Infrastructure Labels and Tags
Quick Reference
We use the denomas_ prefix for all labels and tags. All keys use underscores (snake_case). All values should use hyphens (alpha-dash for slug’d values), however underscores are allowed.
In labels and tags for specific realms should be prefixed with the realm prefix. You can learn more about the realm variables in the respective realm’s documentation.
Global Labels/Tags
| Slug/Label/Tag/Key | Usage | Human Name | Documentation |
|---|---|---|---|
denomas_realm |
Required | Environment Realm | Usage Documentation |
denomas_env_type |
Required | Environment Type | Usage Documentation |
denomas_env_name |
Required | Environment Name | Usage Documentation |
denomas_env_id |
Optional | Environment ID | Usage Documentation |
denomas_env_continent |
Optional | Environment Continent | Usage Documentation |
denomas_owner_email_handle |
Required | Owner Email Handle | Usage Documentation |
denomas_owner_timezone |
Optional | Owner Timezone | Usage Documentation |
denomas_entity |
Optional | Denomas Entity | Usage Documentation |
denomas_dept |
Required | Denomas Department | Usage Documentation |
denomas_dept_group |
Required | Denomas Department Group | Usage Documentation |
denomas_product_stage |
Optional | Denomas Product Stage | Usage Documentation |
denomas_product_category |
Required | Denomas Product Category | Usage Documentation |
denomas_resource_type |
Optional | Cloud Resource Type | Usage Documentation |
denomas_resource_group |
Optional | Cloud Resource Group | Usage Documentation |
denomas_resource_name |
Optional | Cloud Resource Name | Usage Documentation |
denomas_resource_host |
Optional | Cloud Resource Host | Usage Documentation |
denomas_data_classification |
Optional (Required for data storage) | Data classification | Usage Documentation |
Realm Labels/Tags
Please see the realm label and tag handbook pages for labels and tags specific to the realm.
Design Decisions and Change Log
Here is a summary of changes made during the design of these standards based on team feedback that should be preserved for historical reference.
- Based on feedback in the issue, we have revamped the list of departments and groups based on functional teams rather than people manager reporting structure.
- The Denomas Division has been deprecated since it is prefixed on the
denomas_department. - We have renamed
denomas_departmenttodenomas_deptto allow it to be shorter as a prefix fordenomas_dept_group. - We have renamed
denomas_teamtodenomas_dept_groupbased on feedback about the ambiguity ofteamand the remapping that we did in the spreadsheet that most departments have groups/teams but none have sub-groups other than engineering which has the sub-department/stage (Ex.Dev-Plan) organizational hierarchy. The engineering sub-department is not used in our label/tag structure. - We have added
denomas_product_stage. Earlier iterations useddenomas_stagehowever the termstageis ambiguous so we identify it as the product stage. - We have abbreviated all values to allow for easier prefixing using industry recognizable abbreviations. We use full words where an abbreviation is not universally recognizable. For OKTA integration, we remap values from BambooHR to their short names that we use for infrastructure.
- We removed
denomas_owner_usernamesince Denomas.com usernames can have characters not allowed cloud provider labels and tags. - We renamed
denomas_owner_emailtodenomas_owner_email_handleto provide clarity of the value that is expected. - We have removed
denomas_owner_slack_idsince we won’t perform any action from a cloud resource and will use owner lookup in separate tools usingdenomas_owner_email_handle. - We added the
allocatevalue todenomas_entityfor legacy parity with how we allocate global costs based on percentage of revenue for each entity. - We added the
denomas_resource_typeanddenomas_resource_namefields since GCP doesn’t support easy reporting based on type of resource or name unless you use labels. - We added
denomas_resource_hostto help show aggregate costs of a parent resource for all resources (ex. disk, network, etc.) - We added
denomas_resource_groupto allow for infrastructure-as-code tools (ex. Ansible) to deploy resources to multiple instances of the same type and configuration. - On 2021-07-22, we performed an audit and updated the
denomas_dept,denomas_dept_group, anddenomas_product_stagetables with the latest values. A new table was added belowdenomas_dept_groupexpected values with the list of renamed or removed department groups. - The
sales-csrealm was consolidated into thebusiness-techrealm since the Demo Systems infrastructure is now managed by Business Technology. - The
infra-shared-servicesrealm was added for top-level infrastructure management. - We now allow short-term and long-term working groups to use the
denomas_dept_grouplabel with the prefix ofwg-and an easily understood name of their choice (no codenames).
Environment Realm (denomas_realm)
This label/tag is required. {: .alert .alert-success}
|
|
This is for the top-level identification of what type of resources reside here, and which infrastructure team has authoritative ownership of it.
Any custom labels or tags that are created should use the respective realm slug as the prefix for the label/tag key (Ex. denomas_sandbox_keyname).
Shared Services
| Value | Human Friendy Name | Description |
|---|---|---|
infra-shared-services |
Infrastructure Shared Services | This is for top-level infrastructure and shared services managed by the Infrastructure Realm Owners in Business Technology, Engineering Infrastructure, and Infrastructure Security teams. |
saas |
Denomas SaaS | This is for Denomas.com SaaS that is managed by Engineering Infrastructure and Site Reliability Engineers. |
sandbox |
Compute Sandbox Cloud | This is for sandbox and ephemeral testing resources that provides an account/project for each user that are self-administered by each team member. |
- The
gitterrealm was removed on 2021-07-22.
Department Realms
| Value | Human Friendy Name | Description |
|---|---|---|
eng-infra |
Engineering Infrastructure | This is for additional services managed by Engineering Infrastructure and Site Reliability Engineers that may not be specific to Denomas.com SaaS (Ex. tools, release and package management services, etc). |
- The
sales-csrealm was migrated to thebusiness-techrealm on 2021-07-22.
Environment Type (denomas_env_type)
This label/tag is required. {: .alert .alert-success}
|
|
Expected values
| Value | Description |
|---|---|
experiment |
(default) This is for individual user experiments are not impacted if powered off by infrastructure or security team, or data lost due to systems change. |
test |
This is for experiments that affect multiple users (ex. customer proof-of-concept or load testing) and would have disruptive impact if powered off. |
stg |
This is for a staging environment for tools/etc that would have major impact if powered off. These are for environments that are known to infra/security teams. The infra team has standardized on the use of stg instead of stag or stage, so we’ve universally adopted that here. |
prd |
This is for a production or production-like environment for tools/etc that would have major impact if powered off. These are for environments that are known to infra/security teams. The infra team has standardized on the use of prd instead of prod, so we’ve universally adopted that here. |
other |
As a last resort, you can use the other category. These are subject to periodic review. |
New values can be added to this list and used without any other changes needed. This list was created for this label/tag and is not inherited from another source.
Environment Name (denomas_env_name)
This label/tag is required. {: .alert .alert-success}
|
|
The environment name is a short name or description of the purpose of the environment or service. This is a sub-descriptor of denomas_realm and denomas_env_type. The standards and use of this label/tag vary based on the denomas_realm that it is used in, and each team can use it however it makes sense to them.
Realm Usage Guidelines
| Realm | Usage Guidelines or Standards |
|---|---|
infra-shared-services |
(Placeholder for future use) |
saas |
(Placeholder for future use) |
business-tech |
(Placeholder for future use) |
eng-dev |
(Placeholder for future use) |
eng-infra |
(Placeholder for future use, this is currently called pet_name) |
eng-security |
(Placeholder for future use) |
eng-support |
(Placeholder for future use) |
sandbox |
Descriptive name of the purpose (Ex. learning-kubernetes, tanuki-industries-iac-demo) |
Automated Infrastructure Environment ID (denomas_env_id)
This label/tag is optional. {: .alert .alert-info}
|
|
The environment ID allows various inputs, but in general is a short UUID, long UUID, SHA or other alphanumeric identifier that is systematically generated. The use of this label/tag will vary based on the denomas_realm that it is used in, and each team can use it however it makes sense to them.
Realm Usage Guidelines
| Realm | Usage Guidelines or Standards |
|---|---|
infra-shared-services |
(Placeholder for future use) |
saas |
(Placeholder for future use) |
business-tech |
(Placeholder for future use) |
eng-dev |
(Placeholder for future use) |
eng-infra |
(Placeholder for future use) |
eng-security |
(Placeholder for future use) |
eng-support |
(Placeholder for future use) |
sandbox |
For AWS accounts and GCP projects, this is the short UUID of the corresponding database record in the Sandbox Cloud portal that handled account provisioning. For Terraform-managed environments, this is the commit ID or SHA of the Terraform configuration (implementation varies). |
Geographic Continent (Region) of Environment (denomas_env_continent)
This label/tag is optional. {: .alert .alert-info}
|
|
We use
continentto avoid confusion withregionsince that is an ambiguous word.
This is the continent where this environment’s resources are consumed by users. This may not necessarily be where it is deployed or where the environment owner resides. This allows us to understand impact to users if infrastructure maintenance is needed or security incidents occur. This can also be used as meta data for global resources with autoscaling resources in specific continents/regions, however the denomas_entity label/tag is needed for explicit cost allocation.
The abbreviation used by the business can change over time (Ex. APJ, APAC, Asia Pacific), and the cloud providers use different nomenclature, so we are standardizing using full names based on the prefix of programmatic timezones (Ex. America/Los_Angeles is america). For non-regional services, you can use the global value.
Expected Values
| Value | Business Acronyms | Cloud provider regions |
|---|---|---|
global |
(default) For global resources or any non-region specific services. | |
america |
AMER, US, NORAM |
AWS us-*/ca-*/sa-*, GCP us-*/southamerica-*/northamerica-* |
europe |
EMEA, METNA |
AWS eu-*/me-*, GCP europe-* |
africa |
AWS af-* |
|
asia |
APAC, APJ |
AWS ap-*/cn-*, GCP asia-* |
australia |
APAC, APJ |
AWS ap-*, GCP australia-* |
Some possible prefix values have been omitted from this list for brevity and unlikely applicability (Ex.
brazil,hongkong,indian, etc.). They can be added at environment owner’s discretion.
Owner Email Handle (denomas_owner_email_handle)
This label/tag is required. {: .alert .alert-success}
|
|
The email handle before @denomas.com. We only use the handle since labels and tags do not support @ and . symbols. Values can be individual users or Google Workspace group aliases. For people handles, this should be {firstinitial}{lastname} and not any username aliases (Ex. jeff) since user aliases cannot be looked up programatically with our current architecture.
This is used for association with OKTA account, infrastructure notifications, and identifying the user’s account with additional meta data. Users may receive emails with security advisory notifications.
Owner Timezone (denomas_owner_timezone)
This label/tag is optional. {: .alert .alert-info}
|
|
This is the timezone of the environment owner that is used for determining working hours. We assume that working hours are between 6am (06:00) and 6pm (18:00). This is usually only used when there is only one or two people who own a system. For systems with global coverage, you should not use this label/tag.
This is the based on the programmatic timezone ID that usually follows the format Continent/Locality. You can see the full list of examples in the GCP documentation.
Due to limitations with the allowed characters in labels, the / is not allowed and we use lowercase labels. Therefore, we replace the slash / with a hyphen - and use lowercase letters exclusively. This is the same reason that we chose not use UTC values since cannot use + symbols.
Example Values
america-los_angelesamerica-denveramerica-chicagoamerica-new_yorkasia-singaporeasia-tokyoaustralia-sydneyafrica-johannesburgeurope-amsterdameurope-berlineurope-londoneurope-pariseurope-vienna
These are examples and not an exhaustive list. As part of our inclusive values, please know that all timezones are valued equally and this was created based on some of the localities on the team map with the largest number of team members per capita.
Denomas Entity (denomas_entity)
This label/tag is optional. {: .alert .alert-info}
|
|
This allows us to allocate costs to the respective business entity in financial reports. If not set, we will assume allocate.
Expected Values
| Value | Description |
|---|---|
allocate |
(global default) Allocate based on % of revenue |
inc |
Denomas Inc, United States of America |
ltd |
Denomas Ltd, United Kingdom |
bv |
Denomas BV, the Netherlands |
gmbh |
Denomas GmbH, Germany |
pty |
Denomas PTY Ltd, Australia |
canada |
(future use) Denomas Canada Corp., Canada |
gk |
(future use) Denomas GK, Japan |
See the Denomas Mailing addresses for details about each entity.
Realm Usage Guidelines
| Realm | Usage Guidelines or Standards |
|---|---|
infra-shared-services |
(Placeholder for future use) |
saas |
(Placeholder for future use) |
business-tech |
(Placeholder for future use) |
eng-dev |
(Placeholder for future use) |
eng-infra |
(Placeholder for future use) |
eng-security |
(Placeholder for future use) |
eng-support |
(Placeholder for future use) |
sandbox |
The Denomas entity that the team member is associated with in BambooHR. |
BambooHR Mapping
During testing of OKTA integration, this field is populating additional values we did not expect (ex. safeguard-italy, federal). This is documented in www-data/data/entity_mapper.yml and we will map the respective entities to our cost center entities listed.
Denomas Department (denomas_dept)
This label/tag is required. {: .alert .alert-success}
|
|
We have abbreviated all values to allow for easier prefixing using industry recognizable abbreviations. We use full words where an abbreviation is not universally recognizable. For OKTA integration, we use YAML data file to remap values from BambooHR to their short names that we use for infrastructure. You can see a quick reference in the table below.
Expected Values
| Division | Department | denomas_dept (Slug/Label/Tag) |
|---|---|---|
| Engineering | Customer Support | eng-support |
| Engineering | Development | eng-dev |
| Engineering | Infrastructure | eng-infra |
| Engineering | Quality | eng-quality |
| Engineering | Security | eng-security |
| Engineering | UX | eng-ux |
| GA | Accounting | ga-accounting |
| GA | Business Technology | ga-business-tech |
| GA | CEO | ga-ceo |
| GA | Finance | ga-finance |
| GA | Legal | ga-legal |
| GA | People Success | ga-people |
| GA | Talent Acquisition | ga-talent-acquisition |
| Marketing | Awareness | mktg-awareness |
| Marketing | Brand & Digital Design | mktg-brand-design |
| Marketing | Campaigns | mktg-campaigns |
| Marketing | Communications | mktg-communications |
| Marketing | Developer Relations | mktg-community |
| Marketing | Content Marketing | mktg-content |
| Marketing | Digital Marketing | mktg-digital |
| Marketing | Field Marketing | mktg-field |
| Marketing | Inbound Marketing | mktg-inbound |
| Marketing | Marketing Ops | mktg-ops |
| Marketing | Owned Events | mktg-events |
| Marketing | Partner Marketing | mktg-partner |
| Marketing | Product Marketing | mktg-product |
| Marketing | Sales Development | mktg-sales-dev |
| Marketing | Strategic Marketing | mktg-strategic |
| Product | Product Management | product-mgmt |
| Sales | Business Development | sales-alliances |
| Sales | Channel | sales-channel |
| Sales | Commercial Sales | sales-commercial |
| Sales | Customer Success | sales-cs |
| Sales | Enterprise Sales | sales-ent |
| Sales | Field Operations | sales-field-ops |
| Sales | Practice Management | sales-practice-mgmt |
Denomas Product Stage (denomas_product_stage)
This label/tag is optional. {: .alert .alert-info}
|
|
Since the eng-dev department has many groups, we use the Product sections, stages, groups and categories handbook page to define a parent group using the product stage. During the design discussion, we iterated with using product categories and sub-departments, and the stage made the most sense.
For Denomas SaaS and infrastructure cost allocation or attribution, the Engineering Infrastructure department team members can use the denomas_product_stage label to attach to resources that should be attributed to a specific stage. You can optionally use the denomas_dept_group if you need more granular attribution.
Expected Values
| Value | Product Category Documentation |
|---|---|
eng-dev-manage |
Manage Stage |
eng-dev-plan |
Plan Stage |
eng-dev-create |
Create Stage |
eng-dev-ecosystem |
Ecosystem Stage |
eng-dev-verify |
Verify Stage |
eng-dev-package |
Package Stage |
eng-dev-deploy |
Deploy Stage |
eng-dev-monitor |
Monitor Stage |
eng-dev-secure |
Secure Stage |
eng-dev-govern |
Govern Stage |
eng-dev-growth |
Growth Stage |
eng-dev-fulfillment |
Fulfillment Stage |
eng-dev-enablement |
Enablement Stage |
eng-dev-modelops |
ModelOps Stage |
eng-dev-mobile |
Mobile Stage |
eng-dev-deploy |
Deploy Stage |
Denomas Product Category (denomas_product_category)
This label/tag is required. {: .alert .alert-success}
|
|
Expected Values
Product categories should match one of the categories defined in categories.yml in the handbook: https://code.denomas.com/denomas-com/www-denomas-com/-/blob/master/data/categories.yml
By providing this value, costs can be directly mapped back to a specific set of features, as well as a set of owners within both Product and Engineering.
Denomas Department Group (denomas_dept_group)
This label/tag is required. {: .alert .alert-success}
|
|
For Engineering Development (eng-dev) department groups, the product stage slug (denomas_product_stage) is used as the prefix for the denomas_dept_group value. For all other departments, the denomas_dept slug is used as the prefix.
All departments or stages have a default shared-infra label/tag/AWS account/GCP project that can be used when a separately distinguished/functional group is not needed. For groups with heavy infrastructure usage, we use the group name as a suffix and provide an isolated AWS account/GCP project for group team members to use.
For the groups that provide a shared service to other departments at Denomas, we also have a shared-services group value that can be used for shared cost attributions. We use shared-infra for our own team’s resources and shared-services for everyone else’s resources that we manage.
You can get an editable version of this table in the spreadsheet that we used to design this schema, however recent changes may not be reflected and this handbook page is the SSOT.
Expected Values
If a group listed below does not have a group documentation link, it is safe to assume that a AWS account or GCP project has not been created for that group yet. Please follow the instructions for provisioning the group (TODO). {: .alert .alert-warning}
The full list of groups was last audited and updated on 2021-07-22.
Footnotes:
- If a group was renamed or removed, it appears in the Deprecated Group Names table below. Any renamed groups have a footnote indicator.
- This was added after the initial list was created.
- This is a special group that may not directly align with a team. For
eng-dev, this usually appears under Other Functionality.
| denomas_realm | denomas_dept | denomas_product_stage | denomas_dept_group | Group Documentation |
|---|---|---|---|---|
| infra-shared-services | wg-infra-shared-services | wg-infra-shared-services 1 | ||
| eng-dev | eng-dev | eng-dev-manage | eng-dev-manage-shared-infra | |
| eng-dev | eng-dev | eng-dev-manage | eng-dev-manage-access | |
| eng-dev | eng-dev | eng-dev-manage | eng-dev-manage-import | |
| eng-dev | eng-dev | eng-dev-manage | eng-dev-manage-optimize 2 | |
| eng-dev | eng-dev | eng-dev-plan | eng-dev-plan-shared-infra | |
| eng-dev | eng-dev | eng-dev-plan | eng-dev-plan-project-mgmt | |
| eng-dev | eng-dev | eng-dev-plan | eng-dev-plan-product-planning 2 | |
| eng-dev | eng-dev | eng-dev-plan | eng-dev-plan-certify | |
| eng-dev | eng-dev | eng-dev-create | eng-dev-create-shared-infra | |
| eng-dev | eng-dev | eng-dev-create | eng-dev-create-source-code 3 | |
| eng-dev | eng-dev | eng-dev-create | eng-dev-create-code-review 1 3 | |
| eng-dev | eng-dev | eng-dev-create | eng-dev-create-editor | |
| eng-dev | eng-dev | eng-dev-create | eng-dev-create-gitaly | |
| eng-dev | eng-dev | eng-dev-ecosystem | eng-dev-ecosystem-integrations | |
| eng-dev | eng-dev | eng-dev-ecosystem | eng-dev-ecosystem-foundations | |
| eng-dev | eng-dev | eng-dev-verify | eng-dev-verify-shared-infra | |
| eng-dev | eng-dev | eng-dev-verify | eng-dev-verify-ci 3 | |
| eng-dev | eng-dev | eng-dev-verify | eng-dev-verify-pipeline-authoring 2 1 | |
| eng-dev | eng-dev | eng-dev-verify | eng-dev-verify-pipeline-execution 2 1 | |
| eng-dev | eng-dev | eng-dev-verify | eng-dev-verify-runner | |
| eng-dev | eng-dev | eng-dev-verify | eng-dev-verify-testing | |
| eng-dev | eng-dev | eng-dev-package | eng-dev-package-shared-infra | |
| eng-dev | eng-dev | eng-dev-package | eng-dev-package-package | |
| eng-dev | eng-dev | eng-dev-deploy | eng-dev-deploy-shared-infra | |
| eng-dev | eng-dev | eng-dev-deploy | eng-dev-deploy-environments | |
| eng-dev | eng-dev | eng-dev-monitor | eng-dev-monitor-shared-infra | |
| eng-dev | eng-dev | eng-dev-monitor | eng-dev-monitor-monitor 2 1 | |
| eng-dev | eng-dev | eng-dev-monitor | eng-dev-monitor-apm 3 | |
| eng-dev | eng-dev | eng-dev-monitor | eng-dev-monitor-health 3 | |
| eng-dev | eng-dev | eng-dev-secure | eng-dev-secure-shared-infra | |
| eng-dev | eng-dev | eng-dev-secure | eng-dev-secure-static-analysis | |
| eng-dev | eng-dev | eng-dev-secure | eng-dev-secure-dynamic-analysis | |
| eng-dev | eng-dev | eng-dev-secure | eng-dev-secure-composition-analysis | |
| eng-dev | eng-dev | eng-dev-secure | eng-dev-secure-fuzz-testing | |
| eng-dev | eng-dev | eng-dev-secure | eng-dev-secure-research | |
| eng-dev | eng-dev | eng-dev-govern | eng-dev-govern-shared-infra | |
| eng-dev | eng-dev | eng-dev-govern | eng-dev-govern-security-policies | |
| eng-dev | eng-dev | eng-dev-govern | eng-dev-govern-threat-insights | |
| eng-dev | eng-dev | eng-dev-govern | eng-dev-govern-compliance | |
| eng-dev | eng-dev | eng-dev-modelops | eng-dev-modelops-shared-infra 1 | |
| eng-dev | eng-dev | eng-dev-modelops | eng-dev-modelops-applied-ml 1 | |
| eng-dev | eng-dev | eng-dev-modelops | eng-dev-modelops-ml-ops 1 | |
| eng-dev | eng-dev | eng-dev-modelops | eng-dev-modelops-data-ops 1 | |
| eng-dev | eng-dev | eng-dev-growth | eng-dev-growth-shared-infra | |
| eng-dev | eng-dev | eng-dev-growth | eng-dev-growth-activation 2 1 | |
| eng-dev | eng-dev | eng-dev-growth | eng-dev-growth-adoption 2 1 | |
| eng-dev | eng-dev | eng-dev-growth | eng-dev-growth-conversion | |
| eng-dev | eng-dev | eng-dev-growth | eng-dev-growth-expansion | |
| eng-dev | eng-dev | eng-dev-growth | eng-dev-growth-retention | |
| eng-dev | eng-dev | eng-dev-growth | eng-dev-growth-product-intelligence 2 | |
| eng-dev | eng-dev | eng-dev-fulfillment | eng-dev-fulfillment-shared-infra 1 | |
| eng-dev | eng-dev | eng-dev-fulfillment | eng-dev-fulfillment-shared-services 1 | |
| eng-dev | eng-dev | eng-dev-fulfillment | eng-dev-fulfillment-purchase 2 1 | |
| eng-dev | eng-dev | eng-dev-fulfillment | eng-dev-fulfillment-license 2 1 | |
| eng-dev | eng-dev | eng-dev-fulfillment | eng-dev-fulfillment-utilization 2 1 | |
| eng-dev | eng-dev | eng-dev-enablement | eng-dev-enablement-shared-infra | |
| eng-dev | eng-dev | eng-dev-enablement | eng-dev-enablement-distribution | |
| eng-dev | eng-dev | eng-dev-enablement | eng-dev-enablement-geo | |
| eng-dev | eng-dev | eng-dev-enablement | eng-dev-enablement-search | |
| eng-dev | eng-dev | eng-dev-enablement | eng-dev-enablement-sharding 1 | |
| eng-dev | eng-dev | eng-dev-enablement | eng-dev-enablement-database | |
| eng-dev | eng-dev | eng-dev-mobile (S.E.G.) | eng-dev-mobile-devops-apps 1 | |
| eng-dev | eng-dev | eng-dev-deploy (S.E.G.) | eng-dev-deploy-five-min-app 1 | |
| eng-infra | eng-infra | eng-infra-shared-infra | ||
| eng-infra | eng-infra | eng-infra-shared-services | ||
| eng-infra | eng-infra | eng-infra-analytics | ||
| eng-infra | eng-infra | eng-infra-reliability | eng-infra-reliability-shared-infra 1 | |
| eng-infra | eng-infra | eng-infra-delivery | eng-infra-automation 1 | |
| eng-infra | eng-infra | eng-infra-scalability | eng-infra-scalability | |
| eng-infra | eng-infra | eng-infra-deliverability | ||
| eng-infra | eng-infra | eng-infra-reliability | eng-infra-reliability-database 1 | |
| eng-infra | eng-infra | eng-infra-reliability | eng-infra-reliability-foundations 1 | |
| eng-infra | eng-infra | eng-infra-reliability | eng-infra-reliability-general 1 | |
| eng-infra | eng-infra | eng-infra-reliability | eng-infra-reliability-observability 1 | |
| eng-infra | eng-infra | eng-infra-reliability | eng-infra-reliability-practices 1 | |
| eng-infra | eng-infra | eng-infra-enablement | eng-infra-cloud-connector | |
| eng-dev | eng-quality | eng-quality-shared-infra | ||
| eng-dev | eng-quality | eng-quality-env-toolkit 1 | ||
| eng-dev | eng-quality | eng-quality-ops-ci-cd | ||
| eng-dev | eng-quality | eng-quality-secure-enablement | ||
| eng-dev | eng-quality | eng-quality-productivity | ||
| eng-dev | eng-quality | eng-quality-growth-govern | ||
| eng-security | eng-security | eng-security-shared-infra | ||
| eng-security | eng-security | eng-security-shared-services | ||
| eng-security | eng-security | eng-security-ops-infra | ||
| eng-security | eng-security | eng-security-ops-red | ||
| eng-security | eng-security | eng-security-ops-incident-response | ||
| eng-security | eng-security | eng-security-ops-trust-safety | ||
| eng-security | eng-security | eng-security-risk-compliance | ||
| eng-security | eng-security | eng-security-eng-app-sec | ||
| eng-security | eng-security | eng-security-eng-automation | ||
| eng-security | eng-security | eng-security-eng-research | ||
| eng-security | eng-security | eng-security-eng-vuln-mgmt | ||
| eng-security | eng-security | eng-security-logging | ||
| eng-support | eng-support | eng-support-shared-infra | ||
| eng-support | eng-support | eng-support-saas | ||
| eng-support | eng-support | eng-support-self-managed | ||
| eng-support | eng-support | eng-support-americas | ||
| eng-support | eng-support | eng-support-emea | ||
| eng-support | eng-support | eng-support-apac | ||
| eng-dev | eng-ux | eng-ux-shared-infra | ||
| eng-dev | eng-ux | eng-ux-technical-writing | ||
| eng-dev | eng-ux | eng-ux-research | ||
| business-tech | ga-accounting | ga-accounting-shared-infra | ||
| business-tech | ga-business-tech | ga-business-tech-shared-infra | ||
| business-tech | ga-business-tech | ga-business-tech-shared-services | ||
| business-tech | ga-business-tech | ga-business-tech-engineering 1 | ||
| business-tech | ga-business-tech | ga-business-tech-integrations 1 | ||
| business-tech | ga-business-tech | ga-business-tech-operations | ||
| business-tech | ga-business-tech | ga-business-tech-data | ||
| business-tech | ga-business-tech | ga-business-tech-procurement 1 | ||
| business-tech | ga-ceo | ga-ceo-shared-infra | ||
| business-tech | ga-finance | ga-finance-shared-infra | ||
| business-tech | ga-legal | ga-legal-shared-infra | ||
| business-tech | ga-people | ga-people-shared-infra | ||
| business-tech | ga-recruiting | ga-recruiting-shared-infra | ||
| business-tech | mktg-awareness | mktg-awareness-shared-infra | ||
| business-tech | mktg-brand-design | mktg-brand-design-shared-infra | ||
| business-tech | mktg-campaigns | mktg-campaigns-shared-infra | ||
| business-tech | mktg-communications | mktg-communications-shared-infra | ||
| business-tech | mktg-community | mktg-community-shared-infra | ||
| business-tech | mktg-content | mktg-content-shared-infra | ||
| business-tech | mktg-digital | mktg-digital-shared-infra | ||
| business-tech | mktg-field | mktg-field-shared-infra | ||
| business-tech | mktg-inbound | mktg-inbound-shared-infra | ||
| business-tech | mktg-ops | mktg-ops-shared-infra | ||
| business-tech | mktg-events | mktg-events-shared-infra | ||
| business-tech | mktg-partner | mktg-partner-shared-infra | ||
| business-tech | mktg-product | mktg-product-shared-infra 1 | ||
| business-tech | mktg-sales-dev | mktg-sales-dev-shared-infra | ||
| business-tech | mktg-strategic | mktg-strategic-shared-infra | ||
| business-tech | mktg-strategic | mktg-strategic-technical-mktg | ||
| eng-dev | product-mgmt | product-mgmt-shared-infra | ||
| business-tech | sales-alliances | sales-alliances-shared-infra | ||
| business-tech 2 | sales-channel | sales-channel-shared-infra | ||
| business-tech | sales-commercial | sales-commercial-shared-infra | ||
| business-tech 2 | sales-cs | sales-cs-shared-infra | ||
| business-tech 2 | sales-cs | sales-cs-demo-cloud | ||
| business-tech 2 | sales-cs | sales-cs-training-cloud | ||
| business-tech 2 | sales-cs | sales-cs-sa-shared-infra | ||
| business-tech 2 | sales-cs | sales-cs-sa-us-west | ||
| business-tech 2 | sales-cs | sales-cs-sa-us-east | ||
| business-tech 2 | sales-cs | sales-cs-sa-pub-sec | ||
| business-tech 2 | sales-cs | sales-cs-sa-mid-market | ||
| business-tech 2 | sales-cs | sales-cs-sa-emea | ||
| business-tech 2 | sales-cs | sales-cs-sa-apac | ||
| business-tech 2 | sales-cs | sales-cs-tam-shared-infra | ||
| business-tech 2 | sales-cs | sales-cs-tam-us-west | ||
| business-tech 2 | sales-cs | sales-cs-tam-us-east | ||
| business-tech 2 | sales-cs | sales-cs-tam-pub-sec | ||
| business-tech 2 | sales-cs | sales-cs-tam-emea | ||
| business-tech 2 | sales-cs | sales-cs-tam-apac | ||
| business-tech 2 | sales-cs | sales-cs-ps-shared-infra | ||
| business-tech 2 | sales-cs | sales-cs-ps-consulting | ||
| business-tech 2 | sales-cs | sales-cs-ps-education | ||
| business-tech 2 | sales-cs | sales-cs-ps-pub-sec | ||
| business-tech | sales-ent | sales-ent-shared-infra | ||
| business-tech | sales-field-ops | sales-field-ops-shared-infra | ||
| business-tech | sales-practice-mgmt | sales-practice-mgmt-shared-infra |
Deprecated Group Names
The following group names have been renamed or removed and may still be in use with legacy infrastructure and are preserved here for reference purposes.
| Changelog Date | denomas_realm | denomas_dept | denomas_product_stage | denomas_dept_group | Replaced with |
|---|---|---|---|---|---|
| 2021-07-22 | eng-dev | eng-dev | eng-dev-manage | eng-dev-manage-analytics | eng-dev-manage-optimize |
| 2021-07-22 | eng-dev | eng-dev | eng-dev-plan | eng-dev-plan-portfolio-mgmt | eng-dev-plan-product-planning |
| 2021-07-22 | eng-dev | eng-dev | eng-dev-create | eng-dev-create-gitter | N/A |
| 2021-07-22 | eng-dev | eng-dev | eng-dev-release | eng-dev-release-progressive-delivery | N/A |
| 2021-07-22 | eng-dev | eng-dev | eng-dev-growth | eng-dev-growth-acquisition | eng-dev-growth-activation, eng-dev-growth-adoption |
| 2021-07-22 | eng-dev | eng-dev | eng-dev-growth | eng-dev-growth-telemetry | eng-dev-growth-product-intelligence |
| 2021-07-22 | eng-dev | eng-dev | eng-dev-growth | eng-dev-growth-fulfillment | eng-dev-fulfillment-purchase, eng-dev-fulfillment-license, eng-dev-fulfillment-utilization |
| 2021-07-22 | business-tech | ga-business-tech | ga-business-tech-systems | ga-business-tech-engineering, ga-business-tech-integrations | |
| 2023-03-14 | eng-dev | eng-dev | eng-dev-release | eng-dev-release-shared-infra | eng-dev-deploy-shared-infra |
| 2023-03-14 | eng-dev | eng-dev | eng-dev-release | eng-dev-release-release-mgmt | eng-dev-deploy-environments |
| 2023-03-14 | eng-dev | eng-dev | eng-dev-configure | eng-dev-configure-shared-infra | eng-dev-deploy-shared-infra |
| 2023-03-14 | eng-dev | eng-dev | eng-dev-configure | eng-dev-configure-configure | eng-dev-deploy-environments |
| 2023-10-19 | eng-dev | eng-dev | eng-dev-enablement | eng-dev-enablement-memory | eng-infra-cloud-connector |
Resource Type (denomas_resource_type)
This label/tag is optional. {: .alert .alert-info}
|
|
GCP doesn’t support easy reporting based on type of resource and name unless you use labels. This is optional, but recommended for resources that cost a significant amount of money or are part of a production service. This is not recommended for sandbox and ephemeral use cases.
Expected Values
| Value | Recommended Usage |
|---|---|
compute-cluster |
AWS EKS, GCP Kubernetes Engine (GKE) cluster |
compute-container |
AWS ECS |
compute-instance |
AWS EC2 instance, GCP Compute Engine instance |
serverless |
AWS Lambda, GCP AppEngine |
storage-disk |
Persistent Storage Disks for instances |
storage-snapshot |
(Placeholder for discretionary usage, not easy to auto label/tag) |
storage-bucket |
AWS S3, GCP Google Cloud Storage (GCS) |
network |
AWS VPC, GCP Network/VPC |
network-lb |
AWS ELB |
network-nat |
AWS NAT |
network-firewall |
Firewall rules |
network-ip |
External IP addresses |
network-bandwidth |
(Placeholder for discrentionary usage) |
database |
AWS RDS, AWS Aurora, GCP CloudSQL, etc. |
queue |
AWS ElastiCache, MQ, SQS, GCP CloudTasks, etc. |
logging |
(Placeholder for discretionary usage) |
Resource Name (denomas_resource_group)
This label/tag is optional. {: .alert .alert-info}
|
|
This is optional for using with Terraform, Ansible, and other related infrastructure-as-code or related tools.
The value of this key should match the name of the group in your infrastructure-as-code group definitions (ex. Ansible role/group naming)
Resource Name (denomas_resource_name)
This label/tag is optional. {: .alert .alert-info}
|
|
The value of this key should match the name of the resource in the cloud console.
GCP doesn’t support easy reporting based on type of resource and name unless you use labels. This is optional, but recommended for resources that cost a significant amount of money or are part of a production service. This is not recommended for sandbox and ephemeral use cases.
Resource Host (denomas_resource_host)
This label/tag is optional. {: .alert .alert-info}
|
|
This is used for associating child resources (disks, snapshots, buckets, network IPs, etc) with the parent resource (ex. compute-instance) to show the aggregate costs of the resource.
The value of this key should match the name of the parent resource in the cloud console.
GCP doesn’t support easy reporting based on type of resource and name unless you use labels. This is optional, but recommended for resources that cost a significant amount of money or are part of a production service. This is not recommended for sandbox and ephemeral use cases.
Data Classification (denomas_data_classification)
This label/tag is required for resources that store data (databases, storage buckets, etc..). {: .alert .alert-info}
|
|
Values should match the documented Data Classification Levels with all lowercase value (for cloud provider tag and label consistency).
Expected Values
| Value |
|---|
red |
orange |
yellow |
green |
Accounting and Financial Reporting
In alignment with our transparency value, financial information cannot be shared publicly. Team members can see the details of how labels and tags impact financial reporting in this issue. The cost allocation methodology for production environments that in this document.
Impact to Business Owners and Infrastructure Team
The largest impact of the label and tag schema is known owner and department identification for every resource provisioned in each cloud provider, and cross-reference to the Terraform configuration that can be referenced during infra/security review.
There are significant cost savings possible with the ability to set time limits on resources that solve the abandoned infrastructure problem. We can also save up to 65% of spending by implementing automation to power off infrastructure during non-working hours (overnight and weekends).
Impact to Users and Managers
With the label and tags, we can easily report on infrastructure and help you understand what’s running and help you self manage the costs of the resources that you provision.
Since most labels and tags will be automatically added with Terraform and automation, or at the account/project level for sandbox accounts, there is not a significant burden on users to remember to add labels/tags to resources.
With future automation, we can also create frictionless experience for users with notification of system vulnerabilities, security incidents, and friendly reminders in Denomas Talk about upcoming expiration of infrastructure since your email, Denomas username, and Denomas Talk ID are automatically associated.
Footnotes
-
This group was added after the initial list was created. ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎
-
This was renamed or removed after the initial list was created. ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎ ↩︎
-
This is a special group that may not directly align with a team. For
eng-dev, this usually appears under Other Functionality. ↩︎ ↩︎ ↩︎ ↩︎ ↩︎
3d741be9)
