Scaling Resource Tagging in Azure: A Configurable Solution for Multiple Subscriptions and Tags


Managing resources in the cloud can be a challenging task, especially when it comes to organizing and grouping your resources effectively. Azure tags are an essential part of Azure resource management, allowing for easy identification and grouping of resources. However, applying tags to multiple resources across different subscriptions can be daunting, especially if you’re doing it manually. If you’re looking for a scalable and configurable solution to manage resource tags across multiple Azure subscriptions, then this blog post is for you! In this article, “Scaling Resource Tagging in Azure: A Configurable Solution for Multiple Subscriptions and Tags” we’ll introduce you to an approach that enables technical architects and developers to reliably tag resources in Microsoft’s cloud computing platform using configuration as code settings. This approach facilitates resource tagging consistency within an organization’s Azure tenant, allowing IT administrators to define and update their services through custom configurations that are easy to set up, audit, scale out when needed, and maintain over time without additional help.

We understand the importance of managing your resources efficiently and effectively, which is why we’ve developed this solution to make it easier for you to manage your Azure resources. With our proposed scalable solution, you can comfortably manage resource tags across multiple subscriptions, with the added benefit of configurability and scalability.

So, if you’re struggling to manage resource tags across multiple Azure subscriptions, read on as we dive into all these features (and more) of our proposed scalable solution for managing tags in Azure!

Table of contents

  1. Azure Resource Inventory Discovery
  2. Updating the tags in the Inventory file
  3. Creating the Azure Service Principal
  4. Azure Resource Tagging script
  5. Tag Validation
  6. Conclusion

I wrote two scripts to achieve this. The first is the discovery script, which discovers all the resources in all the subscriptions. Once you have discovered the resources, you can tweak the resulting list by adding or deleting entries, which gives you the inventory of resources you want to tag. This inventory file then becomes the input for the second script, which actually tags the resources. Now let’s understand these scripts:

Azure Resource Discovery

The discovery script discovers all the subscriptions’ resources and dumps the info into a CSV File. The name of the spreadsheet contains the current date. Here is the script.

# Sign in interactively; the account needs read access to every subscription to be inventoried.
Connect-AzAccount
$date = Get-Date -UFormat "%m-%d-%y"
$currentDir = $(Get-Location).Path
$oFile = "$($currentDir)\List_Of_All_Azure_Resources_Inventory_$($date).csv"

# Start from a clean file on every run.
if(Test-Path $oFile){
    Remove-Item $oFile -Force
}

# Header row; the column names must match what the tagging script reads.
"SUBSCRIPTION_NAME,SUBSCRIPTION_ID,RESOURCE_GROUP_NAME,RESOURCE_NAME,RESOURCE_TYPE,TAGS" | Out-File $oFile -Append -Encoding ascii

Get-AzSubscription | ForEach-Object{
    $subscriptionId = $_.Id
    $subscriptionName = $_.Name

    Set-AzContext -SubscriptionId $subscriptionId | Out-Null
    Get-AzResourceGroup | ForEach-Object{
        $resourceGroupName = $_.ResourceGroupName
        Get-AzResource -ResourceGroupName $resourceGroupName | ForEach-Object{
            $resourceName = $_.Name
            $resourceType = $_.ResourceType

            # Flatten existing tags to key=value pairs joined by ';' (no trailing semicolon).
            if($_.Tags -and $_.Tags.Count -gt 0){
                $tags = ($_.Tags.GetEnumerator() | ForEach-Object { $_.Key + "=" + $_.Value }) -join ";"
            }
            else{
                $tags = ""
            }

            # Quote every field so commas in names or tag values do not shift columns.
            '"{0}","{1}","{2}","{3}","{4}","{5}"' -f $subscriptionName,$subscriptionId,$resourceGroupName,$resourceName,$resourceType,$tags | Out-File $oFile -Append -Encoding ascii
        }
    }
}

This script creates the CSV file containing the list of all the resources.

Updating the tags in the Inventory file

Now that we have the inventory of the resources we need to tag, we add the tags in the TAGS column. Tags are written as key=value pairs, with each pair delimited by a semicolon. You can add as many tags as you want as long as you follow this convention. Please make sure not to add a semicolon at the end.
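
The inventory is edited by hand before it drives a script that runs with write access, so it is worth checking the TAGS column first. The following check is an added example, not part of the original scripts: Test-TagString is a hypothetical helper, the sample rows are constructed, and the limits used (50 tags, 512-character names, 256-character values, reserved characters in names) are Azure's general tag limits, stated here as assumptions.

```powershell
# Added example. Limits below are Azure's general tag limits, stated as assumptions.
$MaxTags = 50; $MaxNameLen = 512; $MaxValueLen = 256
$BadNameChars = '[<>%&\\?/]'          # characters Azure rejects in tag names

function Test-TagString {
    param([string]$TagString)

    $problems = [System.Collections.Generic.List[string]]::new()
    if ([string]::IsNullOrWhiteSpace($TagString)) { return ,$problems }   # no tags to apply
    if ($TagString.TrimEnd().EndsWith(';')) { $problems.Add('trailing semicolon') }

    $seen  = @{}                        # hashtable keys are case-insensitive, like tag names
    $pairs = @($TagString.Trim().TrimEnd(';') -split ';')
    if ($pairs.Count -gt $MaxTags) { $problems.Add("more than $MaxTags tags") }

    foreach ($pair in $pairs) {
        $name, $value = $pair -split '=', 2          # split on the first '=' only
        $name = $name.Trim()
        if ($null -eq $value)               { $problems.Add("'$pair' has no '='"); continue }
        if ($name.Length -eq 0)             { $problems.Add("'$pair' has an empty name"); continue }
        if ($name.Length -gt $MaxNameLen)   { $problems.Add("name '$name' is too long") }
        if ($value.Length -gt $MaxValueLen) { $problems.Add("value of '$name' is too long") }
        if ($name -match $BadNameChars)     { $problems.Add("name '$name' has a reserved character") }
        if ($seen.ContainsKey($name))       { $problems.Add("duplicate name '$name'") }
        $seen[$name] = $true
    }
    return ,$problems
}

# Constructed sample rows in the inventory layout (only the columns used here).
$inventory = @'
RESOURCE_NAME,TAGS
vm-app-01,env=prod;owner=platform
stg-logs-01,env=dev;
kv-core-01,env=prod;Env=test;cost/centre=42
'@ | ConvertFrom-Csv

# Collect the rows that must be fixed before the tagging script is run.
$rejected = foreach ($row in $inventory) {
    $problems = Test-TagString $row.TAGS
    if ($problems.Count -gt 0) {
        [pscustomobject]@{ Resource = $row.RESOURCE_NAME; Problems = $problems -join ' | ' }
    }
}
$rejected | Format-Table -AutoSize
```

To check a real inventory, replace the constructed rows with the output of Import-Csv on the file written by the discovery script.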

Creating the Azure Service Principal

Here, we will create a service principal and assign it permissions on the Azure subscriptions, so that we can use this service principal to connect to the subscriptions via Connect-AzAccount and apply the tags.

STEP 1: Open the Azure Active Directory and click the New Registration button.

STEP 2: Now, fill in the service principal’s name, Supported account types, and Redirect URI. Then press the Register button to create the service principal.

STEP 3: Note the application ID, as we will use it in the following script.

STEP 4: Now, create a secret and specify the expiration duration.

STEP 5: Note the secret, as we will need it in the PowerShell script.

In the above section, you created the service principal and secret. Now, we will assign Contributor rights on all subscriptions where you want to tag resources. These subscriptions are listed in the discovery Excel file.

STEP 1: Go to the subscription and add the role assignment.

STEP 2: Now, select the Privileged administrator roles radio button.

STEP 3: Here, select the Contributor role.

STEP 4: Select the user, group, or service principal radio button because we will have to use the service principal created in the earlier step.

STEP 5: Here, you can search and select the service principal name created earlier.

STEP 6: Now, we will select the service principal name and assign the permission.

We have noted down the service principal ID and client secret, so we will use them in the following script.

Azure Resource Tagging

Run this script to apply the tags from the inventory file. As written, it covers the case where tags need to be applied to resources in a single subscription.

# Placeholder values. Supply the real secret at run time (for example from a prompt or a vault)
# rather than saving it in the script.
$tenant = "your tenant id"
$ApplicationId = "your service principal id"
$SecuredPassword = ConvertTo-SecureString -String "Service Principal secret" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecuredPassword

# Converts "key1=value1;key2=value2" into a hashtable for Update-AzTag.
function Create-tagHashTable {
    param(
        [Parameter(Mandatory=$true)]
        [string]$tagsStrings
    )
    $ht = @{}
    foreach ($pair in ($tagsStrings -split ';')) {
        # Ignore empty pairs, e.g. from a trailing semicolon.
        if ([string]::IsNullOrWhiteSpace($pair)) { continue }
        # Split on the first '=' only, so values may contain '='.
        $key, $value = $pair -split '=', 2
        $ht[$key.Trim()] = $value
    }
    return $ht
}

$date = Get-Date -UFormat "%m-%d-%y"
$currentDir = $(Get-Location).Path
# Same file name that the discovery script writes. It carries today's date,
# so this expects an inventory produced today.
$csvFile = Import-Csv -Path "$($currentDir)\List_Of_All_Azure_Resources_Inventory_$($date).csv"
# Loop through each row in the CSV file
foreach ($row in $csvFile) {
    # Get the resource information from the row
    $subscriptionName = $row.SUBSCRIPTION_NAME
    $subscriptionId = $row.SUBSCRIPTION_ID
    $resourceGroupName = $row.RESOURCE_GROUP_NAME
    $resourceName = $row.RESOURCE_NAME
    $resourceType = $row.RESOURCE_TYPE
    $tags = $row.TAGS

    # Rows without tags have nothing to apply.
    if ([string]::IsNullOrWhiteSpace($tags)) { continue }

    # This connects to the specific subscription with the service principal created earlier.
    Connect-AzAccount -ServicePrincipal -Subscription $subscriptionId -Credential $Credential -Tenant $tenant | Out-Null
    $TagsHashTable = Create-tagHashTable -tagsStrings $tags

    $resource = Get-AzResource -ResourceGroupName $resourceGroupName -Name $resourceName -ResourceType $resourceType
    if (-not $resource) {
        Write-Warning "Resource $resourceName not found in $resourceGroupName; skipping."
        continue
    }
    # Merge adds new tags and updates the value of an existing tag, for example Country=USA to Country=Canada
    Update-AzTag -ResourceId $resource.ResourceId -Tag $TagsHashTable -Operation Merge
}

What if I have multiple subscriptions and tags need to be applied to multiple subscriptions?
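
One way to handle that case, shown as an added example rather than the author's script: sign in once, group the inventory rows by subscription, and switch context once per subscription instead of reconnecting for every row. The environment variable names AZ_TENANT_ID, AZ_APP_ID and AZ_APP_SECRET are hypothetical, and the example assumes the service principal holds a role that can write tags on each subscription (the Contributor role assigned above, or the narrower built-in Tag Contributor role).

```powershell
# Added example. AZ_TENANT_ID, AZ_APP_ID and AZ_APP_SECRET are hypothetical variable names;
# the secret is read from the environment so it is never saved in the script.
$secret     = ConvertTo-SecureString -String $env:AZ_APP_SECRET -AsPlainText -Force
$credential = [pscredential]::new($env:AZ_APP_ID, $secret)
Connect-AzAccount -ServicePrincipal -Tenant $env:AZ_TENANT_ID -Credential $credential | Out-Null

$date = Get-Date -UFormat "%m-%d-%y"
$path = Join-Path (Get-Location).Path "List_Of_All_Azure_Resources_Inventory_$date.csv"
$rows = Import-Csv -Path $path

# Subscriptions the service principal can actually see; anything else in the file is skipped.
$allowed = @((Get-AzSubscription).Id)

foreach ($group in ($rows | Group-Object -Property SUBSCRIPTION_ID)) {
    if ($group.Name -notin $allowed) {
        Write-Warning "Skipping subscription $($group.Name): not visible to the service principal"
        continue
    }
    Set-AzContext -SubscriptionId $group.Name | Out-Null    # one context switch per subscription

    foreach ($row in $group.Group) {
        if ([string]::IsNullOrWhiteSpace($row.TAGS)) { continue }

        # key=value pairs separated by ';', split on the first '=' only
        $tagTable = @{}
        foreach ($pair in ($row.TAGS -split ';' | Where-Object { $_.Trim() })) {
            $key, $value = $pair -split '=', 2
            $tagTable[$key.Trim()] = $value
        }

        $resource = Get-AzResource -ResourceGroupName $row.RESOURCE_GROUP_NAME `
            -Name $row.RESOURCE_NAME -ResourceType $row.RESOURCE_TYPE -ErrorAction SilentlyContinue
        if (-not $resource) {
            Write-Warning "Not found: $($row.RESOURCE_NAME) in $($row.RESOURCE_GROUP_NAME)"
            continue
        }
        Update-AzTag -ResourceId $resource.ResourceId -Tag $tagTable -Operation Merge | Out-Null
    }
}
```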

Tag Validation

Once the script has run successfully, we can validate the tags by selecting Tags in the portal. You will see the tags you applied.

You can also go to an individual resource to see its tags.

Conclusion

The solution provided in the blog not only makes the entire tagging process easier but also gives you full control over which subscription resources you want to tag. Additionally, it allows you to maintain an inventory of your resources along with their associated tags, and apply the tags you want. Ultimately, tagging Azure resources can be a time-consuming task, but this solution can save time and improve accuracy. Utilizing this solution for group resource management can be advantageous for your organization and its IT infrastructure.
