The Problem
Tag policies exist on paper. Coverage hovers between sixty and eighty percent. A weekly report names the worst offenders, but the cleanup is forever after the fact. Resources are created without tags, run for days or weeks, and are reattributed only when somebody notices a bill spike. Every other capital domain depends on attribution, and attribution depends on tagging, so the absence of an at-provisioning gate is the foundational control gap.
The Detection
If any production-account resource can be created today without the institution’s required tag set, the institution is below Best on this capability. If the institutional answer to a tag violation is a Slack reminder, the institution is below Reactive.
Practice Spectrum
Resources are provisioned with no tags. Cost cannot be attributed to a team, product, or environment. Every monthly review devolves into archaeology.
Tag policies exist on paper. Coverage is below seventy percent. Manual sweeps re-tag noisy offenders after the fact, often weeks later.
Tags are required at provisioning time for the top three resource types. Coverage is above ninety percent. A weekly report names tag-violation owners.
Policy-as-code blocks any non-compliant provisioning at the gate. Coverage is above ninety-eight percent. Reconciliation runs hourly against the institutional ownership graph.
No untagged resource can exist. Tag schema is published in UFMS, signed daily, and the institutional ownership graph is the canonical source of truth for every other domain.
The Outcome
A policy-as-code gate that blocks any non-compliant provisioning across all production accounts. Coverage above ninety-eight percent, with continuous reconciliation. Tag schema published in UFMS, signed daily, and treated as the canonical input for Score V2, Maturity, and the ownership graph.
Cost delta
Enables every other cost playbook (foundational)
Efficiency
+15 efficiency points (Score V2)
Value lift
+8 value points (Score V2)
Risk reduction
-26 risk points (Score V2)
Ship It
Step 01
Document the required tag set: cost_center, product_id, environment, owner_id, data_classification, and any institution-specific additions. Publish under UFMS as a versioned schema. Treat the schema as a controlled object with a change log.
    {
      "schema_version": "1.0.0",
      "required_tags": [
        "cost_center",
        "product_id",
        "environment",
        "owner_id",
        "data_classification"
      ],
      "valid_environments": ["prod", "stage", "dev", "sandbox"],
      "valid_data_classifications": ["public", "internal", "confidential", "restricted"]
    }

Step 02
Implement the tag policy in the institution’s preferred policy engine (OPA, Sentinel, or the cloud-native equivalent). The gate runs at provisioning time and rejects any non-compliant request. Treat the gate itself as code under review.
    package ifo4.tags

    # Keys every planned resource must carry; kept in step with the UFMS schema.
    required := {"cost_center", "product_id", "environment", "owner_id", "data_classification"}

    deny[msg] {
        some r
        resource := input.resource_changes[r]
        # Only gate changes that leave a resource in place: a pure destroy has
        # `after == null`, which would otherwise read as "every tag missing".
        resource.change.actions[_] != "delete"
        tag_keys := {k | resource.change.after.tags[k]}
        missing := required - tag_keys
        count(missing) > 0
        msg := sprintf("resource %v missing required tags: %v", [resource.address, missing])
    }

Step 03
Identify every path that can create a resource: Terraform pipelines, gcloud or aws-cli commands run from a controlled bastion, console clicks, and SDK calls. Each path must traverse the gate. Where a path cannot be gated (legacy console clicks), fence it off behind a break-glass procedure.
Step 04
For every resource, reconcile the owner_id tag against the institutional directory of record. Stale, missing, or invalid owner_id values trigger automatic reassignment to the resource creator and a paging event to the team lead.
Step 05
Each week, publish a one-page coverage report: tag coverage by account, top non-compliant teams, top non-compliant resource types, and the trend. The report is the input to the FinOps lead’s weekly review.
Step 06
At the close of each day, hash the active tag schema and the coverage roll-up, and sign with the institution’s Sigstore key. The aim is that any external verifier can independently confirm both the policy and the operating state of the policy on any given day.
Step 07
For genuine emergencies (incident response, regulatory audit access), document a break-glass procedure that allows an authorised actor to bypass the gate with a recorded justification, a recorded approver, and a forty-eight-hour cleanup deadline. Treat each invocation as a control event.
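The seven steps above describe one control loop: a schema, a gate that evaluates provisioning requests against it, owner reconciliation, a coverage roll-up, a daily digest to be signed, and a recorded break-glass path. The block below is an added example that ties those steps together in Python; it is not the playbook's own code and not the OPA bundle it ships. It assumes the request arrives in the `resource_changes` shape of `terraform show -json` (the same input the Rego policy reads), a directory of record modelled as a dict of `owner_id` values, a break-glass record with `ticket`, `approver`, `justification` and `cleanup_deadline` fields, and it stops at the SHA-256 digest, leaving the Sigstore signing of that digest to `cosign`. All sample data is constructed.

```python
import hashlib
import json

# Tag schema as published in Step 01.
SCHEMA = {
    "schema_version": "1.0.0",
    "required_tags": ["cost_center", "product_id", "environment",
                      "owner_id", "data_classification"],
    "valid_environments": ["prod", "stage", "dev", "sandbox"],
    "valid_data_classifications": ["public", "internal", "confidential", "restricted"],
}

# Constructed directory of record: owner_id -> principal (format is an assumption).
DIRECTORY = {"u-1001": "alice", "u-1002": "bob"}

# Constructed plan fragment in the shape of `terraform show -json` resource_changes.
PLAN = {"resource_changes": [
    {"address": "aws_instance.web", "change": {"actions": ["create"], "after": {"tags": {
        "cost_center": "cc-100", "product_id": "p-42", "environment": "prod",
        "owner_id": "u-1001", "data_classification": "internal"}}}},
    {"address": "aws_s3_bucket.logs", "change": {"actions": ["create"], "after": {"tags": {
        "cost_center": "cc-100", "environment": "production"}}}},
    {"address": "aws_lambda_function.etl", "change": {"actions": ["update"], "after": {"tags": {
        "cost_center": "cc-200", "product_id": "p-7", "environment": "dev",
        "owner_id": "u-9999", "data_classification": "public"}}}},
    {"address": "aws_sqs_queue.old", "change": {"actions": ["delete"], "after": None}},
]}


def evaluate_resource(resource, schema=SCHEMA, directory=DIRECTORY):
    """Return the violations for one planned change (Steps 01, 02 and 04)."""
    change = resource["change"]
    if change["actions"] == ["delete"]:
        return []                      # nothing is being provisioned; no `after` to inspect
    tags = (change.get("after") or {}).get("tags") or {}
    addr = resource["address"]
    violations = []
    missing = sorted(set(schema["required_tags"]) - set(tags))
    if missing:
        violations.append(f"{addr} missing required tags: {missing}")
    env = tags.get("environment")
    if env is not None and env not in schema["valid_environments"]:
        violations.append(f"{addr} invalid environment: {env!r}")
    dc = tags.get("data_classification")
    if dc is not None and dc not in schema["valid_data_classifications"]:
        violations.append(f"{addr} invalid data_classification: {dc!r}")
    owner = tags.get("owner_id")
    if owner is not None and owner not in directory:
        violations.append(f"{addr} owner_id {owner!r} not in directory of record")
    return violations


def gate(plan, break_glass=None, schema=SCHEMA, directory=DIRECTORY):
    """Provisioning gate. Returns (allowed, violations, control_event).

    A complete break-glass record (assumed fields: ticket, approver, justification,
    cleanup_deadline) lets a non-compliant request through, but the violations are
    returned as a control event rather than silently dropped (Step 07)."""
    violations = [v for r in plan["resource_changes"]
                  for v in evaluate_resource(r, schema, directory)]
    if not violations:
        return True, [], None
    needed = {"ticket", "approver", "justification", "cleanup_deadline"}
    if break_glass and needed <= set(break_glass):
        event = {"type": "break_glass", "violations": violations, **break_glass}
        return True, violations, event
    return False, violations, None


def coverage_rollup(plan, schema=SCHEMA):
    """Step 05 roll-up: share of provisioned resources carrying every required tag."""
    required = set(schema["required_tags"])
    total = compliant = 0
    for r in plan["resource_changes"]:
        if r["change"]["actions"] == ["delete"]:
            continue
        total += 1
        tags = (r["change"].get("after") or {}).get("tags") or {}
        if required <= set(tags):
            compliant += 1
    pct = round(100.0 * compliant / total, 1) if total else 0.0
    return {"total": total, "compliant": compliant, "coverage_pct": pct}


def daily_digest(schema, rollup, day):
    """Step 06: canonical SHA-256 over the active schema plus the day's roll-up.
    Canonical JSON (sorted keys, no whitespace) makes the digest reproducible by an
    external verifier; the hex digest is what would be handed to `cosign sign-blob`."""
    payload = json.dumps({"day": day, "schema": schema, "coverage": rollup},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    allowed, found, event = gate(PLAN)
    print("allowed:", allowed)
    for v in found:
        print(" -", v)
    rollup = coverage_rollup(PLAN)
    print(rollup, daily_digest(SCHEMA, rollup, "YYYY-MM-DD"))  # placeholder day
```

Run as a script, the gate rejects the sample plan on three counts (a bucket missing three required keys and carrying an unknown environment value, and a function whose owner_id is not in the directory), the destroy is ignored rather than mis-reported, and the roll-up reports two of three provisioned resources compliant. Recomputing the digest from the published schema and roll-up gives a verifier the same value the signature covers.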
The Templates
json
Template
ufms-tag-schema.json
Reference JSON schema for the institutional tag set, with version metadata and validation rules.
Download ↓

tf
Template
opa-tag-policy.tar.gz
Open Policy Agent rego bundle implementing the tag enforcement policy, suitable for Terraform validation pipelines.
Download ↓

md
Template
break-glass-procedure.md
Markdown template documenting the break-glass procedure, with named approver roles and cleanup deadlines.
Download ↓

The Evidence
Published UFMS tag schema
Schema document committed to a versioned repository with named schema owner.
Policy-as-code repository
Repository containing the active policy with a recent green CI run and change history.
Four consecutive weekly coverage reports
Coverage trend showing above-ninety-percent coverage across all production accounts.
Daily signature trail
Thirty consecutive days of signed schema and coverage snapshots.
The Impact
Adopters
The cohort sample is below the publish threshold (N<5). When we have at least five completions, this panel will surface the median score lift, median cost savings, and median time to complete from the IFO4 impact API.
Pair this with
AI Compute · Best
AI inference invoices arrive as a single consolidated charge per provider per month.
Open →

SaaS · Best
SaaS subscriptions accumulate quietly through expense cards, individual purchase orders, and shadow IT.
Open →

Technology · Elite
Reservations and savings plans are purchased once a year, on a calendar reminder, by whoever has the access at the time.
Open →

Begin the playbook
Start the playbook, simulate the impact first, or take it to the community. Every move is logged.