Azure Policy Configuration

Azure Policy – Add Date/Time Resource Group Tag

Have you ever tried to figure out the creation date of a resource group in Azure? It is as difficult as it sounds easy. I needed a timestamp because I wanted to do some automation. So first I expected to see a timestamp in Azure Resource Graph. Well, this did not work, and a feature request is open. The second source for the creation date of a resource group (or any other resource) would be the Azure Activity Log. The problem there is that a gazillion events are logged, and it is troublesome to filter down to the right creation event. Another approach could be to send all Activity Logs to Log Analytics and write a Kusto query for the appropriate event. Well, yes, this would be easier, but still too complicated.

The final solution I came up with was to modify a built-in policy to create a custom policy definition that appends a tag to the resource group. If you are not familiar with the Azure Policy service, it is a great tool to govern your cloud infrastructure. There are more than 200 built-in policy definitions (and continuously growing!) available in Azure, which provide a broad range of settings to apply. In addition, we are able to build our own policy definitions to cover our needs. Because the options mentioned in the beginning did not solve my problem, I decided to set a timestamp on a resource group at creation time. Meaning, when a resource group gets created, a “creation date” tag should be attached to it.

Something like this…

…well I know, this is not rocket science, but hey it works. You can find the policy definition here in a single file. Just deploy the policy, and assign it to a management group or subscription…

You may think this timestamp looks odd and that we should format it so that only the date, and no time, is displayed. Well, there are some restrictions on the function “utcNow()” in policy definition files, as documented by Microsoft:

The following functions are available to use in a policy rule, but differ from use in an Azure Resource Manager template:

  • addDays(dateTime, numberOfDaysToAdd)
    • dateTime: [Required] string – String in the Universal ISO 8601 DateTime format ‘yyyy-MM-ddTHH:mm:ss.fffffffZ’
    • numberOfDaysToAdd: [Required] integer – Number of days to add
  • utcNow() – Unlike a Resource Manager template, this can be used outside defaultValue.
    • Returns a string that is set to the current date and time in Universal ISO 8601 DateTime format ‘yyyy-MM-ddTHH:mm:ss.fffffffZ’

…as far as I have tested, we cannot use any of the date/time formats used in a regular ARM template in a policy definition. It just throws an error…

…for my purpose it is sufficient, and in my next post we will see an example of why a “creation date” tag might be useful.
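
A minimal sketch of a definition of this kind, added here as an example and not the author's published file: it follows the pattern of the built-in append-tag policy for resource groups, with the tag value replaced by `utcNow()`. The default tag name `CreationDate`, the display name and the description text are assumptions.

```json
{
  "properties": {
    "displayName": "Append creation timestamp tag to resource groups (example)",
    "description": "Illustrative example, not the blog author's published definition. The default tag name is an assumption.",
    "policyType": "Custom",
    "mode": "All",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag name",
          "description": "Name of the tag that receives the timestamp"
        },
        "defaultValue": "CreationDate"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "append",
        "details": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "value": "[utcNow()]"
          }
        ]
      }
    }
  }
}
```

The `exists` condition keeps the rule from touching a resource group that already carries the tag; a group created before the policy was assigned and still lacking the tag receives the time of its next update request, not its original creation time.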

Find policy on GitHub

Hope this helps!

3 Replies to “Azure Policy – Add Date/Time Resource Group Tag”

  1. Hi Stefan.

    Came across your solution, when I was looking for this kind of policy. Unfortunately my policy applies a tag with the literal value “[utcNow()]” and the function within the policy isn’t applied. Any suggestions??

    /Kenneth ML
