Overview
Tagging is difficult, and many organizations are constantly updating their tagging strategies to account for all of their resources and consumption. During this process, especially in larger organizations, tagging policies can become inconsistent, leaving some resources without appropriate tags.
A common occurrence is parallel tagging policies that mean the same thing but use inconsistent names: for example, tagging some resources with env:prd and others with Environment:Production. From a cost allocation perspective, this can result in confusing figures if the existing policies aren't accurately accounted for.
The following is a tutorial for configuring Azure Policies that will auto-tag resources that carry legacy tags and effectively migrate your infrastructure to a new standard.
Getting Started
Step 1: Create a new Azure Policy definition
Where possible, it's best to use pre-baked policies defined by Azure to simplify the process of configuration. However, in the case of tag-mapping, there are no appropriate default tag policies, so we have to create our own.
Step 2: Configure your new Azure Policy definition
Fill out the BASICS section of the policy definition. Feel free to copy the configuration below or use your own details:
- Definition location: {your subscription}
- Name: tag-mapping
- Description: Tag all resources that have the source tag name/value pair with a new target tag name/value pair.
Step 3: Configure the Policy JSON
Update the policy JSON to match the following.
WARNING: This policy definition is currently configured to OVERWRITE whatever value is already in the targetTagName tag on the resource. If you wish to keep existing values, you will need to update this definition (refer to this documentation on Azure Policy JSON).
NOTE: The value in roleDefinitionIds may not be correct for your environment. If the creation of this policy fails because of the roleDefinitionId, please refer to this guide on role definitions in Azure.
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "[concat('tags[', parameters('sourceTagName'), ']')]",
          "equals": "[parameters('sourceTagValue')]"
        }
      ]
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "operations": [
          {
            "operation": "add",
            "field": "[concat('tags[', parameters('targetTagName'), ']')]",
            "value": "[parameters('targetTagValue')]"
          }
        ]
      }
    }
  },
  "parameters": {
    "sourceTagName": {
      "type": "String",
      "metadata": {
        "displayName": "Source Tag Name",
        "description": "Name of the source tag, such as 'env'"
      }
    },
    "sourceTagValue": {
      "type": "String",
      "metadata": {
        "displayName": "Source Tag Value",
        "description": "Value of the source tag, such as 'prd'"
      }
    },
    "targetTagName": {
      "type": "String",
      "metadata": {
        "displayName": "Target Tag Name",
        "description": "Name of the target tag, such as 'Environment'"
      }
    },
    "targetTagValue": {
      "type": "String",
      "metadata": {
        "displayName": "Target Tag Value",
        "description": "Value of the target tag, such as 'Production'"
      }
    }
  }
}
Step 4: Create your Custom Policy definition
Once you have created your custom policy definition, you should see it within the definitions menu of Azure Policy. To find it, filter by the name of your new policy (in this example, "tag-mapping").
Step 5: Assign this new policy to your environment to apply it.
Click on the Assignments menu item in Azure Policy and create a new policy assignment. Select the definition you created earlier.
Choose an appropriate name for the assignment and a description of what will happen. In this example we are going to map the tag env:prd to Environment:Production.
Configure the tag mapping strategy you would like. In this example, all resources that have the tag env:prd will be given the tag Environment:Production as well.
Make sure to tick the Create a remediation task option if you are sure this configuration is correct. Otherwise, you can create the remediation task after the assignment is generated.
Configure a non-compliance message if appropriate. Once you're done, hit Create and you are done.
Step 6: Done!
If you created a remediation task as part of this configuration effort, your policy will now be taking effect over time.
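The WARNING in Step 3 and the remediation task in Step 5 both depend on which resources already carry the target tag. The following Python is an added example, not part of the original tutorial or of Azure's tooling: it classifies an exported resource inventory using the same four assignment parameters, so value conflicts can be reviewed before remediation runs. The function names, the sample inventory, and the case-insensitive handling of tag names and of the source value are assumptions of the example.

```python
"""Preview the tag-mapping assignment against exported resource tags (added example)."""

def find_tag(tags, name):
    """Return (key, value) for a tag, matching the name case-insensitively, else None."""
    for key, value in tags.items():
        if key.lower() == name.lower():
            return key, value
    return None

def preview(resources, source_name, source_value, target_name, target_value):
    """Classify each resource whose source tag matches the assignment parameters.

    'add'       - target tag is absent
    'overwrite' - target tag is present with a different value (review these)
    'unchanged' - target tag already holds the target value
    Resources whose source tag does not match are left out of the plan.
    """
    plan = {}
    for res in resources:
        tags = res.get("tags") or {}  # untagged resources may export tags as null
        source = find_tag(tags, source_name)
        # Assumption: the policy's "equals" comparison ignores case.
        if source is None or source[1].lower() != source_value.lower():
            continue
        target = find_tag(tags, target_name)
        if target is None:
            plan[res["id"]] = ("add", None)
        elif target[1] == target_value:
            plan[res["id"]] = ("unchanged", target[1])
        else:
            plan[res["id"]] = ("overwrite", target[1])
    return plan

# Constructed sample inventory (hypothetical ids): one entry per resource, id plus tags.
SAMPLE = [
    {"id": "vm1", "tags": {"env": "prd"}},
    {"id": "vm2", "tags": {"env": "prd", "Environment": "Staging"}},
    {"id": "sa1", "tags": {"Env": "prd", "environment": "Production"}},
    {"id": "db1", "tags": {"env": "dev"}},
    {"id": "kv1", "tags": None},
]

if __name__ == "__main__":
    plan = preview(SAMPLE, "env", "prd", "Environment", "Production")
    for rid, (action, old) in plan.items():
        note = f"  (current value: {old})" if action == "overwrite" else ""
        print(f"{action:10} {rid}{note}")
```

Any resource reported as overwrite holds a target tag value that someone set deliberately or by an older policy; resolve those before ticking Create a remediation task.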