following snippet to your manifest file:
tag-policies:
force-cost-center:
description: "force cost center"
tags:
- Key: Category
Value: Foundational
content:
default: {
"tags": {
"costcenter": {
"tag_key": {
"@@assign": "CostCenter"
},
"tag_value": {
"@@assign": [
"100",
"200"
]
},
"enforced_for": {
"@@assign": [
"secretsmanager:*"
]
}
}
}
}
apply_to:
tags:
- tag: type:prod
You will need to update the tag from type:prod to the tag you want to apply the tag policy to.
Please note, you do not need to specify a region in the apply_to section.
To apply a tag policy to a specific organizational unit add the following snippet to your manifest file:
tag-policies:
force-cost-center:
description: "force cost center"
tags:
- Key: Category
Value: Foundational
content:
default: {
"tags": {
"costcenter": {
"tag_key": {
"@@assign": "CostCenter"
},
"tag_value": {
"@@assign": [
"100",
"200"
]
},
"enforced_for": {
"@@assign": [
"secretsmanager:*"
]
}
}
}
}
apply_to:
ous:
- ou: /workloads
You will need to update the ou from /workloads to the path you want to apply the tag policy to.
Alternatively you can use an ou id instead of a path:
tag-policies:
force-cost-center:
description: "force cost center"
tags:
- Key: Category
Value: Foundational
content:
default: {
"tags": {
"costcenter": {
"tag_key": {
"@@assign": "CostCenter"
},
"tag_value": {
"@@assign": [
"100",
"200"
]
},
"enforced_for": {
"@@assign": [
"secretsmanager:*"
]
}
}
}
}
apply_to:
ous:
- ou: ou-japk-38pz9nbt
You can choose to store you tag policies in Amazon S3 using the following syntax:
tag-policies:
force-cost-center:
description: "force cost center"
tags:
- Key: Category
Value: Foundational
content:
s3:
bucket: my-policy-store
key: force-cost-center.json
apply_to:
ous:
- ou: /workloads
You have now successfully applied a tag policy!