Tag Compliance with Tag Validator for Datadog

September 15, 2021

If you’re a user of Datadog, you know that tags are the backbone of how the product functions. Tagging enables users and administrators of the platform to add context to their infrastructure, and enrich the data they get from hosts, metrics, logs, and applications. Whether you’re trying to get a high-level view of your infrastructure, or trying to identify a specific issue with a single microservice, having good, meaningful tags that follow your tagging strategy is of utmost importance.

While having a well-defined tagging strategy is a great first step, executing on it is even more important. Many companies use configuration management tools such as Chef, Puppet, and Ansible to maintain their Datadog Agent tag configurations; however, not every organization has the luxury of a well-defined configuration management strategy.

In situations where end-users have control over what gets deployed on their servers, when it gets deployed, and how it’s configured, it can be difficult to make sure your organization’s standards are being followed. This is the exact problem one of my customers had, which led me to create the Validator.


The Validator accepts a mapping of required tag keys, along with the allowed tag values for those keys. The mapping must consist of key:value pairs. It also accepts a single wildcard value, which validates only that the key has some value, for cases where you don't care what the tag's value is as long as one is set.

The check then uses Datadog’s host APIs to retrieve the list of hosts in your Datadog account and compares each host’s tags with the key:value pairs defined in the conf.yaml file to tell you: 1. whether your hosts have the keys you’ve stated are important; and 2. if a host has the key, whether it has a value your organization has deemed allowed. The end result is a few Datadog service checks and binary metric values showing whether any hosts are violating each of the two cases.
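The comparison described above, sketched as an added example that is not the Tag Validator's own code. The mapping shape, the `*` wildcard symbol, the host records, the lowercasing of tags and the choice to count a key with an empty value as missing are all assumptions of this sketch; no Datadog API is called.

```python
# Added illustration; not the Tag Validator's source. The mapping shape, the "*"
# wildcard and the host records below are assumptions constructed for this example.
WILDCARD = "*"

REQUIRED = {                      # required key -> allowed values
    "env": ["prod", "staging"],
    "team": [WILDCARD],           # any non-empty value is acceptable
}

HOSTS = {                         # constructed sample: host name -> list of tags
    "web-01": ["env:prod", "team:payments", "url:http://internal:8080"],
    "web-02": ["env:dev", "team:"],
    "db-01": ["team:data", "standalone"],
    "batch-01": ["ENV:Staging", "env:qa", "team:ml"],
}


def parse_tags(tags):
    """Split 'key:value' tags on the first colon only; a key may carry several values."""
    parsed = {}
    for tag in tags:
        key, _, value = tag.strip().lower().partition(":")
        parsed.setdefault(key, set())
        if value:
            parsed[key].add(value)
    return parsed


def validate(hosts, required):
    """Return (missing_keys, bad_values, summary) for the two compliance cases."""
    missing, bad = {}, {}
    for host, tags in hosts.items():
        parsed = parse_tags(tags)
        for key, allowed in required.items():
            values = parsed.get(key, set())
            if not values:                      # key absent, or present with no value
                missing.setdefault(host, []).append(key)
            elif WILDCARD not in allowed and not values <= set(allowed):
                bad.setdefault(host, {})[key] = sorted(values - set(allowed))
    total = len(hosts) or 1                     # avoid dividing by zero on an empty account
    summary = {
        "hosts_missing_key": len(missing),
        "pct_missing_key": round(100 * len(missing) / total, 1),
        "hosts_bad_value": len(bad),
        "pct_bad_value": round(100 * len(bad) / total, 1),
    }
    return missing, bad, summary
```

A host that carries several values for one key is flagged here when any of them falls outside the allowed list, which is why `batch-01` fails on `env:qa` despite also having a compliant `staging` value.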

Key Compliance

The Validator will check to make sure your hosts are tagged with the keys you view as the most important. From this section of the dashboard, you can see the number of hosts that are missing at least 1 tag key, both as a count and as a percentage of your overall infrastructure. The service check displays the number of key checks that have taken place as a sum. The table will then display the hosts, the tag key being checked, and whether or not the key is missing from that host. The bar chart will show a spread of which tag keys are missing the most from your hosts.

Tag Value Compliance

Similar to the previous section of the dashboard, the tag value compliance checks will show you, of the hosts that have the required tag keys, which have the values you've defined as acceptable. We again display both the count and percentage of hosts that have at least 1 non-compliant value, as well as the individual value checks taking place. The table will display the hosts, the tag key checked, and the current value for that key attached to the host. The value then indicates whether the value currently assigned to the host is acceptable as outlined in your configuration. And again, just like the key compliance section, the bar chart shows the spread of which tag keys have the most non-compliant values.

Agent Compliance

The final portion of the Validator is agent compliance. Hosts can come into Datadog via other integrations such as AWS, Azure, vSphere, or even our own Nutanix integration. This portion of the dashboard displays whether the hosts in your Datadog instance have the agent installed, and if so, the version of the agent. The top list here also shows the total count of hosts per agent version.

Keeping track of your tags across several public and private clouds can be a daunting task. Don't let keeping track of them be a manual process; let Datadog do it for you!


written by
Logan Rohloff
Michigan-born but Boston-residing engineer with experience ranging from application management to infrastructure administration and automation, dodgeball national champion