
Apply tags to Resource Group during Hubs deployment

Open SCuffy opened this issue 1 year ago • 3 comments

📝 Scenario

The Deploy to Azure button for FinOps Hubs presents the Azure portal tab to set Tags, but these only get applied to the Resources, not the Resource Group, even if you create a new RG as part of the deployment.

💎 Solution

Add a step to retrofit the tags to the RG too (new or existing), after it has been created.

â„šī¸ Additional context

In order to do this, we'll need to update the following:

  1. Add "Microsoft.Resources/resourceGroups" to the list of taggable resources in src/templates/finops-hub/createUiDefinition.json
  2. In src/templates/finops-hub/modules/hub.bicep, create a new deployment script that tags the resource group
    • Add a new section under Key Vault that includes a new managed identity, role assignment, and deployment script (you can copy what's in storage.bicep)
    • Assign the Resource Group Contributor role to the managed identity
    • Pass the tags in as an environment variable:
      contains(tagsByResource, 'Microsoft.Resources/resourceGroups') ? tagsByResource['Microsoft.Resources/resourceGroups'] : {})
      
    • Create a script in src/templates/finops-hub/modules/scripts/Tag-ResourceGroup.ps1
    • In the script, check to see if there is a tag to add and don't do anything if there isn't
  3. Update the docs/finops-hub/template.md file:
    • Add a note about the Resource Group Contributor access being required only if a resource group tag is applied in the tagsByResource variable.
    • Could you also add the tagsByResource parameter to the Parameters section? Get the description from hub.bicep.
    • Add the managed identity to the list.
  4. Don't forget to update docs/changelog.md

To test, run the local deployment script from PowerShell:

. src/scripts/Deploy-Toolkit.ps1 finops-hub -Build

đŸ™‹â€â™€ī¸ Ask for the community

We could use your help:

  1. Please vote this issue up (👍) to prioritize it.
  2. Leave comments to help us solidify the vision.

SCuffy, Feb 07 '24 02:02
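
A sketch of the Tag-ResourceGroup.ps1 script described in step 2 above, as an added example that is not part of the original issue or the toolkit's code. The environment variable names ResourceGroupName and ResourceGroupTags and the helper ConvertTo-TagTable are assumptions; the script needs the Az.Resources module and an authenticated context, as it would have inside a deployment script.

```powershell
# Added example, not the toolkit's own Tag-ResourceGroup.ps1.
# Assumed (hypothetical) environment variables set by the deployment script resource:
#   ResourceGroupName  - name of the resource group to tag
#   ResourceGroupTags  - JSON object of tags; constructed sample: '{"CostCenter":"1234"}' or '{}'
$ErrorActionPreference = 'Stop'

function ConvertTo-TagTable {
    # Parses the JSON as data only (no Invoke-Expression) and returns a flat
    # string-to-string hashtable. Empty input or '{}' yields an empty table.
    param([string] $Json)

    if ([string]::IsNullOrWhiteSpace($Json)) { return @{} }

    $parsed = $Json | ConvertFrom-Json -AsHashtable   # -AsHashtable needs PowerShell 6+
    if ($parsed -isnot [System.Collections.IDictionary]) {
        throw 'ResourceGroupTags must be a JSON object of tag names and values.'
    }

    $tags = @{}
    # GetEnumerator() avoids key/property shadowing (e.g. a tag literally named "Keys").
    foreach ($entry in $parsed.GetEnumerator()) {
        if ($entry.Value -is [System.Collections.IDictionary] -or $entry.Value -is [array]) {
            throw "Tag '$($entry.Key)' has a non-scalar value; tags must be simple strings."
        }
        $tags[[string] $entry.Key] = [string] $entry.Value
    }
    return $tags
}

$tags = ConvertTo-TagTable -Json $env:ResourceGroupTags

# Nothing to add: exit without touching the resource group.
if ($tags.psbase.Count -eq 0) {
    Write-Output 'No resource group tags supplied; nothing to do.'
    return
}

$rg = Get-AzResourceGroup -Name $env:ResourceGroupName

# Merge keeps tags already on the resource group (for example, ones applied by
# policy) and only adds or updates the supplied keys; Replace would wipe the rest.
Update-AzTag -ResourceId $rg.ResourceId -Tag $tags -Operation Merge | Out-Null

# Surface what was applied in the deployment script outputs.
$DeploymentScriptOutputs = @{ appliedTags = (@($tags.psbase.Keys) -join ',') }
```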

Were there some additional resource types in addition to the RG and the resources in the template? (Maybe via the scripts) I'm sure our tagging policies picked up more, and I made an exclusion on the RG to cover it. I made the RG in advance.

psilantropy, Feb 07 '24 19:02

Deployment creates:

  • Data factory (tagged)
  • Managed Identity x2 (tagged)
  • Key vault (tagged)
  • Storage account (tagged)
  • Event grid system topic (NOT tagged)
  • Deployment scripts (only deleteOldResources does not inherit custom tags)

And my new RG doesn't get tagged.

SCuffy, Feb 08 '24 06:02

FYI - I'll add this to the 0.2.1 release in hopes that it can be a quick change. I may need to push it to 0.3 since I don't want to delay 0.2.1 given the bug in 0.2. Here's to a productive weekend... 🤞

flanakin, Feb 09 '24 11:02