Why managed resource groups are a problem?

When you start your cloud journey

When you embark on your cloud journey, the best approach is to use the Microsoft Cloud Adoption Framework, which focuses on the following key areas:

Each step is important, but I want to focus on the ‘Ready’ step.

In that area, it’s essential to define the operating model, as it impacts the ‘Landing Zone Concept.’ I always prefer implementing the ‘Enterprise-Scale Framework,’ which resembles the following:

That concept includes a highly important design area within management called ‘Naming Standard and Tagging.’ It’s crucial for future design principles to establish a robust naming and tagging standard.

I always recommend using the Azure Naming Standard tool and defining Azure policies and initiatives that enforce the tagging standard on resource groups and audit tags on subscriptions.

Managed resource groups, which some services create automatically under a name you don’t get to choose, make enforcing tags and the naming standard significantly more challenging. However, I believe I have a valid solution for you. I came across an older discussion regarding this topic here.

That solution doesn’t meet my requirements, so I did my best to resolve the issue myself, and here we are.

I’ve achieved the following:

  • Define a global policy where the main tags are enforced at resource group level
  • Make an exclusion for the managed resource groups I know of
  • Automatically assign the enforced tags with a default value to the managed resource groups

Why does my solution work? I’ve cloned the built-in policy ‘Require a Tag and Its Value on Resource Groups’ and customized it to include an exclusion for managed resource groups. Each exclusion is a negated condition (notLike / notMatch) inside the allOf, so the deny only fires when the name matches none of the excluded patterns. The policy now looks like this:

{
  "mode": "All",
  "parameters": {
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Name",
        "description": "Name of the tag, such as 'environment'"
      }
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "exists": "false"
        },
        {
          "field": "name",
          "notLike": "AVNM*"
        },
        {
          "field": "name",
          "notMatch": "NetworkWatcherRG"
        },
        {
          "field": "name",
          "notMatch": "test"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}

Additionally, a second policy adds the required tag with a predefined value whenever it is missing:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "exists": "false"
        }
      ]
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f"
        ],
        "operations": [
          {
            "operation": "add",
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "value": "[parameters('tagValue')]"
          }
        ]
      }
    }
  },
  "parameters": {
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Name",
        "description": "Name of the tag, such as 'environment'"
      }
    },
    "tagValue": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Value",
        "description": "Value of the tag, such as 'automatic'"
      }
    }
  }
}

When you attempt to create a resource group without the required tag, and the name is not excluded, you’ll encounter the following error:

Everything works perfectly when a managed resource group from the list is created. Here’s an example to test: switch to the Azure Network Manager service and create a new one in your subscription. The service automatically creates a managed resource group named ‘NetworkWatcherRG.’ The policy described above permits its creation and assigns the required tag with the predefined value:
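To check the exclusion logic of both policies before assigning them, here is a small offline evaluator, added as an example and not code from the blog post. It implements only the condition operators the two policies use (allOf, equals, exists, like/notLike, match/notMatch) with the semantics documented for Azure Policy: like/notLike are case-insensitive with ‘*’ as wildcard, match/notMatch are case-sensitive with ‘#’ for a digit, ‘?’ for a letter and ‘.’ for any character. The rules are condensed copies of the two policies above, with the exclusions written as negated conditions (notLike / notMatch); the parameter values ‘environment’ and ‘automatic’ and the resource group names are constructed assumptions.

```python
import copy
import re

# Added example, not part of the original post. Offline evaluator for the
# subset of Azure Policy operators used by the deny and modify policies above.
# Assumed assignment parameter values (not from the post):
PARAMS = {"tagName": "environment", "tagValue": "automatic"}
RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"

# Condensed copy of the deny rule: every exclusion is a negated condition, so
# all of them must hold (the name is none of the managed names) to deny.
DENY_RULE = {"if": {"allOf": [
    {"field": "type", "equals": RG_TYPE},
    {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
    {"field": "name", "notLike": "AVNM*"},
    {"field": "name", "notMatch": "NetworkWatcherRG"},
    {"field": "name", "notMatch": "test"},
]}, "then": {"effect": "deny"}}

# Condensed copy of the modify rule that adds the tag with the default value.
MODIFY_RULE = {"if": {"allOf": [
    {"field": "type", "equals": RG_TYPE},
    {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
]}, "then": {"effect": "modify", "details": {"operations": [
    {"operation": "add",
     "field": "[concat('tags[', parameters('tagName'), ']')]",
     "value": "[parameters('tagValue')]"}]}}}


def _resolve(expr, params):
    """Expand the two ARM template expressions that appear in the policies."""
    m = re.fullmatch(r"\[concat\('tags\[', parameters\('(\w+)'\), '\]'\)\]", expr)
    if m:
        return f"tags[{params[m.group(1)]}]"
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", expr)
    return params[m.group(1)] if m else expr


def _get(resource, field):
    """Read 'name', 'type' or 'tags[<key>]' from a resource dict."""
    m = re.fullmatch(r"tags\[(.+)\]", field)
    return resource.get("tags", {}).get(m.group(1)) if m else resource.get(field)


def _like(value, pattern):
    # like/notLike: case-insensitive, '*' is the only wildcard
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def _match(value, pattern):
    # match/notMatch: case-sensitive; '#' digit, '?' letter, '.' any character
    table = {"#": r"\d", "?": "[A-Za-z]", ".": "."}
    regex = "".join(table.get(ch, re.escape(ch)) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def condition_holds(cond, resource, params):
    if "allOf" in cond:
        return all(condition_holds(c, resource, params) for c in cond["allOf"])
    value = _get(resource, _resolve(cond["field"], params))
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    value = "" if value is None else str(value)
    if "equals" in cond:
        return value.lower() == cond["equals"].lower()
    if "like" in cond:
        return _like(value, cond["like"])
    if "notLike" in cond:
        return not _like(value, cond["notLike"])
    if "match" in cond:
        return _match(value, cond["match"])
    if "notMatch" in cond:
        return not _match(value, cond["notMatch"])
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(rule, resource, params):
    """Return (effect, resource_after); effect is None when the 'if' does not hold."""
    after = copy.deepcopy(resource)
    if not condition_holds(rule["if"], after, params):
        return None, after
    effect = rule["then"]["effect"]
    if effect == "modify":
        for op in rule["then"]["details"]["operations"]:
            if op["operation"] == "add":
                key = re.fullmatch(r"tags\[(.+)\]", _resolve(op["field"], params)).group(1)
                after.setdefault("tags", {})[key] = _resolve(op["value"], params)
    return effect, after


def outcome(name, tags=None):
    """Constructed resource group run through the deny rule, then the modify rule."""
    rg = {"type": RG_TYPE, "name": name, "tags": dict(tags or {})}
    if evaluate(DENY_RULE, rg, PARAMS)[0] == "deny":
        return "denied"
    return "created, tags=" + str(evaluate(MODIFY_RULE, rg, PARAMS)[1]["tags"])


if __name__ == "__main__":
    for name, tags in [("rg-app-prod", None), ("rg-app-prod", {"environment": "prod"}),
                       ("NetworkWatcherRG", None), ("avnm-managed-rg", None), ("Test", None)]:
        print(f"{name:18} -> {outcome(name, tags)}")
```

Running it shows the two things worth knowing before assigning the policies: notLike is case-insensitive, so ‘avnm-managed-rg’ is excluded by ‘AVNM*’, whereas notMatch is an exact, case-sensitive comparison, so ‘Test’ and ‘NetworkWatcherRG2’ are still denied while ‘test’ and ‘NetworkWatcherRG’ pass and receive the default tag.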


Finally

My final thoughts for this blog post: When starting with Azure, it’s crucial to embark on a well-structured journey by leveraging the Cloud Adoption Framework. Ultimately, implementing a solid Landing Zone architecture will ensure long-term success.

The fact is that Microsoft’s rollout of services requiring managed resource groups can cause certain design areas within the Landing Zone implementation to break. However, it is what it is for now, and I hope Microsoft either revises or adds the capability to define the resource group during the implementation process.

Currently, as far as I know, the following services create managed resource groups:

  • Azure Network Watcher
  • Azure Network Manager
  • Azure Synapse
  • Azure Kubernetes Service

If you know of more services, please let me know so I can expand the policy.
