TerraAlto setup centralized and automated validation of complex tagging strategy requirements using AWS Config, Lambda and Python. Royal FrieslandCampina (RFC) is one of the world’s largest dairy companies.
About the Customer
Royal FrieslandCampina (RFC) is one of the world’s largest dairy companies with approximately $12.8 billion in annual revenue. The Dutch company produces and sells dairy-based beverages, cheeses, desserts, and infant and sports nutrition products across Europe, Asia, Africa and the Americas.
RFC have an ongoing requirement to ensure compliance of resource tagging across multiple AWS accounts with agreed global tagging strategy. To ensure compliance, they needed to be able to report on resources that did not meet these standards.
RFC as a company began their cloud journey on AWS in 2015 and it is has become their primary platform.
Why RFC Chose TerraAlto
RFC have been engaged with TerraAlto as their primary AWS partner since 2015 and work closely with on many AWS related projects included data platform initiatives.
Partner (TerraAlto) Solution
AWS Config seemed like a logical candidate for thus use case, as AWS Config has rules for checking resources have a set of mandatory tags and optionally a list of valid values for these tags.
However our requirements were more complex than this out of the box solution. We needed to be able to validate combinations of different tags and values against a predefined cross matching list provided by RFC. The existing AWS Config option would be triggered by resource changes or creation, while we need to be able to check all existing resources on demand.
Fortunately AWS Config allows you to customise rules. This allows you to define AWS Lambda functions that AWS Config can call to implement validation logic. We were able to create custom functions to validate tagging against our more complex tagging requirements.
AWS Config rules can be defined per resource type, and almost all resources are supported with some exceptions. We have different tagging requirements depending on the resource type, we were able to set up different rules for each of these cases.
Firstly AWS Config needs to be enabled in each account and region where you plan to implement rules. We wanted our rules to be triggered by resource creation, resource change and on a schedule, to do this we specify multiple event sources for the rule/s. We incorporate the input parameters for the AWS Lambda Function in the AWS Config rule.
We used AWS CloudFormation Stacksets to deploy the AWS Config Rules to the multiple accounts and regions required. We used AWS Config Aggregator in the ‘master’ AWS account and region, and AWS Config Authorizations to gather all the information into one report. In this way you can view all compliance status for all in one dashboard. Python Boto3 also provides API access to Aggregators so that you can create custom reports.
Results and Benefits
TerraAlto has been able to provide:
- Centralised and automated validation of complex tagging strategy.
- Centralised reporting and dash-boarding of compliance status.