Custom tags for workspace resource groups #4134

Closed
TonyWildish-BH opened this issue Nov 12, 2024 · 4 comments

@TonyWildish-BH

Is there a way to specify custom Azure tags per-workspace?

Description

I would like to create workspaces in the TRE where the Azure resource group has a custom tag applied to it. I.e., the tag name would be the same for all resource groups, but the tag value would differ.

This is mostly useful in terms of managing costs, monitoring and billing by project etc. So a typical example of a tag would be cost_centre = 12345 for project A, cost_centre = 54321 for project B, and so on. That said, there are other cases where we might want to add arbitrary tags to resource groups when they're created.

It looks to me like this isn't supported. Has anyone considered this before?

TonyWildish-BH added the `question` (Further information is requested) label on Nov 12, 2024
@tim-allen-ck
Collaborator

Hi @TonyWildish-BH, yes, we've done something similar for a customer.
The tag is created in a workspace then we used policy to add it to the resources within the RG.

@TonyWildish-BH
Author

Thanks for the quick answer Tim. Is there some code to go with this, or is it all done manually?

@tim-allen-ck
Collaborator

Here's the policy resource we used.
Outside of this we have a local, `local.custom_tags`, that builds a map of tags from some variables passed in from a customised porter template of the base workspace.

```hcl
resource "azurerm_policy_definition" "custom_tre_tags" {
  name         = "custom_tre_tags_${local.workspace_resource_name_suffix}"
  display_name = "Azure TRE ${local.workspace_resource_name_suffix}: Custom Tags"
  description  = "Add custom tags to all resources in TRE ${local.workspace_resource_name_suffix}"
  policy_type  = "Custom"
  mode         = "Indexed"

  metadata = <<METADATA
  {
    "category": "Tags",
    "version": "1.0.0"
  }
  METADATA

  policy_rule = jsonencode({
    "if" : {
      "allOf" : [
        {
          "field" : "tags['tre_workspace_id']",
          "equals" : var.tre_resource_id
        },
        {
          "anyOf" : [
            for tag_key, tag_value in local.custom_tags : {
              "field" : "tags['${tag_key}']",
              "notEquals" : tag_value
            }
          ]

        }
      ]
    },
    "then" : {
      "effect" : "modify",
      "details" : {
        "conflictEffect" : "audit",
        "roleDefinitionIds" : [
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "operations" : [
          for tag_key, tag_value in local.custom_tags : {
            "operation" : "addOrReplace",
            "field" : "tags['${tag_key}']",
            "value" : tag_value
          }
        ]
      }
    }
  })
}
```
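The policy definition above takes effect only once it is assigned with a managed identity, so here is a sketch of the surrounding Terraform as an added example (not code from the commenter or the Azure TRE project). It assumes a hypothetical `var.cost_centre` input, a workspace resource group addressed as `azurerm_resource_group.ws`, and resource labels chosen for illustration.

```hcl
# Added example; variable, resource-group address and labels are assumptions.

variable "cost_centre" {
  type        = string
  description = "Hypothetical value passed in from the customised porter template"
}

locals {
  # Hypothetical shape of the map the policy rule iterates over.
  # Keep it non-empty: the rule's "anyOf" and "operations" lists are built from it.
  custom_tags = {
    cost_centre = var.cost_centre
  }
}

# Assign the definition at the workspace resource group, not the subscription.
resource "azurerm_resource_group_policy_assignment" "custom_tre_tags" {
  name                 = "custom-tre-tags"
  resource_group_id    = azurerm_resource_group.ws.id
  policy_definition_id = azurerm_policy_definition.custom_tre_tags.id
  location             = azurerm_resource_group.ws.location

  # A "modify" effect is carried out by the assignment's managed identity.
  identity {
    type = "SystemAssigned"
  }
}

# The identity needs the role listed in roleDefinitionIds (that GUID is the
# built-in Contributor role). Grant it on this resource group only.
resource "azurerm_role_assignment" "custom_tre_tags" {
  scope                = azurerm_resource_group.ws.id
  role_definition_name = "Contributor"
  principal_id         = azurerm_resource_group_policy_assignment.custom_tre_tags.identity[0].principal_id
}

# Resources that already exist are re-tagged only by a remediation task.
resource "azurerm_resource_group_policy_remediation" "custom_tre_tags" {
  name                 = "custom-tre-tags-remediation"
  resource_group_id    = azurerm_resource_group.ws.id
  policy_assignment_id = azurerm_resource_group_policy_assignment.custom_tre_tags.id
  depends_on           = [azurerm_role_assignment.custom_tre_tags]
}
```

With `mode = "Indexed"` the policy evaluates resources that support tags and location, so the resource group object itself is not evaluated by this rule. The rule also matches only resources that already carry `tre_workspace_id`, which limits what the Contributor-level identity will modify.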

@TonyWildish-BH
Author

Thanks Tim, that looks very useful!
