After 14 years using Microsoft on-premises BI tools (SQL Server, Reporting Services, Integration Services and Analysis Services), it's time to embrace Business Intelligence in the cloud.
Deny the creation of a resource group without an applicationName tag
Every resource group should have an application name, because resource groups should be application related. However, you can't get the applicationName from the subscription above the resource group.
As an example, the resource group is for HR Performance.
applicationName tag configuration
Deny the resource group if it's missing the applicationName tag
Steps to apply this policy in Azure
Search for Policy and choose Assign
Go to Assignments. This shows all the policies or initiatives that are in place. The Scope here shows that all subscriptions are included in the list.
Click Assign Policy
Set Scope of Policy
The first thing to do is set the Scope. We have management groups in place, and as a test a personal subscription is being used.
The Resource Group isn't set because this is being applied at subscription level.
Exclude Resource
You can also exclude resources, in this case resources from the above policy. For this policy we don't need to do that.
Set the Policy Definition.
There are two types of definition: custom and built-in.
If you search for 'Tag' you get a list of the built-in definitions for tags.
We know that we want to 'Require a tag on resource groups', so this built-in policy can be selected.
Choose the built-in policy and click Select.
The Assignment Name has been changed slightly to include the tag this will be set for.
We are in the Basics tab at the moment.
Parameters
Go to the Parameters Tab.
Remediation
Click the Remediation Tab
To understand the Remediation tab there are a few specific concepts to understand first.
Managed Identity
Managed identities are a more secure authentication method for Azure cloud services that allows only authorized managed-identity-enabled virtual machines to access your Azure subscription.
This means that any service that 'does something' to another service can do so automatically using a managed identity.
DeployIfNotExists and Modify effects
Every policy in Azure Policy has a single effect. Effects behave differently for a new, updated or existing resource. The supported effects are:
Append
Audit
AuditIfNotExists
Deny
DeployIfNotExists
Disabled
EnforceOPAConstraint (preview)
EnforceRegoPolicy (preview)
Modify
The question is: what is the effect of 'Require a tag on resource groups'?
Definitions
Go to Definitions in Policy and search for the built-in policy.
The effect of the chosen built-in policy is Deny.
You can also see the JSON definition of the chosen policy.
Because the policy effect is Deny, we don't need to set up a managed identity; one is only needed for the DeployIfNotExists and Modify effects, which change resources on your behalf.
Click Review + Create
and then click Create
Definitions
Going back to the policy definition,
you can see that this policy has been assigned to a subscription.
Checking your Policy has worked
To test the policy, create a new resource group within the selected subscription without adding any tags.
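The portal steps above, done with the Az PowerShell module instead. This is an added example and not code from the original post: it assigns the built-in definition 'Require a tag on resource groups' at subscription scope with the tagName parameter set to applicationName, then shows the Deny effect by trying to create an untagged resource group. It assumes Az.Resources is installed and Connect-AzAccount has already been run; the subscription name, region and resource group names are placeholders.

```powershell
# Added example, not part of the original post. Assumes Az.Resources and an
# existing sign-in (Connect-AzAccount). Names below are placeholders.

$tagName          = 'applicationName'
$subscriptionName = 'My Test Subscription'   # placeholder: your test subscription
$location         = 'uksouth'                # placeholder: any region works

$sub = Get-AzSubscription -SubscriptionName $subscriptionName
Set-AzContext -SubscriptionId $sub.Id | Out-Null
$scope = "/subscriptions/$($sub.Id)"

# Look the built-in definition up by display name instead of hard-coding its id.
# Older Az.Resources versions expose DisplayName under .Properties, newer ones
# at the top level, so check both.
$definition = Get-AzPolicyDefinition -Builtin | Where-Object {
    $displayName = if ($_.PSObject.Properties['Properties']) { $_.Properties.DisplayName } else { $_.DisplayName }
    $displayName -eq 'Require a tag on resource groups'
}
if (-not $definition) { throw 'Built-in definition "Require a tag on resource groups" not found' }

# The definition's effect is Deny, so no managed identity is created here
# (that is only needed for DeployIfNotExists and Modify).
$assignment = New-AzPolicyAssignment -Name "require-tag-rg-$tagName" `
    -DisplayName "Require a tag on resource groups: $tagName" `
    -Scope $scope `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ tagName = $tagName }
"Assigned: $($assignment.Name) at $scope"

# A new assignment can take a few minutes before it is enforced, so the
# negative test below may need re-running shortly after assignment.
try {
    New-AzResourceGroup -Name 'rg-policytest-untagged' -Location $location -ErrorAction Stop | Out-Null
    Write-Warning 'Untagged resource group was created: the assignment has probably not propagated yet'
    Remove-AzResourceGroup -Name 'rg-policytest-untagged' -Force | Out-Null
} catch {
    # Expected outcome: a RequestDisallowedByPolicy error naming the assignment
    "Denied as expected: $($_.Exception.Message)"
}

# A resource group that carries the tag is allowed through
$rg = New-AzResourceGroup -Name 'rg-hr-performance-dev' -Location $location `
    -Tag @{ $tagName = 'HR Performance' }
"Created $($rg.ResourceGroupName) with tags: $($rg.Tags | Out-String)"
```

Run it in Cloud Shell (PowerShell) against a test subscription first; the Deny only applies to new resource groups, so groups created before the assignment show up as non-compliant rather than being changed.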
When you get started with Azure, you want to ensure that your resource groups and resources are tagged. This is great for the management of your Azure subscriptions.
You can categorise all your resources with tags. You can also view billing by tags.
When you add a tag in the Portal (or programmatically) you can add any tag name as you go. Once created, tags come up in a list and you can choose from them again.
You can use Azure Policy to try to enforce some tagging logic.
Azure Policies
Policies use built-in or custom definitions. A policy can then be assigned to a management group, resource group or subscription.
Policies are enforced when new resources are created, so existing resources may not be compliant.
You can use built-in tagging policies that are already defined as JSON within Definitions (Built-in),
or you can add a new definition by writing your own JSON or copying and amending a built-in policy (Custom).
We are going to have a look at some specific examples of how to use Policies for Tagging.
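What a custom definition looks like in practice, as an added example rather than anything from the original post: the policy JSON below is equivalent to the built-in 'Require a tag on resource groups', with the tag name and the effect exposed as parameters so the same definition can be assigned as Audit first and switched to Deny once the estate is clean. It is registered with New-AzPolicyDefinition from the Az module; the definition name and display name are placeholders, and it assumes you are already signed in.

```powershell
# Added example, not part of the original post. Assumes Az.Resources and an
# existing sign-in. The definition name below is a placeholder.

# Policy rule: a resource group (type Microsoft.Resources/subscriptions/resourceGroups)
# whose tags[] collection has no entry for the given tag name triggers the effect.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" },
      { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Parameters: the tag to require, and the effect (Deny by default, Audit for a dry run).
$parameters = @'
{
  "tagName": {
    "type": "String",
    "metadata": {
      "displayName": "Tag name",
      "description": "The tag every resource group must carry, e.g. applicationName"
    }
  },
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Deny",
    "metadata": { "displayName": "Effect" }
  }
}
'@

# Mode must be All (not Indexed) for the rule to be evaluated against resource groups.
$definition = New-AzPolicyDefinition -Name 'require-tag-on-resource-groups-custom' `
    -DisplayName 'Require a tag on resource groups (custom copy)' `
    -Description 'Denies (or audits) resource groups created without the given tag' `
    -Mode All `
    -Policy $policyRule `
    -Parameter $parameters

# It now appears alongside your other custom definitions
Get-AzPolicyDefinition -Custom | Select-Object Name
```

Assigning it works exactly as for a built-in definition (Assign in the portal, or New-AzPolicyAssignment with -PolicyParameterObject @{ tagName = 'applicationName'; effect = 'Audit' }); neither Audit nor Deny needs a managed identity.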
Azure uses tagging for easier management. Tagging is done with key/value pairs. You can create them manually in the Azure Portal, but you can also do it programmatically, via PowerShell for example.
For this example, log on to the Azure Portal (the new portal, not classic) and open Cloud Shell,
and set it to run PowerShell.
Just to get warmed up, let's list all our resource groups:
Get-AzResourceGroup
You can right-click in PowerShell to paste the code above, then press Enter.
This gives you a list of all your resource groups.
You even get the list of tags for each resource group with the above command.
However, the resource groups available to me currently are the ones in my personal Visual Studio subscription, the current subscription.
Let's see what subscriptions we have available:
Get-AzureRMSubscription
You get the subscription name, ID and tenant ID.
Let's find out the current subscription context:
Get-AzureRmContext
You can also use the following command to get subscription details
(Get-AzureRmContext).Subscription
Now we want to change the current subscription context. This example is going to look at a resource group and a resource in our Proof of Concept subscription.
This function lets us see every tag at resource level against the resource group, so this script doesn't quite give us what we want. We know that there are no tags at resource group level; how do we establish this with PowerShell?
Then run (Get-AzureRmResource -Name "AdventureWorksDW").Tags to look at the tags. This script deletes all the tags and inserts just the one, which isn't the logic we want to use; we want to add tags to a resource that already has tags.
A couple more really useful scripts in regards to tags:
Get-AzureRmTag
This script lets you see all your tags and how many times they are used within the subscription.
From the above output we can see that businessProcesst is a tag that has been added which needs amending to businessProcess (it has been typed incorrectly).
Get more information about the Tag (Tag Values and Count of Use)
Get-AzureRmTag -Name "environmentType"
This script is great for looking at the values in a specific tag, and in this case we want to know more about businessProcesst:
Get-AzureRmTag -Name "businessProcesst"
And to really tie it down, which resource or resource group does it belong to?
You can run the following script to get the specific resource group for the tag:
(Get-AzResourceGroup -Tag @{ "businessProcesst"="Proof of Concept"}).ResourceGroupName
It's in the Proof of Concept resource group, so all that is needed is to delete and recreate it.
And this script checks whether it's against any resources:
(Get-AzResource -Tag @{ "businessProcesst"="Proof of Concept"}).Name
In this case, no.
Remove-AzureRmTag -Name "businessProcesst"
Although we have checked, the error message still says that the tag is being referenced by resources.
It may be easier to update the tag in Azure rather than using code. There doesn't appear to be a way of changing the tag name in PowerShell (or at least I haven't found it yet).
You can go to Tags, click on the tag, then click on … at the end of the tag row and choose Edit tags.
Then Save.
This just gives a flavour of how to use PowerShell to manage tags. The commands can be saved into scripts so we can reproduce the creation of tags if required.
Tags applied to resource groups don't get added to the resources below them. PowerShell gives you more control over making sure resources and resource groups have the correct tags applied.
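Two helpers for the tag problems met in this walkthrough, written as an added example and not taken from the original post. Add-TagsKeepingExisting adds tags to a resource or resource group without deleting the tags already on it (Set-AzResource -Tag and Set-AzResourceGroup -Tag replace the whole set, which is why the script above wiped everything but the one tag). Rename-TagKey moves a misspelt key such as businessProcesst to the correct businessProcess on every resource group and resource that carries it, which is what has to happen before Remove-AzTag will accept the old name. It also answers the earlier question of how to find resource groups with no tags at all. It uses the Az module (not AzureRM) and assumes you are already signed in; the resource and tag values are the ones from the post, used as placeholders.

```powershell
# Added example, not part of the original post. Requires the Az module and an
# existing sign-in; resource and tag names are placeholders.

function Merge-Tags {
    # New hashtable holding $Existing plus $NewTags; keys in $NewTags win.
    param([hashtable]$Existing, [hashtable]$NewTags)
    $merged = @{}
    if ($Existing) { foreach ($k in $Existing.Keys) { $merged[$k] = $Existing[$k] } }
    foreach ($k in $NewTags.Keys) { $merged[$k] = $NewTags[$k] }
    return $merged
}

function Add-TagsKeepingExisting {
    # Adds $Tags to a resource (by id) or a resource group (by name) while
    # keeping whatever tags are already there.
    param(
        [Parameter(Mandatory)][hashtable]$Tags,
        [string]$ResourceId,          # either a full resource id ...
        [string]$ResourceGroupName    # ... or a resource group name
    )
    if ($ResourceId) {
        $res = Get-AzResource -ResourceId $ResourceId
        Set-AzResource -ResourceId $ResourceId -Tag (Merge-Tags $res.Tags $Tags) -Force | Out-Null
    } elseif ($ResourceGroupName) {
        $rg = Get-AzResourceGroup -Name $ResourceGroupName
        Set-AzResourceGroup -Name $ResourceGroupName -Tag (Merge-Tags $rg.Tags $Tags) | Out-Null
    } else {
        throw 'Give either -ResourceId or -ResourceGroupName'
    }
}

function Rename-TagKey {
    # Copies the value of $OldKey into $NewKey and drops $OldKey, on every
    # resource group and resource in the current subscription that has it.
    param([Parameter(Mandatory)][string]$OldKey, [Parameter(Mandatory)][string]$NewKey)
    $groups = Get-AzResourceGroup | Where-Object { $_.Tags -and $_.Tags.ContainsKey($OldKey) }
    foreach ($rg in $groups) {
        $tags = Merge-Tags $rg.Tags @{ $NewKey = $rg.Tags[$OldKey] }
        $tags.Remove($OldKey)
        Set-AzResourceGroup -Name $rg.ResourceGroupName -Tag $tags | Out-Null
        "resource group $($rg.ResourceGroupName): $OldKey -> $NewKey"
    }
    $resources = Get-AzResource | Where-Object { $_.Tags -and $_.Tags.ContainsKey($OldKey) }
    foreach ($res in $resources) {
        $tags = Merge-Tags $res.Tags @{ $NewKey = $res.Tags[$OldKey] }
        $tags.Remove($OldKey)
        Set-AzResource -ResourceId $res.ResourceId -Tag $tags -Force | Out-Null
        "resource $($res.Name): $OldKey -> $NewKey"
    }
    # Nothing references the old name any more, so the subscription-wide tag
    # entry can now be removed (the call that was refused earlier).
    Remove-AzTag -Name $OldKey
}

# Which resource groups have no tags at all?
Get-AzResourceGroup | Where-Object { -not $_.Tags -or $_.Tags.Count -eq 0 } | Select-Object ResourceGroupName

# Add a tag to an already-tagged resource without losing the others
$id = (Get-AzResource -Name 'AdventureWorksDW').ResourceId
Add-TagsKeepingExisting -ResourceId $id -Tags @{ applicationName = 'HR Performance' }

# Correct the misspelt key that Get-AzTag showed
Rename-TagKey -OldKey 'businessProcesst' -NewKey 'businessProcess'
```

Rename-TagKey touches every resource carrying the key, so run it against one subscription at a time and check the output lines before moving on; Azure has no rename operation for a tag name, so copy-then-remove per resource is the only way to do it from code.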
Tagging is a feature introduced with the Azure Resource Manager (ARM) model. Tags can be used to logically group and track resources. The old (classic) version of Azure was Azure Service Manager.
Azure tagging can be done using the Azure Portal, Azure PowerShell, the CLI (command-line interface) or ARM (Azure Resource Manager) JSON templates.
Tags can then be used to select resources or resource groups, and are useful when you need to organise resources for billing or management.
You apply tags to your Azure resources giving metadata to logically organize them into a taxonomy.
Each tag consists of a name and a value pair. For example, you can apply the name “Environment” and the value “Production” to all the resources in production.
Key Points
You can only apply tags to resources that support Resource Manager operations
VMs, virtual networks and storage created through the classic deployment model must be redeployed through Resource Manager to support tagging.
A good way around this is to tag the resource group they belong to instead.
All ARM resources support tagging
Each resource or resource group can have a maximum of 15 tags.
Tags are key/value pairs; the name is limited to 512 characters and the value to 256 characters.
Tags are free-form text, so consistent and correct spelling is very important.
Tags defined on resource groups exist only on the group object and do not flow down to the resources under them.
Through that relationship you can still find resources easily by filtering on the tagged resource group. It's recommended to keep tags on the resource group unless they are resource specific.
Each tag is automatically added to the subscription-wide taxonomy
Application or resource specific tags will “pollute” the tag list for the entire subscription.
Issues with Tags
Using the recommended tag procedure of tagging at resource group level causes issues, because the tags don't get inherited at resource level.
The hope was that any tags you apply at one level of the hierarchy would be inherited by the lower levels, and this doesn't happen.
You need to be careful that your tags stay logical and don't differ from the higher levels. It may well be preferable to do this via PowerShell scripts, so that correct logic is maintained between resources and resource groups.
Resource Groups
The underlying technology that powers resource groups is the Azure Resource Manager (ARM).
ARM was built by Microsoft in response to the shortcomings of the old Azure Service Manager (ASM).
ARM requires that resources be placed in resource groups, which allows for logical grouping of related resources.
Although creating a resource group requires specifying a region for it to be stored in, the resources in that group can span multiple regions.
In the ARM architecture, resource groups not only become units of deployment, but also units of management of related resources.
It allows role-based access control (RBAC) at the resource group level, making it much easier to manage user access to the resources in the group.
When users log in to the Azure Portal, they will only see the resource groups they have access to and not others within the subscription. Administrators can still assign access control to individual resources within the resource group based on users' roles. This is also great for seeing the costs associated with each resource group.
Successful Azure Resource Groups
If an application requires different resources that need to be updated together, such as a SQL database, a web app, a mobile app, etc., then it makes sense to group these resources in the same resource group.
Use different resource groups for dev/test, staging and production, as the resources in these groups have different lifecycles.
All the resources in the group should share the same environment (Dev, Test etc.) because you deploy, update and delete them together.
If you have, for example, the marketing analytics database in one resource group and a demo database in another, each resource group needs its own server.
You can't rename a resource group.
A good naming convention to use is rg-projectorapp-subprojectorapp-dev or projectorapp-subprojectorapp-dev-rg.
Examples of Resource groups
Adding Tags to a VM resource within a Resource Group
Tagging Examples
Now that you have logical resource groups set up, we can set up tags, which are good for larger organisations.
Business tags:
Cost centre
Responsible person or party
Application name
Environment (Development, Testing, Staging, Production)
Security tags:
Data profile
Automation tags:
Power off
Maintenance window
Key             | Example                                      | Comment                                  | Type
costCenter      | 12345                                        | This is your internal billing code       | Business
managedBy       | debbie@peak.co.uk                            | Name or email address                    | Business
applicationName | myapp                                        | Name of the project                      | Business
environment     | <Production, Staging, QA>                    | Identifies the environment               | Business
dataProfile     | <Public, Confidential, Restricted, Internal> | Data sensitivity (see below)             | Security
powerOff        | yes, no                                      | Can this resource be shut down at 7pm?   | Automation

Data sensitivity values for dataProfile:
Public: this information is public information, and can be openly shared on your website.
Internal: internal information is company-wide and should be protected with limited controls.
Confidential: confidential information is team-wide and its use should be contained within the business.
Restricted: restricted information is highly sensitive and its use should be limited on a need-to-know basis.
Example of a subscription with tags on the resource groups.
Looking at this example, the tagging has been added to the resource groups. However, if you look at a resource, you won't see the tags.
We need to look at a way of ensuring that the tags applied to the resource group are also applied to each resource.
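One way to do that, and to catch the drift between levels that the Issues with Tags section warns about, as an added example that is not code from the original post: the function below pushes a resource group's tags down to every resource inside it (which Azure does not do on its own) and reports any resource whose value for the same key already differs from the group's. Existing resource-level values are kept unless -Overwrite is given, and -DryRun reports without changing anything. It assumes the Az module and an existing sign-in; the resource group name at the end is a placeholder.

```powershell
# Added example, not part of the original post. Requires the Az module and an
# existing sign-in; the resource group name used at the end is a placeholder.

function Sync-ResourceGroupTags {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [switch]$Overwrite,   # let the group's value win when the two differ
        [switch]$DryRun       # report only, change nothing
    )
    $rg = Get-AzResourceGroup -Name $ResourceGroupName
    if (-not $rg.Tags -or $rg.Tags.Count -eq 0) {
        Write-Warning "$ResourceGroupName has no tags to pass down"
        return
    }
    foreach ($res in Get-AzResource -ResourceGroupName $ResourceGroupName) {
        # Start from a copy of the resource's own tags: Set-AzResource replaces
        # the whole set, so anything left out here would be deleted.
        $tags = @{}
        if ($res.Tags) { foreach ($k in $res.Tags.Keys) { $tags[$k] = $res.Tags[$k] } }
        $changed = $false
        foreach ($key in $rg.Tags.Keys) {
            $groupValue = $rg.Tags[$key]
            if (-not $tags.ContainsKey($key)) {
                $tags[$key] = $groupValue
                $changed = $true
            } elseif ($tags[$key] -ne $groupValue) {
                "DRIFT   $($res.Name): $key = '$($tags[$key])' on the resource, '$groupValue' on the group"
                if ($Overwrite) { $tags[$key] = $groupValue; $changed = $true }
            }
        }
        if (-not $changed) { continue }
        if ($DryRun) {
            "WOULD   update $($res.Name) ($($res.ResourceType)) to $($tags.Count) tags"
            continue
        }
        try {
            Set-AzResource -ResourceId $res.ResourceId -Tag $tags -Force -ErrorAction Stop | Out-Null
            "UPDATED $($res.Name)"
        } catch {
            # A few resource types do not support tags at all; report rather than abort
            Write-Warning "Could not tag $($res.Name) ($($res.ResourceType)): $($_.Exception.Message)"
        }
    }
}

# Report first for every resource group in the current subscription ...
foreach ($g in Get-AzResourceGroup) {
    Sync-ResourceGroupTags -ResourceGroupName $g.ResourceGroupName -DryRun
}
# ... then apply to one group once the DRIFT lines have been reviewed (placeholder name)
Sync-ResourceGroupTags -ResourceGroupName 'rg-hr-performance-dev'
```

Run the dry run on a schedule and treat any DRIFT line as a tagging bug to fix at the source; only use -Overwrite once you are sure the resource group, not the resource, holds the correct value.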
Adding tags to a resource in Azure Portal
Policies for Tags
Azure Policy is a service in Azure that you use to create, assign and manage policies.
As an administrator, you may need to lock a subscription, resource group or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.
You can set the lock level to CanNotDelete or ReadOnly. In the portal the locks are called Delete and Read-only respectively. It may be useful to add a tag for this:
LockLevel <CanNotDelete, ReadOnly, NA>
Conclusion
We will look at tagging in more detail in other posts: what policies you can apply, tagging via PowerShell, CLI and ARM JSON templates, and how to manage and enforce good tagging logic.