Custom Resource Tags
Feature status: planned
This guide explains how to add your own tags to cloud resources managed by Entigo Platform. Custom tags are useful for cost management, compliance tracking, and organizational metadata.
How It Works
You define custom tags as Kubernetes labels or annotations on Organization, Workspace, and Zone objects using the tags.entigo.com/ prefix. The platform strips the prefix and applies the resulting key-value pair as a tag on all cloud resources within that scope.
Kubernetes label: tags.entigo.com/cost-center: CC-12345
↓ (prefix stripped)
AWS tag: cost-center: CC-12345
Adding Tags
Using Labels (Short Values)
Use labels when tag values are short (up to 63 characters) and contain only letters, numbers, dots, dashes, and underscores:
metadata:
labels:
tags.entigo.com/cost-center: "CC-12345"
tags.entigo.com/environment: production
tags.entigo.com/team: platform-eng
Using Annotations (Long or Special-Character Values)
Use annotations when tag values exceed 63 characters or contain characters not allowed in Kubernetes labels (spaces, colons, slashes, etc.):
metadata:
annotations:
tags.entigo.com/project-description: "Project Phoenix - Q2 2026 cloud migration"
tags.entigo.com/compliance-framework: "SOC2/HIPAA"
tags.entigo.com/aws-map-id: "MAP-d1234567890abcdef"
When to Use Labels vs. Annotations
| Use Labels When | Use Annotations When |
|---|---|
| Value is 63 characters or fewer | Value exceeds 63 characters |
Value contains only a-z A-Z 0-9 . - _ | Value contains spaces, /, :, or other special characters |
| You want to use Kubernetes label selectors | Length and characters matter more than selectability |
If the same tag key exists as both a label and an annotation, the annotation value wins.
Tag Inheritance
Tags propagate down the platform hierarchy. Tags defined at a lower level override the same tag from a higher level:
Organization (lowest priority)
→ Workspace
→ Zone (highest priority)
→ Cloud resources
Example
# Organization
metadata:
labels:
tags.entigo.com/company: acme-corp
tags.entigo.com/cost-center: CC-DEFAULT
# Workspace
metadata:
labels:
tags.entigo.com/environment: production
tags.entigo.com/cost-center: CC-PROD # overrides Organization
# Zone
metadata:
labels:
tags.entigo.com/cost-center: CC-TEAM-A # overrides Workspace
tags.entigo.com/team: analytics
Effective tags on cloud resources in this Zone:
| Tag Key | Value | Source |
|---|---|---|
company | acme-corp | Organization |
environment | production | Workspace |
cost-center | CC-TEAM-A | Zone (overrides) |
team | analytics | Zone |
Common Use Cases
Cost Management
# Organization level — applies to all workspaces
metadata:
labels:
tags.entigo.com/business-unit: engineering
# Zone level — per-team cost tracking
metadata:
labels:
tags.entigo.com/cost-center: "CC-12345"
tags.entigo.com/project: phoenix
After applying, activate these tag keys as cost allocation tags in the AWS Billing console for them to appear in Cost & Usage Reports. There is a 24-hour delay before activated tags appear in reports.
AWS Migration Acceleration Program (MAP)
# Organization level — all resources get MAP tags
metadata:
annotations:
tags.entigo.com/map-migrated: "d-server-01234abcdefgh"
tags.entigo.com/aws-migration-project-id: "MPE12345"
Compliance and Security
# Workspace level
metadata:
labels:
tags.entigo.com/data-classification: confidential
annotations:
tags.entigo.com/compliance-framework: "SOC2/HIPAA/ISO27001"
Limitations
Tag Budget
AWS allows a maximum of 50 tags per resource. Platform and system tags use 6 slots, leaving 44 for your custom tags. The platform validates at admission time that the total does not exceed the limit.
Character Restrictions
Tag keys (after prefix stripping) must be valid for the target cloud provider:
| Provider | Key Restrictions | Value Restrictions |
|---|---|---|
| AWS | Max 128 chars; letters, digits, spaces, + - = . _ : / @ | Max 256 chars |
| Azure | Max 512 chars; no < > % & \ ? / | Max 256 chars |
| GCP | Max 63 chars; lowercase letters, digits, - _ only | Max 63 chars; lowercase only |
The platform validates tag keys and values against the workspace's cloud provider and warns you if a tag is incompatible.
Reserved Keys
You cannot use passthrough tags that collide with platform tag keys. The following are reserved:
workspacezone
Setting tags.entigo.com/workspace will be rejected by the platform.
Removing Tags
To remove a passthrough tag from cloud resources, remove the label or annotation from the Organization, Workspace, or Zone object. On the next reconciliation cycle, the platform will remove the corresponding tag from cloud resources.
To override a parent-level tag with an empty value (effectively removing it for a specific scope), set the tag at the child level with an empty value:
# Zone level — removes the Organization-level company tag for this zone
metadata:
labels:
tags.entigo.com/company: ""
Related
- Resource Tagging — Overview of how the platform uses tags
- Platform Tags Reference — Complete list of all tags