Automatically tagging Azure Resource Groups with the owner


[Update] The latest script is now available on GitHub – https://github.com/knom/AzureResourceOwnerTag 

In our team we have a convention of tagging Resource Groups with the ALIAS of the owner. This identifies who the main point of contact is.

Step 1: Apply a tag with name “alias” and the value (e.g. “me”) to the resource group or even resource.


Step 2: You can then search and filter for resource groups TAGGED with some values…
Tags is a menu item under More Services in the Azure menu.

You can even pin your favorite query to the Dashboard.

To use PowerShell to find the resources for an alias, we run the following query:

Find-AzureRmResourceGroup -Tag @{ alias = "me" }

Or Azure CLI:

azure group list --tags alias=me

Now, what if you wanted to have TAGGING happen automatically?

Azure Activity Logs provide a history of activities that happened to a resource group or resource.
So we could just use the activity log to find out who created the resource group and then make an alias tag out of that!

Using the Azure.Insights PowerShell cmdlets you can get a list of everyone who manipulated the resource group over the last 15 days at most:

$users = Get-AzureRmLog -ResourceGroup $rg -StartTime (Get-Date).AddDays(-14) -EndTime (Get-Date)| Select Caller | Where { $_.Caller } | Sort-Object -Property Caller -Unique

Now we can either use the FIRST or the LAST user that touched it – and apply that as an ALIAS TAG.

Set-AzureRmResourceGroup -Name $rg -Tag @{ alias = $users[0].Caller }
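Two details matter when a tag is used for ownership attribution: Sort-Object -Property Caller -Unique orders callers alphabetically rather than by time, and Set-AzureRmResourceGroup -Tag replaces the group's whole tag collection. The following is an added example, not part of the original script: it picks the chronologically earliest caller in user@domain form and merges the alias into the existing tags. Get-OwnerAlias, Merge-AliasTag and the sample events are hypothetical and constructed so the block runs offline.

```powershell
# Added example: Get-OwnerAlias and Merge-AliasTag are hypothetical helpers.

function Get-OwnerAlias {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # items with Caller and EventTimestamp
        [string] $Domain = 'microsoft.com'          # UPN suffix stripped to form the alias
    )
    $suffix = '@' + [regex]::Escape($Domain) + '$'
    $first = $Events |
        Where-Object { $_.Caller -match '^[^@\s]+@[^@\s]+$' } |  # keep user@domain callers only
        Sort-Object -Property EventTimestamp |                    # oldest event first
        Select-Object -First 1
    if ($first) { $first.Caller -replace $suffix, '' }            # nothing returned if no user caller
}

function Merge-AliasTag {
    param([hashtable] $ExistingTags, [Parameter(Mandatory)] [string] $Alias)
    $merged = @{}
    if ($ExistingTags) {
        foreach ($key in $ExistingTags.Keys) { $merged[$key] = $ExistingTags[$key] }
    }
    if (-not $merged.ContainsKey('alias')) { $merged['alias'] = $Alias }  # never overwrite an owner
    $merged
}

# Constructed sample events (not real log data).
$sampleEvents = @(
    [pscustomobject]@{ Caller = 'zoe@microsoft.com';  EventTimestamp = [datetime]'2017-03-01T09:00:00' }
    [pscustomobject]@{ Caller = '11111111-2222-3333-4444-555555555555'; EventTimestamp = [datetime]'2017-03-01T08:00:00' }
    [pscustomobject]@{ Caller = 'adam@microsoft.com'; EventTimestamp = [datetime]'2017-03-05T10:00:00' }
    [pscustomobject]@{ Caller = $null;                EventTimestamp = [datetime]'2017-02-28T07:00:00' }
)

$alias = Get-OwnerAlias -Events $sampleEvents
$tags  = Merge-AliasTag -ExistingTags @{ costcenter = 'constructed-123' } -Alias $alias
"alias = $alias"
$tags
```

Against a live subscription, pass the output of Get-AzureRmLog as -Events and hand the merged hashtable to Set-AzureRmResourceGroup -Tag.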

Next we get the UN-ALIASED resource groups like this…

$allRGs = (Get-AzureRmResourceGroup).ResourceGroupName
Write-Verbose "Found $($allRGs.Length) total RGs"

$aliasedRGs = (Find-AzureRmResourceGroup -Tag @{ alias = $null }).Name
Write-Verbose "Found $($aliasedRGs.Length) aliased RGs"

$notAliasedRGs = $allRGs | ?{-not ($aliasedRGs -contains $_)}
Write-Verbose "Found $($notAliasedRGs.Length) un-tagged RGs"

Now we know all the Resource Groups on which we have to run the above tagging!

That’s it!
Once again – the complete script (which assumes you are already logged in to your Azure RM subscription):

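param(
    # When set, only report what would be tagged without changing anything
    [switch] $DryRun
)

# All resource groups in the subscription
$allRGs = @((Get-AzureRmResourceGroup).ResourceGroupName)
Write-Warning "Found $($allRGs.Length) total RGs"

# Resource groups that already carry an alias tag (any value)
$aliasedRGs = @((Find-AzureRmResourceGroup -Tag @{ alias = $null }).Name)
Write-Warning "Found $($aliasedRGs.Length) aliased RGs"

# Resource groups that still need an alias tag
$notAliasedRGs = @($allRGs | ?{-not ($aliasedRGs -contains $_)})
Write-Warning "Found $($notAliasedRGs.Length) un-tagged RGs"

$result = New-Object System.Collections.ArrayList

foreach ($rg in $notAliasedRGs)
{
    # Distinct callers from the activity log of the last 14 days, sorted by caller name
    $callers = Get-AzureRmLog -ResourceGroup $rg -StartTime (Get-Date).AddDays(-14) -EndTime (Get-Date) | Select Caller | Where { $_.Caller } | Sort-Object -Property Caller -Unique
    if ($callers){
        # Use the first caller in the sorted list and strip the domain suffix
        $alias = @($callers)[0].Caller -replace "@microsoft\.com$",""
        Write-Warning "Tagging Resource Group $rg for alias $alias"
        if (-not $DryRun)
        {
            Set-AzureRmResourceGroup -Name $rg -Tag @{ alias = $alias}
        }
        # [void] keeps the index returned by Add() out of the output
        [void]$result.Add((New-Object PSObject -Property @{Name=$rg; Alias=$alias}))
    }
    else{
        Write-Warning "No activity found for Resource Group $rg"
    }
}

# Emit the list of tagged (or, with -DryRun, to-be-tagged) resource groups
$result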
