ClaudeWave
Skill, 374 repo stars, updated 6 months ago

resource-tagging

The resource-tagging Claude Code skill provides templates and guidance for implementing cloud resource tagging strategies across AWS, Azure, GCP, and Kubernetes environments. Use it when establishing cloud governance frameworks, implementing FinOps practices for cost allocation, enforcing compliance policies, automating resource lifecycle management, or tracking ownership and accountability across multi-cloud infrastructure deployments.

Install in Claude Code
git clone --depth 1 https://github.com/ancoleman/ai-design-components /tmp/resource-tagging && cp -r /tmp/resource-tagging/skills/resource-tagging ~/.claude/skills/resource-tagging
Then start a new Claude Code session; the skill loads automatically.

SKILL.md

# Resource Tagging

Apply comprehensive cloud resource tagging strategies to enable cost allocation, ownership tracking, compliance enforcement, and infrastructure automation across multi-cloud environments.

## Purpose

Resource tagging provides the foundational metadata layer for cloud governance. Tags enable precise cost allocation (the main lever against unallocated spend), rapid ownership identification, compliance scope definition, and automated lifecycle management. Without consistent tagging, cloud costs cannot be attributed to anyone, a security incident has no owner to page and no blast radius to scope, and automation policies cannot target resources reliably.

## When to Use

Use resource tagging when:

- Implementing cloud governance frameworks for cost allocation and accountability
- Building FinOps practices requiring spend visibility by team, project, or department
- Enforcing compliance requirements (PCI, HIPAA, SOC2) through automated policies
- Setting up automated resource lifecycle management (backup, monitoring, shutdown)
- Managing multi-tenant or multi-project cloud environments
- Implementing disaster recovery and backup policies based on criticality
- Tracking resource ownership for security incident response
- Optimizing cloud costs through spend analysis and showback/chargeback

## Minimum Viable Tagging Strategy

Start with the **"Big Six"** required tags for all cloud resources:

| Tag | Purpose | Example Value |
|-----|---------|---------------|
| **Name** | Human-readable identifier | `prod-api-server-01` |
| **Environment** | Lifecycle stage | `prod` \| `staging` \| `dev` |
| **Owner** | Responsible team contact | `platform-team@company.com` |
| **CostCenter** | Finance code for billing | `CC-1234` |
| **Project** | Business initiative | `ecommerce-platform` |
| **ManagedBy** | Resource creation method | `terraform` \| `pulumi` \| `manual` |

**Optional tags** to add based on specific needs:

- **Application**: Multi-app projects requiring app-level isolation
- **Component**: Resource role (`web`, `api`, `database`, `cache`)
- **Backup**: Backup policy (`daily`, `weekly`, `none`)
- **Compliance**: Regulatory scope (`PCI`, `HIPAA`, `SOC2`)
- **SLA**: Service level (`critical`, `high`, `medium`, `low`)

## Tag Naming Conventions

Choose ONE naming convention organization-wide and enforce consistently:

| Convention | Example keys | Used by | Best for |
|------------|--------------|---------|----------|
| **PascalCase** | `CostCenter`, `ProjectName` | AWS conventions | AWS-first orgs |
| **lowercase** | `costcenter`, `project` | GCP labels (required; `_` and `-` are the only separators allowed) | GCP-first orgs |
| **kebab-case** | `cost-center`, `project-name` | Azure (tag names are case-insensitive) | Azure-first orgs |
| **Namespaced** | `company:environment`, `team:owner` | AWS Organizations tag policies; Kubernetes uses a `prefix/name` form instead of `:` | Large enterprises |

**Critical:** Case sensitivity varies by provider, and a key that differs only in case silently fails every policy, cost report and automation filter that looks for the canonical spelling:
- **AWS**: Keys and values are case-sensitive (`Environment` ≠ `environment`)
- **Azure**: Tag names are case-insensitive (`Environment` = `environment`); tag values are case-sensitive
- **GCP**: Label keys must be lowercase letters, digits, `_` or `-`, starting with a letter (`environment` only)
- **Kubernetes**: Label keys and values are case-sensitive (`environment` ≠ `Environment`)

## Tag Categories

For detailed taxonomy of all tag categories, see `references/tag-taxonomy.md`.

### Technical Tags
Operations-focused metadata: Name, Environment, Version, ManagedBy

### Business Tags
Cost allocation metadata: Owner, CostCenter, Project, Department

### Security Tags
Compliance metadata: Confidentiality, Compliance, DataClassification, SecurityZone

### Automation Tags
Lifecycle metadata: Backup, Monitoring, Schedule, AutoShutdown

### Operational Tags
Support metadata: SLA, ChangeManagement, CreatedBy, CreatedDate

### Custom Tags
Organization-specific metadata: Customer, Application, Component, Stack

## Cloud Provider Tag Limits

| Provider | Tag Limit | Key Length | Value Length | Key Case | Inheritance |
|----------|-----------|------------|--------------|----------|-------------|
| **AWS** | 50 user-defined per resource | 128 chars | 256 chars | Case-sensitive | None native; AWS Organizations tag policies standardize keys and values but do not copy tags down the hierarchy |
| **Azure** | 50 name/value pairs per resource (tag names limited to 128 chars on storage accounts) | 512 chars | 256 chars | Names case-insensitive, values case-sensitive | Azure Policy (`modify` effect) can copy tags from the resource group or subscription |
| **GCP** | 64 labels per resource | 63 chars | 63 chars | Lowercase only | Labels do not inherit; GCP Tags (a separate resource-hierarchy feature) do |
| **Kubernetes** | No fixed count (bounded by object size) | 253-char prefix + `/` + 63-char name | 63 chars | Case-sensitive | None; controllers copy the Pod template's labels onto the Pods they create |
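The case rules in the naming section, the limits in this table, and the weekly audit the Tag Enforcement Patterns section asks for, combined into one offline checker. This is an added example for this page, not code from the resource-tagging skill: the provider limits restate the table above, while the inventory, the resource IDs and the Kubernetes label prefix `governance.example.com/` are constructed assumptions.

```python
"""Audit a multi-cloud inventory against the Big Six tag policy and each
provider's key rules. Added example for this page, not code from the
resource-tagging skill. The inventory and the Kubernetes label prefix are
constructed assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

REQUIRED_TAGS = ("Name", "Environment", "Owner", "CostCenter", "Project", "ManagedBy")
K8S_PREFIX = "governance.example.com/"  # hypothetical label prefix (assumption)


@dataclass(frozen=True)
class Limits:
    max_tags: int | None     # None: no fixed count limit (Kubernetes)
    max_key: int
    max_value: int
    case_sensitive: bool     # whether key matching is case-sensitive
    key_pattern: re.Pattern  # syntax the provider accepts for a key


LIMITS = {
    # AWS: keys may not start with the reserved "aws:" prefix.
    "aws": Limits(50, 128, 256, True, re.compile(r"^(?!aws:)[\w .:/=+\-@]+$")),
    # Azure: tag names are case-insensitive; < > % & \ ? / are not allowed.
    "azure": Limits(50, 512, 256, False, re.compile(r"^[^<>%&\\?/]+$")),
    # GCP: label keys start with a lowercase letter; lowercase, digits, _ and - only.
    "gcp": Limits(64, 63, 63, True, re.compile(r"^[a-z][a-z0-9_\-]*$")),
    # Kubernetes: optional DNS-subdomain prefix (<=253) + "/" + name (<=63, alnum at both ends).
    "kubernetes": Limits(None, 253 + 1 + 63, 63, True, re.compile(
        r"^([a-z0-9]([a-z0-9.\-]{0,251}[a-z0-9])?/)?"
        r"[A-Za-z0-9]([A-Za-z0-9_.\-]{0,61}[A-Za-z0-9])?$")),
}


def provider_key(canonical: str, provider: str) -> str:
    """Map a PascalCase policy key to the provider's naming convention."""
    words = [w.lower() for w in re.findall(r"[A-Z][a-z0-9]*|[a-z0-9]+", canonical)]
    if provider == "gcp":
        return "_".join(words)               # CostCenter -> cost_center
    if provider == "kubernetes":
        return K8S_PREFIX + "-".join(words)  # CostCenter -> governance.example.com/cost-center
    return canonical                         # AWS and Azure keep PascalCase


def audit(provider: str, tags: dict[str, str]) -> list[str]:
    """Return the policy findings for one resource (empty list = compliant)."""
    lim = LIMITS[provider]
    findings: list[str] = []
    if lim.max_tags is not None and len(tags) > lim.max_tags:
        findings.append(f"{len(tags)} tags exceeds the limit of {lim.max_tags}")
    fold = (lambda k: k) if lim.case_sensitive else str.lower
    present = {fold(k) for k in tags}
    for canonical in REQUIRED_TAGS:
        want = provider_key(canonical, provider)
        if fold(want) in present:
            continue
        # A key differing only in case is the classic AWS/Kubernetes mistake: it
        # looks tagged in the console, but no policy or cost report matches it.
        variants = [k for k in tags if k.lower() == want.lower()]
        if variants:
            findings.append(f"missing required tag {want} (case variant {variants[0]!r} "
                            f"present; {provider} keys are case-sensitive)")
        else:
            findings.append(f"missing required tag {want}")
    for key, value in tags.items():
        if len(key) > lim.max_key:
            findings.append(f"key {key!r} longer than {lim.max_key} chars")
        if len(value) > lim.max_value:
            findings.append(f"value of {key!r} longer than {lim.max_value} chars")
        if not lim.key_pattern.match(key):
            findings.append(f"key {key!r} is not a valid {provider} key")
    return findings


# Constructed inventory for the example: one resource per provider.
SAMPLE_INVENTORY = [
    {"provider": "aws", "id": "i-0abc12345", "tags": {
        "Name": "prod-api-server-01", "environment": "prod", "Owner": "platform-team@company.com",
        "CostCenter": "CC-1234", "Project": "ecommerce-platform", "ManagedBy": "terraform"}},
    {"provider": "azure", "id": "vm-web-01", "tags": {
        "name": "vm-web-01", "ENVIRONMENT": "staging", "owner": "web@company.com",
        "costcenter": "CC-2200", "project": "portal", "managedby": "pulumi"}},
    {"provider": "gcp", "id": "gke-node-1", "tags": {
        "name": "gke-node-1", "environment": "dev", "owner": "data-team",
        "CostCenter": "CC-9", "project": "analytics", "managed_by": "manual"}},
    {"provider": "kubernetes", "id": "deploy/checkout", "tags": {"app": "checkout"}},
]


def audit_inventory(inventory: list[dict]) -> dict[str, list[str]]:
    """Findings per resource id, the shape a weekly audit report would consume."""
    return {r["id"]: audit(r["provider"], r["tags"]) for r in inventory}


if __name__ == "__main__":
    for rid, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(rid, "OK" if not findings else findings)
```

Running it reports the AWS instance as non-compliant because `environment` is not `Environment`, passes the Azure VM whose keys differ only in case, flags the GCP node both for the missing `cost_center` and for `CostCenter` being an illegal label key, and lists all six missing prefixed labels on the Deployment. The same `LIMITS` table is what an IaC pre-commit hook should validate against before the cloud API rejects the key with a far less helpful error.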

## Tag Enforcement Patterns

### Infrastructure as Code (Recommended)

Apply tags automatically via Terraform/Pulumi so every resource a module creates is tagged without anyone having to remember to do it:

```hcl
# Terraform: Provider-level default tags
provider "aws" {
  default_tags {
    tags = {
      Environment = var.environment
      Owner       = var.owner
      CostCenter  = var.cost_center
      Project     = var.project
      ManagedBy   = "terraform"
    }
  }
}
```

All resources the provider manages inherit these tags; resource-level `tags` merge with the defaults, and a resource-level key wins on conflict. `default_tags` does not reach resources created indirectly (an `aws_autoscaling_group` needs explicit `tag` blocks with `propagate_at_launch = true` for the instances it launches), so keep a downstream policy check even when everything is IaC.

For complete Terraform, Pulumi, and CloudFormation examples, see `examples/terraform/`, `examples/pulumi/`, and `examples/cloudformation/`.

### Policy-Based Enforcement

Enforce at creation time where the platform can deny, and detect drift afterwards:

**AWS**: An SCP or IAM policy with `aws:RequestTag` / `aws:TagKeys` conditions denies creating resources without the required tags; AWS Config (the `required-tags` managed rule) detects non-compliant resources afterwards but cannot block creation
**Azure**: Azure Policy with `deny`, `append` or `modify` effects enforces or inherits tags at deployment time
**GCP**: Custom organization policy constraints can require labels on services that expose them; Cloud Asset Inventory queries catch the rest after the fact
**Kubernetes**: OPA Gatekeeper or Kyverno validating admission policies reject objects missing required labels

For enforcement implementation patterns, see `references/enforcement-patterns.md`.
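Admission control for the Kubernetes case, as an added example rather than code from the skill (in practice Gatekeeper expresses this as a Rego ConstraintTemplate and Kyverno as a YAML ClusterPolicy): the decision logic a validating webhook runs over an AdmissionReview, rejecting workloads whose object labels or Pod-template labels lack the required keys. The label keys, the exempt namespaces and the sample review are assumptions constructed for the example.

```python
"""Decision logic for a Kubernetes validating admission webhook that rejects
workloads missing required labels. Added example for this page, not code from
the resource-tagging skill. Label keys, exempt namespaces and the sample
AdmissionReview are constructed assumptions."""
from __future__ import annotations

# Hypothetical organisation prefix; Kubernetes label keys are case-sensitive.
REQUIRED_LABELS = (
    "governance.example.com/environment",
    "governance.example.com/owner",
    "governance.example.com/cost-center",
)
EXEMPT_NAMESPACES = {"kube-system", "kube-public"}  # assumption: cluster add-ons are exempt
POD_TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob"}


def missing_labels(labels: dict[str, str] | None) -> list[str]:
    """Required keys that are absent or empty (an empty value is as useless as no tag)."""
    labels = labels or {}
    return [k for k in REQUIRED_LABELS if not labels.get(k)]


def review(admission_review: dict) -> dict:
    """Return the AdmissionReview response (admission.k8s.io/v1) for one request."""
    req = admission_review["request"]
    obj = req.get("object") or {}
    kind = req.get("kind", {}).get("kind", "")
    problems: list[str] = []

    if req.get("namespace") not in EXEMPT_NAMESPACES and req.get("operation") in ("CREATE", "UPDATE"):
        for k in missing_labels(obj.get("metadata", {}).get("labels")):
            problems.append(f"metadata.labels is missing {k}")
        # Cost and ownership tooling attributes by Pod labels, so the template must carry them too.
        if kind in POD_TEMPLATE_KINDS:
            spec = obj.get("spec", {})
            if kind == "CronJob":
                spec = spec.get("jobTemplate", {}).get("spec", {})
            for k in missing_labels(spec.get("template", {}).get("metadata", {}).get("labels")):
                problems.append(f"spec.template.metadata.labels is missing {k}")

    response: dict = {"uid": req["uid"], "allowed": not problems}
    if problems:
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def sample_review(labels: dict[str, str], namespace: str = "checkout") -> dict:
    """Constructed AdmissionReview for a Deployment whose object and template carry `labels`."""
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": "b2c9d1e4-0000-4000-8000-000000000001",  # constructed
            "kind": {"group": "apps", "version": "v1", "kind": "Deployment"},
            "namespace": namespace,
            "operation": "CREATE",
            "object": {
                "apiVersion": "apps/v1", "kind": "Deployment",
                "metadata": {"name": "checkout", "namespace": namespace, "labels": labels},
                "spec": {"template": {"metadata": {"labels": labels}}},
            },
        },
    }


COMPLIANT = {
    "governance.example.com/environment": "prod",
    "governance.example.com/owner": "payments-team",
    "governance.example.com/cost-center": "CC-1234",
}

if __name__ == "__main__":
    print(review(sample_review(COMPLIANT))["response"])
    print(review(sample_review({"app": "checkout"}))["response"])
```

Wire `review` behind an HTTPS handler registered in a `ValidatingWebhookConfiguration` with `failurePolicy: Fail`; with `Ignore`, an outage of the webhook silently reopens the gap the policy was meant to close. Checking the Pod template as well as the object is what keeps the label on the Pods that cost allocation actually sees.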

### Tag Compliance Auditing

Run regular audits (weekly recommended) to find resources that escaped enforcement. All three queries below are detective controls, so pair them with the deny rules above rather than relying on them alone.

**AWS Config advanced query** (SQL). Tags live on the top-level `tags` list of a configuration item, not under `configuration`; for an authoritative per-resource verdict use the `required-tags` managed rule instead:
```sql
SELECT resourceId, resourceType, tags
WHERE resourceType IN ('AWS::EC2::Instance', 'AWS::RDS::DBInstance')
  AND NOT tags.key = 'Environment'
```

**Azure Resource Graph query** (KQL). Property access on the `tags` bag is case-sensitive even though Azure tag names are not, so a VM tagged `environment` shows up here as untagged; normalize key case at tagging time or compare `bag_keys(tags)` lower-cased:
```kusto
Resources
| where type in~ ('microsoft.compute/virtualmachines')
// tags['Environment'] does not match a tag named 'environment'
| where isnull(tags['Environment']) or isnull(tags['Owner'])
| project name, type, resourceGroup, tags
```

**GCP Cloud Asset Inventory**. `labels.<key>:*` matches resources that carry that label key; the scope defaults to the configured project, so pass `--scope=organizations/<ORG_ID>` to audit the whole organization:
```bash
gcloud asset search-all-resources \
  --query="NOT labels.environment:* OR NOT labels.owner:*" \
  --format="table(name, assetType, labels)"
```