Resource Tag management in Microsoft Azure

Adding tags to resources in Azure is generally a good idea. It helps administrators manage billing, know what things are, and know when they can be safely decommissioned.

I have included here some guidance and useful scripts for adding and managing tags on resources and resource groups.

The first thing to work out is which tags you want to enforce and standardise on in your organisation. This can usually be agreed between the people responsible for managing the subscriptions and the people paying or passing on the costs.

An example of a typical minimum set is:

  • product – the name of the product or system this resource is part of. Personally I like all items associated with a product or system to also be in a specific Resource Group.
  • owner – who is the owner or contact responsible for this resource. Make this an email address and name.
  • environment – is this ‘prod’, ‘stag’, ‘test’ or ‘dev’? This may not be so critical if, like me, you have distinct subscriptions for each environment. Some organisations, however, do not, and then this becomes key.
  • expires – when can this resource definitely be removed? A date in yyyy-mm-dd format or ‘never’.
  • cost-centre – the accounts department will want something like this, or some such code that cross-references with the accounts, to indicate which department in the organisation is budgeting for this bit of kit.
  • cost-code – the accounts department will probably also want something like this to indicate the kind of expense or project it is.

The important thing is to define a good standard that everyone can find and is not too onerous to adhere to and maintain. Also provide your community with as many tools and helpers as you can to make it happen.

You can also define an Azure Policy to enforce tagging at creation. However, I have found that this causes issues when using the Portal to create resources, because you are not able to add tags at the time of creation. (Saying that… as of today, 2018-11-01, it does look like Microsoft are now adding tagging as part of the UI creation workflow, which makes policies a possibility. I have not tested this fully yet!)
For information on Azure Policy and tags see http://www.azurefieldnotes.com/2018/10/12/resource-tagging-best-practices-applied-part-1-auditing/ and http://www.azurefieldnotes.com/2018/10/14/resource-tagging-best-practices-applied-part-2-enforcement/

Once everything is tagged well, start regular audit reporting on which resources do not conform and, if necessary, have a policy to issue a notice, then shut down, then remove anything that is not suitably tagged. The community MUST know what your policy is though.

Any resources that really do not have contacts, or where you can’t contact the original creator, can be moved into a restricted resource group. When the owner finally notices they may start to panic and get in touch 😉

Below are some sample scripts to help you get everything ‘tagged up’. You will need to change the actual tags to suit your environment.

PowerShell to Create and tag a new Resource Group

$resourceGroupName = "{resource groups name}"
$location = "{location}"
#Tags
$product = "{product}"
$owner = "{email address}"
$build = "{Built by <CD tool or user> 01/03/2018 21:04:56}"
$expires = "{expiry date or 'never'}"
$environment = "{environment}"
#-- Add more tags here --

$rg = New-AzureRmResourceGroup -Location $location -Name $resourceGroupName
$resourceTags = @{"product"=$product;"owner"=$owner;"build"=$build;"expires"=$expires;"environment"=$environment}
Set-AzureRmResource -Tag $resourceTags -ResourceId $rg.ResourceId -Force

PowerShell Script for tagging an existing Resource Group


$resourceGroupName = "{resource groups name}"
$location = "{location}"
  
#Tags
$product = "{product}"
$owner = "{email address}"
$build = "{Built by <CD tool or user> 01/03/2018 21:04:56}"
$expires = "{expiry date or 'never'}"
$environment = "{environment}"
#-- Add more tags here --
  
$rg = Get-AzureRmResourceGroup $resourceGroupName
$resourceTags = @{"product"=$product;"owner"=$owner;"build"=$build;"expires"=$expires;"environment"=$environment}
Set-AzureRmResource -Tag $resourceTags -ResourceId $rg.ResourceId -Force

PowerShell Script for tagging everything in a Resource Group


#================================================================
# Apply Tags to all Resources in a Resource Group
#
# Last updated: 2017-06-20 by Nicholas Rogoff
#================================================================
    
#Set Variables
  
$subscriptionName = "{subscription name}"
$resourceGroupName = "{resource groups name}"
#Tags
$product = "{product}"
$owner = "{email address}"
$build = "{Built by <CD tool or user> 01/03/2018 21:04:56}"
$expires = "{expiry date or 'never'}"
$environment = "{environment}"
#-- Add more tags here --
  
#Login (ARM)
Connect-AzureRmAccount
  
Select-AzureRmSubscription -SubscriptionName $subscriptionName
  
$resources = Get-AzureRmResource | Where-Object {$_.ResourceGroupName -eq $resourceGroupName}
  
foreach ($resource in $resources)
{
    # Ignore certain types of resources
    if($resource.ResourceType -ne "Microsoft.Web/sites/slots")
    {
        $resourceTags = $resource.Tags
        #== start debug
        Write-Verbose -Message "--- Tags found for $($resource.Name)--- " -Verbose
        $resource.Tags
        #== end debug
  
        #== Check if one of the tags ('owner') exists and assume the rest are there! This check can be made more complex if need be
        if($resourceTags -and $resourceTags.Count -gt 0 -and $resourceTags.ContainsKey('owner'))
        {
            Write-Verbose -Message "Resource $($resource.Name) has 'owner' tag, so will NOT apply additional tags" -Verbose
        }
        else
        {
            Write-Verbose -Message "Resource $($resource.Name) does NOT have an 'owner' tag" -Verbose
            #-- add tags in the next line
            $newTags = @{"product"=$product;"owner"=$owner;"build"=$build;"expires"=$expires;"environment"=$environment}
            # Keep tags already on the resource; adding two hashtables that share a key would throw
            if(-not $resourceTags) { $resourceTags = @{} }
            foreach ($key in $newTags.Keys)
            {
                if(-not $resourceTags.ContainsKey($key)) { $resourceTags[$key] = $newTags[$key] }
            }
            Set-AzureRmResource -Tag $resourceTags -ResourceId $resource.ResourceId
            Write-Verbose -Message "Resource $($resource.Name) has had tags applied" -Verbose
        }
        }
    }
}

Reporting with Tags

I may blog some stuff about effective reporting with these tags in place later. However, there is this clever PowerShell solution, excellently explained by Mathew Quickenden here http://www.azurefieldnotes.com/2018/02/08/reporting-on-resource-group-tags-in-azure/, that is well worth looking at.
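
The regular audit of non-conforming resources described earlier can start from a check like the one below. This is an added example, not one of the original scripts: `Test-TagCompliance` is a hypothetical helper name, the required tags and environment values are the ones listed in this post, and the sample resources are constructed so that it runs without an Azure login.

```powershell
# Added example: audit tags against the minimum set listed in this post.
# Test-TagCompliance is a hypothetical helper name, not an Azure cmdlet.
$requiredTags = 'product', 'owner', 'environment', 'expires', 'cost-centre', 'cost-code'
$environments = 'prod', 'stag', 'test', 'dev'

function Test-TagCompliance {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Resource,
        [datetime] $Today = (Get-Date).Date
    )
    process {
        # Copy into a case-insensitive hashtable; Tags is $null on untagged resources
        $tags = @{}
        if ($Resource.Tags) {
            foreach ($key in $Resource.Tags.Keys) { $tags[$key] = [string]$Resource.Tags[$key] }
        }
        $problems = @()
        foreach ($name in $requiredTags) {
            if (-not $tags.ContainsKey($name) -or [string]::IsNullOrWhiteSpace($tags[$name])) {
                $problems += "missing '$name'"
            }
        }
        if ($tags['environment'] -and $environments -notcontains $tags['environment']) {
            $problems += "environment '$($tags['environment'])' not in allowed list"
        }
        if ($tags['owner'] -and $tags['owner'] -notmatch '[^@\s]+@[^@\s]+\.[^@\s]+') {
            $problems += 'owner has no email address'
        }
        if ($tags['expires'] -and $tags['expires'] -ne 'never') {
            $expiry = [datetime]::MinValue
            $ok = [datetime]::TryParseExact($tags['expires'], 'yyyy-MM-dd',
                [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::None, [ref]$expiry)
            if (-not $ok) { $problems += "expires '$($tags['expires'])' is not yyyy-mm-dd or 'never'" }
            elseif ($expiry -lt $Today) { $problems += "expired on $($tags['expires'])" }
        }
        if ($problems) {
            [pscustomobject]@{ Name = $Resource.Name; Problems = $problems -join '; ' }
        }
    }
}

# Constructed sample input with the same Name/Tags shape that Get-AzureRmResource returns
$sample = @(
    [pscustomobject]@{ Name = 'vm-web-01'; Tags = @{ product = 'shop'; owner = 'Jo Bloggs <jo@example.com>'; environment = 'prod'; expires = 'never'; 'cost-centre' = 'CC100'; 'cost-code' = 'P42' } }
    [pscustomobject]@{ Name = 'sql-old'; Tags = @{ product = 'shop'; owner = 'jo'; environment = 'production'; expires = '2018-01-31' } }
    [pscustomobject]@{ Name = 'disk-orphan'; Tags = $null }
)
$sample | Test-TagCompliance -Today ([datetime]'2018-11-01') | Format-Table -AutoSize -Wrap
```

Against a live subscription, pipe the output of Get-AzureRmResource into the function in place of $sample. Resources that pass every check produce no output, so the result is the list to send notices about.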
