Resource Tagging Best Practices Applied (Part 1 - Auditing)
Our most popular blog post was about resource tagging best practices. I thought I would follow up that post with some real-world application of tagging best practices in our own environment with the explicit purpose of tracking down Azure spend and getting that spend information into people's inboxes so they can take action to reduce costs.
The Environment
Our group pays one bill and we don't charge back the cost of Azure spend, so we technically don't have a need to track charge codes. A person is responsible for objects and those objects are part of a solution or project so we have two attributes we are interested in capturing.
We have two subscriptions to separate our environments so we don't need an environment tag. The two environments are;
Critical Infrastructure
Labs
We are using only two tags at a resource group level
Owner
Solution
Azure Policy & Policy Definitions
Azure Policy has a number of built-in policies, however, it doesn't have one for Auditing Resource Tags. Thankfully, we have a quick win, https://github.com/Azure/azure-policy/tree/master/samples/ResourceGroup/audit-resourceGroup-tags. You will need to be a subscription owner to create this policy definition.
Let's do the next step through the UI. Go to Policy, Assignments, Assign Policy, Select your Subscription. You can also select resource groups for exclusion (more on that later) for audit purposes I would like to target the entire subscription.
Next, select the Policy Definition, search for word 'tag'. Here we can see the built-in definitions and the custom definition we have just uploaded.
Policy Assignment
Once selected, you can complete the remaining fields. We need to create policy assignments for auditing Owner, Solution tags for both subscriptions.
Once complete you should be able to see the following
Compliance
Which if we select compliance we can see a summary of all the policies
If we select one of the audits, we can see the items that have failed to match the assigned policy, that is resource groups do not have the Owner resource tag.
While this helps find resource groups that are not tagged, the problem is that if someone spins up some resources and destroys them that usage data has no tags associated with it and therefore we can't track who provisioned it. I was using the Activity log to try and find who was working with the resources or had created it.
Defining an Initiative
Alternatively, you can combine these policies into an Initiative, basically a group of policies.
In this case I have defined the values in the initiative, but you can also use parameters. You then have to assign the initiative to a subscription
Here you can see there are two policies are part of this initiative
and then the compliance is summarized