Resource Tagging Best Practices Applied (Part 2 – Enforcement)
This post is following on from part 1 about resource tagging on resource groups where we setup azure policies to look for the existence of resource tags on resource groups. While this is helpful to understand the scale of the problem, the real problem is getting people to tag their resource groups when they create them. I work with a bunch of misfits and mavericks and while all brilliant in their own right, asking them to do anything as simple as tagging their stuff is about as futile as yelling at the rain to stop.
The Real Problem
This post is following on from part 1 about resource tagging on resource groups where we setup azure policies to look for the existence of resource tags on resource groups. While this is helpful to understand the scale of the problem, the real problem is getting people to tag their resource groups when they create them. I work with a bunch of misfits and mavericks and while all brilliant in their own right, asking them to do anything as simple as tagging their stuff is about as futile as yelling at the rain to stop.
The Solution
Since asking failed, let's try telling them. Same as in part one let's assign a policy that will force tags to be applied during object creation. You can set the tag value to the text wildcard *
While this will work 100% of the time, it does come along with a few issues. This list is by no means exhaustive and I will update it when and if we find more. If you have tried or are trying this and find any other issues arising from enforcing tags on resource groups, please comment and I can explore and add the content to this post.
Can't use the Portal
At the time of writing this, unfortunately, Azure does not ask you to add tags during the creation of Resource groups through the UI so you simply get an error.
You have to use PowerShell or ARM templates to create resource groups.
New-AzureRmResourceGroup -Name "Blahdedah" -Location "WestUS" -Verbose -Force -Tag @{Owner="matt quickenden"; Solution="IoT Testing"}
Adding a template to Azure
So you're thinking you could upload a template with parameters for tags to Azure Template so you could keep a UI experience?
{ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", "contentVersion": "1.0.0.1", "parameters": { "ResourceGroupName": { "type": "string" }, "ResourceGroupLocation": { "type": "string" }, "OwnerTag": { "type": "string" }, "SolutionTag": { "type": "string" } }, "variables": { "tags": { "Owner": "[parameters('OwnerTag')]", "Solution": "[parameters('SolutionTag')]" } }, "resources": [ { "type": "Microsoft.Resources/resourceGroups", "apiVersion": "2018-05-01", "location": "[parameters('ResourceGroupLocation')]", "name": "[parameters('ResourceGroupName')]", "properties": {}, "tags": "[variables('tags')]" } ], "outputs": {} }
Close enough, you could limit the location to actual Azure locations etc, but let's check if it works.
Interestingly, Azure creates a resource group first before trying to execute your code. This could work for creating a blank template using ARM but the PowerShell is probably easier or just including the tags in your main ARM template.
Visual Studio Deployments
Deploying quickstart templates from visual studio fails.
the workaround is to open the Deploy-AzureResourceGroup.ps1 script inside the project. Scroll down to the line that starts with New-AzureRmResourceGroup. It should be around line 93.
Edit that line so your tags are added at deployment. That line should look something like this after you have edited it:
New-AzureRmResourceGroup -Name $ResourceGroupName -Location $ResourceGroupLocation -Tag @{Owner="harry potter"; Solution="Deploy with tags "} -Verbose -Force
Azure Backup
Using Azure backup vault to create a backup of a VM. If you have it already set up it seems to be just fine, however, when you attempt to create a new one backup it seems to fail.
Taking a look at the activity log reveals 'Update resource group' failed
cutting through the rest we can find the status error message
"statusMessage": "{\"error\":{\"code\":\"RequestDisallowedByPolicy\",\"target\":\"AzureBackupRG_westus_1\",\"message\":\"Resource 'AzureBackupRG_westus_1' was disallowed by policy. Policy identifiers: '[{\\\"policyAssignment\\\":{\\\"name\\\":\\\"Enforce Resource Group Tag Like Value SOLUTION Pattern\\\",\\\"id\\\":\\\"/subscriptions/....
Adding an exclusion to the enforcement policy for the resource group seems to have done the trick. New backups to this backup vault can be created and continue to run without any issues.
Next Steps
While this enforcement has created some problems, there aren't any show stoppers at the moment and if it really is an issue, for a particular use case or project if you can't simply add an exclusion you can disable the policy temporarily and re-enable it for a month. Some deployments might get through without tags but we can hunt those people down through the activity logs. This is more a catch-all tool so I still consider this useful and still functional so we will proceed.
Next up we will take a look into getting at the data and trying to get closer to the ultimate goal of putting data in an email targeted at the resource group owners.
Resource Tagging Best Practices Applied (Part 1 - Auditing)
Our most popular blog post was about resource tagging best practices. I thought I would follow up that post with some real-world application of tagging best practices in our own environment with the explicit purpose of tracking down Azure spend and getting that spend information into people's inboxes so they can take action to reduce costs.
Our most popular blog post was about resource tagging best practices. I thought I would follow up that post with some real-world application of tagging best practices in our own environment with the explicit purpose of tracking down Azure spend and getting that spend information into people's inboxes so they can take action to reduce costs.
The Environment
Our group pays one bill and we don't charge back the cost of Azure spend, so we technically don't have a need to track charge codes. A person is responsible for objects and those objects are part of a solution or project so we have two attributes we are interested in capturing.
We have two subscriptions to separate our environments so we don't need an environment tag. The two environments are;
Critical Infrastructure
Labs
We are using only two tags at a resource group level
Owner
Solution
Azure Policy & Policy Definitions
Azure Policy has a number of built-in policies, however, it doesn't have one for Auditing Resource Tags. Thankfully, we have a quick win, https://github.com/Azure/azure-policy/tree/master/samples/ResourceGroup/audit-resourceGroup-tags. You will need to be a subscription owner to create this policy definition.
$definition = New-AzureRmPolicyDefinition -Name "audit-resourceGroup-tags" -DisplayName "Audit resource groups missing tags" -description "Audit resource groups that doesn't have particular tag" -Policy 'https://raw.githubusercontent.com/Azure/azure-policy/master/samples/ResourceGroup/audit-resourceGroup-tags/azurepolicy.rules.json' -Parameter 'https://raw.githubusercontent.com/Azure/azure-policy/master/samples/ResourceGroup/audit-resourceGroup-tags/azurepolicy.parameters.json' -Mode All $definition
Let's do the next step through the UI. Go to Policy, Assignments, Assign Policy, Select your Subscription. You can also select resource groups for exclusion (more on that later) for audit purposes I would like to target the entire subscription.
Next, select the Policy Definition, search for word 'tag'. Here we can see the built-in definitions and the custom definition we have just uploaded.
Policy Assignment
Once selected, you can complete the remaining fields. We need to create policy assignments for auditing Owner, Solution tags for both subscriptions.
Once complete you should be able to see the following
Compliance
Which if we select compliance we can see a summary of all the policies
If we select one of the audits, we can see the items that have failed to match the assigned policy, that is resource groups do not have the Owner resource tag.
While this helps find resource groups that are not tagged, the problem is that if someone spins up some resources and destroys them that usage data has no tags associated with it and therefore we can't track who provisioned it. I was using the Activity log to try and find who was working with the resources or had created it.
Defining an Initiative
Alternatively, you can combine these policies into an Initiative, basically a group of policies.
In this case I have defined the values in the initiative, but you can also use parameters. You then have to assign the initiative to a subscription
Here you can see there are two policies are part of this initiative
and then the compliance is summarized
Topic Search
-
Securing TLS in WAC (Windows Admin Center) https://t.co/klDc7J7R4G
Posts by Date
- March 2025 1
- February 2025 1
- October 2024 1
- August 2024 1
- July 2024 1
- October 2023 1
- September 2023 1
- August 2023 3
- July 2023 1
- June 2023 2
- May 2023 1
- February 2023 3
- January 2023 1
- December 2022 1
- November 2022 3
- October 2022 7
- September 2022 2
- August 2022 4
- July 2022 1
- February 2022 2
- January 2022 1
- October 2021 1
- June 2021 2
- February 2021 1
- December 2020 2
- November 2020 2
- October 2020 1
- September 2020 1
- August 2020 1
- June 2020 1
- May 2020 2
- March 2020 1
- January 2020 2
- December 2019 2
- November 2019 1
- October 2019 7
- June 2019 2
- March 2019 2
- February 2019 1
- December 2018 3
- November 2018 1
- October 2018 4
- September 2018 6
- August 2018 1
- June 2018 1
- April 2018 2
- March 2018 1
- February 2018 3
- January 2018 2
- August 2017 5
- June 2017 2
- May 2017 3
- March 2017 4
- February 2017 4
- December 2016 1
- November 2016 3
- October 2016 3
- September 2016 5
- August 2016 11
- July 2016 13