Ensure Azure resources that support tags have Tags

Error: Azure resources that support tags do not have Tags

Bridgecrew Policy ID: BC_AZR_GENERAL_81
Checkov Check ID: -
Severity: LOW

Description

Many different types of Azure resources support tags. Tags let you add metadata to a resource to help identify ownership, perform cost and billing analysis, and enrich the resource with other valuable information, such as descriptions and environment names. While there are many ways that tags can be used, we recommend you follow a tagging practice.

View Microsoft's recommended tagging best practices here.

azurerm_analysis_services_server
azurerm_api_management
azurerm_api_management_named_value
azurerm_api_management_property
azurerm_app_configuration
azurerm_app_service
azurerm_app_service_certificate
azurerm_app_service_certificate_order
azurerm_app_service_environment
azurerm_app_service_managed_certificate
azurerm_app_service_plan
azurerm_app_service_slot
azurerm_application_gateway
azurerm_application_insights
azurerm_application_insights_web_test
azurerm_application_security_group
azurerm_attestation_provider
azurerm_automation_account
azurerm_automation_dsc_configuration
azurerm_automation_runbook
azurerm_availability_set
azurerm_backup_policy_vm
azurerm_backup_protected_vm
azurerm_bastion_host
azurerm_batch_account
azurerm_bot_channels_registration
azurerm_bot_connection
azurerm_bot_web_app
azurerm_cdn_endpoint
azurerm_cdn_profile
azurerm_cognitive_account
azurerm_communication_service
azurerm_container_group
azurerm_container_registry
azurerm_container_registry_webhook
azurerm_cosmosdb_account
azurerm_custom_provider
azurerm_dashboard
azurerm_data_factory
azurerm_data_lake_analytics_account
azurerm_data_lake_store
azurerm_data_share_account
azurerm_database_migration_project
azurerm_database_migration_service
azurerm_databox_edge_device
azurerm_databricks_workspace
azurerm_dedicated_hardware_security_module
azurerm_dedicated_host
azurerm_dedicated_host_group
azurerm_dev_test_global_vm_shutdown_schedule
azurerm_dev_test_lab
azurerm_dev_test_linux_virtual_machine
azurerm_dev_test_policy
azurerm_dev_test_schedule
azurerm_dev_test_virtual_network
azurerm_dev_test_windows_virtual_machine
azurerm_devspace_controller
azurerm_digital_twins_instance
azurerm_disk_access
azurerm_disk_encryption_set
azurerm_dns_a_record
azurerm_dns_aaaa_record
azurerm_dns_caa_record
azurerm_dns_cname_record
azurerm_dns_mx_record
azurerm_dns_ns_record
azurerm_dns_ptr_record
azurerm_dns_srv_record
azurerm_dns_txt_record
azurerm_dns_zone
azurerm_eventgrid_domain
azurerm_eventgrid_system_topic
azurerm_eventgrid_topic
azurerm_eventhub_cluster
azurerm_eventhub_namespace
azurerm_express_route_circuit
azurerm_express_route_gateway
azurerm_express_route_port
azurerm_firewall
azurerm_firewall_policy
azurerm_frontdoor
azurerm_frontdoor_firewall_policy
azurerm_function_app
azurerm_function_app_slot
azurerm_hdinsight_hadoop_cluster
azurerm_hdinsight_hbase_cluster
azurerm_hdinsight_interactive_query_cluster
azurerm_hdinsight_kafka_cluster
azurerm_hdinsight_ml_services_cluster
azurerm_hdinsight_rserver_cluster
azurerm_hdinsight_spark_cluster
azurerm_hdinsight_storm_cluster
azurerm_healthcare_service
azurerm_hpc_cache
azurerm_image
azurerm_integration_service_environment
azurerm_iot_security_solution
azurerm_iot_time_series_insights_gen2_environment
azurerm_iot_time_series_insights_reference_data_set
azurerm_iot_time_series_insights_standard_environment
azurerm_iotcentral_application
azurerm_iothub
azurerm_iothub_dps
azurerm_ip_group
azurerm_key_vault
azurerm_key_vault_certificate
azurerm_key_vault_key
azurerm_key_vault_secret
azurerm_kubernetes_cluster
azurerm_kubernetes_cluster_node_pool
azurerm_kusto_cluster
azurerm_lb
azurerm_linux_virtual_machine
azurerm_linux_virtual_machine_scale_set
azurerm_local_network_gateway
azurerm_log_analytics_cluster
azurerm_log_analytics_linked_service
azurerm_log_analytics_saved_search
azurerm_log_analytics_solution
azurerm_log_analytics_storage_insights
azurerm_log_analytics_workspace
azurerm_logic_app_integration_account
azurerm_logic_app_workflow
azurerm_machine_learning_workspace
azurerm_maintenance_configuration
azurerm_managed_application
azurerm_managed_application_definition
azurerm_managed_disk
azurerm_management_group_template_deployment
azurerm_maps_account
azurerm_mariadb_server
azurerm_media_live_event
azurerm_media_services_account
azurerm_media_streaming_endpoint
azurerm_monitor_action_group
azurerm_monitor_action_rule_action_group
azurerm_monitor_action_rule_suppression
azurerm_monitor_activity_log_alert
azurerm_monitor_autoscale_setting
azurerm_monitor_metric_alert
azurerm_monitor_scheduled_query_rules_alert
azurerm_monitor_scheduled_query_rules_log
azurerm_monitor_smart_detector_alert_rule
azurerm_mssql_database
azurerm_mssql_elasticpool
azurerm_mssql_server
azurerm_mssql_virtual_machine
azurerm_mysql_server
azurerm_nat_gateway
azurerm_netapp_account
azurerm_netapp_pool
azurerm_netapp_snapshot
azurerm_netapp_volume
azurerm_network_connection_monitor
azurerm_network_ddos_protection_plan
azurerm_network_interface
azurerm_network_profile
azurerm_network_security_group
azurerm_network_watcher
azurerm_notification_hub
azurerm_notification_hub_namespace
azurerm_orchestrated_virtual_machine_scale_set
azurerm_point_to_site_vpn_gateway
azurerm_postgresql_server
azurerm_powerbi_embedded
azurerm_private_dns_a_record
azurerm_private_dns_aaaa_record
azurerm_private_dns_cname_record
azurerm_private_dns_mx_record
azurerm_private_dns_ptr_record
azurerm_private_dns_srv_record
azurerm_private_dns_txt_record
azurerm_private_dns_zone
azurerm_private_dns_zone_virtual_network_link
azurerm_private_endpoint
azurerm_private_link_service
azurerm_proximity_placement_group
azurerm_public_ip
azurerm_public_ip_prefix
azurerm_purview_account
azurerm_recovery_services_vault
azurerm_redis_cache
azurerm_redis_enterprise_cluster
azurerm_relay_namespace
azurerm_resource_group
azurerm_resource_group_template_deployment
azurerm_route_filter
azurerm_route_table
azurerm_search_service
azurerm_security_center_automation
azurerm_service_fabric_cluster
azurerm_service_fabric_mesh_application
azurerm_service_fabric_mesh_local_network
azurerm_service_fabric_mesh_secret
azurerm_service_fabric_mesh_secret_value
azurerm_servicebus_namespace
azurerm_shared_image
azurerm_shared_image_gallery
azurerm_shared_image_version
azurerm_signalr_service
azurerm_snapshot
azurerm_spatial_anchors_account
azurerm_spring_cloud_service
azurerm_sql_database
azurerm_sql_elasticpool
azurerm_sql_failover_group
azurerm_sql_server
azurerm_ssh_public_key
azurerm_stack_hci_cluster
azurerm_storage_account
azurerm_storage_sync
azurerm_stream_analytics_job
azurerm_subnet_service_endpoint_storage_policy
azurerm_subscription
azurerm_subscription_template_deployment
azurerm_synapse_spark_pool
azurerm_synapse_sql_pool
azurerm_synapse_workspace
azurerm_tenant_template_deployment
azurerm_traffic_manager_profile
azurerm_user_assigned_identity
azurerm_virtual_desktop_application_group
azurerm_virtual_desktop_host_pool
azurerm_virtual_desktop_workspace
azurerm_virtual_hub
azurerm_virtual_hub_security_partner_provider
azurerm_virtual_machine
azurerm_virtual_machine_extension
azurerm_virtual_machine_scale_set
azurerm_virtual_network
azurerm_virtual_network_gateway
azurerm_virtual_network_gateway_connection
azurerm_virtual_wan
azurerm_vmware_private_cloud
azurerm_vpn_gateway
azurerm_vpn_server_configuration
azurerm_vpn_site
azurerm_web_application_firewall_policy
azurerm_windows_virtual_machine
azurerm_windows_virtual_machine_scale_set
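
One way to check for this condition before deployment is to scan the JSON form of a Terraform plan for listed resource types whose tags are missing or empty. This is an added example, not Bridgecrew's or Checkov's own code; the function names, the shortened TAGGABLE_TYPES set and the sample plan are assumptions constructed for illustration.

```python
import json
import sys

# Subset of the resource types listed above; extend it with the full list.
TAGGABLE_TYPES = {
    "azurerm_resource_group", "azurerm_managed_disk",
    "azurerm_storage_account", "azurerm_key_vault",
}

def iter_resources(module):
    """Yield every resource of a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def untagged_resources(plan, taggable=TAGGABLE_TYPES):
    """Return addresses of taggable managed resources with missing or empty tags."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("mode") != "managed" or res.get("type") not in taggable:
            continue
        tags = (res.get("values") or {}).get("tags")
        if not tags:  # None when the attribute is unset, {} when the map is empty
            findings.append(res["address"])
    return sorted(findings)

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "azurerm_resource_group.example", "mode": "managed",
         "type": "azurerm_resource_group", "values": {"name": "example-resources"}},
        {"address": "azurerm_managed_disk.example", "mode": "managed",
         "type": "azurerm_managed_disk", "values": {"tags": {"environment": "staging"}}},
        {"address": "azurerm_subnet.internal", "mode": "managed",
         "type": "azurerm_subnet", "values": {"name": "internal"}},
    ],
    "child_modules": [{"address": "module.storage", "resources": [
        {"address": "module.storage.azurerm_storage_account.logs", "mode": "managed",
         "type": "azurerm_storage_account", "values": {"tags": {}}},
    ]}],
}}}

if __name__ == "__main__":
    # Pass a plan JSON path to scan a real plan; otherwise the sample is used.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address in untagged_resources(plan):
        print(f"FAIL {address}: taggable resource has no tags")
```

Tag values that are only known after apply are omitted from the plan's planned values, so a resource whose whole tags map is computed is reported as untagged and needs a manual look.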

Fix - Buildtime

Terraform

The example below shows how to tag a managed disk in Terraform. The syntax is generally the same for any taggable resource type.

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_managed_disk" "example" {
  name                 = "acctestmd"
  location             = "West US 2"
  resource_group_name  = azurerm_resource_group.example.name
  storage_account_type = "Standard_LRS"
  create_option        = "Empty"
  disk_size_gb         = "1"

+  tags = {
+    environment = "staging"
  }
}
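
Review bot: azurerm_resource_group.example at the top of this snippet still has no tags block, and azurerm_resource_group is one of the resource types listed for this policy, so the example would continue to fail the check on that resource; add the same tags map there. The closing brace of the tags map on the managed disk is not marked with +, although it belongs to the added lines, so mark it as added to make the three lines apply as a unit. The single environment tag also leaves out the ownership and cost metadata the description calls for, so consider showing at least an owner or cost-center key alongside it.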