Auto-Tag Like a Boss: The Nerdy Way to Enforce Azure Governance
Tired of chasing down untagged Azure resources across dozens of subscriptions? This post introduces an event-driven, serverless solution that automatically applies governance-compliant tags at creation — without overwriting existing metadata.
The Tagging Apocalypse
"Who created this VM?"
"Why is this resource not tagged?"
"Can someone explain why our cloud bill looks like a space launch invoice?"
If those questions haunt your daily standups, grab your coffee and get comfy — this one's for you.
The Real Problem
In a perfect world, every Azure resource would be lovingly tagged with who created it, why, and when. But in reality? Cloud chaos reigns:
Random Resource Creation
Resources spun up from portals, pipelines, or sheer panic
Inconsistent Tags
Or none at all—complete anarchy
Audit Nightmares
Chargeback reports that make you cry
Detective Work
Ops teams investigating across 50+ subscriptions
⚠️ Warning
Manual tagging doesn't scale. It breaks governance. It wrecks FinOps. Time for a smarter, sassier solution.
What It Does
Real-Time Auto-Tagging
Tags resources automatically as they're created
Non-Destructive
Doesn't overwrite your existing tags
Event-Driven
Reads the caller's identity straight from the `data.claims` block that Event Grid attaches to each ResourceWriteSuccess event, so no extra activity-log lookup is needed
Multi-Subscription
One Event Grid system topic per subscription, all routed to a single Function App whose managed identity holds tag-write rights in every one of those subscriptions
💡 Pro Tip
Think of it like a tagging bouncer — no resource gets in without the right info on its name badge.
The Tech Stack
| Component | Role |
|---|---|
| 🔌 Event Grid | One system topic per subscription captures ResourceWriteSuccess events and routes them to the function |
| ⚡ Azure Functions | Processes tagging logic serverlessly (PowerShell 7) |
| 🆔 Managed Identity | Secure API calls without hardcoded creds |
| 🔍 Application Insights | Monitoring & centralized logs |
| 💾 Azure Storage | Code and state storage |
| 🌐 Azure REST API | Applies tags through the Microsoft.Resources/tags API (PATCH with operation Merge), which adds keys without touching the rest of the resource |
The Flow of Tagging Greatness
Resource is created or modified
Portal, CLI, pipeline — we don't discriminate
Event Grid picks it up
System Topics detect ResourceWriteSuccess
Event routed to the Function App
Our PowerShell wizard wakes up
Function analyzes and applies tags
Filters out deployment envelopes and tag writes (its own updates would otherwise trigger it again), reads the caller from the claims, and merges the tags it owns onto the resource without touching keys that are already there
Logs go to App Insights
For transparency, alerts, and the occasional "aha!"
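The whole flow in one Event Grid-triggered handler, as an added example written for this post (it is not the author's function code). It assumes a PowerShell 7 Function App with a system-assigned managed identity (the Functions host injects `IDENTITY_ENDPOINT` and `IDENTITY_HEADER`), that the identity holds Tag Contributor on each subscription whose system topic points here, and a hypothetical three-key tag schema (`CreatedBy`, `CreatedOn`, `CreatedVia`):

```powershell
# run.ps1 for an Event Grid trigger, PowerShell 7. Added example, not the post's own code.
# Assumptions: system-assigned managed identity on the Function App; Tag Contributor on every
# onboarded subscription; tag keys below are a hypothetical schema for illustration.
param($eventGridEvent, $TriggerMetadata)

$ArmBase    = 'https://management.azure.com'
$ApiVersion = '2021-04-01'   # Microsoft.Resources/tags/default API

function Get-SkipReason {
    # Return a reason to ignore the event, or $null when it should be tagged.
    param($Data)
    $op = [string]$Data.operationName
    if ($Data.status -ne 'Succeeded')                  { return 'not a successful write' }
    if ($op -like 'Microsoft.Resources/deployments/*') { return 'deployment envelope, not a resource' }
    if ($op -like 'Microsoft.Resources/tags/*')        { return 'tag write (would loop on our own updates)' }
    if ($op -notlike '*/write')                        { return "operation $op is not a write" }
    return $null
}

function Get-CallerIdentity {
    # Users carry UPN/name claims; service principals only carry appid. Check user claims first,
    # because a user token issued to the portal or CLI also has an appid.
    param($Claims)
    $userKeys = @(
        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn',
        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
        'name'
    )
    foreach ($k in $userKeys) {
        if ($Claims -and $Claims.$k) { return @{ Who = [string]$Claims.$k; Via = 'User' } }
    }
    if ($Claims -and $Claims.appid) { return @{ Who = "app:$($Claims.appid)"; Via = 'ServicePrincipal' } }
    return @{ Who = 'unknown'; Via = 'Unknown' }
}

function Get-ArmToken {
    # App Service / Functions managed identity endpoint, no secrets in config.
    $resource = [uri]::EscapeDataString("$ArmBase/")
    $uri = "$($env:IDENTITY_ENDPOINT)?resource=$resource&api-version=2019-08-01"
    return (Invoke-RestMethod -Uri $uri -Headers @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }).access_token
}

function Merge-ResourceTags {
    # Non-destructive: read current tags, only add keys that are absent, then Merge.
    param([string]$ResourceUri, [hashtable]$NewTags, [string]$Token)
    $tagsUri = "$ArmBase$ResourceUri/providers/Microsoft.Resources/tags/default?api-version=$ApiVersion"
    $headers = @{ Authorization = "Bearer $Token" }
    $current = (Invoke-RestMethod -Uri $tagsUri -Headers $headers -Method Get `
                    -MaximumRetryCount 3 -RetryIntervalSec 5).properties.tags
    $toApply = @{}
    foreach ($k in $NewTags.Keys) {
        if (-not $current -or -not $current.PSObject.Properties[$k]) { $toApply[$k] = $NewTags[$k] }
    }
    if ($toApply.Count -eq 0) { return 'already tagged, nothing to do' }
    $body = @{ operation = 'Merge'; properties = @{ tags = $toApply } } | ConvertTo-Json -Depth 5
    Invoke-RestMethod -Uri $tagsUri -Headers $headers -Method Patch -Body $body -ContentType 'application/json' `
        -MaximumRetryCount 3 -RetryIntervalSec 5 | Out-Null
    return "applied $($toApply.Keys -join ', ')"
}

$data = $eventGridEvent.data
$reason = Get-SkipReason -Data $data
if ($reason) { Write-Host "skip $($data.resourceUri): $reason"; return }

$caller = Get-CallerIdentity -Claims $data.claims
$tags = @{
    CreatedBy  = $caller.Who
    CreatedOn  = [string]$eventGridEvent.eventTime   # when ARM saw the write, not when we ran
    CreatedVia = $caller.Via
}
try {
    $result = Merge-ResourceTags -ResourceUri $data.resourceUri -NewTags $tags -Token (Get-ArmToken)
    Write-Host "$($data.resourceUri): $result (caller=$($caller.Who))"
} catch {
    # Resource types that do not support tags, or ARM errors after retries, land here.
    # Log instead of rethrowing: a thrown error makes Event Grid redeliver the same event for up to 24 hours.
    Write-Warning "$($data.resourceUri): $($_.Exception.Message)"
}
```

Two design points are worth calling out. The `Microsoft.Resources/tags/*` filter is not optional: the PATCH the function issues is itself a successful write, and without that filter every tagged resource produces a second event and a second invocation. The GET before the PATCH is what makes the operation non-destructive even though the tags API's `Merge` would overwrite a key that already exists; only keys missing from the resource are sent.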
Security: Zero Trust, All Nerd
No Secrets Stored
Managed Identity FTW—no hardcoded credentials
Fine-Grained RBAC
The identity gets the built-in Tag Contributor role on each onboarded subscription: it can read resources and write tags, but cannot create, change or delete anything else
Full Audit Trail
Every skip, tag write and failure is logged to App Insights with the resource URI and the caller, and ARM records the tag write itself in the activity log under the managed identity
Network Isolated
Production-safe architecture, with one caveat: the Consumption plan has no VNet integration, so if the function must sit on private networking use a Premium or Flex Consumption plan, and since Event Grid delivers to the function's public endpoint, lock that endpoint down with access restrictions (allow the AzureEventGrid service tag) rather than expecting a private endpoint to work
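Onboarding a new subscription is the same three steps every time: grant the identity Tag Contributor, create the subscription-scoped system topic, and point an event subscription at the function. The script below is an added example for this post, not the author's deployment script; it drives the Azure CLI from PowerShell and assumes a logged-in session with rights to assign roles and create Event Grid resources in every subscription, and that the Function App, resource group and function names shown (`func-autotag`, `rg-autotag`, `TagOnWrite`, zero-GUID subscription id) are placeholders you replace:

```powershell
# Onboard every enabled subscription to the one Function App. Added example, not the post's own script.
# Assumptions: Azure CLI logged in with Owner/User Access Administrator on each subscription;
# names and the zero-GUID below are hypothetical placeholders.
$HubSub      = '00000000-0000-0000-0000-000000000000'
$FunctionId  = "/subscriptions/$HubSub/resourceGroups/rg-autotag/providers/Microsoft.Web/sites/func-autotag/functions/TagOnWrite"
$TopicRg     = 'rg-autotag'     # system topics live in a resource group inside the subscription they watch
$TopicRgLoc  = 'westeurope'

# Object id of the Function App's system-assigned identity (the principal we grant rights to).
$PrincipalId = az functionapp identity show --name func-autotag --resource-group rg-autotag `
                   --subscription $HubSub --query principalId -o tsv

foreach ($sub in (az account list --query "[?state=='Enabled'].id" -o tsv)) {
    Write-Host "onboarding $sub"
    az account set --subscription $sub

    # Least privilege: Tag Contributor = read resources + write tags, nothing else.
    az role assignment create --assignee-object-id $PrincipalId --assignee-principal-type ServicePrincipal `
        --role 'Tag Contributor' --scope "/subscriptions/$sub" -o none

    # The topic's resource group must exist in this subscription.
    az group create --name $TopicRg --location $TopicRgLoc -o none

    # One system topic per subscription; the topic type is what makes it emit ResourceWriteSuccess.
    az eventgrid system-topic create --name "evgt-autotag-$sub" --resource-group $TopicRg `
        --location global --topic-type Microsoft.Resources.Subscriptions --source "/subscriptions/$sub" -o none

    # Route to the function in the hub subscription. The advanced filter drops deployment envelopes
    # and tag writes at the Event Grid side, so they never cost a function execution.
    az eventgrid system-topic event-subscription create --name 'autotag' --resource-group $TopicRg `
        --system-topic-name "evgt-autotag-$sub" --endpoint-type azurefunction --endpoint $FunctionId `
        --included-event-types Microsoft.Resources.ResourceWriteSuccess `
        --advanced-filter data.operationName StringNotContains deployments/write tags/write -o none
}

az account set --subscription $HubSub
```

If your subscriptions sit under a management group, a single Tag Contributor assignment at that scope replaces the per-subscription role step and covers subscriptions added later; the system topic and event subscription still have to be created in each subscription, because subscription-scoped system topics cannot span more than one.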
Business Value
Cost Control
Accurate ownership = reliable chargebacks
Compliance
Every resource tagged, every time
Time Saved
No more "Who deployed this?" ping-pong
Clarity
Instantly know what's out there and why
Data-Driven
Plan better, spend smarter
How Much Does It Cost?
| Component | Monthly Est. |
|---|---|
| Azure Function (Consumption) | ~$10 |
| Event Grid (first 100K = FREE) | ~$5 |
| Application Insights (Basic) | ~$25 |
| Storage Account | ~$2 |
| Total | ~$42/month |
💡 Pro Tip
Sampling in App Insights is an instant cost reduction: turn on adaptive sampling in the Function App's host.json (`applicationInsights.samplingSettings`) and keep warnings and errors unsampled. You do not need every "skipped, not a write" line, but you do need every failed tag write.
Download & Deploy
Want to peek under the hood? The Function App:
- ✓ Filters out deployment envelopes and its own tag writes before doing any work
- ✓ Reads the caller's identity from the claims Event Grid delivers with the event
- ✓ Applies a consistent tagging schema, adding only the keys the resource does not already have
- ✓ Tries both Az PowerShell and the REST API for resilience
✅ Talk Nerdy Tip
Don't wait for a tagging policy to be enforced—automate it before it becomes a post-mortem.