100% Tagging Compliance Delivered Across 100+ Terraform Stacks for an AdTech Platform
A Series C+ AdTech and eCommerce analytics platform headquartered in North America, serving major consumer brands with data-driven commerce enablement, had scaled its AWS footprint past 100 Spacelift-managed Terraform stacks across QA, staging, and production – with no enforced tagging standard anywhere in the codebase. Teams applied tags inconsistently or not at all, leaving the FinOps team spending hours every month manually reconciling unattributed cloud spend. One missed tag on a high-compute resource could silently skew an entire quarter’s cost report. Applying its AI-First approach, Ksolves designed and deployed Spacelift-specific Rego plan policies that gate every code check-in, ensuring all new infrastructure is tagged with mandatory Environment and Owner values before it can be merged.
- No Consistent Tagging Standard Across 100+ Stacks: AWS resources created across over 100 Spacelift stacks lacked a consistent tagging convention. Teams applied tags inconsistently or not at all, making cost attribution and identification of resource ownership unreliable across all environments.
- Unreliable Cost Attribution for FinOps Reporting: Without mandatory Environment and Owner tags, the FinOps team could not accurately allocate cloud spend to individual teams, products, or environments, undermining quarterly budget reviews and making accurate forecasting structurally impossible.
- Manual Compliance Checks Did Not Scale: Any tagging review required manual inspection of Terraform plans across dozens of stacks. At 100+ stacks with frequent deployments, human review was neither practical nor sustainable as a compliance mechanism.
- Per-Stack Policy Configuration Was Operationally Infeasible: Attaching tagging policies individually to each Spacelift stack would have created a maintenance burden that grew linearly with every new stack added to the platform, making manual policy distribution unviable at scale.
- False-Positive Warnings From AWS Provider Default Tags Bug: The AWS Terraform provider's default_tags feature generated spurious warnings during plan validation, creating noise that obscured genuine tagging violations and eroded developer trust in the policy output.
- No Pre-Deployment Gate for Non-Compliant Resources: Without a policy gate at the code check-in stage, untagged or incorrectly tagged resources could be deployed to production unchecked, compounding cost attribution errors and compliance gaps with every new deployment.
Ksolves designed and deployed Spacelift-specific Rego plan policies that enforce mandatory resource tagging at code check-in, before any infrastructure change can be merged. Auto-attached to all child spaces via the autoattach:* label, the policies validate every Terraform resource for required Environment and Owner tags as part of the merge process. No tag, no merge - governance built into the development workflow, not bolted on after deployment.
- Spacelift Rules as Merge Gate: Spacelift-specific rules were configured to evaluate every Terraform plan generated from checked-in code. Resources missing mandatory Environment or Owner tags trigger a deny decision, preventing the code from being merged until the developer adds the required tags - shifting compliance enforcement entirely left into the development workflow.
- Automatic Tagging for All New Infrastructure Code: As a direct result of the Spacelift rules, all new infrastructure code entering the codebase is automatically validated for tags before merge. Developers receive immediate, actionable feedback identifying the specific resource and missing tag, enabling self-remediation without any DevOps team intervention required.
- Auto-Attach via Label-Based Policy Distribution: Spacelift's auto-attach label mechanism was used to propagate the Rego rules to all child spaces automatically. New stacks inherit tagging enforcement on creation with zero manual attachment and zero configuration drift - the policy scales with the platform.
- AWS Provider Default Tags Bug Mitigation: The false-positive warnings caused by the AWS Terraform provider's default_tags feature were identified and resolved by adding a targeted Rego exception that filters provider-level tag entries, ensuring only genuine tagging violations block merges and restoring developer trust in policy output.
- Environment-Aware Tag Schema: A tagging schema aligned to the client's environment hierarchy - QA, STG, and PROD - was defined so that cost allocation and ownership queries map directly to existing organisational boundaries, with Rego validation enforced consistently across all three environments and all 100+ stacks.
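An added, illustrative Spacelift plan policy of the kind described above (example code, not the client's or Ksolves' actual policy). It assumes the standard Spacelift plan-policy input (Terraform plan JSON under input.terraform), the AWS provider's tags and tags_all attributes, and handles provider default_tags by warning rather than denying when tags_all is not yet known at plan time, which is one way to avoid false-positive denials.

```rego
package spacelift
# Added example, not the client's actual policy. Assumes the standard Spacelift
# plan-policy input (Terraform plan JSON under input.terraform) and the AWS
# provider's "tags" / "tags_all" attributes on taggable resources.
required_tags := {"Environment", "Owner"}

# Only resources being created or updated are evaluated; deletes are ignored.
changing(rc) { rc.change.actions[_] == "create" }
changing(rc) { rc.change.actions[_] == "update" }

# Taggable: planned state carries a "tags" attribute (null when unset).
taggable(rc) { _ = rc.change.after.tags }

# Named tag attribute as an object, or {} when null or absent from "after"
# (tags_all is absent whenever it is only known after apply).
tag_map(rc, key) := m {
    m := rc.change.after[key]
    is_object(m)
} else := {}

# Effective tags: resource-level tags merged with tags_all, which is where
# provider default_tags surface when Terraform can compute them at plan time.
effective_tags(rc) := object.union(tag_map(rc, "tags"), tag_map(rc, "tags_all"))

# Provider default_tags still unresolved at plan time: tags_all is unknown.
defaults_pending(rc) { rc.change.after_unknown.tags_all == true }

# Hard gate: a required tag set neither on the resource nor via resolved
# default_tags blocks the merge, naming the resource and the missing key.
deny[msg] {
    rc := input.terraform.resource_changes[_]
    changing(rc)
    taggable(rc)
    not defaults_pending(rc)
    tag := required_tags[_]
    tags := effective_tags(rc)
    not tags[tag]
    msg := sprintf("%s is missing mandatory tag %q", [rc.address, tag])
}

# Soft signal: when tags_all cannot be computed yet, flag resources whose own
# tags block lacks a key rather than failing the merge on provider noise.
warn[msg] {
    rc := input.terraform.resource_changes[_]
    changing(rc)
    taggable(rc)
    defaults_pending(rc)
    tag := required_tags[_]
    tags := tag_map(rc, "tags")
    not tags[tag]
    msg := sprintf("%s relies on provider default_tags for %q; verify after apply", [rc.address, tag])
}
```

Attaching the policy with the autoattach label at the parent space lets child-space stacks pick it up without per-stack configuration, as the page describes.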
Technology Stack
| Category | Technology |
|---|---|
| Policy as Code | Rego (OPA) |
| Infrastructure as Code | Terraform |
| Platform | Spacelift |
| Infrastructure | AWS (EC2, RDS, S3, ECS) |
| Methodology | FinOps Framework |
- 100% Tagging Compliance Enforced: Rego rules gate every code check-in, ensuring all new infrastructure carries mandatory Environment and Owner tags before merge - enforced automatically with no manual review required.
- FinOps Attribution Accuracy Restored: Mandatory tags enforced at code level enable automated cost allocation by team and environment across all AWS resources, eliminating hours of monthly manual reconciliation across 100+ stacks.
- Zero Per-Stack Configuration: The autoattach:* label propagates Rego rules to all child spaces automatically, including new stacks - zero manual attachment, zero maintenance overhead, scales with the platform.
- Policy Noise Eliminated: A targeted Rego exception filters provider-level default_tags entries, removing all spurious warnings and ensuring developers only see genuine violations that require action.
- Compliance Shifted Left: Developers receive immediate feedback at check-in, identifying the resource and missing tag, enabling self-remediation before code enters the codebase - untagged resources no longer reach production.
An AdTech platform operating 100+ Spacelift-managed Terraform stacks with no tagging standard, unreliable FinOps reporting, and no pre-deployment compliance gate was transformed into a fully governed, policy-driven infrastructure estate through Ksolves' DevOps consulting services. Rego plan policies auto-attached via the autoattach:* label now enforce mandatory Environment and Owner tags at every code check-in across all stacks, with zero per-stack configuration required. FinOps cost attribution is accurate and automated, false-positive policy noise has been eliminated, and compliance is enforced at the source rather than chased after deployment. The pattern is extensible to additional mandatory tags and serves as the foundation for broader policy-as-code adoption across the engineering organisation.