This guide covers how to tag resources via policy and set up auditing of that policy.
Applying Tagging Policy
This guide outlines how to apply a tag inheritance policy (resource group to resources) across an Azure subscription using Terraform. The policy ensures that every resource in a resource group inherits that group's tags, enforcing consistent metadata for governance, billing, and management. Following it brings resources into line with the ALZ Tagging Strategy and Policy.
When the policy is correctly configured, all resources under a resource group automatically inherit the following tag names and values:
- application
- businessarea
- dataclassification
- environment
- infracontact
- owner
- purchaseorder
Quick Explainer
Use the ALZ team document as a reference for the standard tags and values. This guide uses the hub subscription as the example, since that is where the policy definition is created. Every other subscription needs only a policy assignment that references the definition created under the hub subscription.
Defining the Inherit Tag RG Policy
Path: `staff-infrastructure-azure-landing-zone/terraform/source/100-hub/000-alz-base/policies/inheritTagsRg/inherit-tag-rg.json`
The `policies` folder is located within the `source` directory and is symlinked to `100-hub/000-alz-base`. Within it, the `inheritTagsRg` folder and the `inherit-tag-rg.json` file implement the policy definition responsible for inheriting tags from the resource group.
Terraform Code for Policy Definition and Assignment
Path: `staff-infrastructure-azure-landing-zone/terraform/source/100-hub/000-alz-base/policy-rg-tags-inheritance.tf`
This file handles tag inheritance from the resource group through the `inherit-tag-rg.json` policy and creates an assignment. The file is symlinked from `source` because it is reused across all three tenants.
Relevant variables (to be added in `variables.tf` and `.tfvars`):
```hcl
variable "inherit_tag_rg_policy" {
  description = "The display name of the inherit tag policy definition."
  type        = string
  default     = null
}

variable "core_resource_group" {
  description = "Resource group for the Core"
  type        = string
  default     = null
}

variable "inherit_tag_policydef_uami_name" {
  description = "The display name of the inherit tag policy definition user assigned mi."
  type        = string
  default     = null
}

variable "inherit_tag_rg_policy_assignment_resource_id" {
  description = "The ID of the resource where the initiative will be assigned e.g. subscription or resource group"
  type        = string
  default     = null
}

# Only used in the Hub subscription
variable "assignment_not_scopes" {
  description = "A list of the Policy Assignment's excluded scopes. Must be full resource IDs"
  type        = list(any)
  default     = []
}

variable "skip_tag_remediation" {
  description = "Whether to skip remediation actions for the initiative assignment."
  type        = bool
  default     = true
}
```
Once the code is pushed and merged, a new custom policy named Inherit Required Tags from Resource Group is created under the MOJ management group. This is a one-time step per tenant: every later assignment references this single policy definition.
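The following is an added illustration of how the definition, the user-assigned identity, the assignment and the optional remediation fit together in Terraform. It is not the project's `policy-rg-tags-inheritance.tf` or its `inherit-tag-rg.json`: it uses a single parameterised "inherit one tag from the resource group if missing" rule (the same `modify`/`add` pattern as Azure's built-in policy) and assigns it once per mandatory tag, whereas the project's definition covers all seven tags at once. `var.management_group_name`, `var.hub_subscription_id` and `var.location` are assumed placeholders; `var.core_resource_group`, `var.inherit_tag_policydef_uami_name`, `var.assignment_not_scopes` and `var.skip_tag_remediation` are the variables listed above.

```hcl
# Added example, not the project's own Terraform. Assumed placeholders:
# var.management_group_name, var.hub_subscription_id, var.location.

locals {
  mandatory_tags = [
    "application", "businessarea", "dataclassification",
    "environment", "infracontact", "owner", "purchaseorder",
  ]
}

# One parameterised definition at management group scope, reusable by every subscription.
resource "azurerm_policy_definition" "inherit_tag_rg" {
  name                = "inherit-tag-rg"
  policy_type         = "Custom"
  mode                = "Indexed"
  display_name        = "Inherit Required Tags from Resource Group"
  management_group_id = "/providers/Microsoft.Management/managementGroups/${var.management_group_name}"

  parameters = jsonencode({
    tagName = {
      type     = "String"
      metadata = { displayName = "Tag Name", description = "Name of the tag to inherit, e.g. owner" }
    }
  })

  # Non-compliant = tag absent on the resource while the resource group carries a value.
  # "add" only fills in a missing tag; it never overwrites a value the resource already has.
  policy_rule = jsonencode({
    if = {
      allOf = [
        { field = "[concat('tags[', parameters('tagName'), ']')]", exists = "false" },
        { value = "[resourceGroup().tags[parameters('tagName')]]", notEquals = "" },
      ]
    }
    then = {
      effect = "modify"
      details = {
        # Contributor: the role the remediation identity must hold at the assignment scope.
        roleDefinitionIds = ["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"]
        operations = [{
          operation = "add"
          field     = "[concat('tags[', parameters('tagName'), ']')]"
          value     = "[resourceGroup().tags[parameters('tagName')]]"
        }]
      }
    }
  })
}

# Identity that the modify effect runs as; scoped to this subscription only.
resource "azurerm_user_assigned_identity" "policy" {
  name                = var.inherit_tag_policydef_uami_name
  resource_group_name = var.core_resource_group
  location            = var.location
}

resource "azurerm_role_assignment" "policy_contributor" {
  scope                = "/subscriptions/${var.hub_subscription_id}"
  role_definition_name = "Contributor"
  principal_id         = azurerm_user_assigned_identity.policy.principal_id
}

# One assignment per mandatory tag; excluded scopes come from assignment_not_scopes.
resource "azurerm_subscription_policy_assignment" "inherit_tag_rg" {
  for_each             = toset(local.mandatory_tags)
  name                 = "inherit-${each.key}"
  display_name         = "Inherit '${each.key}' from resource group"
  subscription_id      = "/subscriptions/${var.hub_subscription_id}"
  policy_definition_id = azurerm_policy_definition.inherit_tag_rg.id
  location             = var.location
  not_scopes           = var.assignment_not_scopes
  parameters           = jsonencode({ tagName = { value = each.key } })

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.policy.id]
  }
}

# Modify only fires on create/update; existing resources are fixed by a remediation task,
# which is skipped while skip_tag_remediation is true.
resource "azurerm_subscription_policy_remediation" "inherit_tag_rg" {
  for_each = {
    for tag, a in azurerm_subscription_policy_assignment.inherit_tag_rg : tag => a.id
    if !var.skip_tag_remediation
  }
  name                    = "remediate-${each.key}"
  subscription_id         = "/subscriptions/${var.hub_subscription_id}"
  policy_assignment_id    = each.value
  resource_discovery_mode = "ReEvaluateCompliance"
}
```

Two points worth checking when adapting this: the `add` operation leaves an existing but wrong tag value untouched (switching to `addOrReplace` would force the resource group's value onto every resource, which also overwrites deliberate per-resource values), and the identity's role assignment should be made at the assignment scope and no wider, since the policy engine acts with that identity's permissions during remediation.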
Some minor differences may be observed between the number of resources shown in the Subscription view and those presented in the Policy Compliance view.

| Description | Count |
|---|---|
| List of resources including Bastion | 138 |
| List of resources excluding Bastion | 137 |
| Resource compliance | 100% (139/139) |
| Missing resources | 2 |
The resources below appear in the compliance scan as "Compliant" but are not listed under Resources:

| Name | Resource type | Compliance state | Resource ID |
|---|---|---|---|
| exporttoworkspace | microsoft.security/automations | Compliant | /subscriptions/d065122c-0c8c-4024-b018-8bc853119e12/resourcegroups/rg-hub-core-001/providers/microsoft.security/automations/exporttoworkspace |
| high-sev-notification | microsoft.security/automations | Compliant | /subscriptions/d065122c-0c8c-4024-b018-8bc853119e12/resourcegroups/rg-hub-core-001/providers/microsoft.security/automations/high-sev-notification |
Audit Policy
This policy outlines the standards and procedures for implementing and auditing resource tags within the Ministry of Justice’s Azure environments. The aim is to ensure resources are correctly tagged to support cost management, security, compliance, governance, and operational efficiency.
Quick Explainer
This policy checks compliance of all Azure-based resources deployed into the ALZ, including but not limited to:
- Virtual machines
- Storage accounts
- Databases
- Containers
- Networking components
- Resource groups
The audit verifies that:
- All seven mandatory tags are present
- Tag values are correct
As before, this guide uses the hub subscription as the example, since that is where the policy definition is created. Every other subscription needs only a policy assignment.
Defining the Audit Tag RG Policy
Path: `staff-infrastructure-azure-landing-zone/terraform/source/100-hub/000-alz-base/policies/auditingTags/tags-auditing-policy-resources.json`
The `tags-auditing-policy-resources.json` file in the `auditingTags` folder implements the audit tag policy definition.
Terraform Code for Policy Definition and Assignment
Path: `staff-infrastructure-azure-landing-zone/terraform/source/100-hub/000-alz-base/policy-tags-audit.tf`
This Terraform code creates and assigns the audit policy using the definition file mentioned above.
Relevant variable:
```hcl
variable "inherit_tag_policydef_assignment_resource_id" {
  type        = string
  description = "The ID of the resource where the initiative will be assigned e.g. subscription or resource group"
  default     = null
}
```
Once pushed and merged, a custom policy named Tags auditing policy for all azure resources is created under the MOJ management group.
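As an added example of the audit side, not the project's `tags-auditing-policy-resources.json` or `policy-tags-audit.tf`, the following Terraform defines an `audit` policy that flags any resource missing one of the seven mandatory tags, plus a value check on `environment`. The allowed `environment` values, `var.management_group_name` and `var.hub_subscription_id` are assumptions; the real allowed values come from the ALZ team document, not from here.

```hcl
# Added example, not the project's own policy. Assumed placeholders:
# var.management_group_name, var.hub_subscription_id, and the default
# allowedEnvironments list (constructed values, not the ALZ standard list).

locals {
  mandatory_tags = [
    "application", "businessarea", "dataclassification",
    "environment", "infracontact", "owner", "purchaseorder",
  ]

  # One "tag is absent" condition per mandatory tag.
  missing_tag_conditions = [
    for t in local.mandatory_tags : { field = "tags['${t}']", exists = "false" }
  ]
}

resource "azurerm_policy_definition" "audit_tags" {
  name                = "audit-mandatory-tags"
  policy_type         = "Custom"
  mode                = "Indexed"
  display_name        = "Tags auditing policy for all azure resources"
  management_group_id = "/providers/Microsoft.Management/managementGroups/${var.management_group_name}"

  parameters = jsonencode({
    allowedEnvironments = {
      type         = "Array"
      metadata     = { displayName = "Allowed values for the environment tag" }
      defaultValue = ["dev", "test", "prod"] # assumed, replace with the ALZ standard values
    }
  })

  # A resource is non-compliant if ANY mandatory tag is missing, or if
  # 'environment' is present but holds a value outside the allowed list.
  policy_rule = jsonencode({
    if = {
      anyOf = concat(local.missing_tag_conditions, [
        { field = "tags['environment']", notIn = "[parameters('allowedEnvironments')]" },
      ])
    }
    then = { effect = "audit" }
  })
}

# Audit assignments need no identity: they only record compliance state.
resource "azurerm_subscription_policy_assignment" "audit_tags" {
  name                 = "audit-mandatory-tags"
  display_name         = "Audit mandatory tags on all resources"
  subscription_id      = "/subscriptions/${var.hub_subscription_id}"
  policy_definition_id = azurerm_policy_definition.audit_tags.id
}
```

Because the definition is in `Indexed` mode it evaluates resources that support tags and location; to audit resource groups themselves, add a second definition in mode `All` whose rule also matches on `type` equal to `Microsoft.Resources/subscriptions/resourceGroups`, which is how Azure's built-in resource group tag policies are written.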
As with the tagging policy, differences may be seen between the resources in the Subscription view and those in the Policy Compliance view.

| Description | Count |
|---|---|
| List of resources in Hub | 138 |
| Resource compliance | 100% (140/140) |
| Missing resources | 2 |
The following are compliant in the scan but not listed under Resources:

| Name | Resource type | Compliance state | Resource ID |
|---|---|---|---|
| exporttoworkspace | microsoft.security/automations | Compliant | /subscriptions/d065122c-0c8c-4024-b018-8bc853119e12/resourcegroups/rg-hub-core-001/providers/microsoft.security/automations/exporttoworkspace |
| high-sev-notification | microsoft.security/automations | Compliant | /subscriptions/d065122c-0c8c-4024-b018-8bc853119e12/resourcegroups/rg-hub-core-001/providers/microsoft.security/automations/high-sev-notification |