Scenario: One of the most common uses of Azure resource tags is billing. At one of my customers, I learned that the cost centers were changing because of a restructuring in the organization. I therefore had to find a way to update the cost-center tags in bulk (and, of course, with minimal manual work).
Solution: There are many ways to do it, but this time I wanted to use Azure Policy because I am a big fan of the modify effect 🙂
Policy also gave flexibility for:
- Configurable parameters (tag name, old value, new value)
- Auto remediation (when the policy sees tag_name=old_value, it updates the tag with the new value)
- Visual tracking
So I created the following custom policy. It finds resources that carry a specific tag with a specific value and then, using the modify effect, replaces the old value with the new value for that tag. The policy definition follows for reference.
PS: I assigned the policy at the management group level so that it takes effect in all my environments.
{
  "properties": {
    "displayName": "Replace a tag value on resources",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Replaces the specified tag old value with a new value for any resource",
    "metadata": {
      "category": "Tags",
      "createdBy": "b99768fc-a534-4edc-bc4d-94fa827f2686",
      "createdOn": "2020-06-17T08:18:33.1397882Z",
      "updatedBy": "b99768fc-a534-4edc-bc4d-94fa827f2686",
      "updatedOn": "2020-06-17T09:00:20.0023376Z"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "New Tag Value",
          "description": "The new tag value"
        }
      },
      "oldTagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Old Tag Value",
          "description": "The tag value which needs to be replaced"
        },
        "defaultValue": "Sagar_Sharma_Azure_Blog"
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "equals": "[parameters('oldTagValue')]"
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[parameters('tagValue')]"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/IntegrationServicesDelegated/providers/Microsoft.Authorization/policyDefinitions/187c3ab0-dad4-4895-8dd2-a0721c4af9c1",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "187c3ab0-dad4-4895-8dd2-a0721c4af9c1"
}
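A dry run of the rule above, added here as an example and not part of the original post: it previews which resources the modify effect would rewrite before the policy is assigned, taking into account that `equals` compares case-insensitively and that `Indexed` mode does not evaluate resource groups. The function names, the sample inventory (shaped like `az resource list` output) and the cost-center values are constructed assumptions.

```python
import json

# Constructed inventory in the shape of `az resource list` output (not real resources).
SAMPLE_INVENTORY = json.loads("""[
  {"name": "vm-app01", "type": "Microsoft.Compute/virtualMachines", "tags": {"costcenter": "CC-1001"}},
  {"name": "stlogs01", "type": "Microsoft.Storage/storageAccounts", "tags": {"CostCenter": "cc-1001"}},
  {"name": "sql-core", "type": "Microsoft.Sql/servers", "tags": {"costcenter": "CC-2002"}},
  {"name": "kv-shared", "type": "Microsoft.KeyVault/vaults", "tags": null},
  {"name": "rg-finance", "type": "Microsoft.Resources/subscriptions/resourceGroups",
   "tags": {"costcenter": "CC-1001"}}
]""")

# Resource groups and subscriptions are not evaluated when a definition uses mode "Indexed".
NOT_INDEXED = {"microsoft.resources/subscriptions/resourcegroups",
               "microsoft.resources/subscriptions"}


def find_tag(tags, tag_name):
    """Return (actual_key, value); assumes tag names match case-insensitively, as in ARM."""
    for key, value in (tags or {}).items():
        if key.lower() == tag_name.lower():
            return key, value
    return None, None


def preview(inventory, tag_name, old_value, new_value):
    """Sort resources into what the rule would modify, leave alone, or never evaluate."""
    plan = {"modify": [], "unchanged": [], "out_of_scope": []}
    for res in inventory:
        key, value = find_tag(res.get("tags"), tag_name)
        # The policy "equals" condition compares strings case-insensitively.
        matches = value is not None and value.lower() == old_value.lower()
        if res["type"].lower() in NOT_INDEXED:
            if matches:  # still carries the old value after remediation
                plan["out_of_scope"].append(res["name"])
        elif matches:
            plan["modify"].append(
                {"name": res["name"], "tag": key, "from": value, "to": new_value})
        else:
            plan["unchanged"].append(res["name"])
    return plan


if __name__ == "__main__":
    print(json.dumps(preview(SAMPLE_INVENTORY, "costcenter", "CC-1001", "CC-9001"), indent=2))
```

Anything listed under `out_of_scope` keeps the old cost center after remediation and needs a separate definition or a manual update.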