Cloud Tag Management - The Never-Ending Cockroach Hunt

By Paul Stack
9/16/2025

Terraform and Pulumi? Still Using a Rolled-Up Newspaper.

Terraform + Pulumi + policy engines = blockers.
System Initiative = enabler.

Open up AWS Cost Explorer. Group your spend by project, team, or any other tag you care about.

Now look at the pie chart. See that giant slice labeled "untagged"? That’s the black hole where your accountability disappears. Nobody knows who owns those resources, what project they belong to, or why they’re still running. Welcome to the tagging apocalypse.

Tags were supposed to save us from this. Instead, they’ve become the cockroaches of the cloud: ugly, everywhere, and almost impossible to kill. And here’s the problem — Terraform and Pulumi, the tools we’ve all hitched our wagons to, aren’t solving it. They were built for provisioning boxes in the cloud, not governing them. Which means tagging — the thing finance, security, ops, and compliance all depend on — is still a mess.

Tags Aren’t "Nice to Have"

If your tags are garbage, your cloud strategy is garbage. Full stop.

  • Finance can’t break down spend. Untagged buckets in Cost Explorer make your bill unreadable noise.
  • Security can’t prove compliance. Good luck with an audit when half your prod databases don’t have data-classification set.
  • Ops can’t automate. Monitoring, backups, pipelines — they all hinge on tags. Inconsistent tags = broken automations.
  • Governance disappears. No tags means no owner. No owner means zombie resources chewing through your budget.

Tags aren’t decoration. They’re survival.

Terraform & Pulumi: Great at Spinning Up Infra, Useless at Tagging

Terraform and Pulumi are great at turning config into infrastructure. But when it comes to tagging? They’re stuck in the dark ages.

  • Default tags are a lie. Terraform’s default_tags only work on some resources. Pulumi has the same gaps. You’ll always be chasing exceptions.
  • Modules are duct tape. "Just build a tagging module!" Sure — until every team forks theirs and suddenly "prod" means 15 different things.
  • Policy engines don’t help. OPA, Sentinel, CrossGuard — they don’t fix your tags. They just slam the brakes if you get it wrong. And here’s the truth: blocking is an anti-pattern. It only exists because our tools don’t self-correct. If the system applied or fixed tags automatically, you’d never design a workflow around stopping people at the gate.
  • They slow you down. Missing a tag shouldn’t halt a deployment. But with IaC + PaC bolted on, it does. Every. Damn. Time.

Terraform and Pulumi don’t give you a tagging strategy. They give you a tagging bottleneck. And that’s why teams end up duct-taping modules, writing brittle policies, and slowing engineers down — all to solve a problem that shouldn’t exist in the first place.

That’s the old way. The new way doesn’t punish you for missing a tag — it fixes the problem for you.

The New Way: System Initiative

System Initiative flips the model: we surface the information, and you decide what to do with it — fix it now or later. The point is, you’re in control, not a blocking policy engine.

By default, we’re informative and helpful:

  • Ship now. Infra gets deployed. No blocked pipelines.
  • Review later. SI scans tags across your infrastructure and surfaces insights:
    • Did you know 37% of your EC2 instances don’t have an owner tag?
    • Did you know your team tag has 12 inconsistent values, including plat, platform, and platform-team?
    • Did you know 40% of your spend in us-east-1 isn’t tagged with project?
  • Fix with policy. You define your policy; SI suggests and applies improvements after the fact.
  • Enable, don’t punish. If you need blocking, you can still enforce it. But for most teams, SI provides guidance and fixes without getting in the way.
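As an added illustration of the informative, fix-later model described above (example code written for this page, not System Initiative's product code), here is a tag audit in Python over a constructed resource inventory: it measures coverage gaps per required tag, groups inconsistent spellings of a team tag under an assumed alias policy, computes untagged spend per region, and lists suggested fixes instead of blocking a deployment. The inventory, the required tag set and the alias map are all assumptions.

```python
from collections import defaultdict

# Constructed sample inventory (id, region, monthly USD cost, tags); not real
# account data, but shaped like what a cloud describe-* call returns.
INVENTORY = [
    {"id": "i-01", "region": "us-east-1", "cost": 100.0,
     "tags": {"owner": "alice", "team": "platform", "project": "billing"}},
    {"id": "i-02", "region": "us-east-1", "cost": 50.0,
     "tags": {"team": "plat", "project": "billing"}},
    {"id": "i-03", "region": "us-east-1", "cost": 50.0,
     "tags": {"owner": "bob", "team": "platform-team"}},
    {"id": "i-04", "region": "us-west-2", "cost": 80.0,
     "tags": {"owner": "bob", "team": "Platform", "project": "search"}},
    {"id": "db-05", "region": "us-west-2", "cost": 20.0, "tags": {}},
]
REQUIRED_TAGS = ("owner", "team", "project")
# Assumed team policy: known aliases collapse onto one canonical spelling.
TEAM_ALIASES = {"plat": "platform", "platform-team": "platform"}

def canonical(value, aliases):
    """Normalise case and separators, then apply the alias policy."""
    v = value.strip().lower().replace("_", "-").replace(" ", "-")
    return aliases.get(v, v)

def missing_tag_pct(inventory, keys):
    """Percent of resources missing each key: the 'untagged' slice per key."""
    n = len(inventory)
    return {k: round(100 * sum(k not in r["tags"] for r in inventory) / n, 1)
            for k in keys}

def inconsistent_values(inventory, key, aliases):
    """Canonical value -> sorted raw spellings, only where several spellings exist."""
    seen = defaultdict(set)
    for r in inventory:
        if key in r["tags"]:
            seen[canonical(r["tags"][key], aliases)].add(r["tags"][key])
    return {c: sorted(v) for c, v in seen.items() if len(v) > 1}

def untagged_spend_pct(inventory, key):
    """Percent of each region's spend sitting on resources that lack the key."""
    total, untagged = defaultdict(float), defaultdict(float)
    for r in inventory:
        total[r["region"]] += r["cost"]
        untagged[r["region"]] += r["cost"] if key not in r["tags"] else 0.0
    return {reg: round(100 * untagged[reg] / total[reg], 1) for reg in total}

def suggest_fixes(inventory, key, aliases):
    """(id, current, suggested) for every value that is not already canonical."""
    return [(r["id"], r["tags"][key], canonical(r["tags"][key], aliases))
            for r in inventory if key in r["tags"]
            and canonical(r["tags"][key], aliases) != r["tags"][key]]
```

Nothing here stops a deploy: the same functions run after the fact against whatever was shipped, and the fix list is what a policy step would apply.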

Old Way vs. New Way

  • Old Way: brittle modules, blocked pipelines, and engineers stuck fighting hall monitors with rolled-up newspapers.
  • New Way: AI native automation that reviews, suggests, and fixes — without getting in the way of delivery.

Stop Pretending IaC Is Enough

Terraform and Pulumi were revolutionary — in 2015. But their moment has passed. They provision infrastructure. They don’t govern it. Policy-as-code is lipstick on that pig — reactive, brittle, and obsessed with blocking.

System Initiative is the new way. AI native, proactive, and designed to help teams succeed without friction. We don’t care if your tags are perfect at deploy time. We care that they’re accurate at the moments that actually matter — when finance needs clean cost reports, when auditors ask for proof, when ops need automation to work, and when governance teams are cleaning up abandoned resources.

Hot take: Terraform, Pulumi, and policy-as-code for tagging are just writing bureaucracy in YAML and calling it progress. It’s not "doing DevOps," and now there’s a better way.

Try it for yourself. Then come join us on Discord and share your story. We’re building the future of infrastructure automation together — and we’d love you to be part of it.

Paul Stack, Director of Product

Paul is an engineer turned product manager who is passionate about the Continuous Delivery and DevOps movements and how they are critical in helping businesses deliver value to their customers.
