
Inherit tags on Azure resources

Tags are metadata elements that you apply to your Azure resources. They are key-value pairs that help you identify resources based on settings that are relevant to your organization. For example, if you want to track the deployment environment of your resources, add a tag named Environment (for instance Environment=Production).

Tag names are case-insensitive for operations: a tag with a given name is updated or retrieved regardless of the casing you use. Tag values, on the other hand, are case-sensitive.

Although tags are very useful for categorization and make it quick to find out which resources exist and who is responsible for them, they are often forgotten and resources remain untagged. For this reason you can apply an inheritance policy so that tags are filled in automatically. For example, you can add a tag to your subscription and create a policy that copies it to resource groups that were created without it, or you can create a policy that copies tags from a resource group onto the resources inside it. The second scenario is examined below.

First you need to create a new policy definition under Azure Policy.

You can open an existing definition and duplicate it into a custom definition; the JSON below matches the built-in "Inherit a tag from the resource group" definition.

Then select the definition location, which will be your subscription, and edit the policy rule. You can leave the rule as it is. The tag to inherit is not hard-coded in the rule: it is supplied through the tagName parameter when you assign the policy, so changing the parameter's displayName (to Team, as below) only changes the label shown in the portal. The rule fires for a resource when its value for that tag differs from the resource group's value and the resource group actually has a value for it; the modify effect then adds the tag, or replaces the resource's existing value with the group's value. Mode Indexed restricts evaluation to resource types that support tags and location, so resource groups themselves are not touched by this definition.

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "notEquals": "[resourceGroup().tags[parameters('tagName')]]"
        },
        {
          "value": "[resourceGroup().tags[parameters('tagName')]]",
          "notEquals": ""
        }
      ]
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "operations": [
          {
            "operation": "addOrReplace",
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "value": "[resourceGroup().tags[parameters('tagName')]]"
          }
        ]
      }
    }
  },
  "parameters": {
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "Team",
        "description": "example: DevOps"
      }
    }
  }
}

You can read more about Azure Policy and its sample definitions at the documentation link below.

https://learn.microsoft.com/en-us/azure/governance/policy/samples/

Then save the definition and go to Assignments to assign it to a scope.

In the policy assignment you can exclude scopes (resource groups or individual resources) that the policy should not touch, and you can select a single resource group as the scope instead of the whole subscription.

The important part is the Tag Name parameter: this is the tag the rule operates on. Since we want the Team tag to be inherited, enter Team here.

Applying a tag writes metadata to the resource, so whatever performs the modify operation needs the Contributor role; that is what the roleDefinitionId in the definition refers to. Because the change is made automatically by Azure Policy rather than by a user, the assignment needs its own identity: on the Remediation tab of the assignment wizard you can create a system-assigned managed identity, and Azure grants it that role at the assignment scope. Note that the modify effect only acts on resources that are created or updated after the assignment; resources that already exist are tagged only when you run a remediation task for the assignment.

Finally we can create our assignment and try what we created. I have a test resource group with the tag Team inside my subscription.

When I create a new resource in that resource group, it should automatically inherit the Team tag. To test this I will create a Log Analytics workspace without tags in the resource group.

We can see that after creation the resource has the Team tag filled in automatically.
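The same setup scripted with the Azure CLI instead of the portal, as an added example that is not part of the original post. It assumes you are logged in with az login, that the names rg-tagging-test, inherit-tag-from-rg, inherit-team-tag, law-tag-test and the location westeurope are placeholders chosen for this example, and that your Azure CLI supports --mi-system-assigned on az policy assignment create (older versions used --assign-identity). The rules and parameters are the JSON from this post split into the two files az expects. The inherit_decision function restates the rule's if/then locally so you can see which cases it touches, including the overwrite of a resource value that differs from the group's; it is an illustration of the logic, not Azure Policy's evaluator.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: inherit a tag from the resource
# group using the Azure CLI. Run as:  ./inherit-tag.sh apply
# Placeholder names (assumptions chosen for this example):
RG="rg-tagging-test"                 # resource group that already carries the Team tag
DEFINITION="inherit-tag-from-rg"     # custom definition name
ASSIGNMENT="inherit-team-tag"        # assignment name
TAG_NAME="Team"                      # value passed for the tagName parameter
LOCATION="westeurope"                # a system-assigned identity needs a location

# The policyRule and parameters from the definition on this page, split into
# the two files that `az policy definition create` reads (--rules / --params).
write_definition_files() {
  cat > rules.json <<'EOF'
{
  "if": {
    "allOf": [
      { "field": "[concat('tags[', parameters('tagName'), ']')]",
        "notEquals": "[resourceGroup().tags[parameters('tagName')]]" },
      { "value": "[resourceGroup().tags[parameters('tagName')]]",
        "notEquals": "" }
    ]
  },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [
        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
      ],
      "operations": [
        { "operation": "addOrReplace",
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "value": "[resourceGroup().tags[parameters('tagName')]]" }
      ]
    }
  }
}
EOF
  cat > params.json <<'EOF'
{ "tagName": { "type": "String",
               "metadata": { "displayName": "Tag Name", "description": "Tag to inherit, e.g. Team" } } }
EOF
}

# Local restatement of the rule's if/then so its cases are visible without
# deploying anything. Arguments: the resource group's value for the tag and the
# resource's own value (empty string = tag absent). Mirrors the JSON above; it
# is not Azure Policy's evaluator.
inherit_decision() {
  rg_value="$1"; resource_value="$2"
  if [ -z "$rg_value" ]; then
    echo "noop"                       # second allOf condition fails: nothing to inherit
  elif [ "$rg_value" = "$resource_value" ]; then
    echo "noop"                       # first allOf condition fails: already compliant
  else
    echo "addOrReplace:$rg_value"     # tag added, or a differing resource value overwritten
  fi
}

main() {
  set -eu
  SUB_ID=$(az account show --query id -o tsv)
  SCOPE="/subscriptions/$SUB_ID/resourceGroups/$RG"
  write_definition_files

  # 1. Custom definition at subscription scope; mode Indexed evaluates only
  #    resource types that support tags and location.
  az policy definition create --name "$DEFINITION" \
    --display-name "Inherit a tag from the resource group" \
    --mode Indexed --rules rules.json --params params.json

  # 2. Assignment scoped to one resource group, with a system-assigned managed
  #    identity granted Contributor (the roleDefinitionId in the rule) on that
  #    scope so the modify effect can write tags.
  az policy assignment create --name "$ASSIGNMENT" --scope "$SCOPE" \
    --policy "$DEFINITION" \
    --params "{\"tagName\": {\"value\": \"$TAG_NAME\"}}" \
    --mi-system-assigned --location "$LOCATION" \
    --identity-scope "$SCOPE" --role Contributor

  # 3. modify only fires on create/update; resources that already exist in
  #    the group are tagged by a remediation task.
  az policy remediation create --name "remediate-$ASSIGNMENT" \
    --resource-group "$RG" --policy-assignment "$ASSIGNMENT"

  # 4. Create an untagged Log Analytics workspace, as in the post, and read
  #    back the inherited tag (expected: the resource group's Team value).
  az monitor log-analytics workspace create -g "$RG" -n "law-tag-test" -l "$LOCATION" -o none
  az monitor log-analytics workspace show -g "$RG" -n "law-tag-test" \
    --query "tags.$TAG_NAME" -o tsv
}

if [ "${1:-}" = "apply" ]; then main; fi
```

Two things to keep in mind when running it: a new assignment can take a while to become effective (Azure documents roughly 30 minutes), so step 4 may not show the tag immediately, and the rule's addOrReplace operation overwrites a resource-level value that differs from the group's, so a resource deliberately tagged Team=Security in a Team=DevOps group is rewritten to DevOps on its next update or remediation.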
