Open AErmie opened 1 week ago
Manually applied the "Inherit a tag from the subscription" policy in FORGE to the Landing Zone root level.
[!NOTE] Reference documentation:
Within that policy assignment, we can specify exactly which tag(s) we want it to inherit (it's not an all-or-none approach). So I tested with just the `account_coding` tag.
Since there were existing resources, I had to manually create/trigger a Remediation Task (as the automatic one didn't work for some reason). The task ran fairly quickly, and as you can see, remediated appropriately. The failed resources are VM extensions, as the VM apparently needs to be running for the tag to be applied (to the extension, not the VM itself).
Created a custom Policy Initiative (aka "policy set"), while including 3 instances of the built-in Inherit a tag from the subscription policy (one per desired tag to inherit, namely `account_coding`, `billing_group`, and `ministry_name`).
While the Policy Initiative was successfully created, along with 3 instances of the built-in policy, even though the individual policy definition associations within the initiative specified different parameter values, the end result was that each instance only used the first parameter defined (i.e. the value for `InheritTag-Account-Coding`, which is `account_coding`).
```json
"policyDefinitions": [
  {
    "policyDefinitionReferenceId": "Inherit the Account Coding tag from the subscription",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b27a0cbd-a167-4dfa-ae64-4337be671140",
    "parameters": {
      "tagName": {
        "value": "[parameters('InheritTag-Account-Coding')]"
      }
    },
    "groupNames": []
  },
  {
    "policyDefinitionReferenceId": "Inherit the Billing Group tag from the subscription",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b27a0cbd-a167-4dfa-ae64-4337be671140",
    "parameters": {
      "tagName": {
        "value": "[parameters('InheritTag-Billing-Group')]"
      }
    },
    "groupNames": []
  },
  {
    "policyDefinitionReferenceId": "Inherit the Ministry Name tag from the subscription",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b27a0cbd-a167-4dfa-ae64-4337be671140",
    "parameters": {
      "tagName": {
        "value": "[parameters('InheritTag-Ministry-Name')]"
      }
    },
    "groupNames": []
  }
]
```
This may be due to referencing the same policy definition ID (i.e. `/providers/Microsoft.Authorization/policyDefinitions/b27a0cbd-a167-4dfa-ae64-4337be671140`), and we may therefore need to create 3 custom policy definitions instead.
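One way to check which `tagName` each reference in the initiative above actually resolves to, as an added example that is not part of the original issue or of FORGE's code. The initiative-level `parameters` block and its default values are constructed for illustration (the issue does not show them), and the function names are hypothetical.

```python
import re
from collections import defaultdict

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def effective_tag_names(initiative, assignment_params=None):
    """Map each policyDefinitionReferenceId to the tagName value it receives."""
    assignment_params = assignment_params or {}
    declared = initiative.get("parameters", {})
    resolved = {}
    for ref in initiative["policyDefinitions"]:
        raw = ref["parameters"]["tagName"]["value"]
        match = PARAM_REF.match(raw)
        if match is None:
            value = raw  # literal tag name, used as written
        else:
            name = match.group(1)
            if name in assignment_params:  # assignment value wins over default
                value = assignment_params[name]["value"]
            else:  # fall back to the initiative default; None if there is none
                value = declared.get(name, {}).get("defaultValue")
        resolved[ref["policyDefinitionReferenceId"]] = value
    return resolved

def collisions(resolved):
    """Return tag names shared by several references, plus unresolved ones (None)."""
    by_value = defaultdict(list)
    for ref_id, value in resolved.items():
        by_value[value].append(ref_id)
    return {v: ids for v, ids in by_value.items() if v is None or len(ids) > 1}

# Constructed sample. Reference IDs, parameter names and the definition ID are
# from the issue; the "parameters" block and its defaults are assumptions.
BUILTIN = "/providers/Microsoft.Authorization/policyDefinitions/b27a0cbd-a167-4dfa-ae64-4337be671140"
NAMES = {"Account Coding": "InheritTag-Account-Coding",
         "Billing Group": "InheritTag-Billing-Group",
         "Ministry Name": "InheritTag-Ministry-Name"}
SAMPLE = {
    "parameters": {p: {"type": "String", "defaultValue": "account_coding"}
                   for p in NAMES.values()},
    "policyDefinitions": [
        {"policyDefinitionReferenceId": f"Inherit the {label} tag from the subscription",
         "policyDefinitionId": BUILTIN,
         "parameters": {"tagName": {"value": f"[parameters('{p}')]"}},
         "groupNames": []}
        for label, p in NAMES.items()],
}

if __name__ == "__main__":
    for tag, refs in collisions(effective_tag_names(SAMPLE)).items():
        print(f"{tag!r} is the effective tagName for {len(refs)} references")
```

Running the same check against the exported initiative and the values supplied at assignment time shows whether the three references receive distinct tag names before any custom policy definitions are written.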
As part of leveraging the FinOps Toolkit for cost reporting (see: Implementation of FinOps Toolkit / Cost Reporting), we need to look into applying and using tag inheritance.
This will ensure that tags applied at a Subscription level will also be applied at the Resource Group level, and subsequently at the Resource level. This will enable us to be able to filter cost data by these tags.
Acceptance Criteria
[ ] Scenario: Tag inheritance is enabled for cost reporting
[x] Scenario: Cost data can be filtered by tags after tag inheritance is enabled
[ ] Scenario: Required permissions are addressed for tag inheritance implementation