
Azure Policy with "modify" effect needs update or create event - how to deal with existing resources?


A customer wants a policy / initiative that inherits tags from the resource group for the individual resources within such resource group. Since there is a list of tags that should be inherited, I created a policySetDefinition ("initiative") like this:

{
"name": "psd-inherit-rg-tags",
"properties": {
    "description": "Adds tags attached to the resource group to individual resources (upon update/modify event)",
    "displayName": "Inherit RG tags",
    "metadata": {
        "category": "Tags"
    },
    "parameters": {},
    "policyDefinitionGroups": [],
    "policyDefinitions": [
        {
            "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea3f2387-9b95-492a-a190-fcdc54f7b070",
            "policyDefinitionReferenceId": "Inherit tag CreatedBy from the resource group if missing",
            "parameters": {
                "tagName": {
                    "value": "CreatedBy"
                }
            }
        },
        {
            "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ea3f2387-9b95-492a-a190-fcdc54f7b070",
            "policyDefinitionReferenceId": "Inherit tag IT-Responsible from the resource group if missing",
            "parameters": {
                "tagName": {
                    "value": "IT-Responsible"
                }
            }
        },
        {more blocks for more tags here}
    ]
}
}

This works well: the default effect of the referenced built-in policy (name/id "ea3f2387-9b95-492a-a190-fcdc54f7b070") is "modify", which adds tags to any newly created resource in a resource group, or when I update a resource, say a storage account, by for instance changing access configurations. But of course I / the customer don't want to wait for all existing resources to get their tags from the resource group until some need for an update on a resource comes along. Plus for some resources (say a public IP) I wouldn't know what a meaningful update requirement would be.

Is there a way to programmatically - via the az CLI or PowerShell - "fake" / produce harmless update events on resources like storage accounts and network components? Or is this the wrong way to go about adding tags to existing resources altogether?

Thanks for any input!


Solution

  • Is there a way to programmatically - via the az cli or PowerShell - "fake" / produce harmless update events on resources like storage accounts and network components?

    Yes, you can trigger updates on resources in Azure using PowerShell, even without making any actual changes to the resources themselves. This can be achieved by updating a non-essential property of the resource, such as a tag or description, and it will act as a resource update with no changes in the configuration.

        # Connect to Azure
        Connect-AzAccount

        # Specify the resource group name
        $resourceGroupName = "<RG_name>"

        # Get a list of resources in the resource group
        $resources = Get-AzResource -ResourceGroupName $resourceGroupName

        # Iterate over the resources and update them
        foreach ($resource in $resources) {
            # Start from the resource's current tags: -Tag replaces the whole
            # tag set, so passing a fresh hashtable would wipe existing tags
            $tags = @{}
            if ($resource.Tags) { $tags = $resource.Tags }

            # Fake update by setting a tag (you can adjust this as needed)
            $tags["Environment"] = "test"

            # Update the resource with the merged tag(s); the PUT this issues is
            # the update event the modify-effect policy evaluates on
            Set-AzResource -ResourceId $resource.ResourceId -Tag $tags -Force
        }
    


    After running the PowerShell script, tags have been added to the resource.


    Once tags have been assigned to the resources, the policy will recognize a resource modification and begin applying the policy to inherit tags from the resource group.
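An added example, not part of the question or the answer above, showing the route Azure Policy itself provides for exactly this situation: a remediation task on the initiative assignment, which makes a "modify" effect act on already existing resources without producing fake update events. All names are hypothetical assumptions: the initiative "psd-inherit-rg-tags" from the question is assumed to be assigned at subscription scope under the assignment name "inherit-rg-tags", the assignment is assumed to have a managed identity that already holds the role the built-in definition requires (a modify assignment needs that identity to write tags), and the tag-to-reference-ID table is assumed to match the policyDefinitionReferenceId values of the initiative. The Az.PolicyInsights module is required for the remediation cmdlets.

```powershell
# Added example (not code from the original post).
# Assumed (hypothetical) names: assignment 'inherit-rg-tags' of the initiative
# 'psd-inherit-rg-tags' at subscription scope, with a managed identity that can
# write tags. Requires Az.Accounts, Az.Resources and Az.PolicyInsights.
Connect-AzAccount | Out-Null

$subscriptionId = (Get-AzContext).Subscription.Id
$scope          = "/subscriptions/$subscriptionId"
$assignmentName = "inherit-rg-tags"   # hypothetical assignment name
$assignmentId   = "$scope/providers/Microsoft.Authorization/policyAssignments/$assignmentName"

# Tag name -> policyDefinitionReferenceId, taken from the initiative in the
# question; add one entry per tag the initiative inherits.
$referenceIds = @{
    "CreatedBy"      = "Inherit tag CreatedBy from the resource group if missing"
    "IT-Responsible" = "Inherit tag IT-Responsible from the resource group if missing"
}

# One remediation task per policy reference inside the initiative.
# ReEvaluateCompliance makes Policy re-scan the scope first, so resources that
# have never been evaluated (no update event yet) are picked up as well.
$remediations = foreach ($tagName in $referenceIds.Keys) {
    Start-AzPolicyRemediation `
        -Name ("rem-inherit-" + $tagName.ToLower()) `
        -PolicyAssignmentId $assignmentId `
        -PolicyDefinitionReferenceId $referenceIds[$tagName] `
        -Scope $scope `
        -ResourceDiscoveryMode ReEvaluateCompliance
}

# Poll until every task has finished, then report what was actually changed.
do {
    Start-Sleep -Seconds 30
    $status = foreach ($r in $remediations) {
        Get-AzPolicyRemediation -Name $r.Name -Scope $scope
    }
    $pending = $status | Where-Object {
        $_.ProvisioningState -in @('Accepted', 'Evaluating', 'Running')
    }
} while ($pending)

$status |
    Select-Object Name, ProvisioningState,
        @{ n = 'Succeeded'; e = { $_.DeploymentSummary.SuccessfulDeployments } },
        @{ n = 'Failed';    e = { $_.DeploymentSummary.FailedDeployments } } |
    Format-Table -AutoSize
```

A remediation task only touches resources the evaluation reports as non-compliant for that policy reference, so resources that already carry the tag are left alone, and nothing else on the resource is rewritten. That is the practical difference from the tag-touching loop in the answer: Set-AzResource issues a full PUT of each resource and replaces its tag set, so it needs the existing tags merged in and can fail on resource types that do not accept a plain PUT of their current state.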