Apply tags to resources using policies

For consistance in filtering your billing, you should take advantage of tags added using policies.

Small organizations can use it to filter out cost related to different applications, and larger organization to divide the billing into different business areas.

Policies can currently only be viewed in the Preview Portal of Azure, but will soon be available in bought.

When using the Web GUI you can assign existing rules to subscription, resource group or resources, but creating custom rules are done with PowerShell.

And here is a PowerShell module you can import and run the New-AzurePolicy command. It will ask for your input on PolicyName, PolicyDescription, PolicyFile and Resource Group, as well as looking through all the subscriptions you have access to. And make you choose which one you are applying a policy in.

Function New-AzurePolicy {
[cmdletbinding()]
Param(
        [parameter(Mandatory)]
        $policyName,
        [parameter(Mandatory)]
        $policyDescription,
        [parameter(Mandatory)]
        $policyFile,
        [parameter(Mandatory)]
        $resourceGroup
        )
Begin {
        #Login to the Azure Resource Management Account
        Login-AzureRmAccount
        }
Process {
            #Get Azure Subscriptions
            $subscriptions = Get-AzureRmSubscription
            $menu = @{}
            for ($i = 1;$i -le $subscriptions.count; $i++) 
            {
                Write-Host -Object "$i. $($subscriptions[$i-1].SubscriptionName)"
                $menu.Add($i,($subscriptions[$i-1].SubscriptionId))
                }
            [int]$ans = Read-Host -Prompt 'Enter selection'
            $subscriptionID = $menu.Item($ans)
            $subscription = Get-AzureRmSubscription -SubscriptionId $subscriptionID
            Set-AzureRmContext -SubscriptionName $subscription.SubscriptionName

            Write-host "Policy is applied to the Resource Group: $resourceGroup" -ForegroundColor Green
            $policy = New-AzureRmPolicyDefinition -Name $policyName -Description $policyDescription -Policy $policyFile;

            Write-host "Sleeping for 10 seconds" -ForegroundColor Yellow
            Start-Sleep -s 10

            #Assign the Azure Policy
            $resourceGroupId = Get-AzureRmResourceGRoup -Name $resourceGroup | Select ResourceId
            New-AzureRmPolicyAssignment -Name $policyName -PolicyDefinition $policy -Scope $resourceGroupId.ResourceId
            Write-host "Policy is assigned to the Resource Group: $resourceGroup" -ForegroundColor Green
        }
End {
    }
}

But before you start creating policies, this was about creating tags applied to resources with policies, so lets have a look at an example JSON template for some tags:

{
  "if": {
    "field": "tags",
    "exists": "false"
  },
  "then": {
    "effect": "append",
    "details": [
      {
        "field": "tags",
        "value": {
          "Application Owner": "Please provide Application Owners name.",
          "Application Cost Center": "Please provide Application Cost Center.",
          "Business Area Reference": "Please provide Business Area Reference",
          "Environment": "Please provide environment type"
        }
      }
    ]
  }
}

The tags will be named “Application Owner” and the value will be information for the Application Owner to write in their name. Unless you allready know the value and it is going to be the same for all resources within the scope of this policy.

Hierarchi, would be to set a subscription policy, to tag all resources with a business area code or name. So you can filter out the different business areas on the bill from Microsoft, based on tags. On the Resource Groups which often represents an application, you can add a tag to all resources with application code, and/or business unit within the business area. Makes it possible to continue to use tags when dividing the bill even more granular.

Or to investigate the costs related to the application, by using the Resource Cost in the Azure Portal. Not everyone have access to the bill itself, or the enterprise enrollment agreement portal.


Leave a Reply

Ehlo!

I am Roy Apalnes, a Microsoft Cloud Evangelist working av Sopra Steria. Main focus in Microsoft Security and Endpoint Management, with a bigger picture in mind.

Featured Posts