# help
w
👋 Hey everyone, how do you currently communicate and enforce required FinOps tag keys/values to engineers? Is anyone using things like Open Policy Agent for this?
g
Looking at combination of OPA and Cloud Custodian to do that, but nothing deployed yet.
(If we paid for Terraform Enterprise we would likely use Sentinel over OPA though)
w
Nice! I was chatting with another Infracost user who does it this way, in case it helps. How do you measure if the policy is working? By checking the total cost of un-tagged resources in Cost Explorer?
g
Yes, we are still in the initial phases with that work and have not yet turned on enforcement of the tagging policy, but that is an end goal. Realistically that will likely be environment specific, so only used in higher environments and not sandbox and dev accounts, which are where most costs come from though, so it's a challenge.
i
We use a combination of Terraform variable validation, Checkov, and AWS SCPs (service control policies). Our devs write the Terraform themselves and don't have access to create resources in the AWS console, so variable validation is a good way to enforce the tags, and on PR builds they get errors if they miss tags. That is uncommon though, as they use code gen tools we wrote to scaffold code based on the modules our cloud team manages, and we have a standard folder structure that waterfalls tags in based on the directory structure, so teams can just use a local value (`local.common_info["aws"]["tags"]`) and it populates everything they need.