Azure Tags

Girish Prajwal 706 Reputation points
2020-10-27T14:36:00.383+00:00

Hi Team,

We already have Tags assigned to our resources. WE need to find the below and then assign the tags accordingly.

  • We have Tag names with Business Owner, Technical Owner, Environment, WBS
  • Tag Values as BO - it is with Project Manager'e email addresses, Cloud Architects email addresses, Enironment as Prod, Dev, Staging, CostCenterValue (in strings)
  • We do have duplicate Tag Names and Values as above for few of the Resources

We need to find the Resources and Resource Groups which are not tagged as per the Tag Names Business Owner and Technical Owner alone. Please suggest on how to find such resources and assign the tags as above.

Azure Cost Management
Azure Cost Management
A Microsoft offering that enables tracking of cloud usage and expenditures for Azure and other cloud providers.
2,021 questions
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
790 questions
Accepted answer
  1. olufemia-MSFT 2,861 Reputation points
    2020-11-01T03:12:51.053+00:00

    Understood, @Girish Prajwal . Thanks for clarifying.

    Based on your requirement, I suggest Azure Policy as a feasible solution which will also help with your tag governance strategy.
    Also recommend reviewing the published best-practice guidance on tagging & naming Azure resources.
    Here's a Tutorial addressing a similar scenario.

    Example based on your scenario:
    First, create a Policy rule with a deny effect to prevent creation of resource groups without the required BO tags. 

    "if": {  
    "allOf": [{  
            "field": "type",  
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"  
        },  
        {  
            "field": "tags['Business Owner']",  
            "exists": false  
        }  
    ]  
},  
"then": {  
    "effect": "deny"  
}

    Note: As this policy rule targets a resource group, the policy definition mode must be set to 'All'.

    Second, create a Policy rule with a Modify effect and 'add' operation to enforce all new and existing resources created under the Parent resource group inherit the BO tag. 

    "policyRule": {  
    "if": {  
        "field": "tags['Business Owner']",  
        "exists": "false"  
    },  
    "then": {  
        "effect": "modify",  
        "details": {  
            "roleDefinitionIds": [  
                "/providers/microsoft.authorization/roleDefinitions/<**mySubID**>"  
            ],  
            "operations": [{  
                "operation": "add",  
                "field": "tags['Business Owner]",  
                "value": "[resourcegroup().tags['PMemail@domain.com']]"  
            }]  
        }  
    }  
}

    Note: This policy rule targets resources that support tags, the Policy definition mode must be set to 'Indexed'. This ensures the policy skips resource groups.

    Once the tag policies above are created, join them into a single initiative for tag governance and assign them to a management group or subscription. The initiative and included policies then evaluate compliance of existing resources and alters requests for new or updated resources that match the if property in the policy rule. However, the policy doesn't automatically update existing non-compliant resources with the defined tag changes.

    Last step is to remediate non compliant resources and/or resource groups using these steps.

    Hope this helps but do ping if you have any followup questions.

    Cheers

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest