Resource Tagging Best Practices Applied (Part 1 - Auditing)
Our most popular blog post was about resource tagging best practices. I thought I would follow up that post with some real-world application of tagging best practices in our own environment with the explicit purpose of tracking down Azure spend and getting that spend information into people's inboxes so they can take action to reduce costs.
The Environment
Our group pays one bill and we don't charge back the cost of Azure spend, so we technically don't have a need to track charge codes. A person is responsible for objects, and those objects are part of a solution or project, so we have two attributes we are interested in capturing.
We have two subscriptions to separate our environments, so we don't need an environment tag. The two environments are:
Critical Infrastructure
Labs
We are using only two tags, applied at the resource group level:
Owner
Solution
Azure Policy & Policy Definitions
Azure Policy has a number of built-in policies; however, it doesn't have one for auditing resource tags. Thankfully, we have a quick win: the sample at https://github.com/Azure/azure-policy/tree/master/samples/ResourceGroup/audit-resourceGroup-tags. You will need to be a subscription owner to create this policy definition.
$definition = New-AzureRmPolicyDefinition -Name "audit-resourceGroup-tags" -DisplayName "Audit resource groups missing tags" -description "Audit resource groups that doesn't have particular tag" -Policy 'https://raw.githubusercontent.com/Azure/azure-policy/master/samples/ResourceGroup/audit-resourceGroup-tags/azurepolicy.rules.json' -Parameter 'https://raw.githubusercontent.com/Azure/azure-policy/master/samples/ResourceGroup/audit-resourceGroup-tags/azurepolicy.parameters.json' -Mode All
$definition
Let's do the next step through the UI. Go to Policy, Assignments, Assign Policy, and select your subscription. You can also select resource groups for exclusion (more on that later), but for audit purposes I would like to target the entire subscription.
Next, select the Policy Definition and search for the word 'tag'. Here we can see the built-in definitions and the custom definition we have just uploaded.
Policy Assignment
Once selected, you can complete the remaining fields. We need to create policy assignments for auditing the Owner and Solution tags in both subscriptions.
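The same assignments can be scripted instead of clicked through. The following is an added example, not code from the original post: it creates the sample definition in each subscription (a custom definition is only visible in the subscription it was created in) and assigns it once per tag. The subscription IDs are placeholders, the assignment names are made up for illustration, and it assumes the AzureRM modules with an existing Login-AzureRmAccount session as a subscription owner.

```powershell
# Added example: the subscription IDs below are placeholders, not real values.
$subscriptions = @{
    'Critical Infrastructure' = '<critical-infrastructure-subscription-id>'
    'Labs'                    = '<labs-subscription-id>'
}
$requiredTags = 'Owner', 'Solution'
$sampleRoot   = 'https://raw.githubusercontent.com/Azure/azure-policy/master/samples/ResourceGroup/audit-resourceGroup-tags'

foreach ($sub in $subscriptions.GetEnumerator()) {
    # Switch context so the definition is created in this subscription.
    Set-AzureRmContext -SubscriptionId $sub.Value | Out-Null

    $definition = New-AzureRmPolicyDefinition -Name 'audit-resourceGroup-tags' `
        -DisplayName 'Audit resource groups missing tags' `
        -Description "Audit resource groups that doesn't have particular tag" `
        -Policy "$sampleRoot/azurepolicy.rules.json" `
        -Parameter "$sampleRoot/azurepolicy.parameters.json" `
        -Mode All

    foreach ($tag in $requiredTags) {
        # tagName is the parameter declared in the sample's azurepolicy.parameters.json.
        # The assignment name (audit-rg-tag-<tag>) is a hypothetical naming choice.
        New-AzureRmPolicyAssignment -Name "audit-rg-tag-$($tag.ToLower())" `
            -DisplayName "Audit resource groups missing the $tag tag ($($sub.Key))" `
            -Scope "/subscriptions/$($sub.Value)" `
            -PolicyDefinition $definition `
            -PolicyParameterObject @{ tagName = $tag }
    }
}
```

This produces four assignments in total, two per subscription, each scoped to the whole subscription with no exclusions.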
Once complete, you should be able to see the following:
Compliance
If we select Compliance, we can see a summary of all the policies.
If we select one of the audits, we can see the items that have failed to match the assigned policy, that is, resource groups that do not have the Owner resource tag.
While this helps find resource groups that are not tagged, the problem is that if someone spins up some resources and destroys them, that usage data has no tags associated with it, and therefore we can't track who provisioned it. I was using the Activity log to try and find who was working with the resources or had created them.
Defining an Initiative
Alternatively, you can combine these policies into an Initiative, basically a group of policies.
In this case I have defined the values in the initiative, but you can also use parameters. You then have to assign the initiative to a subscription.
Here you can see that two policies are part of this initiative
and then the compliance is summarized