We have a requirement to force certain tags to our azure resources. Some tags which we need to enforce from subscription level say(eg: st1=st1, st2=st2..), But some are needed to be resourcegroup level(rt1-rt1, rt2=rt2..) and others are to specific resource type (like, aks, appservice, storage account).
By going through the MS doc I found that this can be achieved using azure policy. So the plan is to create azure policy with allowed tags and tag values which need to be enforced on
i) in subscription level
2) resource group level
3) Resource type wise
4) and for other remaining app specific tags to the resources use "az tag update" command.
We need to use automated solution to achieve all these with Azurepipleine and shell commands or scripts as we have only linux machines.
so for the 4th point i got some working pipeline solution to add the app specific tags to the resource level.
But for the requirements 1 to 3, will there any arm or script already available , so that we can integrate them with our azurepipelines.
Any automated solution or suggestion you already tried on this?
update on 12/12
As this docs for Use Tags to organize your azure resources sharing to us, you could use rest api or sdk to add the tags for your resource.
And for the loop for giving the resources with the tags from the resource groups. You could look into this potential workaround for reference. Bash Script
Related
We manage an Azure subscription operated by several countries. Each of them is quite independant about they can do (create/edit/remove resources). A guide of good practices has been sent to them, but we (security team) would like to ensure a set of NSG is systematically applied for every new subnet/vnet created.
Giving a look to Azure Triggers, I am not sure that subnet creation belongs to the auditable events. I also was told to give a look to Azure policy, but once again I am not sure this will match our expectations which are : For every new vnet/subnet, automatically apply a set of predefined NSG.
Do you have any idea about a solution for our need ?
I have done work like this in the past (not this exact issue) and the way I solved it was with an Azure Function that walked the subscription and looked for these kinds of issues. You could have the code run as a Managed Identity with Reader rights on the subscription to report issues, or as a Contributor to update the setting. Here's some code that shows how you could do this with PowerShell https://github.com/Azure/azure-policy/tree/master/samples/Network/enforce-nsg-on-subnet
You could consider using a Policy that has a DeployIfNotExists Action, to deploy an ARM template that contains all the data for the NSG. https://learn.microsoft.com/en-us/azure/governance/policy/samples/pattern-deploy-resources
You can get the ARM template by creating the NSG and getting the template:
GettingNSGTemplate
Note also that creating a subnet is audited, you can see it in the Activity Log for the VNet. See the screen shot.
AddingASubnet
Given that managed resource groups are mandatory for creating an Azure Databricks cluster, is there any way that I can tag the resource group in order to comply with the tagging policy on my subscription?
I am using the template here to deploy my resources.
Based on the post I found:,
Since Feb 10 2020, the Databricks resource will propagate any tags applied to the Databricks resource to the managed resources it created.
I think the solution is more simpler now by tagging Databricks resource directly.
Hope this answer (by others) works for everyone seeing this post.
Any tags that you use when creating the Databricks workspace will be used for the managed resource group as well so just make sure you add the needed tags to the workspace when creating it. I know this works when creating the workspace from the Azure Portal but I can't see any reason this wouldn't work when using ARM templates (or Terraform for that matter).
Also, I'm also pretty sure that future changes will be propagated to said resource group.
I am trying to understand how can I run a python application inside azure container that can spin up various resources like VM, route-table inside resource group of Azure.
http://azure-sdk-for-python.readthedocs.io/en/latest/
Looks like the examples provided in azure python sdk sets authentication stuff like credentials, subscription ID, etc.
Is there a way to avoid setting up of this information by using Role Based Access Control ? What if I provide container an Contributor access to the resource group, in that case, would i able to avoid setting up authentication variables and still achieve creating resources or atleast read/access resources in resource group ?
No, how do you think that would work? In order to be able to create\read\modify resources you need permissions (else anyone would be able to do that). There is no way to do that without some sort of Auth.
I am trying to find a way to retrieve the JSON version of an Azure Resource Group that I created in the portal. I've looked through all the PowerShell documentation, tried scraping JSON from the portal, all to no avail. There are some earlier questions that state that it isn't supported, but they are all fairly old (in terms of Azure feature release speed).
Is there any way to get the JSON for a Resource Group created in the Portal UI? Or is the template approach the only way to go?
While it is possible to retrieve the JSON for a resource group from the Azure Resource Explorer, there are some caveats you need to be aware of.
Resource Explorer is a tool that describes the current runtime configuration rather than the deployment configuration that a resource template does. While it is primarily the same language there are a number of subtle differences.
For instance resource explorer will tell you the IP address that is assigned to a NIC, which isn't something that is possible to assign from a template.
While they can be a good starting point for building resource templates you will need to go through them and clean out the extraneous information.
Personally my three calling points in building resource templates are
Azure Resource Explorer
Azure Quickstart Templates
Azure Resource Manager Schemas
Between the three of those you can usually put together some concise, powerful templates.
There is a feedback item that is 'under review' to allow for the creation of full ARM templates from existing resource groups.
You can use the Azure Resource Explorer to view the JSON representation of your Azure resources. The source code is also available on GitHub in case if you want to learn how it works: https://github.com/projectkudu/ARMExplorer
This is now available in the Azure portal, portal.azure.com. If you browse to a resource group in the portal, under "All settings" for the resource group, there is now an "Export template" option.
Looking at portal.azure.com as of 3/28/2016 it looks like the options have changed from some of the previous responses...
Go to portal.azure.com and log in
Click on "Resource Groups"
Click on "All Settings"
Click on "Deployments"
Click on the particular resource/deployment for which you want to create a template
Click on "Export Template" near the top of the tile/page.
Note: Some of the deployments may not give access to the "Export Template" button. For these, you will most likely see a "Template Link" in the resource summary which gives access to the generic template for that resource deployment.
After the new model was implemented, all of my websites now belong to individual Resource Groups called "Default-Web-East" and all of my SQL databases belong to individual Resource Groups called "Default-SQL-East".
This is confusing to say the least.
I would like to rename the groups to have some semantic meaning. I would also like to group the associated SQL database and Web Site in the same Resource Group.
However, I do not see anyway to do either. Is this possible?
1) Rename the Resource Group?
2) Combine an existing SQL DB and Website together into one Resource Group?
Edit: You can't rename an Azure Resource Group.
What you can do is move your resources to a new Resource Group instead. Moving all resources in Resource Group A to Resource Group B is the poor man's rename.
Unfortunately not all resource providers let you move resources between resource groups, and some that do might have strings attached that only let you move resources under certain conditions.
For Azure Web Apps (previously called Azure Websites) you can currently only move all the websites related resources in a single invocation. That "all websites related resources" means all resource under the provider "Microsoft.Web". This includes all websites, app hosting platforms, and certificates that are in the source resource group.
Via the portal
When viewing a group's resources, you can use the "Move" tab
Clicking the "Move" tab will show something this, allowing you to choose or create a new group:
Via Azure Powershell
The easiest way to do this is to use the Move-AzureRmResource powershell cmdlet.
The command would look like this:
Get-AzureRmResource -ResourceGroupName <sourceResourceGroupName> | Move-AzureRmResource -DestinationResourceGroupName <destResourceGroupName>
source: https://azure.microsoft.com/en-us/documentation/articles/resource-group-move-resources/
Via Rest API
The other way to do this is to use the MoveResource Rest API or with the ArmClient.
Here's the API call you'll want to make:
POST https://<endpoint>/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/moveResources?api-version={api-version}
Where {resourceGroupName} is the source resource group.
I'm pretty sure the endpoint should be "https://management.azure.com", but if you use the ArmClient the tool will just take care of the endpoint for you.
Request Body:
{
"targetResourceGroup": "/subscriptions/{subscriptionId}/resourceGroups/{targetResourceGroupNameName}",
"resources":
[
"/subscriptions/{id}/resourceGroups/{source}/providers/{namespace}/{type}/{name}",
"/subscriptions/{id}/resourceGroups/{source}/providers/{namespace}/{type}/{name}"
]
}
In addition to the main answer, Azure Portal has a feature of moving the Resources that is allowed to be moved to a new Resource group.
Go to your Resource Group that has Resources you want to move to an existing or a new created Resource Group.
Select the one, multiple or all (1) Resources you want to move and click on the Move (2) bottom as shown in image. (you can select moving to Resources with in the same subscription or to another subscription) A third option if you need just to change the Region) see the the figure at the end.
It will ask you to chose which Resource Group to move to.
Note: This process might take some time, be patient. When done, you
will see that the resource disappear from the old one and will be
found in the new one. That said some resources might be restricted
from been moved to other resources.
Move (Fixing) only region