Pipeline Caller Tag
Description:
Quick post here, but I wanted to find a way to add a tag in the Azure portal for all resources deployed by the pipeline caller, since in some instances the Terraform pipeline may use a Service Principal that is shared by all members of a team. This helps reduce confusion because the Activity Log in the portal will just show that the Service Principal created a resource on a specific date, but not who actually ran the pipeline to create the resources.
Update: This has been fixed in a new post, please view it here!
To Resolve:
- The proposed fix is to add the `Build.RequestedFor` and `Build.RequestedForEmail` automatic variables from Azure DevOps into the pipeline like so:
  - In your `build.yaml`, just add the following in your terraform plan:

    ```
    -var="requested_for=$(Build.RequestedFor)" \
    -var="requested_for_email=$(Build.RequestedForEmail)" \
    ```

  - Then in your `variables.tf`, add:

    ```hcl
    variable "requested_for" {
      description = "(Required) Azure Devops Automatic Variable used for tagging resources."
      type        = string
    }

    variable "requested_for_email" {
      description = "(Required) Azure Devops Automatic Variable used for tagging resources."
      type        = string
    }
    ```
- And then in your `main.tf`, add something like:

  ```hcl
  locals {
    tags = {
      Owner        = "Automation Admin"
      CostCenter   = "100"
      EntAppname   = "Automation Admin Terraform POC"
      Environment  = "tst"
      Contact      = "gerry@automationadmin.com"
      Latest_RunBy = "${var.requested_for} - ${var.requested_for_email}"
    }
  }
  ```
- As mentioned in the LastUpdate Tag post, this solution has the same major drawback:
  - Every time someone new runs the pipeline in Azure DevOps, it will overwrite all tags with their information instead of the previous user's information.
  - This means user A can go and run a pipeline to deploy resources and they will get the appropriate tag. Good.
  - But then user B goes and runs the same pipeline and the tag gets overwritten with their information, therefore wiping all evidence that user A initially created the resources.
- As mentioned in that post, it would probably be best to use other tools to determine who created a resource and just use this tag as a `not-set-in-stone` but `good-to-know` type informational tag.
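
An alternative way to hand the two values to Terraform, as an added example that is not from the original post: Azure DevOps also exposes `Build.RequestedFor` and `Build.RequestedForEmail` to scripts as the environment variables `BUILD_REQUESTEDFOR` and `BUILD_REQUESTEDFOREMAIL`, and Terraform reads `TF_VAR_<name>` environment variables as inputs, so a display name containing quotes or spaces is never pasted into the command line. The function names, the 120-character cap and the `unknown` fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): pass the pipeline caller to
# Terraform through TF_VAR_* environment variables instead of -var flags.

# Remove control characters (newlines included) and cap each part at 120
# characters so that "<name> - <email>" stays below Azure's 256-character
# tag value limit. GNU cut counts bytes, so a non-ASCII name may be
# shortened earlier.
clean_tag_part() {
  printf '%s' "$1" | tr -d '[:cntrl:]' | cut -c1-120
}

# Reads BUILD_REQUESTEDFOR / BUILD_REQUESTEDFOREMAIL, which Azure DevOps sets
# for Build.RequestedFor / Build.RequestedForEmail, and exports the matching
# Terraform inputs declared in variables.tf.
export_caller_vars() {
  TF_VAR_requested_for=$(clean_tag_part "${BUILD_REQUESTEDFOR:-}")
  TF_VAR_requested_for_email=$(clean_tag_part "${BUILD_REQUESTEDFOREMAIL:-}")
  # Assumption: fall back to a fixed marker when a value is missing, for
  # example when the script is run outside the pipeline.
  [ -n "$TF_VAR_requested_for" ] || TF_VAR_requested_for="unknown"
  [ -n "$TF_VAR_requested_for_email" ] || TF_VAR_requested_for_email="unknown"
  export TF_VAR_requested_for TF_VAR_requested_for_email
}

# In the pipeline's script step:
#   export_caller_vars
#   terraform plan        # no -var flags needed for these two inputs
```

The `locals` block in `main.tf` stays unchanged, because `var.requested_for` and `var.requested_for_email` are populated from the environment.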