
Handling tagging friction between FinOps and DevOps teams when using Terraform

FinOps


We regularly speak to FinOps teams about the tagging they need in place to implement FinOps. One of the common challenges they describe is the friction between DevOps and FinOps teams when both have tagging needs.

The FinOps team wants to add tags that make it easier to manage and allocate costs, but the DevOps team wants to limit who can modify tags, and their infrastructure-as-code tooling will often overwrite the tags anyway.

This friction point makes it difficult for both teams to achieve their objectives without getting in each other's way.

In this article we will look at an approach to solving this problem when Terraform is your IaC solution.

There are two ways you can achieve this with Terraform.

Option 1 – Ignore Changes

Option 1 is really simple but does take a little work to implement. In Terraform, a resource has a lifecycle section in which you can manage how changes to it are handled. In the below image you can see an example of how I can choose to ignore any changes made to the FinOps-Team tag.

Each time I run my Terraform deployment, if the resource is updated Terraform will ignore any changes to the tag called FinOps-Team.

This means that if the FinOps team adds or changes this tag then Terraform will leave it alone.
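The lifecycle block described above, written out as an added example rather than the screenshot from the original post. It assumes the azurerm provider and a storage account in the Demo_IaC_Tags resource group; the storage account name and location are placeholders, and the tag keys are the ones used elsewhere in this article.

```hcl
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "demo" {
  name     = "Demo_IaC_Tags"
  location = "uksouth" # placeholder region
}

resource "azurerm_storage_account" "demo" {
  name                     = "stdemoiactags" # placeholder, must be globally unique
  resource_group_name      = azurerm_resource_group.demo.name
  location                 = azurerm_resource_group.demo.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Tags owned by the DevOps team. Terraform keeps these in the desired state,
  # so anyone editing them in the portal will see the change reverted on apply.
  tags = {
    CreatedBy   = "Terraform"
    Environment = "Demo"
  }

  lifecycle {
    # Tag keys owned by the FinOps team. Terraform will not plan a change when
    # these are added, edited or removed outside Terraform. Each key has to be
    # listed explicitly: ignore_changes takes attribute paths, not prefixes or
    # wildcards, so a new FinOps tag must be added here on every resource or
    # the next apply removes it.
    ignore_changes = [
      tags["FinOps-Team"],
      tags["FinOps-Department"],
    ]
  }
}
```

Two points worth knowing before relying on this. ignore_changes only applies when Terraform updates an existing resource; on the first create the tags come entirely from the configuration. And the shortcut `ignore_changes = [tags]` removes the per-key maintenance but also stops Terraform from correcting drift in CreatedBy and Environment, which gives up exactly the control over tags the DevOps team wanted.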

This ticks the box that the FinOps team needs, but there is some overhead here for the DevOps team.

The DevOps team will need to modify every resource definition within Terraform to add the tag to ignore. If the FinOps team later adds another tag, that tag will also need to be added to every resource.

This will work, although it is a maintenance overhead for the Terraform developer. The below image highlights one of the risks: the FinOps team added a new tag, but you can see that my Terraform will remove it because no one told the DevOps engineer to update Terraform to ignore this tag.

Option 2 – Extend with Backup and Restore of Tags

Following on from a similar article I wrote about solving this problem with Bicep, we can take a similar approach with Terraform. In this case we back up specific tag values before we run Terraform and then restore them afterwards.

The process would look like this:

This process would also fit well into a DevOps pipeline. One difference from what I did in the previous article with Bicep is that this time I'll separate the backup and restore scripts completely and back up to a file, so that each step is independent and fits into a pipeline better.

Walkthrough

At the start of the process we have the resources shown below, which carry some tags deployed via Terraform such as CreatedBy and Environment.

The FinOps team have then added additional tags such as:

  • FinOps-Department
  • FinOps-Team

Backup Tags

When the DevOps team do a deployment, before running terraform apply they execute the PowerShell script to back up any tags used by the FinOps team.

The command would look like this:

.\Deploy-TerraformWithTagPreservation.ps1 -ResourceGroupName "Demo_IaC_Tags" -TagPrefixesToPreserve @("FinOps")

This will back up all tags whose key starts with the prefix FinOps to a file. Note that the file path can be overridden via the parameters, and there are some other options such as filtering and a what-if mode.

The script will produce an output as shown below.

I now have a file with the backed up tags for resources within my resource group.

Run Terraform

Now I'd run commands like:

  • terraform plan
  • terraform apply

This would complete my deployment and update my resources.

It's likely that in this part of the process we have removed some of the tags the FinOps team had set up. We now need to fix that.

Restore Backed Up Tags

Next we run the below command:

.\Deploy-TerraformWithTagPreservation.ps1 -ResourceGroupName "Demo_IaC_Tags" -RestoreTags

This uses the file we archived the tag values to earlier and restores them onto the appropriate resources.

The output for this command looks like the below.

You can see where the arrow is pointing that 2 tags were restored by the script on a storage resource. The other resource was not updated by Terraform in this scenario, so it needed no restore.

Conclusion

I hope that this article is interesting and helps to address some of those FinOps / DevOps friction points.

The script I used is available on GitHub at the below location, and I hope it helps you to implement a similar process in your DevOps pipelines.

Check out this GitHub link!
