Add Createdby/Deployedby/Caller/Owner email Tag to Azure resources automatically
Introduction
Hello everyone. This post is about tagging Azure resources with the email address of the user who deployed them, taken from the deployment entry in the Activity Log. I know there are a lot of solutions available for an owner tag, but this one is simple and, I feel, can be implemented easily.
Benefits:
This solution is useful when resources arrive from several deployment sources. A creator tag can be set in code, but when someone deploys from the Azure portal, PowerShell and so on, it is difficult to tell who deployed a given resource.
I have used a Log Analytics Workspace to collect all subscription-level activity logs and an Azure Automation Account to apply the tags.
Prerequisites:
- Create a Log Analytics Workspace.
- Create an Azure Automation Runbook with a Run As Account. (Run As accounts have since been retired by Microsoft; on a current Automation Account use a system-assigned managed identity and sign in with Connect-AzAccount -Identity instead. Only the sign-in step of the runbook changes.)
- Grant the Run As Account's service principal the Tag Contributor role at subscription scope.
- Create V1 alert rules; V2 has a different payload schema, which I have not covered.
- Create a webhook on the runbook and add the webhook URL to the alert rule's action.
Below is the KQL query for the alert rule. The alert posts its results to the runbook's webhook; the runbook then parses the rows and applies the tag based on the Activity Log entry.
- For this to work, the subscription's Activity Log must be sent to the Log Analytics Workspace (it lands in the AzureActivity table).
- The query keeps only Administrative logs and drops deployment records that are either not needed or report an incorrect resource ID.
- Publish, draft and delete operations are also excluded to avoid unnecessary data consumption.
AzureActivity
// Only Administrative (control-plane) operations that completed successfully
| where CategoryValue contains "Administrative"
| where ActivityStatusValue contains "Success"
| where ActivitySubstatusValue !contains "OK"
// ARM deployment records report the deployment rather than the resource, so drop them,
// together with draft, publish and delete operations
| where parse_json(Authorization).action !has "Microsoft.Resources/deployments"
| where OperationNameValue !has "draft"
| where OperationNameValue !has "publish"
| where OperationNameValue !contains "delete"
// Ignore the runbook's own tag writes. For a service principal the Caller column
// holds its object ID, so put the Run As account's object ID here.
| where Caller <> "<Run As account service principal object ID>"
// Window wide enough to cover Activity Log ingestion delay between alert evaluations
| where TimeGenerated > ago(35m)
// Column order here is what the runbook relies on: _ResourceId first, Caller second
| distinct _ResourceId, Caller
Below is the script I used in the runbook to apply the tags.
#Code starts here
param (
    [Parameter(Mandatory=$false)]
    [object] $WebhookData
)

# Sign in with the Run As account, as used in this post. Run As accounts are retired;
# on a current Automation account replace this block with: Connect-AzAccount -Identity
$servicePrincipalConnection = Get-AutomationConnection -Name AzureRunAsConnection
$params = @{
    ServicePrincipal      = $true
    TenantId              = $servicePrincipalConnection.TenantId
    ApplicationId         = $servicePrincipalConnection.ApplicationId
    CertificateThumbprint = $servicePrincipalConnection.CertificateThumbprint
}
Connect-AzAccount @params | Out-Null
Set-AzContext -Subscription "Subscription Name" | Out-Null

if (-not $WebhookData) {
    throw "No webhook data received; this runbook must be started by the alert webhook."
}
Write-Output "Webhook data $WebhookData"

# When started from the Test pane, $WebhookData arrives as a JSON string rather
# than an object, so parse it first.
if (-not $WebhookData.RequestBody) {
    $WebhookData = ConvertFrom-Json -InputObject $WebhookData
    Write-Output "Checking Webhook data $WebhookData"
}

$Request = ConvertFrom-Json -InputObject $WebhookData.RequestBody

# Common alert schema: query results sit in data.alertContext.SearchResults.tables[]
# as a list of rows. Resolve the column indexes by name instead of assuming an order.
$table   = $Request.data.alertContext.SearchResults.tables[0]
$columns = @($table.columns | ForEach-Object { $_.name })
$idIndex     = [array]::IndexOf($columns, "_ResourceId")
$callerIndex = [array]::IndexOf($columns, "Caller")
if ($idIndex -lt 0 -or $callerIndex -lt 0) {
    throw "Expected _ResourceId and Caller columns, got: $($columns -join ', ')"
}

foreach ($row in $table.rows) {
    $resID    = $row[$idIndex]
    $UserName = $row[$callerIndex]
    if (-not $resID -or -not $UserName) { continue }

    $Resource = Get-AzResource -ResourceId $resID -ErrorAction SilentlyContinue
    if (-not $Resource) {
        Write-Output "Resource $resID no longer exists, skipping"
        continue
    }

    # The tag should record the first deployer, so never overwrite an existing value.
    # The 35-minute query window also means the same row is delivered by several
    # alert evaluations; Hashtable.Add on an existing key would throw on the repeat.
    if ($Resource.Tags -and $Resource.Tags.ContainsKey("ProvisionedBy")) {
        Write-Output "$resID already tagged ProvisionedBy=$($Resource.Tags['ProvisionedBy']), skipping"
        continue
    }

    Write-Output "Adding tag ProvisionedBy: $UserName for Resource: $resID"
    # Merge keeps the resource's other tags. Set-AzResource -Tag replaces the whole
    # tag set and writes the resource itself, which needs write permission on that
    # resource type; Update-AzTag uses the tags API, which Tag Contributor covers.
    Update-AzTag -ResourceId $resID -Tag @{ ProvisionedBy = $UserName } -Operation Merge | Out-Null
}
#Code ends here
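To exercise the wiring before a real deployment fires the alert, the following added PowerShell (my example, not part of the original post) builds a payload in the shape Azure Monitor's common alert schema uses for log alerts and posts it to the runbook webhook from a workstation. The webhook URL, subscription ID, resource ID and caller are constructed placeholders; the column order matches the query above (_ResourceId, then Caller).

```powershell
# Added example: fire the runbook with a hand-built alert payload.
# Replace the placeholders before running. The body shape follows the common
# alert schema that the runbook reads via data.alertContext.SearchResults.tables[0].
$webhookUrl     = "https://<automation-webhook-url>"                       # placeholder
$subscriptionId = "00000000-0000-0000-0000-000000000000"                    # placeholder
$resourceId     = "/subscriptions/$subscriptionId/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo001"  # constructed
$caller         = "alice@contoso.com"                                       # constructed

function New-TagAlertPayload {
    param(
        [Parameter(Mandatory)] [string]   $SubscriptionId,
        [Parameter(Mandatory)] [object[]] $Rows   # each row: @(resourceId, caller)
    )
    @{
        schemaId = "azureMonitorCommonAlertSchema"
        data = @{
            essentials = @{
                alertId           = "/subscriptions/$SubscriptionId/providers/Microsoft.AlertsManagement/alerts/test"
                alertRule         = "Tag-Creator-Test"
                severity          = "Sev3"
                signalType        = "Log"
                monitorCondition  = "Fired"
                monitoringService = "Log Analytics"
                firedDateTime     = (Get-Date).ToUniversalTime().ToString("o")
            }
            alertContext = @{
                SearchResults = @{
                    tables = @(
                        @{
                            name    = "PrimaryResult"
                            # Same columns and order as "distinct _ResourceId, Caller"
                            columns = @(
                                @{ name = "_ResourceId"; type = "string" },
                                @{ name = "Caller";      type = "string" }
                            )
                            rows    = $Rows
                        }
                    )
                }
            }
        }
    }
}

function Send-TagAlert {
    param(
        [Parameter(Mandatory)] [string]    $WebhookUrl,
        [Parameter(Mandatory)] [hashtable] $Payload
    )
    # -Depth is needed because the default depth truncates the nested rows array.
    $json = $Payload | ConvertTo-Json -Depth 10
    # The runbook receives this JSON as $WebhookData.RequestBody
    Invoke-RestMethod -Method Post -Uri $WebhookUrl -ContentType "application/json" -Body $json
}

# Build one row (the leading comma keeps it as a row array inside the rows array).
$payload = New-TagAlertPayload -SubscriptionId $subscriptionId -Rows @(, @($resourceId, $caller))
$response = Send-TagAlert -WebhookUrl $webhookUrl -Payload $payload

# An Automation webhook answers with the IDs of the jobs it queued; check the job
# output in the portal, then confirm with: (Get-AzResource -ResourceId $resourceId).Tags
$response.JobIds
```

Posting a second time with the same row is a useful check that the idempotency guard in the runbook works: the job should log that the resource is already tagged and leave the original value in place.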
I hope the above solution helps you add creator tagging. Let me know if you have any comments.
Comments
Thank you for stepping into my blog. I'm not aware of this deprecation and was using these cmdlets without any issue at the time of writing. As you correctly said, we can use Get-AzAutomationConnection from the Az.Automation module to connect.
Thank you for bringing this up, and I will try to modify the code.
Regards,
Logan