turbot / steampipe-mod-azure-tags

Is your Azure tagging strategy following best practice? This mod checks if your Azure resource tags are set correctly to help you manage them effectively using Powerpipe and Steampipe.
https://hub.powerpipe.io/mods/turbot/azure_tags
Apache License 2.0
6 stars 3 forks source link
azure hacktoberfest powerpipe powerpipe-mod steampipe steampipe-mod tagging tags

Azure Tags Mod for Powerpipe

An Azure tags checking tool that can be used to look for untagged resources, missing tags, resources with too many tags, and more.

Run checks in a dashboard:

image

Or in a terminal:

image

Documentation

Getting Started

Installation

Install Powerpipe (https://powerpipe.io/downloads), or use Brew:

brew install turbot/tap/powerpipe

This mod also requires Steampipe with the Azure plugin as the data source. Install Steampipe (https://steampipe.io/downloads), or use Brew:

brew install turbot/tap/steampipe
steampipe plugin install azure

Steampipe will automatically use your default Azure and Azure Active Directory credentials. Optionally, you can setup multiple subscriptions for Azure or customize Azure credentials.

Finally, install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-tags

Browsing Dashboards

Start Steampipe as the data source:

steampipe service start

Start the dashboard server:

powerpipe server

Browse and view your dashboards at http://localhost:9033.

Running Checks in Your Terminal

Instead of running benchmarks in a dashboard, you can also run them within your terminal with the powerpipe benchmark command:

List available benchmarks:

powerpipe benchmark list

Run a benchmark:

powerpipe benchmark run azure_tags.benchmark.limit

Different output formats are also available, for more information please see Output Formats.

Configure Variables

Several benchmarks have input variables that can be configured to better match your environment and requirements. Each variable has a default defined in its source file, e.g., controls/limit.sp, but these can be overridden in several ways:

It's easiest to setup your vars file, starting with the sample:

cp powerpipe.ppvars.example powerpipe.ppvars
vi powerpipe.ppvars

Alternatively you can pass variables on the command line:

powerpipe benchmark run azure_tags.benchmark.mandatory --var 'mandatory_tags=["Application", "Environment", "Department", "Owner"]'

Or through environment variables:

export PP_VAR_mandatory_tags='["Application", "Environment", "Department"]'
powerpipe benchmark run azure_tags.benchmark.mandatory

These are only some of the ways you can set variables. For a full list, please see Passing Input Variables.

Remediation

Using the control output and the Azure CLI, you can remediate various tagging issues.

For instance, with the results of the compute_virtual_machine_mandatory control, you can add missing tags with the Azure CLI:

#!/bin/bash

OLDIFS=$IFS
IFS='#'

INPUT=$(powerpipe control run compute_virtual_machine_mandatory --var 'mandatory_tags=["Application"]' --output csv --header=false --separator '#' | grep 'alarm')
[ -z "$INPUT" ] && { echo "No virtual machines in alarm, aborting"; exit 0; }

while read -r group_id title description control_id control_title control_description reason resource status resource_group subscription
do
  az tag create --resource-id ${resource} --tags Application=MyApplication
done <<< "$INPUT"

IFS=$OLDIFS

To remove prohibited tags from Compute virtual machines:

#!/bin/bash

OLDIFS=$IFS
IFS='#'

INPUT=$(powerpipe control run compute_virtual_machine_prohibited --var 'prohibited_tags=["Password"]' --output csv --header=false --separator '#' | grep 'alarm')
[ -z "$INPUT" ] && { echo "No virtual machines in alarm, aborting"; exit 0; }

while read -r group_id title description control_id control_title control_description reason resource status resource_group subscription
do
  az tag delete --resource-id ${resource} --name Password --yes
done <<< "$INPUT"

IFS=$OLDIFS

Open Source & Contributing

This repository is published under the Apache 2.0 license. Please see our code of conduct. We look forward to collaborating with you!

Steampipe and Powerpipe are products produced from this open source software, exclusively by Turbot HQ, Inc. They are distributed under our commercial terms. Others are allowed to make their own distribution of the software, but cannot use any of the Turbot trademarks, cloud services, etc. You can learn more in our Open Source FAQ.

Get Involved

Join #powerpipe on Slack →

Want to help but don't know where to start? Pick up one of the help wanted issues: