In this demo, we show how to create a set of virtual tags in Vantage. We’ll create a script that uses the Vantage Terraform provider. This script will automate the process of creating cross-provider tags for a set of teams. Organizations that use Infrastructure as Code and want to create a better culture of showback can use this script to easily set up multiple cross-provider tag keys and values via Terraform.

Virtual Tagging and Showback

According to the FinOps Foundation, showback “creates a structure in which actual consumption of IT services is shown to business units, while the spend is being charged to a different business unit.” Therefore, a team or business unit may not be the ones footing the bill, but they are given a picture of how much they contribute to overall costs. Virtual tags enhance the practice of showback by providing a consistent and accurate way to tag and track cloud costs across multiple providers. You can use a third-party tool, like Vantage, to create these virtual tags, combining costs from multiple providers into one tag. For example, if you have AWS resources tagged by a specific team and costs in Azure also tagged by the same team, you can create external virtual tags that combine both sets of costs into one. Then, you can easily group by this tag within a report to show each team’s cost share.

The Scenario: Virtual Tags for Teams

You currently tag AWS and Kubernetes resources with tags that identify owners by team. To more easily show back each team’s share of costs in reporting, you decide to create a group of virtual tags that combine the AWS and Kubernetes costs into one tag value for each team. You will use the Vantage Terraform provider to easily automate this process for hundreds of team tags.

Prerequisites: Terraform and Vantage

This tutorial assumes you have intermediate knowledge of Terraform. You should know how to create a basic configuration, have a basic understanding of for loops, and have an understanding of how to use variables.

For Vantage, you’ll need an active account and at least one provider integration. You’ll also need a Vantage API token with READ and WRITE scopes enabled.

Automate Cost Allocation Tags

All demo files are also included in the FinOps as Code demo repo.

To begin, create a new project directory and move to it.

mkdir terraform-tags && cd terraform-tags

Create a Terraform configuration file and call it tags-vantage.tf. Create providers.tf to store the provider configuration.

touch tags-vantage.tf
touch providers.tf

You’ll also need to store the Vantage API token. You can export this token as an environment variable.

export VANTAGE_API_TOKEN=<YOUR_VANTAGE_API_TOKEN>

Step 1: Initialize the Provider Configuration

Open providers.tf and add the following block that initializes the Vantage provider. You do not need to set any additional configuration options since you already exported the Vantage API token.

terraform {
  required_providers {
    vantage = {
      source = "vantage-sh/vantage"
    }
  }
}

Save and run the init command to initialize the configuration and download the latest provider for Vantage.

terraform init

Step 2: Create Local Variables for Teams

As your organization’s FinOps champion, you already know the names of each team, which are also used for tagging purposes. These names are currently stored in a single-column CSV file, which you can decode and iterate over in your configuration. For this demo, we’ll create a local variable that holds the CSV content and another that decodes it; however, this file would most likely be in an external location. We’ll include five team names, but this configuration is scalable and can easily iterate over a file with hundreds of values.

See the Terraform documentation for more information on working with CSV files.

Open tags-vantage.tf and create the following local variables.

locals {
  team_csv_content = <<-CSV
    teams
    integrations
    security
    ingestion
    analytics
    core
  CSV

  all_teams = csvdecode(local.team_csv_content)
}

Step 3: Create the Virtual Tag Resource

Next, create your virtual tags using the vantage_virtual_tag_config Terraform resource. This resource block will iterate over the local all_teams variable to create one tag key that has multiple associated tag values, each with its own filter.

resource "vantage_virtual_tag_config" "team_tag" {
  key            = "team_virtual_tag"
  backfill_until = "2024-01-01"
  overridable    = false

  values = [
    for t in local.all_teams : {
      name   = t.teams
      filter = <<-FILTER
        (costs.provider = 'aws' AND
          (tags.name = 'team' AND tags.value = '${t.teams}')) OR
        (costs.provider = 'kubernetes' AND
          (tags.name = 'organization/team' AND tags.value = '${t.teams}'))
      FILTER
    }
  ]
}

The attributes in the above block do the following:

  • key: This is the tag key’s name.
  • backfill_until: Specifies the earliest date to which the virtual tag is backfilled. In this case, the backfill goes back to January 1, 2024.
  • overridable: Indicates whether this tag overrides other existing tags with the same filter criteria. Here, we specify false.
  • values: The set of tag values.
    • The for loop iterates over each element in the all_teams local variable.
    • Within the loop, name = t.teams sets the name of the tag value to the value of the teams column from the current team (t) in the loop.
    • The filter defines a cost filter, using Vantage Query Language (VQL), to specify matching costs for the virtual tag. It uses the value of t.teams to create a condition that matches costs from the AWS provider, where the tag name in AWS is team and the tag value is the current team name. Additional criteria are also defined for matching Kubernetes costs (i.e., grouping name of organization/team and the corresponding value). Costs for either condition are matched.
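The filter places each CSV value between single quotes in the VQL string, so a team name that contains a quote or a space, or that appears twice in the file, produces a filter or tag value you did not intend. The guard below is an added example, not part of the original demo or of the Vantage provider; the naming pattern, the local names, and the sample rows are assumptions, and it needs Terraform 1.2 or later for precondition blocks in outputs.

```hcl
locals {
  # Constructed sample rows; in the demo config, iterate over local.all_teams instead.
  sample_csv = <<-CSV
    teams
    integrations
    security
    Core Team
    o'brien
    security
  CSV

  sample_teams = [for row in csvdecode(local.sample_csv) : row.teams]

  # Assumed naming policy: lowercase letters, digits, and hyphens, 1 to 63 characters.
  team_pattern = "^[a-z0-9][a-z0-9-]{0,62}$"

  # Names that fall outside the policy and must not reach the quoted VQL literal.
  invalid_teams = [
    for name in local.sample_teams : name
    if !can(regex(local.team_pattern, name))
  ]

  # Names listed more than once, which would yield two identical values under one key.
  duplicate_teams = distinct([
    for name in local.sample_teams : name
    if length([for other in local.sample_teams : other if other == name]) > 1
  ])
}

# A failed precondition stops terraform plan before any tag is created or changed.
output "validated_teams" {
  value = local.sample_teams

  precondition {
    condition     = length(local.invalid_teams) == 0
    error_message = "Team names outside the allowed pattern: ${join(", ", local.invalid_teams)}"
  }

  precondition {
    condition     = length(local.duplicate_teams) == 0
    error_message = "Duplicate team names: ${join(", ", local.duplicate_teams)}"
  }
}
```

The same two precondition blocks can instead sit in a lifecycle block on the vantage_virtual_tag_config resource, so the check travels with the resource.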

Step 4: Apply the Configuration

Save your configuration and deploy it with the plan and apply commands:

terraform plan
terraform apply

In Vantage, you should see that a new virtual tag, with corresponding values for each team, has been created.

Virtual Tags screen with new virtual tags from the script

If you create a new Vantage Cost Report and group by this new virtual tag, costs for each team are displayed as one line item within the report.

Vantage Cost Report grouped by the new team virtual tag

These new tags help you show back the total costs attributed to each team, because costs across providers are combined into one line item.

Next Steps

Congratulations—you just created a set of virtual tags to help your organization streamline its showback strategy. Check out our other FinOps as Code demos for other ways to automate your FinOps practice.