Skip to main content
Back to Documentation

Tagging Strategies for Azure and OCI

Your starter guide to cloud visibility without the enterprise fluff

Blaze
Blaze says:Enforce tagging at deployment time, not after. A tag-or-deny policy that blocks untagged resource creation is worth more than any retroactive tagging cleanup project. Start with just four mandatory tags: environment, owner, cost-center, and project.

Table of Contents

Introduction

Think of cloud tags as sticky notes for your cloud stuff.
No tags = no clue where your money's going.

This guide is your kitchen-tested recipe for implementing cost-aware, sanity-saving tags in Azure and Oracle Cloud Infrastructure (OCI). Whether you're a small team or flying solo — you'll get the essentials, not enterprise bloat.

Why Tagging Matters

Without tags, cloud spend is like a mystery dinner. With them, you get:

Cost Clarity

Know exactly which project or team owns what.

Governance

Apply rules, manage lifecycles, and meet compliance.

Findability

Search, filter, and group resources with ease.

Automation Ready

Tags make auto-scheduling, cleanup, and scaling possible.

Real Talk: Your billing dashboard is only as smart as your tags.

Essential Tags for Every Resource

Don't go overboard. Start with the right 3–5 tags.

Tag KeyWhy It's UsefulExample
`Project`Who owns this?`WebsiteRedesign`
`Environment`Prod, dev, test?`Production`
`Owner`Accountability`alice@yourbiz.com`
`CostCenter`Track by team or department`Marketing`
`DeleteAfter`Great for temporary resources`2025-06-30`
Pro Tip

Just `Project` and `Environment` tags cover 80% of what you need for cost tracking.

Tagging Setup Checklist

Define your required tags (`Project`, `Environment`, `Owner`)
Create a naming convention (`kebab-case` or `PascalCase`)
Use tools/scripts to auto-apply tags (Terraform, CLI, etc.)
Enforce tags at creation where possible
Review tag consistency monthly

Tagging Automation Starter Tips

You don't need a DevOps degree. Try:

  • Azure: Use Azure Policy or tag inheritance via Resource Groups
  • OCI: Use Tag Defaults to auto-tag new resources
  • PowerShell or Python: Automate tagging for missing `Owner`, `CreatedDate`, etc.
  • Terraform Modules: Set default tags for every resource

Azure Tagging Implementation

Azure: Tagging Implementation

  • Use Azure Policy to require tags like `Environment`, `CostCenter`, `Owner`
  • Use Tag Inheritance to pass tags from Resource Groups
  • Use Azure CLI or PowerShell to apply/update tags in bulk

OCI Tagging Implementation

OCI: Tagging Implementation

  • Use Tag Namespaces to organize `FinOps`, `AppOwner`, etc.
  • Set Tag Defaults per compartment to auto-apply tags
  • Prefer Defined Tags over Free-form Tags for control

Tag Governance Made Simple

Keep your tag strategy from becoming tag soup:

Tag Policy Doc

List required tags, formats, owners

Tag Audits

Schedule regular checks for missing/outdated tags

Change Reviews

Avoid random tag chaos

Training

Teach everyone to tag like a boss

Iterate

Update as teams and tools change

Tagging Automation Examples

Use tagging scripts to auto-label existing resources. Examples included:

PowerShell script to backfill Azure tags

PowerShell
# Example PowerShell script to add Owner tag to all VMs
$vms = Get-AzVM
foreach ($vm in $vms) {
 if (-not $vm.Tags.ContainsKey('Owner')) {
 $creator = Get-AzLog -ResourceId $vm.Id -MaxRecord 1 | Where-Object {$_.OperationName.Value -eq 'Microsoft.Compute/virtualMachines/write'}
 if ($creator) {
 $ownerEmail = $creator.Caller
 Update-AzTag -ResourceId $vm.Id -Tag @{'Owner'=$ownerEmail} -Operation Merge
 }
 }
}

Python script to tag OCI instances

Python
# Example Python script to tag OCI instances from audit logs
import oci

# Initialize OCI clients
config = oci.config.from_file()
audit_client = oci.audit.AuditClient(config)
compute_client = oci.core.ComputeClient(config)
identity_client = oci.identity.IdentityClient(config)

# Get compartment ID
compartment_id = config["tenancy"]

# Get instances without CreatedDate tag
instances = compute_client.list_instances(compartment_id).data
for instance in instances:
 if"CreatedDate" not in instance.defined_tags.get("FinOps", {}):
 # Get creation event from audit logs
 events = audit_client.list_events(
 compartment_id=compartment_id,
 start_time=oci.audit.models.TimeRange(
 date_time_greater_than_or_equal_to=oci.util.date_time_utils.get_past_days(30)
 ),
 end_time=oci.util.date_time_utils.now()
 ).data
 
 # Find creation event
 for event in events:
 if event.resource_id == instance.id and"Create" in event.event_name:
 # Add CreatedDate tag
 defined_tags = instance.defined_tags
 if"FinOps" not in defined_tags:
 defined_tags["FinOps"] = {}
 defined_tags["FinOps"]["CreatedDate"] = event.event_time.strftime("%Y-%m-%d")
 
 # Update instance tags
 compute_client.update_instance(
 instance_id=instance.id,
 update_instance_details=oci.core.models.UpdateInstanceDetails(
 defined_tags=defined_tags
 )
 )
 break

Best Practices

Planning

  • Start small, expand later
  • Align with finance/reporting needs
  • Involve multiple stakeholders

Implementation

  • Tag at creation
  • Use inheritance & default values
  • Automate validation

Maintenance

  • Audit regularly
  • Clean up unused or outdated tags
  • Version your schema if needed

Reporting

  • Use tags in dashboards
  • Set up compliance reports
  • Share insights across teams

Common Challenges & Fixes

ProblemSolution
Inconsistent TagsUse Policy, Defaults & naming conventions
Old Untagged ResourcesRun scripts to retro-tag; prioritize high-cost ones
Too Many Tags (Tag Sprawl)Review tags quarterly; remove duplicates or irrelevant ones
Outdated/Incorrect Tag ValuesUse `ExpirationDate` to trigger regular tag reviews

Pro Tip

Start tagging like you're labeling leftovers:Simple. Obvious. With an expiration date.That's how you stop cost rot in the cloud.

Was this documentation helpful?

Have suggestions for improving this document? Contact us.