
Enforcing Azure Tag Compliance with Azure Policy: A Step-by-Step Guide to Automating Tagging

Enforce and inherit tags across your resources, ensuring compliance, cost tracking, and resource management in your Azure environment


I'm a technologist in love with almost all things tech, from my daily job in the Cloud to my Master's in Cybersecurity and the journey all along.

Let’s break down the Azure Policy code shown below line by line. This policy enforces a specific tag (CostCenter) on resources by modifying them when the tag is missing. Here’s the detailed explanation:

Code Breakdown

"policyRule": {
    "if": {
        "field": "tags['CostCenter']",
        "exists": "false"
    },
    "then": {
        "effect": "modify",
        "details": {
            "roleDefinitionIds": [
                "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "operations": [{
                "operation": "addOrReplace",
                "field": "tags['CostCenter']",
                "value": "[resourcegroup().tags['CostCenter']]"
            }]
        }
    }
}

1. policyRule Section

This is the main section that defines the logic of the policy. It consists of two parts: if (the condition) and then (the action to take if the condition is met).


2. if Condition

"if": {
    "field": "tags['CostCenter']",
    "exists": "false"
}
  • Purpose: This defines the condition that the policy evaluates.

  • field: tags['CostCenter']:

    • This checks the CostCenter tag on the resource.

    • The field keyword is used to specify the property of the resource to evaluate.

  • exists: false:

    • This checks whether the CostCenter tag does not exist on the resource.

    • If the tag is missing, the condition evaluates to true, and the policy will take action.


3. then Action

"then": {
    "effect": "modify",
    "details": {
        "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "operations": [{
            "operation": "addOrReplace",
            "field": "tags['CostCenter']",
            "value": "[resourcegroup().tags['CostCenter']]"
        }]
    }
}
  • Purpose: This defines the action to take if the if condition is true (i.e., the CostCenter tag is missing).

effect: modify

  • The modify effect is used to change the resource to bring it into compliance.

  • In this case, it will add or replace the CostCenter tag on the resource.

details Section

This section specifies how the modify effect will be applied.

roleDefinitionIds
"roleDefinitionIds": [
    "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
]
  • Purpose: Specifies the role(s) that the policy assignment's managed identity must hold in order to perform the modify operation.

  • Role ID: b24988ac-6180-42a0-ab88-20f7382dd24c corresponds to the Contributor role in Azure.

    • The Contributor role has the necessary permissions to modify resources, including adding or replacing tags.

operations
"operations": [{
    "operation": "addOrReplace",
    "field": "tags['CostCenter']",
    "value": "[resourcegroup().tags['CostCenter']]"
}]
  • Purpose: Defines the specific operation to perform on the resource.

  • operation: addOrReplace:

    • This operation will add the tag if it doesn’t exist or replace its value if it already exists.
  • field: tags['CostCenter']:

    • Specifies the target field to modify, which is the CostCenter tag.
  • value: [resourcegroup().tags['CostCenter']]:

    • This is a policy function that retrieves the value of the CostCenter tag from the resource group that the resource belongs to.

    • The tag value is inherited from the resource group and applied to the resource.


How This Policy Works

  1. Evaluation:

    • The policy evaluates whether the CostCenter tag exists on a resource.

    • If the tag is missing, the condition (if) evaluates to true.

  2. Action:

    • The policy applies the modify effect.

    • It uses the Contributor role to add or replace the CostCenter tag on the resource.

    • The value of the CostCenter tag is inherited from the resource group.

  3. Result:

    • If the CostCenter tag is missing, it will be added to the resource with the value from the resource group.

    • If the CostCenter tag already exists but has a different value, it will be replaced with the value from the resource group.


Example Scenario

  • Resource Group:

    • Has a CostCenter tag with the value Finance.
  • Resource:

    • Does not have a CostCenter tag.
  • Policy Action:

    • The policy adds the CostCenter tag to the resource with the value Finance (inherited from the resource group).
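The three steps under "How This Policy Works" and the Finance scenario above, run as an added example. This is illustrative Python written for this article, not the Azure Policy engine and not code from the original post. It implements only the rule-language subset the page's policy needs (field/exists, allOf, value/notEquals and the resourcegroup().tags[...] expression) and evaluates the page's policyRule against constructed resources: one missing the tag (it inherits Finance), one that already carries a different CostCenter value (the if gate is false because exists: false does not hold, so this rule leaves it untouched), and one whose resource group has no CostCenter tag at all, where there is nothing to inherit. For that last case a guarded variant is included that adds a second allOf condition requiring a non-empty resource-group tag, the pattern Microsoft's built-in inherit-tag policies use. Resource names, the extra tags and all helper names are assumptions made for this example.

```python
"""Offline simulator of how the modify rule on this page is evaluated.
Added illustrative code (not the Azure Policy engine, not from the original
post). Supports only: field/exists, allOf, value/notEquals and the
resourcegroup().tags['X'] expression. Resources are plain dicts, constructed here."""
import copy
import re

# The page's policyRule as a Python dict. Azure Policy writes "exists" as the
# string "false", so the evaluator has to interpret the string, not a boolean.
PAGE_RULE = {
    "if": {"field": "tags['CostCenter']", "exists": "false"},
    "then": {
        "effect": "modify",
        "details": {
            "roleDefinitionIds": [  # Contributor, as given on the page
                "/providers/microsoft.authorization/roleDefinitions/"
                "b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "operations": [{
                "operation": "addOrReplace",
                "field": "tags['CostCenter']",
                "value": "[resourcegroup().tags['CostCenter']]",
            }],
        },
    },
}

_TAG_FIELD = re.compile(r"^tags\['([^']+)'\]$")
_RG_TAG_EXPR = re.compile(r"^\[resourcegroup\(\)\.tags\['([^']+)'\]\]$", re.I)


def guarded_rule():
    """The page's rule plus a second 'if' condition requiring a non-empty
    resource-group tag, so modify does not fire when there is nothing to inherit."""
    rule = copy.deepcopy(PAGE_RULE)
    rule["if"] = {"allOf": [
        PAGE_RULE["if"],
        {"value": "[resourceGroup().tags['CostCenter']]", "notEquals": ""},
    ]}
    return rule


def resolve_value(expr, resource_group):
    """Resolve a policy value; only resourcegroup().tags['X'] is supported.
    A tag the resource group does not carry resolves to None (a null in Azure)."""
    m = _RG_TAG_EXPR.match(expr)
    if m:
        return resource_group.get("tags", {}).get(m.group(1))
    return expr  # plain literal


def condition_holds(cond, resource, resource_group):
    """Evaluate the 'if' block: allOf, field/exists, value/notEquals."""
    if "allOf" in cond:
        return all(condition_holds(c, resource, resource_group) for c in cond["allOf"])
    if "field" in cond and "exists" in cond:
        m = _TAG_FIELD.match(cond["field"])
        if not m:
            raise ValueError(f"unsupported field: {cond['field']}")
        present = m.group(1) in resource.get("tags", {})
        return present == (str(cond["exists"]).lower() == "true")
    if "value" in cond and "notEquals" in cond:
        # Simulator assumption: a missing resource-group tag compares as empty.
        actual = resolve_value(cond["value"], resource_group) or ""
        return actual != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")


def apply_modify(rule, resource, resource_group):
    """Return (fired, resource_after, note); 'fired' is True only when the
    'if' condition held, i.e. the 'then' block was evaluated at all."""
    resource = copy.deepcopy(resource)
    if not condition_holds(rule["if"], resource, resource_group):
        return False, resource, "if condition false: resource left untouched"
    if rule["then"]["effect"] != "modify":
        raise ValueError("only the modify effect is simulated")
    notes = []
    for op in rule["then"]["details"]["operations"]:
        if op["operation"] != "addOrReplace":
            raise ValueError(f"unsupported operation: {op['operation']}")
        key = _TAG_FIELD.match(op["field"]).group(1)
        value = resolve_value(op["value"], resource_group)
        if value is None:
            notes.append(f"{key}: resource group has no such tag, nothing to inherit")
            continue
        resource.setdefault("tags", {})[key] = value  # add if absent, replace if present
        notes.append(f"{key}: set to {value!r}")
    return True, resource, "; ".join(notes)


def run_scenarios():
    """Constructed sample data; the Finance resource group is the page's scenario."""
    rg_finance = {"name": "rg-finance", "tags": {"CostCenter": "Finance"}}
    rg_untagged = {"name": "rg-untagged", "tags": {}}
    untagged_vm = {"name": "vm1", "tags": {"env": "prod"}}
    mistagged_vm = {"name": "vm2", "tags": {"CostCenter": "Marketing"}}
    return {
        "missing_tag": apply_modify(PAGE_RULE, untagged_vm, rg_finance),
        "different_value": apply_modify(PAGE_RULE, mistagged_vm, rg_finance),
        "rg_has_no_tag": apply_modify(PAGE_RULE, untagged_vm, rg_untagged),
        "rg_has_no_tag_guarded": apply_modify(guarded_rule(), untagged_vm, rg_untagged),
    }


if __name__ == "__main__":
    for name, (fired, after, note) in run_scenarios().items():
        print(f"{name:22} fired={fired!s:5} tags={after['tags']}  {note}")
```

Two things the simulator cannot show but that matter when the real policy is assigned: the modify effect changes new or updated resources at request time, while resources that already exist are only changed when a remediation task is run against the assignment, and that remediation succeeds only if the assignment's managed identity has actually been granted the role listed in roleDefinitionIds at the assignment scope.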

Key Points

  • Tag Inheritance: This policy ensures that resources inherit the CostCenter tag from their resource group, promoting consistency.

  • Compliance: The modify effect automatically brings non-compliant resources into compliance by adding or updating the tag.

  • Role-Based Access: The policy's managed identity must be granted the Contributor role at the assignment scope before it can perform the modification, so the permission it operates with is explicit and auditable.


Roberto w/assistance from DeepSeek
