AWS Cloud Operations Blog

Leveraging existing tagging strategies for Application Operations

Customers often spend time finding and managing individual resources within their applications. They need to find various applications, manage and perform application tasks, and monitor resources during different stages of the application lifecycle. Customers usually have hundreds to thousands of resources within even a single AWS account. This requires navigating across multiple AWS services pages and searching for the resources that belong to the application. Being able to quickly identify those resources and understand how they relate to an application is critical to having a holistic view of all resources tied to an application.

myApplications offers a centralized catalog where customers can easily discover and access their applications and related AWS resources. The myApplications dashboard provides a view of key application metrics such as cost, performance, and security findings. This improves user productivity by providing a single, unified access point for discovering and accessing applications and the resources they depend on.

Previously, to add your resources into an application you had to select individual resources in the AWS Console or use APIs to add specific resources. With this new feature, myApplications supports automatic addition of resources using existing tags. You can use your existing tags to automatically add resources and configure the automation to update your application as you add and remove the selected tag from resources over time.

In this post, we’ll demonstrate how to use the automatic AWS Resource Groups tag-synchronization (tag-sync) through the myApplications console experience and how to leverage APIs to onboard an application that uses the tag-sync.

Prerequisites

For this walkthrough, you should have the following prerequisites:

Solution Walkthrough

Step 1: Having the right permissions

Before you can use tag-sync to automatically add tagged resources to your myApplications application, you need to create an IAM role with the permissions AWS Resource Groups requires to tag your resources.

  1. Create a trust policy for the IAM role: the role needs a trust policy for AWS Resource Groups so that the service can perform tasks on your behalf.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "Service": "resource-groups.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

2. The principal setting up the tag-sync needs the tagging actions, and the IAM role needs the permissions that the tagging itself requires. The role needs to have the following permissions:

  • assume role
  • group/ungroup
  • service-specific tagging permissions

AWS offers a managed policy (`ResourceGroupsTaggingAPITagUntagSupportedResources`) that you can attach to the Resource Groups IAM role. This policy grants permission to tag and untag all resources supported by the Resource Groups Tagging API, and to retrieve all tagged or previously tagged resources through that API.

Note: Always consider least privilege best practices and adjust the policy to meet your company’s policies. For more information on required permissions, visit Tag-sync required permissions.

3. Add the additional permissions needed beyond the service trust policy and the service-specific resource permissions:

  • `GroupResources` adds resources to a specific group.
  • `UngroupResources` removes resources from a specific group.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
               "resource-groups:GroupResources",
               "resource-groups:UngroupResources"
            ],
            "Resource": "*"
        }
    ]
}

Once you have created the IAM role and its permissions for AWS Resource Groups, you can start using tag-sync with myApplications. For more details, see Tag-sync required permissions.
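As an added example (not the post's own code), the following Python script uses boto3 to create the role from the two policy documents shown above, after checking that the trust policy trusts only the Resource Groups service principal and that the grouping policy contains no wildcard actions. The role name and inline policy name are assumptions, and `iam` is assumed to be a boto3 IAM client with permission to create roles and attach policies.

```python
# Added example, not from the post: create the tag-sync role from the two policy documents
# above, after a least-privilege sanity check. Role and inline policy names are assumptions.
import json
RESOURCE_GROUPS_PRINCIPAL = "resource-groups.amazonaws.com"
MANAGED_POLICY_ARN = ("arn:aws:iam::aws:policy/"
                      "ResourceGroupsTaggingAPITagUntagSupportedResources")  # named in the post
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Statement1", "Effect": "Allow",
    "Principal": {"Service": RESOURCE_GROUPS_PRINCIPAL},
    "Action": "sts:AssumeRole"}]}
GROUPING_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["resource-groups:GroupResources", "resource-groups:UngroupResources"],
    "Resource": "*"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def trust_policy_problems(doc):
    """Ways the trust policy is wider than tag-sync needs (empty list means OK)."""
    problems = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict):  # "*" or a bare ARN string
            problems.append("principal is not a service principal")
            continue
        if (set(principal) != {"Service"}
                or set(_as_list(principal["Service"])) != {RESOURCE_GROUPS_PRINCIPAL}):
            problems.append("trusts something other than " + RESOURCE_GROUPS_PRINCIPAL)
        if set(_as_list(st.get("Action"))) != {"sts:AssumeRole"}:
            problems.append("action is not limited to sts:AssumeRole")
    return problems


def inline_policy_problems(doc):
    """Wildcard actions found in the grouping policy (empty list means OK)."""
    return [a for st in doc.get("Statement", [])
            for a in _as_list(st.get("Action", [])) if "*" in a]


def create_tag_sync_role(iam, role_name="ResourceGroupsTagSyncRole"):
    """Create the role, attach the managed tagging policy, add the grouping policy."""
    assert not trust_policy_problems(TRUST_POLICY) and not inline_policy_problems(GROUPING_POLICY)
    iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(TRUST_POLICY))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=MANAGED_POLICY_ARN)
    iam.put_role_policy(RoleName=role_name, PolicyName="TagSyncGrouping",
                        PolicyDocument=json.dumps(GROUPING_POLICY))
    return role_name
```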

Step 2: Using tag-sync through the AWS Management Console

In this scenario, we’re using an application that has a specific tag key-value pair of Key = ecommerce and Value = search.

  1. When creating an application with myApplications, you start by defining an application and the resources that make up that application.

[Figure 1 myApplications create application]

Previously, selecting resources required manual actions, such as selecting resources and understanding their associated tags or identifiers. Now you are able to use an existing tag strategy you have for your resources to automatically add them to the application, which will add the awsApplication tag to each resource.

[Figure 2 Adding Resources]

2. With tag-sync, if you create resources after creating an application in myApplications with an existing tag (in our previous scenario, `Key = ecommerce` and `Value = search`), Resource Groups adds the `awsApplication` tag to those resources and includes them in the application. This removes the need to build a separate solution to track resources created or removed after the initial application setup. And if you remove the tag from a resource, Resource Groups tag-sync will also remove the resource from the application.

[Figure 4 tag-sync]

[Figure 4 tag-sync settings]

  • In the Role select dropdown, you’ll see all the IAM roles available in your AWS account. Select the IAM role you created. In our example, we created an IAM role named `AWSServiceForResourceGroups`.
  • Select Tag Key from the dropdown. Select your Key-Value pair for your application.
  • To use tag-sync, you need to enable Group Lifecycle Events. Group Lifecycle Events notifies you about the lifecycle changes of your resources.
  • After creating the application, click on the “Preview resources”, or click the “Next” button to review your application configuration.
  • Navigate to the “Manage Resources” button on the myApplications dashboard to view the active tag-sync you created.

This allows Resource Groups to identify resources with the specified tag and add the awsApplication tag to those resources, including them in the myApplications application.

[Figure 5 Group LifeCycle Events]

Now you have onboarded an application using an existing tagging strategy and enabled AWS Resource Groups tag-synchronization, which automatically adds the awsApplication tag to matching resources so they become part of the application, even when they are created after the myApplications application itself.

[Figure 6 Tag-sync Final setup]

You can also onboard tag-sync through AWS CLI. In the next section, we demonstrate how to use the AWS CLI to onboard an application with myApplications, create a tag-sync, and validate the tag-sync.

(Optional) Using tag-sync through AWS CLI

In this scenario, we’ll create an application, enable resource group lifecycle events, automate tag-synchronization (tag-sync), and stop the tag-sync for application resources using AWS CLI.

In this scenario, we will be using the same example used in the preceding step of an application with a tag key-value pair of Key = ecommerce and Value = search.

Note: For the purpose of this section, the region us-east-1 is configured as the default region in the AWS CLI profile used here. Configure a profile in the AWS CLI before running the commands below.

  1. To create an application named ‘ecommerce’ with a brief description, use the following command (replace ‘ecommerce’ with the name of the application you want to create):

aws servicecatalog-appregistry create-application --name ecommerce --description "App created using CLI"

{
 "application": {
 "id": "07m8akl51w19wtirfx8zdo5jau",
 "arn": "arn:aws:servicecatalog:us-east-1:XXXXXXXXXXX:/applications/07m8akl51w19wtirfx8zdo5jau",
 "name": "ecommerce",
 "description": "App created using CLI",
 "creationTime": "2024-10-10T17:10:42.319000+00:00",
 "lastUpdateTime": "2024-10-10T17:10:42.319000+00:00",
 "tags": {},
 "applicationTag": { "awsApplication": "arn:aws:resource-groups:us-east-1:XXXXXXXXXXX:group/ecommerce/07m8akl51w19wtirfx8zdo5jau"
 }
 }
}

Before proceeding to the next steps, capture the Amazon Resource Name (ARN) of the App Group, which is returned in the applicationTag value in the above create application call. This ARN will be useful while running the tag-sync.

2. To enable Group Lifecycle Events using the AWS CLI, use the following command:

aws resource-groups update-account-settings --group-lifecycle-events-desired-status ACTIVE

When you create tag-sync for the application “ecommerce”, you specify a tag key-value pair to sync to the application. The tag-sync then adds any resources tagged with `ecommerce:search` to the application by applying the `awsApplication` tag to those resources. After configuring tag-sync, it continuously manages the application resources, adding or removing resources as they are tagged or untagged with the specified key-value pair.

The tag-sync task runs as the ‘AWSServiceRoleForResourceGroups’ IAM role created earlier, which is passed to the task through `--role-arn`.

aws resource-groups start-tag-sync-task --group ecommerce/07m8akl51w19wtirfx8zdo5jau --tag-key ecommerce --tag-value search --role-arn arn:aws:iam::XXXXXXXXXXX:role/AWSServiceRoleForResourceGroups

{
 "GroupArn": "arn:aws:resource-groups:us-east-1:XXXXXXXXXXX:group/ecommerce/07m8akl51w19wtirfx8zdo5jau",
 "GroupName": "ecommerce/07m8akl51w19wtirfx8zdo5jau",
 "TaskArn": "arn:aws:resource-groups:us-east-1:XXXXXXXXXXX:group/ecommerce/07m8akl51w19wtirfx8zdo5jau/tag-sync-task/0c7a1pdulygpwujm3gdya93v79",
 "TagKey": "ecommerce",
 "TagValue": "search",
 "RoleArn": "arn:aws:iam::XXXXXXXXXXX:role/AWSServiceRoleForResourceGroups"
}

When tag-sync is active, if you tag a resource with the `ecommerce:search` tag, tag-sync adds that resource to the application by adding the `awsApplication` tag to it. Additionally, if you remove the `ecommerce:search` tag from a resource, tag-sync removes the resource from the application by removing the `awsApplication` tag.

Let’s review the existing resources that have been added to the ecommerce application after the tag-sync started.

aws resource-groups list-group-resources --group-name ecommerce/07m8akl51w19wtirfx8zdo5jau

{
"ResourceIdentifiers": [
{
"ResourceArn": "arn:aws:ec2:us-east-1:XXXXXXXXXXX:instance/i-0b837a3fcc6d27de3",
"ResourceType": "AWS::EC2::Instance"
},
{
"ResourceArn": "arn:aws:ec2:us-east-1:XXXXXXXXXXX:instance/i-0e23909e98c676a0a",
"ResourceType": "AWS::EC2::Instance"
}
],
"Resources": [
{
"Identifier": {
"ResourceArn": "arn:aws:ec2:us-east-1:XXXXXXXXXXX:instance/i-0b837a3fcc6d27de3",
"ResourceType": "AWS::EC2::Instance"
}
},
{
"Identifier": {
"ResourceArn": "arn:aws:ec2:us-east-1:XXXXXXXXXXX:instance/i-0e23909e98c676a0a",
"ResourceType": "AWS::EC2::Instance"
}
}
]
}

3. Next, we will create an Amazon Simple Storage Service (Amazon S3) bucket named “ecommerce” and add “ecommerce:search” tag to the bucket.

aws s3api create-bucket --bucket ecommerce && aws s3api put-bucket-tagging --bucket ecommerce --tagging "TagSet=[{Key=ecommerce,Value=search}]"

Once the bucket creation is complete, we will observe the latest resources to confirm that the tag-sync has automatically added the new Amazon S3 bucket to the ecommerce application.

aws resource-groups list-group-resources --group-name ecommerce/07m8akl51w19wtirfx8zdo5jau

{
"ResourceIdentifiers": [
{
"ResourceArn": "arn:aws:ec2:us-east-1:XXXXXXXXXXX:instance/i-0b837a3fcc6d27de3",
"ResourceType": "AWS::EC2::Instance"
},
{
"ResourceArn": "arn:aws:s3:::ecommerce",
"ResourceType": "AWS::S3::Bucket"
},
{
"ResourceArn": "arn:aws:ec2:us-east-1:XXXXXXXXXXX:instance/i-0e23909e98c676a0a",
"ResourceType": "AWS::EC2::Instance"
}
],
"Resources": [
{
"Identifier": {
"ResourceArn": "arn:aws:ec2:us-east-1:XXXXXXXXXXX:instance/i-0b837a3fcc6d27de3",
"ResourceType": "AWS::EC2::Instance"
}
},
{
"Identifier": {
"ResourceArn": "arn:aws:s3:::ecommerce",
"ResourceType": "AWS::S3::Bucket"
}
},
{
"Identifier": {
"ResourceArn": "arn:aws:ec2:us-east-1:XXXXXXXXXXX:instance/i-0e23909e98c676a0a",
"ResourceType": "AWS::EC2::Instance"
}
}
]
}
4. To check the status of the tag-sync, use the following command:

aws resource-groups get-tag-sync-task --task-arn arn:aws:resource-groups:us-east-1:XXXXXXXXXXX:group/ecommerce/07m8akl51w19wtirfx8zdo5jau/tag-sync-task/06pih38ze1aqhx3x1syjw75kpv

{
 "GroupArn": "arn:aws:resource-groups:us-east-1:XXXXXXXXXXX:group/ecommerce/07m8akl51w19wtirfx8zdo5jau",
 "GroupName": "ecommerce/07m8akl51w19wtirfx8zdo5jau",
 "TaskArn": "arn:aws:resource-groups:us-east-1:XXXXXXXXXXX:group/ecommerce/07m8akl51w19wtirfx8zdo5jau/tag-sync-task/06pih38ze1aqhx3x1syjw75kpv",
 "TagKey": "ecommerce",
 "TagValue": "search",
 "RoleArn": "arn:aws:iam::XXXXXXXXXXX:role/AWSServiceRoleForResourceGroups",
 "Status": "ACTIVE",
 "CreatedAt": "2024-10-10T15:22:49.024000-04:00"
}
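Once the task reports ACTIVE, it is worth confirming that tag-sync has actually reconciled membership: every resource carrying ecommerce=search should be in the application with its awsApplication tag set to this application's ARN. The following Python script is an added example, not code from the post; find_drift runs on constructed sample data, and the fetch_tagged/fetch_members helpers assume a boto3 session with permission to call GetResources on the Resource Groups Tagging API and ListGroupResources on Resource Groups.

```python
# Added example, not from the post: check that tag-sync has reconciled an application's
# membership. Sample data is constructed; XXXXXXXXXXX is the post's account-id placeholder.
APP_TAG = "awsApplication"
APP_ARN = ("arn:aws:resource-groups:us-east-1:XXXXXXXXXXX:group/"
           "ecommerce/07m8akl51w19wtirfx8zdo5jau")


def find_drift(tagged, member_arns, app_arn=APP_ARN):
    """tagged: get_resources items ({"ResourceARN", "Tags": [{"Key", "Value"}]});
    member_arns: ARNs from list-group-resources. Returns (missing, wrong_app, untagged):
    tagged resources tag-sync has not added yet, members whose awsApplication tag does
    not point at this application, and members lacking the sync tag (e.g. added manually)."""
    tagged_arns = {r["ResourceARN"] for r in tagged}
    members = set(member_arns)
    wrong_app = [r["ResourceARN"] for r in tagged if r["ResourceARN"] in members and
                 {t["Key"]: t["Value"] for t in r.get("Tags", [])}.get(APP_TAG) != app_arn]
    return (sorted(tagged_arns - members), sorted(wrong_app), sorted(members - tagged_arns))


def fetch_tagged(client, key, value):
    """All resources tagged key=value (resourcegroupstaggingapi client), every page."""
    out, token = [], ""
    while True:
        page = client.get_resources(
            TagFilters=[{"Key": key, "Values": [value]}], PaginationToken=token)
        out.extend(page["ResourceTagMappingList"])
        token = page.get("PaginationToken", "")
        if not token:
            return out


def fetch_members(client, group):
    """All member ARNs of the application's group (resource-groups client), every page."""
    arns, kwargs = [], {"Group": group}
    while True:
        page = client.list_group_resources(**kwargs)
        arns.extend(r["Identifier"]["ResourceArn"] for r in page["Resources"])
        if not page.get("NextToken"):
            return arns
        kwargs["NextToken"] = page["NextToken"]


# Constructed sample: one instance in sync, one member without the sync tag, and the new
# bucket that carries ecommerce=search but has not been picked up by tag-sync yet.
EC2 = "arn:aws:ec2:us-east-1:XXXXXXXXXXX:instance/"
SAMPLE_TAGGED = [
    {"ResourceARN": EC2 + "i-0b837a3fcc6d27de3", "Tags": [
        {"Key": "ecommerce", "Value": "search"}, {"Key": APP_TAG, "Value": APP_ARN}]},
    {"ResourceARN": "arn:aws:s3:::ecommerce", "Tags": [{"Key": "ecommerce", "Value": "search"}]},
]
SAMPLE_MEMBERS = [EC2 + "i-0b837a3fcc6d27de3", EC2 + "i-0e23909e98c676a0a"]
if __name__ == "__main__":  # for a live run, replace the samples with fetch_* results
    print(find_drift(SAMPLE_TAGGED, SAMPLE_MEMBERS))
```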

If you decide to stop using the tags referenced in the tag-sync task, remember to cancel the tag-sync before removing those old tags. If you remove the tags before cancelling the tag-sync, the resources will be removed from the application. To cancel the tag-sync, use the following command:

aws resource-groups cancel-tag-sync-task --task-arn arn:aws:resource-groups:us-east-1:XXXXXXXXXXX:group/ecommerce/07m8akl51w19wtirfx8zdo5jau/tag-sync-task/06pih38ze1aqhx3x1syjw75kpv

Clean Up

myApplications on AWS is offered at no additional charge. However, usage charges for the underlying resources and services summarized in the myApplications dashboard still apply at the published rates for those resources. To clean up, you need to delete the application within myApplications. If you no longer need the IAM role, we recommend that you delete the role and its associated permissions.

Conclusion

In this post, we explained how to use existing tags to create and automatically add resources to your applications in myApplications. By leveraging your existing tags to automatically add resources, you can improve application management efficiency. This feature reduces manual effort, enhances visibility, and speeds up issue resolution, ultimately leading to improved operational performance.

Further Reading

Nereida Woo

Nereida is a WW Specialist Solutions Architect in Cloud Operations focusing on Centralized Operations Management and Application operations on AWS. When she isn’t working, she enjoys traveling to attend music concerts.

Kalyan Madicharla

Kalyan Madicharla is a Senior Technical Account Manager in the Media and Entertainment space focusing on Resiliency and Application operations on AWS. When he isn’t working, he enjoys being in nature.

Mohamed Othman

Mohamed joined AWS in 2020 as a Technical Account Manager, bringing with him 7 years of hands-on AWS DevOps experience and 6 years as a systems operation admin. He is a member of two Technical Field Communities in AWS (Cloud Operation and Builder Experience), focusing on supporting customers with centralized operations management, CI/CD pipelines, and AI for DevSecOps.