Tag Enforcement Policies

Tag enforcement policies apply standard tags (AWS/Azure) or labels (GCP) to cloud resources on a schedule, ensuring consistent metadata across all providers. Consistent tagging is the foundation of accurate cost allocation.


Why tag enforcement matters

Cost allocation in Reply CMP relies on tag-based rules: “assign resources tagged team=frontend to the Frontend group”. If resources are inconsistently tagged, those tag-based rules fail silently — costs appear in the Unallocated bucket. Running a periodic tag enforcement policy ensures every resource that should be tagged is tagged.


How it works

An Enforce Tags policy reads the target tag definitions configured on the policy and applies them to all in-scope resources at the scheduled time. Resources that already have the correct tags are left unchanged — no operation is performed on them.


Supported resource types

Azure — all resources supported by the Azure Resource Manager tag API (VMs, storage accounts, App Services, AKS clusters, databases, and more).

AWS — EC2 instances and EBS volumes, RDS, S3 buckets, Lambda functions, EKS clusters.

GCP (labels):

Note

GCP uses labels rather than tags. Tags on GCP are network/firewall constructs; labels are metadata key-value pairs. Reply CMP enforces labels on GCP resources.

Supported GCP resource types for label enforcement:

  • Compute Engine instances

  • Disks

  • Cloud SQL instances

  • Cloud Storage buckets

  • Pub/Sub topics

  • Cloud Run services

  • Cloud Functions

  • GKE clusters


Creating an Enforce Tags policy

  1. Navigate to Automation → Policies → “+ New Policy”

  2. Set Policy type = Enforce Tags

  3. Set Scope — select a Group, Environment, or Project from the Allocation hierarchy

  4. Define Tag rules — for each tag: key (e.g. environment) and value (e.g. dev). Multiple tag rules can be added per policy.

  5. Set the Schedule using the cron picker (see Create Automation Policies for schedule examples)

  6. Click Save



Execution results

After each run, each resource shows one of:

| Result | Meaning |
|---|---|
| Processed | Tag or label was applied successfully |
| Skipped | Resource already had the correct tag value |
| Failed | The enforcement failed — usually a permissions issue |

Warning

Failed results usually indicate that the service principal or cloud credentials used by Reply CMP do not have Tag Contributor (Azure), tagging permissions (AWS), or label update permissions (GCP) on those resources. Review the connection permissions in Tenant → Connections.
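
The skip-if-correct behaviour from How it works and the three result states above, modelled as an added example; this is not Reply CMP code. The rule set, the inventory and the `can_tag` flag are constructed, and overwriting a differing value is an assumption inferred from the Skipped definition.

```python
from collections import Counter

# Constructed rule set, as it would be entered under "Define Tag rules".
TAG_RULES = {"environment": "dev", "team": "frontend"}

# Constructed inventory. "can_tag" is a hypothetical flag standing in for
# whether the connection's credentials may write tags/labels on the resource.
INVENTORY = [
    {"id": "vm-01", "provider": "azure", "can_tag": True,
     "tags": {"environment": "dev", "team": "frontend"}},
    {"id": "i-0abc", "provider": "aws", "can_tag": True,
     "tags": {"environment": "prod"}},
    {"id": "bucket-logs", "provider": "gcp", "can_tag": False, "tags": {}},
    {"id": "disk-7", "provider": "gcp", "can_tag": True,
     "tags": {"team": "frontend"}},
]

def enforce(inventory, rules):
    """Model one scheduled run; returns (results, inventory_after).

    results maps resource id -> (status, delta), where delta holds the
    rule keys that were missing or carried a different value.
    """
    results, after = {}, []
    for res in inventory:
        delta = {k: v for k, v in rules.items() if res["tags"].get(k) != v}
        if not delta:
            status = "Skipped"      # already correct: no write issued
        elif not res["can_tag"]:
            status = "Failed"       # write denied: resource stays untagged
        else:
            status = "Processed"    # assumption: differing values are overwritten
        tags = {**res["tags"], **delta} if status == "Processed" else dict(res["tags"])
        after.append({**res, "tags": tags})
        results[res["id"]] = (status, delta)
    return results, after

def summary(results):
    """Count resources per result status."""
    return dict(Counter(status for status, _ in results.values()))

def still_failing(results):
    """Resource ids to check against the connection's permissions."""
    return sorted(rid for rid, (status, _) in results.items() if status == "Failed")

if __name__ == "__main__":
    first, inv = enforce(INVENTORY, TAG_RULES)
    second, _ = enforce(inv, TAG_RULES)
    print(summary(first), summary(second), still_failing(second))
```

On the second run every writable resource is Skipped and only the permission-denied one is still Failed. In this model the `environment=prod` instance is rewritten to `dev` because it sits inside the policy's scope.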