Designing Tagging Strategy for Microsoft Azure - Part 3 - Enforcing Tags at the Subscription level and Inheriting on underlying resources

@20aman    Oct 07, 2021

This blog is a part of the Designing Tagging Strategy for Microsoft Azure series. You can find the Index of this series here: Designing Tagging Strategy for Microsoft Azure.

In the last post, we looked at enforcing the tags at the resource level. In this post, we look at the policies and the various nuances of implementing the second strategy, i.e. enforcing tags at the Subscription level and inheriting them on each resource.

Add or Replace Tags on a Subscription

As the subscription will already exist, it doesn't make sense to "require tags" on the subscription. Instead, you will "add or replace a tag" on the subscription level.

You can add or replace a tag on a subscription by using the below Azure policy. This is an extension of the in-built policies. This combines multiple policies into a single one to simplify the management of policies.

The below policy enforces the Environment tag on the Subscription. It adds the tag if it is not present. If it is present and its value is not "Dev", then it updates the tag's value to Dev.

Note: You can also easily parameterize the tag name and its value. You can check the in-built policies for reference. Or let me know if this is something you want to see and I can create a parameterized sample.

"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      {
        "anyOf": [
          {
            "field": "tags['Environment']",
            "exists": "false"
          },
          {
            "field": "tags['Environment']",
            "notEquals": "Dev"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [
        "/providers/microsoft.authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f"
      ],
      "operations": [
        {
          "operation": "addOrReplace",
          "field": "tags['Environment']",
          "value": "Dev"
        }
      ]
    }
  }
}

Inheriting Tags from Subscription

You can easily inherit the tags from a subscription down to its underlying resources by using an Azure policy specifically for this purpose. You have two approaches for inheriting the tags from the subscription level:

  1. Inherit the tags and their value only if this tag is missing from the resource
  2. Inherit and replace the tag if it doesn't match the value of the same tag at the subscription level

Which approach works for you depends on your requirements. For both these scenarios, there are in-built Azure policies provided by Microsoft. Let's look at both of these.

1. Inheriting the tag - only if it is missing

In the below policy, all of the following conditions must be met before the action is taken:

  • The Environment tag does not exist on the resource
  • The Environment tag at the subscription level is not equal to an empty value

If both of these conditions are true, i.e. the Environment tag is missing on the resource and has a non-empty value at the subscription level, then the "modify" effect is applied. Within this effect, the tag value from the subscription level is applied at the resource level.

Note: You can parameterize any values within this sample policy. Also, you can extend this policy to multiple tags (without creating additional policies).

"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "tags['Environment']",
        "exists": "false"
      },
      {
        "value": "[subscription().tags['Environment']]",
        "notEquals": ""
      }
    ]
  },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [
        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
      ],
      "operations": [
        {
          "operation": "addOrReplace",
          "field": "tags['Environment']",
          "value": "[subscription().tags['Environment']]"
        }
      ]
    }
  }
}

2. Inherit and replace the tag if it doesn't match the value of the same tag at the subscription level

In the below policy, all of the following conditions must be met before the action is taken:

  • The Environment tag at the resource level doesn't have the same value as the one at the subscription level
  • The Environment tag at the subscription level is not equal to an empty value

If both of these conditions are true, i.e. the Environment tag on the resource does not have the same value as the one at the subscription level and the subscription-level value is non-empty, then the "modify" effect is applied. Within this effect, the tag value from the subscription level is applied at the resource level.

Note: You can parameterize any values within this sample policy. Also, you can extend this policy to multiple tags (without creating additional policies).

"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "tags['Environment']",
        "notEquals": "[subscription().tags['Environment']]"
      },
      {
        "value": "[subscription().tags['Environment']]",
        "notEquals": ""
      }
    ]
  },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [
        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
      ],
      "operations": [
        {
          "operation": "addOrReplace",
          "field": "tags['Environment']",
          "value": "[subscription().tags['Environment']]"
        }
      ]
    }
  }
}
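To see how the three rules on this page (add or replace on the subscription, inherit only if missing, inherit and replace) decide differently for the same resource, here is an added Python model of their evaluation. It is not the post's code and not Azure's policy engine: it implements only the operators those rules use, mocks the subscription's tags with a constructed dict, and assumes that a subscription without the tag resolves to an empty string.

```python
# Added example (not the post's code or Azure's engine): an offline model of how the
# three policy rules above evaluate. Only the operators they use are handled (allOf,
# anyOf, field/value, exists, equals, notEquals, addOrReplace). Subscription tags come
# from a constructed dict; a subscription lacking the tag resolves to "" (an assumption).
ENV = "tags['Environment']"
SUB_ENV = "[subscription().tags['Environment']]"
SET_ENV = lambda value: {"details": {"operations": [
    {"operation": "addOrReplace", "field": ENV, "value": value}]}}

ENFORCE_ON_SUBSCRIPTION = {  # policy 1: add or replace the tag on the subscription itself
    "if": {"allOf": [{"field": "type", "equals": "Microsoft.Resources/subscriptions"},
                     {"anyOf": [{"field": ENV, "exists": "false"},
                                {"field": ENV, "notEquals": "Dev"}]}]},
    "then": SET_ENV("Dev")}
INHERIT_IF_MISSING = {       # policy 2: inherit only when the resource has no such tag
    "if": {"allOf": [{"field": ENV, "exists": "false"},
                     {"value": SUB_ENV, "notEquals": ""}]},
    "then": SET_ENV(SUB_ENV)}
INHERIT_AND_REPLACE = {      # policy 3: inherit whenever the resource value differs
    "if": {"allOf": [{"field": ENV, "notEquals": SUB_ENV},
                     {"value": SUB_ENV, "notEquals": ""}]},
    "then": SET_ENV(SUB_ENV)}

def tag_name(field):         # "tags['Environment']" -> "Environment"
    return field[len("tags['"):-len("']")]
def resolve(value, sub_tags):  # expands "[subscription().tags['X']]"; literals pass through
    prefix = "[subscription()."
    return sub_tags.get(tag_name(value[len(prefix):-1]), "") if value.startswith(prefix) else value
def field_of(resource, field):  # the two fields the rules read: the resource type and a tag
    return resource.get("type") if field == "type" else resource.get("tags", {}).get(tag_name(field))

def matches(cond, resource, sub_tags):
    if "allOf" in cond or "anyOf" in cond:
        key, subconds = next(iter(cond.items()))
        return (all if key == "allOf" else any)(matches(c, resource, sub_tags) for c in subconds)
    left = field_of(resource, cond["field"]) if "field" in cond else resolve(cond["value"], sub_tags)
    if "exists" in cond:     # Azure Policy spells the boolean as a string
        return (left is not None) == (cond["exists"] == "true")
    if "equals" in cond:
        return left == resolve(cond["equals"], sub_tags)
    return left != resolve(cond["notEquals"], sub_tags)  # a missing tag counts as "not equal"

def evaluate(rule, resource, sub_tags):  # -> (tags after the modify effect, whether it fired)
    tags = dict(resource.get("tags", {}))
    fired = matches(rule["if"], resource, sub_tags)
    for op in (rule["then"]["details"]["operations"] if fired else []):
        tags[tag_name(op["field"])] = resolve(op["value"], sub_tags)  # addOrReplace
    return tags, fired
```

Two operational points the model leaves out: the modify effect only runs when the assignment has a managed identity holding the role listed in roleDefinitionIds, and it acts on create or update, so resources that already exist are only tagged once you run a remediation task for the assignment.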

Complete Policy Samples on GitHub

You can find the complete policy samples on GitHub in my policy samples repository here: AzurePolicySamples - Tagging/.
