Resource Tagging Best Practices Applied (Part 1 – Auditing)

12 Oct

Our most popular blog post was about resource tagging best practices. I thought I would follow up that post with some real-world application of tagging best practices in our own environment with the explicit purpose of tracking down Azure spend and getting that spend information into people’s inboxes so they can take action to reduce costs.

The Environment

  • Our group pays one bill and we don’t charge back the cost of Azure spend, so we technically don’t have a need to track charge codes.  A person is responsible for objects and those objects are part of a solution or project so we have two attributes we are interested in capturing.
  • We have two subscriptions to separate our environments so we don’t need an environment tag.  The two environments are;
    • Critical Infrastructure
    • Labs
  • We are using only two tags at a resource group level
    • Owner
    • Solution

Azure Policy & Policy Definitions

Azure Policy has a number of built-in policies, however, it doesn’t have one for Auditing Resource Tags.  Thankfully, we have a quick win, https://github.com/Azure/azure-policy/tree/master/samples/ResourceGroup/audit-resourceGroup-tags.  You will need to be a subscription owner to create this policy definition.

$definition = New-AzureRmPolicyDefinition -Name "audit-resourceGroup-tags" -DisplayName "Audit resource groups missing tags" -description "Audit resource groups that doesn't have particular tag" -Policy 'https://raw.githubusercontent.com/Azure/azure-policy/master/samples/ResourceGroup/audit-resourceGroup-tags/azurepolicy.rules.json' -Parameter 'https://raw.githubusercontent.com/Azure/azure-policy/master/samples/ResourceGroup/audit-resourceGroup-tags/azurepolicy.parameters.json' -Mode All
$definition

Let’s do the next step through the UI.  Go to Policy, Assignments, Assign Policy, Select your Subscription.  You can also select resource groups for exclusion (more on that later) for audit purposes I would like to target the entire subscription.

Next, select the Policy Definition, search for word ‘tag’.  Here we can see the built-in definitions and the custom definition we have just uploaded.

Policy Assignment

Once selected, you can complete the remaining fields.  We need to create policy assignments for auditing Owner, Solution tags for both subscriptions.

Once complete you should be able to see the following

Compliance

Which if we select compliance we can see a summary of all the policies

If we select one of the audits, we can see the items that have failed to match the assigned policy, that is resource groups do not have the Owner resource tag.

While this helps find resource groups that are not tagged, the problem is that if someone spins up some resources and destroys them that usage data has no tags associated with it and therefore we can’t track who provisioned it.  I was using the Activity log to try and find who was working with the resources or had created it.

Defining an Initiative

Alternatively, you can combine these policies into an Initiative, basically a group of policies.

In this case I have defined the values in the initiative, but you can also use parameters.  You then have to assign the initiative to a subscription

Here you can see there are two policies are part of this initiative

and then the compliance is summarized

Next Steps

Enforcing Owner and Solution resource tags on resource groups.

Matthew Quickenden

Working with private cloud solutions for several years. Heavy focus on virtualization and automation. Recently working to help business move into and consume true cloud solutions.

LinkedIn