DEV Community

DongAn

Auto-Adding Tags with Azure Policy

Managing resources in Azure can quickly become complex, especially when it comes to cost management, governance, and organization. Tags are your best friend here, allowing you to categorize resources, but manually applying them is tedious and error-prone. This post will guide you on how to use Azure Policy to automatically add a tag and its value to newly created resources, explain a common mistake (like the one I faced!), and show you how to apply tags to existing resources.

The Goal: Auto-Apply a "Cost Center" Tag

Imagine you want every new resource created within a specific Resource Group to automatically get a Cost Center tag with a value of 000. This helps track expenses and assign accountability.

My Previous Policy: A Common Pitfall (and why it didn't work)

I initially tried to achieve this by assigning a policy, thinking it would simply add the tag. However, I kept running into a "Validation failed: Required information is missing or not valid" error when deploying new resources.

Here's why my previous approach likely failed:

The Problem: Using a "Deny" Policy for Tagging

My policy assignment, while appearing to enforce a tag, actually had a "Deny" effect.

  • What a "Deny" Policy Does: A "Deny" policy acts as a gatekeeper. On every create or update request it evaluates the policy rule (e.g., "is the 'Cost Center' tag absent?"). If the rule matches, Azure Resource Manager rejects the request with a RequestDisallowedByPolicy error and nothing is created; the portal surfaces this as a generic validation failure. Deny never changes the request; it only says "No." Resources that already exist are merely flagged as non-compliant, not touched.

  • Why it didn't work for auto-tagging: I wanted the tag to be added automatically, not for the deployment to fail when it was missing. A "Deny" policy is the right tool when the value has to come from the person deploying (e.g., "NEVER deploy a VM without an 'Owner' tag"), because a policy cannot guess who owns a resource; it is the wrong tool for automatic remediation or addition.

The Solution: The "Modify" Policy Effect

To automatically add or update tags, you need a policy definition with the Modify effect. Modify rewrites the tags on a create or update request (add, replace or remove operations) before the resource is written, so the deployment succeeds and the resource is stored already compliant. Two caveats a practitioner should know: Modify only applies to resource types that support tags, and an assignment with this effect needs a managed identity that holds the role the definition declares (the built-in tag policies declare Contributor), because that same identity performs the changes when a remediation task runs. The portal creates a system-assigned identity for you during assignment.

Steps to Auto-Add a Tag Using Azure Policy (Modify Effect)

I will use the built-in policy definition: "Inherit a tag from the resource group if it is missing."

  1. Navigate to Azure Policy:

    • In the Azure portal, search for and select "Policy."
  2. Delete Conflicting Policies (if any):

    • If a previous "Deny" policy assignment for the tag you're trying to auto-add is blocking your deployments, remove it first (or switch its effect to Audit if you want to keep reporting). Azure evaluates Modify before Deny on the same request, so the two can coexist once the Modify assignment is in effect, but while you are troubleshooting it is simplest to take the Deny out of the picture.
    • Go to Assignments on the left menu.
    • Find your old policy assignment (e.g., "Inherit the Cost Center tag...") and click the ... (ellipsis) next to it.
    • Select Delete assignment.
  3. Assign the "Inherit a tag from the resource group if it is missing" Policy:

    • Back in the Policy service, go to Assignments and click Assign policy.
    • Scope: Choose the Management Group, Subscription, or Resource Group where new resources will be created. This is crucial for defining where the policy applies.
    • Policy definition: Click the ... next to "Policy definition" and search for Inherit a tag from the resource group. Select the definition named "Inherit a tag from the resource group if it is missing".
    • Parameters: Go to the "Parameters" tab.
      • For Tag Name, enter Cost Center.
      • There is no Tag value parameter on this definition: the value is always taken from the resource group's own tag (the rule reads resourceGroup().tags['Cost Center']). If you want every resource to get a fixed value such as 000 regardless of what the resource group carries, use the built-in "Add a tag to resources" instead, which takes both a Tag Name and a Tag Value.
      • Crucial Setup: Ensure the Resource Group you're scoping this to itself has the Cost Center tag with the value 000. The rule only fires when the resource is missing the tag AND the resource group has a non-empty value for it; if the resource group lacks the tag, deployments still succeed but no tag is added and nothing tells you why.
    • Remediation tab: this is where the system-assigned managed identity for the assignment is created (required for a Modify policy) and where the Contributor role assignment for it is placed at the scope. For now, you can leave "Create a remediation task" unchecked; existing resources are handled in the next section.
    • Click Review + create, then Create.

Now, whenever you create a new resource within the assigned scope (your Resource Group), if it doesn't already have a Cost Center tag, Azure Policy will automatically add it with the value from the parent Resource Group. Allow roughly 30 minutes after creating the assignment before testing; a new assignment is not enforced instantly.

Remediation: Applying Tags to Existing Resources

The Modify effect only fires on create and update requests. Resources that already exist in your Resource Group and are missing the Cost Center tag are evaluated on the next compliance scan and reported as non-compliant, but nothing changes them until you tell Azure to.

This is where Remediation Tasks come in.

  1. After assigning the "Modify" policy:
    • Go to Policy -> Remediation in the Azure portal.
    • Click + New remediation task.
    • Select your newly assigned policy (e.g., "Inherit a tag from the resource group if it is missing").
    • Select the scope (Resource Group) you want to target.
    • Azure lists the resources currently recorded as non-compliant within that scope. If the assignment is new and compliance has not been evaluated yet, tick "Re-evaluate resource compliance before remediating" so the task does not run against an empty list.
    • The task runs under the assignment's managed identity, so its role assignment must already be in place.
    • Click Remediate.

This task will go through all existing resources in the specified scope that are non-compliant (i.e., missing the Cost Center tag) and apply the tag and its inherited value, bringing them into compliance.
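To make the difference between the two effects and the remediation sweep concrete, here is a small local model of the semantics described above. It is an added example, not code from the post and not Azure's policy engine: it reproduces the rule of the "inherit a tag from the resource group if missing" definition (tag absent on the resource AND present on the resource group) against constructed sample resources, so the Deny, Modify, missing-resource-group-tag and remediation cases can be checked offline.

```python
"""
Local model of the Azure Policy effects discussed in the post (Deny versus
Modify) and of a remediation task over existing resources. Added example:
this is not Azure's evaluation engine, only the semantics of the
"inherit a tag from the resource group if missing" rule on constructed data.
"""
from copy import deepcopy
from typing import Dict, List, Optional, Tuple

TAG_NAME = "Cost Center"  # the tag the post wants on every resource

# Constructed sample resource groups: one carries the tag, one does not
# (the "Crucial Setup" case from the post).
RG_TAGGED: Dict[str, str] = {"Cost Center": "000"}
RG_UNTAGGED: Dict[str, str] = {}


def missing_tag(resource: dict, tag_name: str) -> bool:
    """Condition of a 'require tag' Deny rule: tags[tagName] does not exist."""
    return tag_name not in resource.get("tags", {})


def rg_supplies_value(rg_tags: dict, tag_name: str) -> bool:
    """Second condition of the inherit rule: resourceGroup().tags[tagName] != ''."""
    return rg_tags.get(tag_name, "") != ""


def evaluate_request(effect: str, resource: dict, rg_tags: dict,
                     tag_name: str = TAG_NAME) -> Tuple[bool, Optional[dict], str]:
    """Evaluate one PUT/PATCH request against a tagging policy.

    Returns (allowed, resource_as_stored, message).
      deny   : rejected when the tag is missing; nothing is written. ARM reports
               RequestDisallowedByPolicy, the portal wraps it as a validation error.
      modify : the tag is added to the request body before it is stored, but only
               when the resource group actually has a value to inherit.
    """
    stored = deepcopy(resource)
    if effect == "deny":
        if missing_tag(stored, tag_name):
            return False, None, "RequestDisallowedByPolicy"
        return True, stored, "compliant"
    if effect == "modify":
        if missing_tag(stored, tag_name) and rg_supplies_value(rg_tags, tag_name):
            # operation "add": fills the tag in, never overwrites an existing value
            stored.setdefault("tags", {})[tag_name] = rg_tags[tag_name]
            return True, stored, f"added tag {tag_name!r}"
        return True, stored, "policy did not fire"
    raise ValueError(f"unsupported effect {effect!r}")


def remediate(existing: List[dict], rg_tags: dict,
              tag_name: str = TAG_NAME) -> List[str]:
    """A remediation task: apply the Modify operation to resources that already exist.

    Mutates non-compliant resources in place and returns their names. Resources
    that already carry the tag keep their own value, so the task is idempotent.
    """
    changed: List[str] = []
    for res in existing:
        if missing_tag(res, tag_name) and rg_supplies_value(rg_tags, tag_name):
            res.setdefault("tags", {})[tag_name] = rg_tags[tag_name]
            changed.append(res["name"])
    return changed


if __name__ == "__main__":
    new_vm = {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines", "tags": {}}
    for effect in ("deny", "modify"):
        ok, stored, msg = evaluate_request(effect, new_vm, RG_TAGGED)
        print(f"{effect:6s} -> allowed={ok} msg={msg} tags={stored and stored['tags']}")
    # Resource group without the tag: Modify is silently a no-op
    print("untagged RG ->", evaluate_request("modify", new_vm, RG_UNTAGGED)[2])

    # Constructed inventory of resources that existed before the assignment
    inventory = [
        {"name": "st-logs-01", "type": "Microsoft.Storage/storageAccounts", "tags": {}},
        {"name": "vnet-hub", "type": "Microsoft.Network/virtualNetworks",
         "tags": {"Cost Center": "123"}},  # already tagged, must be left alone
    ]
    print("remediated:", remediate(inventory, RG_TAGGED))
    print("second run :", remediate(inventory, RG_TAGGED))
```

Running it shows the Deny request being refused while the Modify request is stored with Cost Center=000, the silent no-op when the resource group itself lacks the tag, and a remediation sweep that touches only the untagged storage account and does nothing on a second pass.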

Summary

  • Use the Modify policy effect to automatically add or update tags.
  • Avoid Deny policies if your goal is auto-tagging; they block deployments instead of fixing them.
  • Ensure the parent resource (like the Resource Group) itself has the tag if your policy is set to "inherit" the tag value; otherwise the rule never fires.
  • A Modify assignment needs a managed identity with the role the definition declares; give it that role at the assignment scope and nothing broader.
  • Use Remediation Tasks to apply policies to existing, non-compliant resources.

By leveraging Azure Policy with the correct effects, you can enforce robust tagging strategies across your environment, improving governance and cost management without manual intervention.