SpyglassMTG Blog

Managing the Lifecycle of Azure Resources

One of the hardest things to do in the cloud is manage the lifecycle of deployed resources. Many times, resources get deployed and are left deployed and running because no one knows if they are still needed or not. Resource Tags help to provide some governance around this, but sometimes they may not be accurate or give you the information you need to help make that decision quickly.

Two pieces of information that can be very helpful in determining whether a resource is still being used are when the resource was last modified and who modified it. This way you can see if a given resource has not been modified recently and who (user/system account) made that last modification.

Some resource types track last modified times, but not all, and they do not track who made that modification. To be consistent across resource types, tags can be added to most resource types so that there is a single place to determine when the resource was last modified.

Using native services/capabilities within Azure, we have set up Azure Monitor Alert Rules that watch the Subscription Activity Log and trigger a Logic App, which adds the tags "lastModified" and "modifiedBy" to the resource. Below is a screenshot of the Logic App configuration used to add the tags.

[Screenshot: Logic App configuration used to add the tags]

We used the HTTP action to call the Azure REST APIs because it integrates easily with managed identities, so we can give the Logic App identity the Tag Contributor role at the scope we want it to set tags on.
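The request such an HTTP action sends to the Tags API can be modelled as follows. This is an added Python example, not the Logic App definition from the original post; the event field names, the `own_identity` parameter, and the rule that skips the Logic App's own tag writes are assumptions made for illustration.

```python
import json
from urllib.parse import quote

ARM = "https://management.azure.com"
API_VERSION = "2021-04-01"  # assumption: a Tags API version that supports PATCH
SKIP_OPERATIONS = {"microsoft.resources/tags/write"}  # events produced by tagging itself

def build_tag_patch(event, own_identity=None):
    """Return (method, url, body) for the Tags API call, or None to skip the event."""
    resource_id = (event.get("resourceId") or "").strip()
    operation = (event.get("operationName") or "").lower()
    caller = event.get("caller") or "unknown"
    if not resource_id.startswith("/subscriptions/"):
        return None  # not an ARM resource scope
    if operation in SKIP_OPERATIONS or (own_identity and caller == own_identity):
        return None  # our own tag write is logged too; skip it to avoid a loop
    url = (f"{ARM}{quote(resource_id, safe='/')}"
           f"/providers/Microsoft.Resources/tags/default?api-version={API_VERSION}")
    body = {
        "operation": "Merge",  # Merge keeps existing tags; Replace would drop them
        "properties": {"tags": {
            "lastModified": event["eventTimestamp"],
            "modifiedBy": caller[:256],  # tag values are limited to 256 characters
        }},
    }
    return "PATCH", url, body

# Constructed sample events (hypothetical field names and values)
RID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
       "/providers/Microsoft.Storage/storageAccounts/stdemo001")
SAMPLE_EVENTS = [
    {"resourceId": RID, "operationName": "Microsoft.Storage/storageAccounts/write",
     "caller": "alice@example.com", "eventTimestamp": "2024-01-15T10:30:00Z"},
    {"resourceId": RID, "operationName": "Microsoft.Resources/tags/write",
     "caller": "11111111-1111-1111-1111-111111111111",
     "eventTimestamp": "2024-01-15T10:30:05Z"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        req = build_tag_patch(ev, own_identity="11111111-1111-1111-1111-111111111111")
        print(json.dumps(req, indent=2) if req else f"skip {ev['operationName']}")
```

Using the `Merge` operation matters here: the role only needs tag write access, and existing governance tags on the resource are left untouched.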

Earlier I said that not all resources support tags. To get around this so that our Logic App does not fail to add the tags, we added a check to the alert rule that excludes resources that don’t support tags. We did this by using the "externaldata" operator within KQL. Below is a sample of the query we used.

[Image: Sample alert rule query]

Once tags have been assigned, you can use Resource Graph to query resources based on the values in these tags. With these queries, you can create visualizations within Log Analytics Workbooks to show this data and act on older resources.

[Image: Sample resource graph query]

If you have any questions on this topic or need help managing the lifecycle of your Azure resources, contact us today!
