Auto-Tag the Azure Resources using the Cloud Custodian
Solve the problem of missing tags for newly created resources
Cloud Custodian's auto-tag-user action solves the missing-tag problem for newly created resources. When an incident happens, the very first question asked is "who owns that resource?", and the security analyst answers it by checking the tags on the resource. This is why the auto-tag-user policy matters: it automatically tags the resource with its owner, the user who created it. Every policy below has the same shape: a filter that matches only resources with no owner tag, an Event Grid mode that fires on the resource provider's write events, a user-assigned identity for the function that runs the policy, and an auto-tag-user action that writes the owner tag.

1. App Service Plan

policies:
  - name: azure-appserviceplan-auto-tag
    resource: azure.appserviceplan
    description: |
      Find azure appserviceplan that has not been tagged with
      mandatory owner tag while creation. Tag appserviceplan with the
      user who created it. This policy does not apply on existing
      appserviceplan.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{
        resourceProvider: 'Microsoft.Web/serverfarms',
        event: 'write'
      }]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner
2. Container Group

policies:
  - name: azure-container-group-auto-tag
    resource: azure.container-group
    description: |
      Find azure container-group that has not been tagged with
      mandatory owner tag while creation. Tag container-group with the
      user who created it. This policy does not apply on existing
      container-group.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{
        resourceProvider: 'Microsoft.ContainerInstance/containerGroups',
        event: 'write'
      }]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner
3. Container Registry

policies:
  - name: azure-containerregistry-auto-tag
    resource: azure.containerregistry
    description: |
      Find azure container-registry that has not been tagged with
      mandatory owner tag while creation. Tag container-registry with
      the user who created it. This policy does not apply on existing
      container-registry.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{
        resourceProvider: 'Microsoft.ContainerRegistry/registries',
        event: 'write'
      }]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner
4. Event Hub

policies:
  - name: azure-eventhub-auto-tag
    resource: azure.eventhub
    description: |
      Find azure eventhub that has not been tagged with
      mandatory owner tag while creation. Tag eventhub with
      the user who created it. This policy does not apply on existing
      eventhub.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{
        resourceProvider: 'Microsoft.EventHub/Namespaces',
        event: 'write'
      }]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner
5. Key Vault

policies:
  - name: azure-keyvault-auto-tag
    resource: azure.keyvault
    description: |
      Find azure keyvault that has not been tagged with
      mandatory owner tag while creation. Tag keyvault with
      the user who created it. This policy does not apply on existing
      keyvault.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{
        resourceProvider: 'Microsoft.KeyVault/vaults',
        event: 'write'
      }]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner
6. Network Security Group

policies:
  - name: azure-networksecuritygroup-auto-tag
    resource: azure.networksecuritygroup
    description: |
      Find azure network security group that has not been tagged with
      mandatory owner tag while creation. Tag network security group
      with the user who created it. This policy does not apply on
      existing network security group.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{
        resourceProvider: 'Microsoft.Network/networkSecurityGroups',
        event: 'write'
      }]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner
7. Resource Group

policies:
  - name: azure-resource-group-auto-tag
    resource: azure.resourcegroup
    description: |
      Find azure resource group that has not been tagged with
      mandatory owner tag while creation. Tag resource group
      with the user who created it. This policy does not apply on
      existing resource group.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{
        resourceProvider: 'Microsoft.Resources/subscriptions/resourceGroups',
        event: 'write'
      }]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner
8. Redis Cache

policies:
  - name: azure-redis-auto-tag
    resource: azure.redis
    description: |
      Find azure redis that has not been tagged with
      mandatory owner tag while creation. Tag redis with the user who
      created it. This policy does not apply on existing redis.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{
        resourceProvider: 'Microsoft.Cache/Redis',
        event: 'write'
      }]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner
9. Storage Accounts

policies:
  - name: azure-storage-auto-tag
    resource: azure.storage
    description: |
      Find azure storage accounts that have not been tagged with
      mandatory owner tag while creation. Tag storage accounts with
      the user who created them. This policy does not apply on existing
      storage accounts.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{
        resourceProvider: 'Microsoft.Storage/storageAccounts',
        event: 'write'
      }]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner
10. SQL Server

policies:
  - name: azure-sqlserver-auto-tag
    # azure.sqlserver, not azure.storage: the resource type has to match the
    # Microsoft.Sql/servers events this policy subscribes to.
    resource: azure.sqlserver
    description: |
      Find azure sqlserver that has not been tagged with mandatory
      owner tag while creation. Tag sqlserver with the user who
      created it. This policy does not apply to existing sqlserver.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{
        resourceProvider: 'Microsoft.Sql/servers',
        event: 'write'
      }]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner
11. Virtual Network

policies:
  - name: azure-vnet-auto-tag
    resource: azure.vnet
    description: |
      Find azure vnet that has not been tagged with mandatory
      owner tag while creation. Tag vnet with the user who
      created it. This policy does not apply to existing vnet.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{
        resourceProvider: 'Microsoft.Network/virtualNetworks',
        event: 'write'
      }]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner
12. Web App

policies:
  - name: azure-webapp-auto-tag
    resource: azure.webapp
    description: |
      Find azure webapp that has not been tagged with mandatory
      owner tag while creation. Tag webapp with the user who
      created it. This policy does not apply to existing webapp.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{
        resourceProvider: 'Microsoft.Web/sites',
        event: 'write'
      }]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner
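The twelve policies above are one template applied to twelve resource types, and the most likely way to break one is a copy-and-paste slip that leaves the `resource` type and the Event Grid `resourceProvider` out of step. The script below is an added example, not code from the post or from the Cloud Custodian project: it builds the whole policy set from a table of (name, resource, provider) rows and checks the invariants every auto-tag policy in the post relies on: an `auto-tag-user` action, a `tag:owner: absent` filter so a deliberately set owner is never overwritten, an `azure-event-grid` mode subscribed to `write` events, a provider that matches the resource type, and a user-assigned identity for the function. The identity id and output container are the post's own placeholders; the `PROVIDER_FOR` pairing is taken from the twelve policies.

```python
"""Build and sanity-check the auto-tag-user policies from the post.

Added example, not code from the original post or from the Cloud Custodian
project. It reproduces the post's twelve policies from one table and checks
the invariants an auto-tag policy must hold, including that the Event Grid
resourceProvider matches the c7n resource type. The identity id and output
container are the post's placeholders (exampleid, example.blob.abcd.windows.net).
The JSON it prints is accepted by custodian as a policy file just like YAML.
"""
import json
from typing import Dict, List, Tuple

# Policy name, c7n resource type, Event Grid resource provider: one row per
# policy in the post (row 10 uses the sqlserver resource, not storage).
POLICY_TABLE: List[Tuple[str, str, str]] = [
    ("azure-appserviceplan-auto-tag", "azure.appserviceplan", "Microsoft.Web/serverfarms"),
    ("azure-container-group-auto-tag", "azure.container-group", "Microsoft.ContainerInstance/containerGroups"),
    ("azure-containerregistry-auto-tag", "azure.containerregistry", "Microsoft.ContainerRegistry/registries"),
    ("azure-eventhub-auto-tag", "azure.eventhub", "Microsoft.EventHub/Namespaces"),
    ("azure-keyvault-auto-tag", "azure.keyvault", "Microsoft.KeyVault/vaults"),
    ("azure-networksecuritygroup-auto-tag", "azure.networksecuritygroup", "Microsoft.Network/networkSecurityGroups"),
    ("azure-resource-group-auto-tag", "azure.resourcegroup", "Microsoft.Resources/subscriptions/resourceGroups"),
    ("azure-redis-auto-tag", "azure.redis", "Microsoft.Cache/Redis"),
    ("azure-storage-auto-tag", "azure.storage", "Microsoft.Storage/storageAccounts"),
    ("azure-sqlserver-auto-tag", "azure.sqlserver", "Microsoft.Sql/servers"),
    ("azure-vnet-auto-tag", "azure.vnet", "Microsoft.Network/virtualNetworks"),
    ("azure-webapp-auto-tag", "azure.webapp", "Microsoft.Web/sites"),
]
# The pairing the validator enforces: a policy for azure.storage must not
# listen for Microsoft.Sql/servers writes.
PROVIDER_FOR: Dict[str, str] = {res: prov for _, res, prov in POLICY_TABLE}

TAG_KEY = "owner"
IDENTITY_ID = "exampleid"  # placeholder from the post: identity the function runs as
OUTPUT_DIR = "azure://example.blob.abcd.windows.net/{account_id}"  # placeholder from the post


def build_policy(name: str, resource: str, provider: str) -> dict:
    """Return one policy dict with the structure used throughout the post."""
    short = resource.split(".", 1)[1]
    return {
        "name": name,
        "resource": resource,
        "description": (f"Tag newly created {short} with the user who created it "
                        f"when the mandatory {TAG_KEY} tag is missing. "
                        f"Does not apply to existing {short}."),
        # Only untagged resources: never overwrite an owner tag set on purpose.
        "filters": [{f"tag:{TAG_KEY}": "absent"}],
        "mode": {
            "type": "azure-event-grid",
            "events": [{"resourceProvider": provider, "event": "write"}],
            "provision-options": {"identity": {"type": "UserAssigned", "id": IDENTITY_ID}},
            "execution-options": {"output_dir": OUTPUT_DIR},
        },
        "actions": [{"type": "auto-tag-user", "tag": TAG_KEY}],
    }


def build_all() -> dict:
    """The full policy document, one entry per row of POLICY_TABLE."""
    return {"policies": [build_policy(*row) for row in POLICY_TABLE]}


def validate_policy(policy: dict) -> List[str]:
    """Return the problems found in one policy; an empty list means it passes."""
    problems: List[str] = []
    resource = policy.get("resource", "")
    mode = policy.get("mode", {})
    tags = [a.get("tag") for a in policy.get("actions", []) if a.get("type") == "auto-tag-user"]
    if not tags:
        problems.append("no auto-tag-user action")
    for tag in tags:
        if {f"tag:{tag}": "absent"} not in policy.get("filters", []):
            problems.append(f"missing 'tag:{tag}: absent' filter, existing tags would be overwritten")
    if mode.get("type") != "azure-event-grid":
        problems.append("expected azure-event-grid mode, as in every policy of the post")
    events = mode.get("events", [])
    if not any(e.get("event") == "write" for e in events):
        problems.append("no write event subscribed, so new resources never trigger the policy")
    expected = PROVIDER_FOR.get(resource)
    for e in events:
        if expected is None or e.get("resourceProvider") != expected:
            problems.append(f"resourceProvider {e.get('resourceProvider')} does not match resource {resource}")
    identity = mode.get("provision-options", {}).get("identity", {})
    if identity.get("type") != "UserAssigned" or not identity.get("id"):
        problems.append("function needs a user-assigned identity that is allowed to write tags")
    return problems


def validate_all(doc: dict) -> Dict[str, List[str]]:
    """Map each failing policy name to its problems; empty dict means all pass."""
    failures: Dict[str, List[str]] = {}
    for policy in doc.get("policies", []):
        problems = validate_policy(policy)
        if problems:
            failures[policy.get("name", "?")] = problems
    return failures


if __name__ == "__main__":
    document = build_all()
    if validate_all(document):
        raise SystemExit(validate_all(document))
    print(json.dumps(document, indent=2))
```

Running the script prints the validated policy set; feeding `build_policy("azure-storage-auto-tag", "azure.storage", "Microsoft.Sql/servers")` to `validate_policy` reproduces the copy-and-paste mismatch and reports it as a provider/resource mismatch, which is the check worth running before deploying a new policy to a subscription.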