Designing Tagging Strategy for Microsoft Azure - Part 6 - Auto Calculate and Apply Tags
@20aman Oct 15, 2021
This blog is a part of the Designing Tagging Strategy for Microsoft Azure series. You can find the Index of this series here: Designing Tagging Strategy for Microsoft Azure.
Auto Calculate and Apply tags
As we discussed in the last post, you should calculate and apply tags automatically wherever you can. Some examples include:
- Deriving a tag from the name of the resource group, if you have a naming convention defined for resource groups (by using substring on the resource group name).
- Calculating a date and time. You can leverage the utcNow() and substring() functions to produce the date and time in your own formatting standard.
Let's look at the second use case as that is more generic and applicable to all scenarios. You can use this to apply the below tags:
- BuildDate - date stamp for when the resource is first deployed. Right now Azure does not store this metadata, and without this tag it is hard to determine later. So it is a good practice to tag each resource at creation time.
- UpdateDate - date and time stamp whenever the resource is updated.
Policy sample
Let's look at the BuildDate tag and how to apply this automatically for each and every resource.
Note:
- The policy applies the tag in the MM/DD/YYYY format. This ensures that the BuildDate tag everywhere adheres to a standard.
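- The policy applies only when the tag does not exist on the resource or its value does not match the ##/##/#### pattern. Once a tag in that format is there, the policy will not apply to those resources (based on the if conditions specified below within the policy).
- The roleDefinitionIds entry in the sample is the built-in Contributor role, which is granted to the policy assignment's managed identity so that the modify effect can write the tag.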
Let's jump into the policy sample now. A complete sample can be found at my GitHub repository (link provided at the bottom of this post).
{
  "mode": "All",
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "field": "tags['BuildDate']",
          "exists": "false"
        },
        {
          "field": "tags['BuildDate']",
          "notMatch": "##/##/####"
        }
      ]
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "operations": [
          {
            "operation": "addOrReplace",
            "field": "tags['BuildDate']",
            "value": "[concat(substring(utcNow(),5,2),'/', substring(utcNow(),8,2),'/',substring(utcNow(),0,4))]"
          }
        ]
      }
    }
  }
}
You can also find the policy for the UpdateDate tag on GitHub; it applies a timestamp along with the date stamp.
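The BuildDate rule can be exercised offline before it is assigned. The Python below is an added example, not code from this post or its GitHub repository: it models the rule's exists/notMatch conditions and the utcNow() slicing. The function names and the sample timestamp are assumptions made for illustration.

```python
from datetime import datetime

PATTERN = "##/##/####"  # the rule's notMatch pattern

def policy_match(value: str, pattern: str) -> bool:
    """Azure Policy `match`: '#' is a digit, '?' a letter, '.' any character;
    every other pattern character must appear literally."""
    if len(value) != len(pattern):
        return False
    for ch, p in zip(value, pattern):
        if p == "#" and ch not in "0123456789":
            return False
        if p == "?" and not (ch.isascii() and ch.isalpha()):
            return False
        if p not in "#?." and ch != p:
            return False
    return True

def build_date_value(utc_now: str) -> str:
    """Same slicing as the policy's concat(substring(utcNow(), ...)) expression."""
    return f"{utc_now[5:7]}/{utc_now[8:10]}/{utc_now[0:4]}"

def evaluate(tags: dict, utc_now: str) -> tuple:
    """Return (modified, tags_after) for one create/update request.
    Assumes the tag key is spelled exactly 'BuildDate'."""
    current = tags.get("BuildDate")
    if current is not None and policy_match(current, PATTERN):
        return False, dict(tags)  # 'if' is false: tag left untouched
    return True, {**tags, "BuildDate": build_date_value(utc_now)}

def is_calendar_date(value: str) -> bool:
    """Stricter audit check: pattern match AND a real MM/DD/YYYY date."""
    if not policy_match(value, PATTERN):
        return False
    try:
        datetime.strptime(value, "%m/%d/%Y")
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    now = "2021-10-15T08:30:00.0000000Z"  # constructed utcNow() value
    for tags in ({}, {"BuildDate": "2021-10-15"}, {"BuildDate": "01/02/2020"},
                 {"BuildDate": "99/99/9999"}):
        print(tags, "->", evaluate(tags, now))
```

The last case shows that ##/##/#### constrains only the shape of the value, so a manually set 99/99/9999 is left in place; a check like is_calendar_date is useful when BuildDate feeds inventory or audit reports.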
Complete Policy Samples on GitHub
You can find the complete policy samples on GitHub in my policy samples repository here: AzurePolicySamples - Tagging.