Tagging Rules

Tagging rules define the automated logic that TagOps uses to apply tags to your AWS resources. Rules consist of conditions (when to apply) and actions (what tags to apply).

Rule Basics

What are Tagging Rules?

Tagging rules are like if-then statements that automatically tag AWS resources based on resource properties, service type, region, account, or other criteria.

Example Rule:

IF resource is EC2 instance
AND region is us-east-1
THEN apply tag Environment=Production

Rule Components

Rule Name: Unique identifier for the rule

Priority: Order in which rules are evaluated

Conditions: Criteria that must be met for rule to apply

Actions: Tags to apply when conditions match

Enabled: Whether the rule is active

Creating Rules

  1. Navigate to Rules page
  2. Click Add New Rule
  3. Configure rule settings:

    • Rule name
    • Rule category
    • Conditions
    • Actions (tags)
  4. Save rule

Rule Priority

Rules are evaluated in priority order, with lower priority numbers being evaluated first. Priority determines which tags are applied when multiple rules match the same resource.

How Priority Works

  • Rules are evaluated sequentially from priority 1, 2, 3, and so on
  • Each rule must have a unique priority number
  • Priorities must be sequential without gaps (e.g., 1, 2, 3 is valid; 1, 2, 4 is invalid)

Tag Conflict Resolution

When multiple rules match the same resource and apply tags with the same key, the tag value from the rule with the higher priority (higher number) will be used.

Example:

Rule 1 (Priority: 1)
  Condition: Resource Type = EC2 Instance
  Action: Add tag tag_key=tag_value_1

Rule 2 (Priority: 2)
  Condition: Region = us-west-2
  Action: Add tag tag_key=tag_value_2

If an EC2 instance in us-west-2 matches both rules:

  • Rule 1 (priority 1) applies tag_key=tag_value_1
  • Rule 2 (priority 2) tries to apply tag_key=tag_value_2
  • Result: tag_key=tag_value_1 (from higher priority rule 2)

Changing Rule Priority

You can change rule priority in two ways:

  1. Drag and Drop: On the Rules page, use the drag handle (⋮⋮) to reorder rules. The priority will automatically update based on the new position.

  2. Manual Edit: Edit a rule and change its priority number directly. Ensure priorities remain unique and sequential.

Priority Validation

When importing rules from a JSON file, the system validates that:

  • No two rules have the same priority
  • Priorities are sequential without gaps (e.g., 1, 2, 3 is valid; 1, 2, 4 is invalid)

Import will be blocked if priority validation fails.

Rule Categories

Rule categories help you understand what kinds of rules have been created and their general purpose.

Rule Conditions

Conditions determine when a rule applies:

  • Service: AWS service (e.g., ec2, s3, lambda)
  • Resource Type: Specific resource type
  • Region: AWS region
  • Account: AWS account ID
  • Resource Name: Filter by resource name (see details below)
  • Tag Key: Check if specific tag key exists
  • Tag Key-Value: Match specific tag key and value pair

Resource Name Condition

The Resource Name condition type allows you to filter resources based on their name property.

How it Works:

Resource names are extracted from either:

  • Native name properties - AWS API returns a name field (e.g., FunctionName, BucketName, DBInstanceIdentifier)
  • Name tag - Resource uses the AWS "Name" tag to store its name (common in EC2 resources)

Example Use Cases:

Match Lambda functions starting with "prod-"
Match EC2 instances named "web-server-*"
Match RDS databases containing "analytics"
Match S3 buckets ending with "-backup"

Supported Operators:

  • equal - Exact match
  • notEqual - Does not match exactly
  • startsWith - Name begins with value
  • endsWith - Name ends with value
  • contains - Name contains value
  • isIn - Name is in list of values
  • isNotIn - Name is not in list of values

Supported Resources:

Over 100 AWS resource types support name-based filtering, including:

  • EC2: Instance, VPC, Subnet, Volume, Security Group, Network Interface, and 28 more types
  • Compute: Lambda Function, ECS Cluster/Service/Task Definition/Task
  • Database: RDS Instance/Cluster/Snapshot, DynamoDB Table, ElastiCache Cluster
  • Storage: S3 Bucket, S3 Control Job, EFS File System
  • Networking: Load Balancer, Target Group, CloudFront Distribution, Route53 resources
  • Security: IAM User/Role/Policy, KMS Key, Cognito User Pool, Security Hub
  • Management: CloudWatch Logs, CloudTrail Trail, EventBridge Event Bus/Rule/Pipes/Scheduler
  • Developer Tools: CodePipeline, CodeBuild, CodeDeploy, CodeArtifact, CodeConnections
  • Messaging: SQS Queue, SNS Topic, Kinesis Stream
  • Analytics: Athena Workgroup/Data Catalog
  • System Management: SSM Parameter/Document/Maintenance Window/Patch Baseline

See the Complete AWS Services Reference for the detailed list with all 100+ supported resource types.

Important: Resources without name support will not match this condition. When a resource doesn't support names, the condition will evaluate to false.
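The following sketch is an added example, not TagOps code. It models the Resource Name condition described above, including the case where a resource has no name. The resource dictionaries, the lookup order (native field before Name tag), case-sensitive comparison, and treating a missing Name tag the same as no name support are assumptions.

```python
# Added illustration of the Resource Name condition; not TagOps code.
# Native name fields are the examples listed on this page.
NATIVE_NAME_FIELDS = ("FunctionName", "BucketName", "DBInstanceIdentifier")

def resource_name(resource):
    """Return the resource's name, or None when no name can be found."""
    for field in NATIVE_NAME_FIELDS:        # native property first (assumed order)
        if resource.get(field):
            return resource[field]
    for tag in resource.get("Tags", []):    # otherwise the AWS "Name" tag
        if tag.get("Key") == "Name" and tag.get("Value"):
            return tag["Value"]
    return None

OPERATORS = {
    "equal":      lambda name, value: name == value,
    "notEqual":   lambda name, value: name != value,
    "startsWith": lambda name, value: name.startswith(value),
    "endsWith":   lambda name, value: name.endswith(value),
    "contains":   lambda name, value: value in name,
    "isIn":       lambda name, value: name in value,
    "isNotIn":    lambda name, value: name not in value,
}

def name_condition_matches(resource, operator, value):
    """Evaluate one Resource Name condition against one resource."""
    if operator not in OPERATORS:
        raise ValueError(f"unsupported operator: {operator}")
    name = resource_name(resource)
    if name is None:
        # No name: the condition is false, even for notEqual and isNotIn.
        return False
    return OPERATORS[operator](name, value)

# Constructed sample resources (not real AWS output).
LAMBDA_FN = {"FunctionName": "prod-billing"}
EC2_NAMED = {"InstanceId": "i-0example1",
             "Tags": [{"Key": "Name", "Value": "web-server-01"}]}
NO_NAME = {"InstanceId": "i-0example2", "Tags": []}
```

A negated condition such as notEqual or isNotIn therefore does not act as a catch-all: resources with no name fall outside it and need a separate rule if they must be tagged.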

Rule Actions

Actions define which tags to apply:

  • Add Tag: Create new tag with key and value
  • Update Tag: Modify existing tag value
  • Template: Apply tag template

Tag Templates

Pre-defined tag sets for common scenarios.

Built-in Templates (22 included):

  • Cost Center
  • Environment
  • Owner
  • Project
  • Department
  • Application

And more...

Custom Templates: Create your own reusable tag sets.

Custom Templates Dynamic Tags

Unlike regular rules, templates allow the use of dynamic tags. Dynamic tags are tags whose value is determined dynamically based on the user input in the AWS Console, and the name can't be set right away.

The supported Dynamic Tags are:

  • createdBy
  • creationDate
  • region
  • accountId

These tags will be automatically created for you when you use a template with these tags and the rule evaluates to true.

For example, if a user called "AdministratorX" creates a resource that matches a rule with a given template, a tag createdBy: AdministratorX will be automatically attached to the resource.

Uploading your rule configuration

You can export and import the whole JSON of the rule configurations (you will find the relevant buttons on the "Tagging Rules" page). You can modify your rules in an automation or during a CI/CD pipeline, and then upload the new rules and templates together as a whole without having to create the rules manually.

Import Validation

When importing a rule configuration file, the system validates:

  • JSON Structure: Valid JSON format and required fields
  • Rule Structure: All rules have required fields (name, rule type, conditions, etc.)
  • Template Structure: All templates have required fields
  • Priority Validation:

    • No duplicate priorities
    • Priorities are sequential without gaps (e.g., 1, 2, 3 is valid; 1, 2, 4 is invalid)

If validation fails, the import button will be disabled and error messages will indicate what needs to be fixed.
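A pipeline that edits the rule JSON can run the priority checks from the Priority Validation and Import Validation sections before upload. The script below is an added example, not part of TagOps; the top-level "rules" key and the per-rule "name" and "priority" fields are assumed names, so adjust them to match your exported file.

```python
import json
import sys

def validate_priorities(config_text):
    """Return a list of error strings; an empty list means the checks pass."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(config, dict):
        return ["top-level JSON value must be an object"]
    errors, seen = [], {}
    for rule in config.get("rules", []):        # "rules" key is an assumption
        name = rule.get("name", "<unnamed>")    # "name" key is an assumption
        prio = rule.get("priority")             # "priority" key is an assumption
        if type(prio) is not int or prio < 1:
            errors.append(f"{name}: priority must be a positive integer, got {prio!r}")
        elif prio in seen:
            errors.append(f"{name}: duplicate priority {prio} (also used by {seen[prio]})")
        else:
            seen[prio] = name
    # Priorities must run 1, 2, 3, ... with no gaps.
    missing = [p for p in range(1, max(seen, default=0) + 1) if p not in seen]
    if missing:
        errors.append(f"priorities not sequential, missing: {missing}")
    return errors

# Constructed sample configurations.
VALID = '{"rules": [{"name": "a", "priority": 1}, {"name": "b", "priority": 2}]}'
GAP = ('{"rules": [{"name": "a", "priority": 1}, {"name": "b", "priority": 2},'
       ' {"name": "c", "priority": 4}]}')
DUPLICATE = ('{"rules": [{"name": "a", "priority": 1}, {"name": "b", "priority": 2},'
             ' {"name": "c", "priority": 2}]}')

if __name__ == "__main__":
    # Usage: python check_priorities.py exported-rules.json
    with open(sys.argv[1], encoding="utf-8") as handle:
        problems = validate_priorities(handle.read())
    for problem in problems:
        print(problem, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

A non-zero exit status lets the pipeline stop before the file is uploaded.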