Auto-Tag the Azure Resources using the Cloud Custodian
Solve the problem of missing tags for newly created resources
Cloud Custodian's auto-tag-user action is a powerful way to solve the missing-tag problem for newly created resources. When an incident happens, the very first question asked is “who owns that resource?” The security analyst checks the tags associated with the resource. This is why the auto-tag-user policy is so important: it automatically tags the resource with its owner/creator.
1. App Service Plan
policies:
  - name: azure-appserviceplan-auto-tag
    resource: azure.appserviceplan
    description: |
      Find azure appserviceplan that has not been tagged with
      mandatory owner tag while creation. Tag appserviceplan with the
      user who created it. This policy does not apply on existing
      appserviceplan.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{
          resourceProvider: 'Microsoft.Web/serverfarms',
          event: 'write'
        }]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner
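The decision this policy makes on each write event can be modelled in a few lines of Python. This is an added example, not Cloud Custodian's own code and not from the original article: the function names, the sample events and the claim precedence (UPN, then name, then appid) are assumptions made for illustration.

```python
# Added illustration: simplified model of the policy above, not Cloud Custodian's code.
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
WATCHED = ("microsoft.web/serverfarms", "write")  # resourceProvider + event from the policy
TAG = "owner"                                      # tag key from the policy


def event_matches(event):
    """True for a successful write on the watched resource type."""
    operation = event["data"].get("operationName", "").lower()
    provider, _, action = operation.rpartition("/")
    return (event.get("eventType") == "Microsoft.Resources.ResourceWriteSuccess"
            and (provider, action) == WATCHED)


def creator_from_claims(claims):
    """Assumed precedence: user UPN, then display name, then service principal appid."""
    for key in (UPN, "name", "appid"):
        if claims.get(key):
            return claims[key]
    return None


def plan_tag(event, current_tags):
    """Return the tag to add, or None when the resource is left untouched."""
    if not event_matches(event) or TAG in current_tags:  # filter: "tag:owner": absent
        return None
    creator = creator_from_claims(event["data"].get("claims", {}))
    return {TAG: creator} if creator else None


def make_event(operation, claims):
    """Build a constructed Event Grid event carrying only the fields used here."""
    return {"eventType": "Microsoft.Resources.ResourceWriteSuccess",
            "data": {"operationName": operation, "claims": claims}}


# Constructed sample events (not captured from a real subscription).
USER_EVENT = make_event("Microsoft.Web/serverfarms/write",
                        {UPN: "alice@example.com", "name": "Alice"})
SP_EVENT = make_event("Microsoft.Web/serverfarms/write",
                      {"appid": "00000000-0000-0000-0000-000000000001"})
VM_EVENT = make_event("Microsoft.Compute/virtualMachines/write",
                      {UPN: "alice@example.com"})

if __name__ == "__main__":
    print(plan_tag(USER_EVENT, {}))                # user-created plan gets tagged
    print(plan_tag(SP_EVENT, {"env": "dev"}))      # pipeline-created plan gets the appid
    print(plan_tag(USER_EVENT, {"owner": "bob"}))  # existing owner tag is preserved
    print(plan_tag(VM_EVENT, {}))                  # other resource types are ignored
```

The third case is why the `"tag:owner": absent` filter matters: without it, a later write by a different principal would overwrite the original creator.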
2. Container Group
policies:
- name…