
Azure policy to require specific tags on resources

Azure policies help you control your Azure management, especially when it comes to enforcing best practices. A nice-to-have policy for your setup is one that requires tags on specific resources, so that your infrastructure is better organized.

Tag resources, resource groups, and subscriptions for logical organization – Azure Resource Manager | Microsoft Learn

First you need to create the policy. Search for Policy in the Azure portal, select Definitions and then Add policy definition.

In this scenario we will look at how to require specific tags when a resource is created. The policy uses the anyOf keyword, which means that if any one of the tags is not set, the effect is deny. The tags that I require are: created-by, Team, Application, TBD. All of those tags must be set before the resource is created. The tag names must be spelled exactly as configured; the policy will not match other variations of the words. For example, createdBy is different from created-by.

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "field": "[concat('tags[', parameters('tag_createdBy'), ']')]",
          "exists": "false"
        },
        {
          "field": "[concat('tags[', parameters('tag_team'), ']')]",
          "exists": "false"
        },
        {
          "field": "[concat('tags[', parameters('tag_tbd'), ']')]",
          "exists": "false"
        },
        {
          "field": "[concat('tags[', parameters('tag_application'), ']')]",
          "exists": "false"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "tag_createdBy": {
      "type": "String",
      "metadata": {
        "displayName": "created-by",
        "description": "example: Gerasimos Alexiou"
      }
    },
    "tag_team": {
      "type": "String",
      "metadata": {
        "displayName": "Team",
        "description": "example: DevOps"
      }
    },
    "tag_tbd": {
      "type": "String",
      "metadata": {
        "displayName": "TBD",
        "description": "example: (to be deleted) true or false"
      }
    },
    "tag_application": {
      "type": "String",
      "metadata": {
        "displayName": "Application",
        "description": "example: Grafana,Teamcity"
      }
    }
  }
}

After creating the policy you need to assign it to a specific location/resource-group/subscription. In the parameters dialog you need to provide the evaluation parameters. For simplicity I used the same names for the policy parameters and the Azure tag names. In the end, Azure will require the user to provide the specific tags: created-by, Team, TBD, Application.

We can test the behavior by creating a new resource with missing tags.

When the TBD tag is missing, validation fails and the deployment cannot start until the tags are added.

After providing all the tags, validation passes and the deployment succeeds.
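To see how the anyOf/exists rule above behaves before assigning it, here is an added offline evaluator (example code written for this page, not part of the post or of Azure Policy). It assumes the policy rule and assignment parameters shown above, resolves each concat(...) field expression to its tag name, and compares tag names case-insensitively, which is how Azure treats tag names; the resource tag sets it is run against are constructed.

```python
import json
import re

# Constructed copy of the post's policy rule (parameter metadata omitted).
POLICY = json.loads("""
{"policyRule": {
  "if": {"anyOf": [
    {"field": "[concat('tags[', parameters('tag_createdBy'), ']')]", "exists": "false"},
    {"field": "[concat('tags[', parameters('tag_team'), ']')]", "exists": "false"},
    {"field": "[concat('tags[', parameters('tag_tbd'), ']')]", "exists": "false"},
    {"field": "[concat('tags[', parameters('tag_application'), ']')]", "exists": "false"}
  ]},
  "then": {"effect": "deny"}
}}
""")
# Parameter values entered at assignment time, as described in the post.
ASSIGNMENT = {"tag_createdBy": "created-by", "tag_team": "Team",
              "tag_tbd": "TBD", "tag_application": "Application"}
# Matches the only field shape this policy uses: [concat('tags[', parameters('x'), ']')]
FIELD_RE = re.compile(r"^\[concat\('tags\[', parameters\('([^']+)'\), '\]'\)\]$")

def resolve_tag_name(field_expr, params):
    """Turn the concat(...) field expression into the concrete tag name."""
    m = FIELD_RE.match(field_expr)
    if not m:
        raise ValueError(f"unsupported field expression: {field_expr}")
    return params[m.group(1)]

def condition_matches(cond, resource_tags, params):
    """Evaluate one 'exists' condition; tag names compare case-insensitively as in Azure."""
    name = resolve_tag_name(cond["field"], params).lower()
    present = name in {k.lower() for k in resource_tags}
    return present == (cond["exists"].lower() == "true")

def evaluate(policy, params, resource_tags):
    """Return the 'then' effect when any anyOf condition matches, otherwise 'allow'."""
    rule = policy["policyRule"]
    if any(condition_matches(c, resource_tags, params) for c in rule["if"]["anyOf"]):
        return rule["then"]["effect"]
    return "allow"

def missing_tags(policy, params, resource_tags):
    """List the required tag names the resource lacks, in policy order."""
    have = {k.lower() for k in resource_tags}
    names = [resolve_tag_name(c["field"], params) for c in policy["policyRule"]["if"]["anyOf"]]
    return [n for n in names if n.lower() not in have]

if __name__ == "__main__":
    # Constructed resource with the spelling deviation from the post (createdBy vs created-by)
    tags = {"createdBy": "ops", "Team": "DevOps", "TBD": "false", "Application": "Grafana"}
    print(evaluate(POLICY, ASSIGNMENT, tags), missing_tags(POLICY, ASSIGNMENT, tags))
```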


Find resource groups that contain tags on Azure using az cli

Sometimes you may need to search in bulk for resource groups or resources on Azure that have tags set. For example, you may have tags such as "temp resource" marking resources that you want to delete with cron jobs. I wanted such a script myself, and the first thing I did was ask ChatGPT about it. Although the answer it provided is a good starting point, I wanted a version that returns all the resources that have any tag, not a specific tag. I was searching for tags in general, not for a particular one.

For this case I created my own script using the az cli. To use it you first need to log in to Azure with your credentials:

az login

and then set your subscription:

az account set --subscription "ID"

The script that returns the resource groups with tags can be found below.

# List every resource group in the current subscription and parse the JSON output
$rgroups = az group list | ConvertFrom-Json
Write-Host "Total Resource groups: $($rgroups.Count)"

# Keep only the resource groups whose tags property is set (az returns null when there are no tags)
$tags = @()
foreach ($item in $rgroups)
{
  if ( -not [string]::IsNullOrEmpty($item.tags) ) { $tags += $item }
}
Write-Host "Resource groups with Tags: $($tags.Count)"

# Print the tagged resource groups
Write-Output $tags

When you run the script you get the total number of resource groups and the number that contain tags. You can then loop through the $tags object to process the tagged items.

You can use the same logic to find resources with tags inside an Azure subscription:

# List every resource in the current subscription and parse the JSON output
$resources = az resource list | ConvertFrom-Json
Write-Host "Total Resources: $($resources.Count)"

# Keep only the resources whose tags property is set (az returns null when there are no tags)
$tags = @()
foreach ($item in $resources)
{
  if ( -not [string]::IsNullOrEmpty($item.tags) ) { $tags += $item }
}
Write-Host "Resources with Tags: $($tags.Count)"

# Print the tagged resources
Write-Output $tags
