Updating Azure Tags Automatically

In my last post I looked at how you can require tags on Resource Groups and enforce tag inheritance on the resources contained within them. But an interesting question was raised on the other side of that – what happens if you need to update those tags, and how do you ensure the updated tags get passed down to the resources? Well, turns out this is pretty easy as well.

Manually, the process would look something like the following:
– Update tags on Resource Group
– Create remediation task on the inheritance policy, scoped to the Resource Group

Through code, it could look like this:

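$PolicyName = "Inheritance Policy Name"
$RSG = "rg-TagTester"
$newTagValue = "100"

# Read the current tags; start from an empty table if the group has none yet
$tags = (Get-AzResourceGroup -Name $RSG).Tags
if (-not $tags) { $tags = @{} }
$tags.costcenter = $newTagValue

# Write the updated tag set back to the Resource Group
Get-AzResourceGroup -Name $RSG | Set-AzResourceGroup -Tag $tags

# Remediate the inheritance policy, scoped to this Resource Group only
Start-AzPolicyRemediation -Name "TagUpdateProcess" -PolicyAssignmentId (Get-AzPolicyAssignment -Name $PolicyName).PolicyAssignmentId -ResourceGroupName $RSG -ResourceDiscoveryMode ReEvaluateCompliance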

In the above code block we simply get all the tags for the resource group and update the costcenter tag to equal the new value. We then set the tags on the Resource Group equal to the new values we’ve just set, and the last line initiates a Policy Remediation task scoped very specifically to the Resource Group we just changed.
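As an added example (not code from the original post), the same update can be followed by a check that the remediation actually finished and that every resource picked up the new value. It reuses the sample names above; the timestamped remediation name, the 30-minute timeout, and the use of Update-AzTag with a Merge operation in place of rewriting the whole tag table are choices made for this example.

```powershell
# Added example: update one tag, remediate, then verify inheritance.
$PolicyName  = "Inheritance Policy Name"   # sample value from the post
$RSG         = "rg-TagTester"              # sample value from the post
$TagName     = "costcenter"
$newTagValue = "100"

$rg = Get-AzResourceGroup -Name $RSG -ErrorAction Stop

# Merge touches only the named tag and works when the group has no tags yet.
Update-AzTag -ResourceId $rg.ResourceId -Tag @{ $TagName = $newTagValue } -Operation Merge | Out-Null

# PolicyAssignmentId is the property name used in the post's code.
$assignment = Get-AzPolicyAssignment -Name $PolicyName -ErrorAction Stop

# A unique name per run keeps each remediation task separately traceable.
$remediationName = "TagUpdate-{0:yyyyMMddHHmmss}" -f (Get-Date)
$remediation = Start-AzPolicyRemediation -Name $remediationName `
    -PolicyAssignmentId $assignment.PolicyAssignmentId `
    -ResourceGroupName $RSG `
    -ResourceDiscoveryMode ReEvaluateCompliance

# Poll until the task reaches a terminal state or the timeout expires.
$terminal = 'Succeeded', 'Failed', 'Canceled', 'Complete'
$deadline = (Get-Date).AddMinutes(30)
while ($remediation.ProvisioningState -notin $terminal -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 30
    $remediation = Get-AzPolicyRemediation -Name $remediationName -ResourceGroupName $RSG
}
if ($remediation.ProvisioningState -ne 'Succeeded') {
    Write-Warning "Remediation '$remediationName' ended in state '$($remediation.ProvisioningState)'."
}

# List resources whose tag still differs from the Resource Group's value.
# Resource types that do not support tags will also show up here.
$stale = Get-AzResource -ResourceGroupName $RSG |
    Where-Object { $_.Tags.$TagName -ne $newTagValue } |
    Select-Object Name, ResourceType, @{ n = $TagName; e = { $_.Tags.$TagName } }

if ($stale) {
    Write-Warning "$(@($stale).Count) resource(s) did not inherit $TagName=$newTagValue"
    $stale | Format-Table -AutoSize
} else {
    Write-Output "All resources in $RSG carry $TagName=$newTagValue"
}
```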

Deconstructing a process into its individual steps can help lay out a process for full end-to-end automation. If you had ServiceNow available, for example, you could build a Self Service form that allows an end user to select a specific Resource Group and Subscription (pulled directly from Azure of course) and then enter updated tag values. With the code block above as a guide, you could then build a workflow that updates the tags and initiates a remediation task. Just one way to slice the pie…
