microsoft / finops-toolkit

Tools and resources to help you adopt and implement FinOps capabilities that automate and extend the Microsoft Cloud.
https://aka.ms/finops/toolkit
MIT License

Apply tags to Resource Group during Hubs deployment #586

Open SCuffy opened 8 months ago

SCuffy commented 8 months ago

📝 Scenario

The Deploy to Azure button for FinOps Hubs presents the Azure portal tab to set Tags, but these only get applied to the Resources, not the Resource Group, even if you create a new RG as part of the deployment.

💎 Solution

Add a step to retrofit the tags to the RG too (new or existing), after it has been created.

ℹ️ Additional context

In order to do this, we'll need to update the following:

  1. Add "Microsoft.Resources/resourceGroups" to the list of taggable resources in src/templates/finops-hub/createUiDefinition.json
  2. In src/templates/finops-hub/modules/hub.bicep, create a new deployment script that tags the resource group
    • Add a new section under Key Vault that includes a new managed identity, role assignment, and deployment script (you can copy what's in storage.bicep)
    • Assign the Resource Group Contributor role to the managed identity
    • Pass the tags in as an environment variable:
      contains(tagsByResource, 'Microsoft.Resources/resourceGroups') ? tagsByResource['Microsoft.Resources/resourceGroups'] : {}
    • Create a script in src/templates/finops-hub/modules/scripts/Tag-ResourceGroup.ps1
    • In the script, check to see if there is a tag to add and don't do anything if there isn't
  3. Update the docs/finops-hub/template.md file:
    • Add a note about the Resource Group Contributor access being required only if a resource group tag is applied in the tagsByResource variable.
    • Could you also add the tagsByResource parameter to the Parameters section? Get the description from hub.bicep.
    • Add the managed identity to the list.
  4. Don't forget to update docs/changelog.md

To test, run the local deployment script from PowerShell:

. src/scripts/Deploy-Toolkit.ps1 finops-hub -Build

🙋‍♀️ Ask for the community

We could use your help:

  1. Please vote this issue up (👍) to prioritize it.
  2. Leave comments to help us solidify the vision.
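
A sketch of what the tagging script from step 2 could look like, added here as an example and not taken from the issue author or the toolkit repository. It assumes the deployment script passes the tags as a JSON string in an environment variable named resourceGroupTags and the target group in resourceGroupName (both names are assumptions), and it does nothing when no tags were supplied:

```powershell
# Tag-ResourceGroup.ps1 (hypothetical implementation for this issue, not the toolkit's own file)
# Assumed environment variables set by the deployment script resource in hub.bicep:
#   resourceGroupName - name of the hub resource group
#   resourceGroupTags - JSON object of tags, e.g. {"env":"prod"}; may be empty or "{}"
param(
    [string]$ResourceGroupName = $env:resourceGroupName,
    [string]$TagsJson = $env:resourceGroupTags
)

$ErrorActionPreference = 'Stop'

# Step 2 asks the script to do nothing when there is no tag to add.
if ([string]::IsNullOrWhiteSpace($TagsJson) -or $TagsJson.Trim() -in @('{}', 'null')) {
    Write-Output 'No resource group tags specified. Nothing to do.'
    return
}

# Parse the JSON object into a hashtable (-AsHashtable requires PowerShell 7, which
# Azure deployment scripts use for the AzPowerShell kind).
$tags = ConvertFrom-Json -InputObject $TagsJson -AsHashtable
if ($null -eq $tags -or $tags.Count -eq 0) {
    Write-Output 'No resource group tags specified. Nothing to do.'
    return
}

$rg = Get-AzResourceGroup -Name $ResourceGroupName

# Merge rather than replace so tags already set by policy or operators on an
# existing resource group are preserved.
Update-AzTag -ResourceId $rg.ResourceId -Tag $tags -Operation Merge | Out-Null
Write-Output "Applied $($tags.Count) tag(s) to resource group '$ResourceGroupName'."
```

The managed identity running this script only needs permission to write tags on the resource group, so scope its role assignment to that group rather than the subscription.
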

psilantropy commented 8 months ago

Were there some additional resource types in addition to the RG and the resources in the template? (Maybe via the scripts) I'm sure our tagging policies picked up more, and I made an exclusion on the RG to cover it. I made the RG in advance.

SCuffy commented 7 months ago

Deployment creates:

  • Data factory (tagged)
  • Managed Identity x2 (tagged)
  • Key vault (tagged)
  • Storage account (tagged)
  • Event grid system topic (NOT tagged)
  • Deployment scripts (only deleteOldResources does not inherit custom tags)

And my new RG doesn't get tagged.

flanakin commented 7 months ago

FYI - I'll add this to the 0.2.1 release in hopes that it can be a quick change. I may need to push it to 0.3 since I don't want to delay 0.2.1 given the bug in 0.2. Here's to a productive weekend... 🤞