AWS Cloud Operations Blog
Leveraging existing tagging strategies for Application Operations
Customers often spend time finding and managing individual resources within their applications. They need to find various applications, manage and perform application tasks, and monitor resources during different stages of the application lifecycle. Customers usually have hundreds to thousands of resources within even a single AWS account. This requires navigating across multiple AWS services pages and searching for the resources that belong to the application. Being able to quickly identify those resources and understand how they relate to an application is critical to having a holistic view of all resources tied to an application.
myApplications offers a centralized catalog where customers can easily discover and access their applications and related AWS resources. The myApplications dashboard provides a view of key application metrics such as cost, performance, and security findings. This improves user productivity by providing a single, unified access point for finding and accessing applications and their resources.
Previously, to add your resources into an application you had to select individual resources in the AWS Console or use APIs to add specific resources. With this new feature, myApplications supports automatic addition of resources using existing tags. You can use your existing tags to automatically add resources and configure the automation to update your application as you add and remove the selected tag from resources over time.
In this post, we’ll demonstrate how to use the automatic AWS Resource Groups tag-synchronization (tag-sync) through the myApplications console experience and how to leverage APIs to onboard an application that uses the tag-sync.
Prerequisites
For this walkthrough, you should have the following prerequisites:
- An AWS Identity and Access Management (IAM) role with appropriate permissions for AWS Resource Groups
- An existing tag key/value pair that identifies the resources in each application. For further details, please review the AWS whitepaper on Building your tagging strategy
- (Optional) Enabling AWS Resource Explorer across accounts and Regions to discover your AWS resources
- (Optional) Setting up AWS Command Line Interface (AWS CLI)
Solution Walkthrough
Step 1: Having the right permissions
Before you can use tag-sync to automatically add tagged resources to your myApplications application, you need to create an IAM role that has the permissions required for AWS Resource Groups to tag your resources.
1. Creating a trust policy for the IAM role: the IAM role needs a trust policy for AWS Resource Groups so that the service can perform tasks on your behalf.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "Service": "resource-groups.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
2. The principal who sets up the tag-sync needs permission to use the role, and the role itself needs the permissions required to perform the tagging. The role needs the following permissions:
- assume role
- group/ungroup
- service-specific tagging permissions
AWS offers a managed policy (`ResourceGroupsTaggingAPITagUntagSupportedResources`) that you can attach to the Resource Groups IAM role. This policy grants permission to tag and untag all resources supported by the Resource Groups Tagging API. It also grants the permissions required to retrieve all tagged or previously tagged resources through the Resource Groups Tagging API.
Note: Always consider least privilege best practices and adjust the policy to meet your company’s policies. For more information on required permissions, visit Tag-sync required permissions.
3. Adding additional permissions beyond the service trust policy and the service-specific resource permissions:
- `GroupResources` adds resources to a specific group.
- `UngroupResources` removes resources from a specific group.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "resource-groups:GroupResources",
        "resource-groups:UngroupResources"
      ],
      "Resource": "*"
    }
  ]
}
Once you have created the IAM role and its permissions for AWS Resource Groups, you can start using tag-sync with myApplications. For more details, see Tag-sync required permissions.
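As an added example (not from this post or from AWS), the following Python checks a candidate trust policy and permissions policy against what Step 1 requires and flags grants that are broader than tag-sync needs. The embedded policies are constructed copies of the two shown above plus a hypothetical over-broad one, and the finding strings are my own.

```python
# Constructed copies of the two policies shown above, plus a hypothetical
# over-broad permissions policy so the checker has something to flag.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Statement1", "Effect": "Allow",
     "Principal": {"Service": "resource-groups.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["resource-groups:GroupResources", "resource-groups:UngroupResources"]}]}
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
TRUSTED_SERVICE = "resource-groups.amazonaws.com"
REQUIRED_ACTIONS = {"resource-groups:GroupResources", "resource-groups:UngroupResources"}


def _as_list(value):
    # IAM allows a single string or a list in Action/Principal fields.
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy):
    """Findings for the role's trust policy; an empty list means it is what tag-sync needs."""
    findings, trusted = [], False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            principal = {"AWS": principal}          # bare "*" form
        if "*" in _as_list(principal.get("AWS", [])):
            findings.append("trust policy lets any principal assume the role")
        if TRUSTED_SERVICE in _as_list(principal.get("Service", [])) \
                and "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
            trusted = True
    if not trusted:
        findings.append(f"missing sts:AssumeRole grant for {TRUSTED_SERVICE}")
    return findings


def check_permissions_policy(policy):
    """Findings for the permissions policy: required actions present, no blanket '*' grants."""
    findings, granted = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in ("*", "resource-groups:*"):
                findings.append(f"over-broad action {action!r}; grant only what tag-sync needs")
            granted.add(action)
    missing = REQUIRED_ACTIONS - granted
    if missing and not granted & {"*", "resource-groups:*"}:
        findings.append("missing actions: " + ", ".join(sorted(missing)))
    return findings
```

Feed the role's actual policy documents (for example the JSON returned by the IAM console or CLI) to the two functions; any non-empty list is something to review before attaching the role.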
Step 2: Using tag-sync through the AWS Management Console
In this scenario, we’re using an application that has a specific tag key-value pair of Key = ecommerce and Value = search.
- When creating an application with myApplications, you start by defining an application and the resources that make up that application.
- In the Role select dropdown, you’ll see all the IAM roles available in your AWS account. Select the IAM role you created. In our example, we created an IAM role named `AWSServiceForResourceGroups`.
- Select Tag Key from the dropdown. Select your Key-Value pair for your application.
- To use tag-sync, you need to enable Group Lifecycle Events. Group Lifecycle Events notifies you about the lifecycle changes of your resources.
- After creating the application, click on the “Preview resources”, or click the “Next” button to review your application configuration.
- Navigate to the “Manage Resources” button on the myApplications dashboard to view the active tag-sync you created.
This allows Resource Groups to identify resources with the specified tag and add the `awsApplication` tag to those resources, including them in the myApplications application. Tag-sync keeps adding the `awsApplication` tag key to resources that receive the selected tag, so they become part of the application even after the myApplications application has been created.
You can also onboard tag-sync through AWS CLI. In the next section, we demonstrate how to use the AWS CLI to onboard an application with myApplications, create a tag-sync, and validate the tag-sync.
(Optional) Using tag-sync through AWS CLI
In this scenario, we’ll create an application, enable resource group lifecycle events, automate tag-synchronization (tag-sync), and stop the tag-sync for application resources using AWS CLI.
In this scenario, we will be using the same example used in the preceding step of an application with a tag key-value pair of Key = ecommerce and Value = search.
Note: For the purpose of this section, the region us-east-1 is configured as the default region in the user profile. To use a profile in AWS CLI, you need to configure a profile.
1. To create an application named ‘ecommerce’ with a brief description, use the following command (replace ‘ecommerce’ with the name of the application you want to create):
aws servicecatalog-appregistry create-application --name ecommerce --description "App created using CLI"
{
"application": {
"id": "07m8akl51w19wtirfx8zdo5jau",
"arn": "arn:aws:servicecatalog:us-east-1:XXXXXXXXXXX:/applications/07m8akl51w19wtirfx8zdo5jau",
"name": "ecommerce",
"description": "App created using CLI",
"creationTime": "2024-10-10T17:10:42.319000+00:00",
"lastUpdateTime": "2024-10-10T17:10:42.319000+00:00",
"tags": {},
"applicationTag": { "awsApplication": "arn:aws:resource-groups:us-east-1:XXXXXXXXXXX:group/ecommerce/07m8akl51w19wtirfx8zdo5jau"
}
}
}
Before proceeding to the next steps, capture the Amazon Resource Name (ARN) of the App Group, which is returned in the applicationTag value in the above create application call. This ARN will be useful while running the tag-sync.
2. To enable Group Lifecycle Events using the AWS CLI, use the following command:
aws resource-groups update-account-settings --group-lifecycle-events-desired-status ACTIVE
When you create tag-sync for the application “ecommerce”, you specify a tag key-value pair to sync to the application. The tag-sync then adds any resources tagged with `ecommerce:search` to the application by applying the `awsApplication` tag to those resources. After configuring tag-sync, it continuously manages the application resources, adding or removing resources as they are tagged or untagged with the specified key-value pair.
The tag-sync task uses the ‘AWSServiceRoleForResourceGroups’ role created earlier.
aws resource-groups start-tag-sync-task --group ecommerce/07m8akl51w19wtirfx8zdo5jau --tag-key ecommerce --tag-value search --role-arn arn:aws:iam::XXXXXXXXXXX:role/AWSServiceRoleForResourceGroups
{
"GroupArn": "arn:aws:resource-groups:us-east-1:XXXXXXXXXXX:group/ecommerce/07m8akl51w19wtirfx8zdo5jau",
"GroupName": "ecommerce/07m8akl51w19wtirfx8zdo5jau",
"TaskArn": "arn:aws:resource-groups:us-east-1:XXXXXXXXXXX:group/ecommerce/07m8akl51w19wtirfx8zdo5jau/tag-sync-task/0c7a1pdulygpwujm3gdya93v79",
"TagKey": "ecommerce",
"TagValue": "search",
"RoleArn": "arn:aws:iam::XXXXXXXXXXX:role/AWSServiceRoleForResourceGroups"
}
When tag-sync is active, if you tag a resource with the `ecommerce:search` tag, tag-sync adds that resource to the application by adding the `awsApplication` tag to it. Additionally, if you remove the `ecommerce:search` tag from a resource, the tag-sync removes the resource from the application by removing the `awsApplication` tag.
Let’s review the existing resources that have been added to the ecommerce application after the tag-sync started.
aws resource-groups list-group-resources --group-name ecommerce/07m8akl51w19wtirfx8zdo5jau
{
"ResourceIdentifiers": [
{
"ResourceArn": "arn:aws:ec2:us-east-1:XXXXXXXXXXX:instance/i-0b837a3fcc6d27de3",
"ResourceType": "AWS::EC2::Instance"
},
{
"ResourceArn": "arn:aws:ec2:us-east-1:XXXXXXXXXXX:instance/i-0e23909e98c676a0a",
"ResourceType": "AWS::EC2::Instance"
}
],
"Resources": [
{
"Identifier": {
"ResourceArn": "arn:aws:ec2:us-east-1:XXXXXXXXXXX:instance/i-0b837a3fcc6d27de3",
"ResourceType": "AWS::EC2::Instance"
}
},
{
"Identifier": {
"ResourceArn": "arn:aws:ec2:us-east-1:XXXXXXXXXXX:instance/i-0e23909e98c676a0a",
"ResourceType": "AWS::EC2::Instance"
}
}
]
}
3. Next, we will create an Amazon Simple Storage Service (Amazon S3) bucket named “ecommerce” and add “ecommerce:search” tag to the bucket.
aws s3api create-bucket --bucket ecommerce && aws s3api put-bucket-tagging --bucket ecommerce --tagging "TagSet=[{Key=ecommerce,Value=search}]"
Once the bucket creation is complete, we will observe the latest resources to confirm that the tag-sync has automatically added the new Amazon S3 bucket to the ecommerce application.
aws resource-groups list-group-resources --group-name ecommerce/07m8akl51w19wtirfx8zdo5jau
{
"ResourceIdentifiers": [
{
"ResourceArn": "arn:aws:ec2:us-east-1:XXXXXXXXXXX:instance/i-0b837a3fcc6d27de3",
"ResourceType": "AWS::EC2::Instance"
},
{
"ResourceArn": "arn:aws:s3:::ecommerce",
"ResourceType": "AWS::S3::Bucket"
},
{
"ResourceArn": "arn:aws:ec2:us-east-1:XXXXXXXXXXX:instance/i-0e23909e98c676a0a",
"ResourceType": "AWS::EC2::Instance"
}
],
"Resources": [
{
"Identifier": {
"ResourceArn": "arn:aws:ec2:us-east-1:XXXXXXXXXXX:instance/i-0b837a3fcc6d27de3",
"ResourceType": "AWS::EC2::Instance"
}
},
{
"Identifier": {
"ResourceArn": "arn:aws:s3:::ecommerce",
"ResourceType": "AWS::S3::Bucket"
}
},
{
"Identifier": {
"ResourceArn": "arn:aws:ec2:us-east-1:XXXXXXXXXXX:instance/i-0e23909e98c676a0a",
"ResourceType": "AWS::EC2::Instance"
}
}
]
}
4. To check the status of the tag-sync, use the following command:
aws resource-groups get-tag-sync-task --task-arn arn:aws:resource-groups:us-east-1:XXXXXXXXXXX:group/ecommerce/07m8akl51w19wtirfx8zdo5jau/tag-sync-task/06pih38ze1aqhx3x1syjw75kpv
{
"GroupArn": "arn:aws:resource-groups:us-east-1:XXXXXXXXXXX:group/ecommerce/07m8akl51w19wtirfx8zdo5jau",
"GroupName": "ecommerce/07m8akl51w19wtirfx8zdo5jau",
"TaskArn": "arn:aws:resource-groups:us-east-1:XXXXXXXXXXX:group/ecommerce/07m8akl51w19wtirfx8zdo5jau/tag-sync-task/06pih38ze1aqhx3x1syjw75kpv",
"TagKey": "ecommerce",
"TagValue": "search",
"RoleArn": "arn:aws:iam::XXXXXXXXXXX:role/AWSServiceRoleForResourceGroups",
"Status": "ACTIVE",
"CreatedAt": "2024-10-10T15:22:49.024000-04:00"
}
If you decide to stop using the tags referenced in the tag-sync task, remember to cancel the tag-sync before removing those old tags. If you remove the tags before cancelling the tag-sync, the resources will be removed from the application. To cancel the tag-sync, use the following command:
aws resource-groups cancel-tag-sync-task --task-arn arn:aws:resource-groups:us-east-1:XXXXXXXXXXX:group/ecommerce/07m8akl51w19wtirfx8zdo5jau/tag-sync-task/06pih38ze1aqhx3x1syjw75kpv
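As an added illustration that is not AWS code and not part of this post, the following Python models the tag-sync rule described in steps 2 to 4: it derives the `--group` value from the applicationTag ARN captured in step 1, applies the ecommerce:search rule to a constructed set of resources, and shows why cancelling the task before removing the old tag matters. The account id is a placeholder; the instance ids and bucket name are taken from the outputs above.

```python
# Constructed model of the tag-sync rule described above (not AWS code): resources
# tagged with the selected key-value pair gain the awsApplication tag, resources
# that lose it are ungrouped, and cancelling the task first freezes membership.
ACCOUNT = "123456789012"  # placeholder account id
APP_GROUP_ARN = (f"arn:aws:resource-groups:us-east-1:{ACCOUNT}:group/"
                 "ecommerce/07m8akl51w19wtirfx8zdo5jau")
SYNC_TAG = ("ecommerce", "search")


def group_name_from_arn(group_arn):
    """'...:group/ecommerce/<id>' -> 'ecommerce/<id>', the --group value for start-tag-sync-task."""
    _, sep, name = group_arn.partition(":group/")
    if not sep or not name:
        raise ValueError(f"not a Resource Groups group ARN: {group_arn}")
    return name


def reconcile(resources, group_arn, sync_tag, sync_active=True):
    """One tag-sync pass over {resource_arn: {tag_key: value}}; returns (added, removed)."""
    key, value = sync_tag
    added, removed = [], []
    if not sync_active:  # cancelled task: membership no longer changes
        return added, removed
    for arn, tags in resources.items():
        matches = tags.get(key) == value
        grouped = tags.get("awsApplication") == group_arn
        if matches and not grouped:
            tags["awsApplication"] = group_arn
            added.append(arn)
        elif grouped and not matches:
            del tags["awsApplication"]
            removed.append(arn)
    return added, removed


def demo():
    """Replay the post's scenario and return what each pass added or removed."""
    ec2 = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/"
    res = {ec2 + "i-0b837a3fcc6d27de3": {"ecommerce": "search"},
           ec2 + "i-0e23909e98c676a0a": {"ecommerce": "search"}}
    first, _ = reconcile(res, APP_GROUP_ARN, SYNC_TAG)          # step 2: both instances join
    res["arn:aws:s3:::ecommerce"] = {"ecommerce": "search"}     # step 3: newly tagged bucket
    second, _ = reconcile(res, APP_GROUP_ARN, SYNC_TAG)
    del res["arn:aws:s3:::ecommerce"]["ecommerce"]              # untag while sync is active...
    _, dropped = reconcile(res, APP_GROUP_ARN, SYNC_TAG)        # ...and the bucket is removed
    del res[first[0]]["ecommerce"]                              # untag after cancelling...
    _, kept = reconcile(res, APP_GROUP_ARN, SYNC_TAG, sync_active=False)  # ...nothing changes
    members = sorted(a for a, t in res.items() if t.get("awsApplication") == APP_GROUP_ARN)
    return first, second, dropped, kept, members
```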
Clean Up
myApplications on AWS is offered at no additional charge. However, usage charges for the underlying resources and services summarized in the myApplications dashboard still apply at the published rates for those resources. To clean up, you need to delete the application within myApplications. If you no longer need the IAM role, we recommend that you delete the role and its associated permissions.
Conclusion
In this post, we explained how to use existing tags to create and automatically add resources to your applications in myApplications. By leveraging your existing tags to automatically add resources, you can improve application management efficiency. This feature reduces manual effort, enhances visibility, and speeds up issue resolution, ultimately leading to improved operational performance.
Further Reading