
CSDM-First Tag Taxonomy v2.0

The bc:* tag namespace maps AWS infrastructure directly to the ServiceNow CSDM 5 four-level hierarchy: Business Capability → Business Service → Application Service → Configuration Item (CI). This page is the ops-team reference for what tags to apply and why.

v2.0 replaces v1.0 ordering

Version 1.0 listed tags alphabetically. Version 2.0 orders tags by CSDM level: Business Capability tags first, then Business Service, Application Service, and CI-level tags. This matches the top-down governance model required for ServiceNow CSDM 5 import.

CSDM 5 Four-Level Hierarchy

```mermaid
graph TD
    L1["Level 1: Business Capability<br/>bc:capability, bc:domain"]
    L2["Level 2: Business Service<br/>bc:service, bc:service-owner"]
    L3["Level 3: Application Service<br/>bc:application, bc:technical-lead"]
    L4["Level 4: CI<br/>bc:environment, bc:project, bc:cost-center, bc:wbs"]
    L1 --> L2
    L2 --> L3
    L3 --> L4
    style L1 fill:#1a4f8a,color:#fff
    style L2 fill:#2d6fa8,color:#fff
    style L3 fill:#4087c4,color:#fff
    style L4 fill:#667eea,color:#fff
```

CloudHealth Dimension Mapping: AS-IS vs TO-BE

| CloudHealth Dimension | AS-IS | bc:* TO-BE | Gap |
|---|---|---|---|
| Account Owner | Manual spreadsheet | bc:service-owner | Tag coverage required |
| Technical Lead | Not tracked | bc:technical-lead | New mandatory tag |
| WBS | Manual billing code | bc:wbs | Automated attribution |
| Environment | Account-level only | bc:environment | Resource-level granularity |
| Project | Cost center code | bc:project | Alignment to WBS |

Mandatory Tag Table

Every production CI must carry these tags. Missing mandatory tags trigger SCP enforcement (Phase C, 2027-Q1).

| Tag Key | CSDM Level | Description | Allowed Values / Format |
|---|---|---|---|
| bc:capability | Level 1 | Business capability this resource supports | energy-trading, grid-management, customer-billing, data-platform |
| bc:domain | Level 1 | Business domain | operations, finance, commercial, technology |
| bc:service | Level 2 | Business service name | Free text, max 64 chars, kebab-case |
| bc:service-owner | Level 2 | Service owner team or person | Email address or team alias |
| bc:application | Level 3 | Application name | Free text, max 64 chars, kebab-case |
| bc:technical-lead | Level 3 | Technical lead email | Email address of engineer on-call for this application |
| bc:environment | Level 4 | Deployment environment | prod, staging, dev, sandbox |
| bc:project | Level 4 | Project or initiative funding this resource | WBS code or project alias |
| bc:cost-center | Level 4 | Cost center for chargeback | Cost center code (6 digits) |
| bc:wbs | Level 4 | WBS code for billing | Bluecurrent WBS format |

| Tag Key | CSDM Level | Description |
|---|---|---|
| bc:managed-by | Level 3 | Provisioner: terraform, cdk, manual, cloudformation |
| bc:version | Level 3 | Application version or release tag |
| bc:data-classification | Level 4 | public, internal, confidential, restricted |
| bc:backup-required | Level 4 | true or false; triggers Backup Policy enforcement |
| bc:shutdown-schedule | Level 4 | weekdays-only, always-on, on-demand |

Integration Targets

Compatibility target: NOT integrated in 2026 Stage 1

The ServiceNow CSDM 5 compatibility target is prepared but NOT integrated in 2026 Stage 1. Live API sync is deferred to CC-S2 Stage 2. The table below documents the intended mapping for when integration is activated.

| bc:tag | CSDM 5 Class | CMDB Table | Field |
|---|---|---|---|
| bc:capability | cmdb_ci_business_capability | sn_cmdb_ci_bc | name |
| bc:service | cmdb_ci_service | cmdb_ci_service | name |
| bc:application | cmdb_ci_appl | cmdb_ci_appl | name |
| bc:technical-lead | cmdb_ci_appl | cmdb_ci_appl | owned_by |
| bc:environment | cmdb_ci | (base class) | environment |
| bc:cost-center | cmdb_ci | (base class) | cost_cc |

NOT live sync in 2026 Stage 1: CSV bridge only

The Atlassian Assets mapping compatibility target is prepared but NOT integrated in 2026 Stage 1. The Assets connector code is deferred to CC-S2 pending a JSM Assets API token (HITL credential).

| bc:tag | Atlassian Assets Object Type | Attribute |
|---|---|---|
| bc:application | Software | Name |
| bc:service | Service | Name |
| bc:technical-lead | Service | Owner |
| bc:environment | Server | Environment |
| bc:cost-center | Server | CostCenter |

CloudHealth Dimension Mapping

CloudHealth uses account-level and resource-level tags for cost allocation. The bc:* namespace maps to CloudHealth dimensions as follows (≥7 dimensions required for full cost attribution):

| CloudHealth Dimension | bc:tag | Notes |
|---|---|---|
| Account Owner | bc:service-owner | Team responsible for cost |
| ManagedBy | bc:managed-by | IaC tool managing the resource |
| Technical Lead | bc:technical-lead | Engineer on-call for cost anomalies |
| WBS | bc:wbs | Bluecurrent WBS billing code |
| WBS-AccountID | bc:cost-center | Cost center code for chargeback |
| Environment | bc:environment | Isolates prod vs non-prod spend |
| Project | bc:project | Initiative-level cost attribution |

Tag Enforcement Phased Rollout

| Phase | Timeline | Enforcement | Coverage |
|---|---|---|---|
| Phase A: Monitor | 2026-Q3 | CloudWatch tag compliance metrics only; no deny | All new resources |
| Phase B: Warn | 2026-Q4 | Tag Policy @@enforce; flags non-compliant in Console | ec2:instance, rds:db, s3:bucket |
| Phase C: Enforce | 2027-Q1 | SCP deny on Create* without mandatory tags | All resource types |

Allowed Values Governance

Allowed values for enum-type tags are maintained in tenants/_base/ci-schema/aws-tagging-standard-multi-account-lz-v2.md Section 8. Changes to allowed values go through:

  1. HITL proposes new allowed value in Jira story
  2. Cloud Architect reviews impact on existing Tag Policies
  3. Tag Policy JSON updated in tenants/_base/ci-schema/billing-tag-policy-template.json
  4. Quarterly review of allowed values against organizational changes

Quick Tag Check

Verify tag coverage for an existing EC2 instance:

```bash
# Check bc:* tag coverage on a specific instance
aws ec2 describe-tags \
    --profile "$AWS_OPERATIONS_PROFILE" \
    --filters "Name=resource-id,Values=<instance-id>" \
    --query 'Tags[?starts_with(Key, `bc:`)]'

# Tag coverage analysis across all EC2 in an account
uv run runbooks inventory tag-coverage \
    --profile "$AWS_OPERATIONS_PROFILE"
```
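
The describe-tags query above only lists the bc:* tags; it does not say whether their values would pass the Mandatory Tag Table. The following added example (not part of the runbooks project) validates a describe-tags style list against that table. `validate_tags` and `SAMPLE` are names introduced here, the email pattern is a simplification, and bc:service-owner, bc:project and bc:wbs are checked for presence only because this page does not define their formats.

```python
import re

# Rules transcribed from the Mandatory Tag Table on this page.
ENUMS = {
    "bc:capability": {"energy-trading", "grid-management", "customer-billing", "data-platform"},
    "bc:domain": {"operations", "finance", "commercial", "technology"},
    "bc:environment": {"prod", "staging", "dev", "sandbox"},
}
KEBAB = (re.compile(r"(?=.{1,64}\Z)[a-z0-9]+(-[a-z0-9]+)*"), "must be kebab-case, max 64 chars")
PATTERNS = {
    "bc:service": KEBAB,
    "bc:application": KEBAB,
    # Assumption: simplified email shape, not full RFC 5322.
    "bc:technical-lead": (re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"), "not an email address"),
    "bc:cost-center": (re.compile(r"[0-9]{6}"), "must be 6 digits"),
}
# The page does not pin down these formats (team alias, project alias, WBS),
# so they are checked for presence only.
PRESENCE_ONLY = ("bc:service-owner", "bc:project", "bc:wbs")

SAMPLE = [{"Key": k, "Value": v} for k, v in {  # constructed, not real data
    "Name": "web-01", "bc:capability": "customer-billing", "bc:domain": "finance",
    "bc:service": "Billing_API", "bc:service-owner": "billing-team",
    "bc:application": "invoice-engine", "bc:technical-lead": "lead@example.com",
    "bc:environment": "Prod", "bc:project": "billing-refresh", "bc:cost-center": "12345",
}.items()]


def validate_tags(tags):
    """Return sorted 'key: problem' strings for a describe-tags style list."""
    found = {t["Key"]: t["Value"] for t in tags if t["Key"].startswith("bc:")}
    problems = []
    for key in (*ENUMS, *PATTERNS, *PRESENCE_ONLY):
        value = found.get(key, "")
        if not value:
            problems.append(f"{key}: missing")
        elif key in ENUMS and value not in ENUMS[key]:
            # Tag values are case-sensitive, so "Prod" is not "prod".
            problems.append(f"{key}: '{value}' not in allowed values")
        elif key in PATTERNS and not PATTERNS[key][0].fullmatch(value):
            problems.append(f"{key}: {PATTERNS[key][1]}")
    return sorted(problems)


if __name__ == "__main__":
    print("\n".join(validate_tags(SAMPLE)))
```

Values are compared without trimming or case folding, so a resource that looks tagged in the Console can still be reported as non-compliant.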