Tag Policy conditions and triggers
A full reference of the conditions, scopes, actions, and triggers you can use when creating a Tag Policy.
Match Conditions
| Field | Value | Description |
|---|---|---|
| Conjunction | When | The first row (fixed) |
| | AND | Add an AND condition (all must be true) |
| | OR | Add an OR condition (at least one true) |
| Field | Resource name | The field to compare (fixed in v1.0) |
| Operator | start with | The resource name starts with the string |
| | end with | The resource name ends with the string |
| | contains | The resource name contains the string |
| Value | Any string | Case-insensitive |
Condition examples
When Resource name contains prod
AND Resource name start with vm-
Matches: vm-prod-app-01, vm-prod-db-02
Does not match: vm-staging-01, prod-lb-01 (does not start with vm-)
When Resource name contains prod
OR Resource name contains staging
Matches: every resource whose name contains prod or staging
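The two condition examples above can be previewed offline before a policy is created. This is an added sketch, not the product's code: `Condition`, `matches` and `preview` are hypothetical names, rows are assumed to fold left to right (the page states no AND/OR precedence), and rejecting an empty value is this sketch's own safeguard.

```python
# Added example: local dry run of Tag Policy match conditions (not product code).
from dataclasses import dataclass

# Operator labels exactly as listed in the Match Conditions table.
OPERATORS = {
    "start with": str.startswith,
    "end with": str.endswith,
    "contains": str.__contains__,
}

@dataclass(frozen=True)
class Condition:
    conjunction: str  # "When" on the first row, then "AND" or "OR"
    operator: str     # one of OPERATORS
    value: str        # compared case-insensitively

def _hit(name: str, row: Condition) -> bool:
    if row.operator not in OPERATORS:
        raise ValueError(f"unknown operator: {row.operator!r}")
    if not row.value:
        # Sketch's own safeguard: an empty string would match every name.
        raise ValueError("empty value matches every resource")
    return OPERATORS[row.operator](name.casefold(), row.value.casefold())

def matches(name: str, rows: list[Condition]) -> bool:
    if not rows or rows[0].conjunction != "When":
        raise ValueError("first row must use the fixed 'When' conjunction")
    result = _hit(name, rows[0])
    for row in rows[1:]:
        # Assumption: rows fold left to right; the page gives no precedence.
        # _hit runs first so every row is validated, even when short-circuited.
        if row.conjunction == "AND":
            result = _hit(name, row) and result
        elif row.conjunction == "OR":
            result = _hit(name, row) or result
        else:
            raise ValueError(f"unknown conjunction: {row.conjunction!r}")
    return result

def preview(names: list[str], rows: list[Condition]) -> list[str]:
    """Names the policy would touch, in input order."""
    return [n for n in names if matches(n, rows)]

# First four names come from the page's examples; the last is constructed.
NAMES = ["vm-prod-app-01", "vm-prod-db-02", "vm-staging-01", "prod-lb-01", "VM-PROD-Cache-03"]
AND_POLICY = [Condition("When", "contains", "prod"), Condition("AND", "start with", "vm-")]
OR_POLICY = [Condition("When", "contains", "prod"), Condition("OR", "contains", "staging")]

if __name__ == "__main__":
    print("AND:", preview(NAMES, AND_POLICY))
    print("OR: ", preview(NAMES, OR_POLICY))
```

Running a preview like this against an inventory export shows how wide a `contains` rule reaches before it is paired with the Replace existing tags action.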
Resource scope
| Scope | Notes |
|---|---|
| Instance | A regular VM (Compute Engine) |
| VPC | Virtual Private Cloud |
| K8S Cluster | The applied tag is automatically inherited by member VMs |
| Load Balancer | |
| DB Cluster | The tag applies to the cluster, not to the DB instances |
| Storage Disk | |
| Subnet | |
| Security Group | |
| Floating IP | |
📝 Note: Resource scope cannot be changed after the policy is created.
Action
| Action | Description | Allowed triggers |
|---|---|---|
| Add tag (keep existing) | Adds the tags while keeping existing tags | On Creation and/or Manual Run |
| Replace existing tags | Removes all existing tags, keeping only the policy's tags | Only Manual Run |
📝 Note: The Replace action with the Instance scope does not replace tags inherited from a K8S Cluster — that VM is reported as Skipped. The action cannot be changed after the policy is created.
Trigger
| Trigger | UI label | Description |
|---|---|---|
| creation | On Resource Creation | Runs automatically when a new resource matching the scope is created |
| manual | Manual Run | Runs when the admin clicks Run now |
Run status
| Status | Meaning |
|---|---|
| SUCCESS | Every matching resource was tagged |
| PARTIAL | Some resources were skipped (inheritance, or a cluster with no VMs) |
| SKIPPED | No resource matched the conditions |
| FAILED | A technical error |
Resource status in Run details
| Status | Meaning |
|---|---|
| TAGGED | The resource was tagged successfully |
| SKIPPED | The resource was skipped; see the Note column for the reason |