Governance Policies Cost Resource Lifecycle - Azure/az-prototype GitHub Wiki
# Governance policies for Resource Lifecycle
Domain: cost
| Name | Description |
|---|---|
| Cost-optimized resource lifecycle | Combine auto-shutdown, lifecycle policies, retention limits, mandatory tags, and budget alerts for comprehensive cost governance |
| Description | Instead |
|---|---|
| Do not deploy resources without cost tracking tags | Apply Environment, CostCenter, Owner, and Project tags to every resource |
| Do not set unlimited log retention for dev/POC | Use 30 days for dev/POC; use 90 days with archive tier for production |
| Do not forget to configure budget alerts | Create a monthly budget with 50%, 80%, 100% actual and 120% forecasted thresholds |
| Do not leave dev VMs running 24/7 | Configure auto-shutdown at 7 PM with 30-minute notification |
References:
- Azure Cost Management best practices
- Storage lifecycle management
- Log Analytics pricing
- Azure budgets
- Azure tagging strategy
| Check | Severity | Description |
|---|---|---|
| WAF-COST-LIFE-001 | Required | Configure auto-shutdown schedules for dev/POC VMs — shut down at 7 PM, no auto-start |
| WAF-COST-LIFE-002 | Required | Configure storage lifecycle management policies — move to Cool after 30 days, Archive after 90 days, delete after 365 days |
| WAF-COST-LIFE-003 | Required | Set appropriate Log Analytics retention — 30 days for dev/POC, 90 days for production, with archive tier for compliance |
| WAF-COST-LIFE-004 | Required | Configure appropriate soft-delete retention periods — shorter for dev/POC, longer for production |
| WAF-COST-LIFE-005 | Required | Apply mandatory cost tracking tags to all resources — Environment, CostCenter, Owner, Project |
| WAF-COST-LIFE-006 | Required | Configure Azure budget alerts with action groups — monthly budget with 50%, 80%, 100%, and 120% thresholds |
### WAF-COST-LIFE-001: Configure auto-shutdown schedules for dev/POC VMs — shut down at 7 PM, no auto-start
Severity: Required
Rationale: Dev VMs running 24/7 cost 3x more than VMs with 10-hour daily usage; auto-shutdown eliminates forgotten instances
Agents: terraform-agent, bicep-agent, cloud-architect, cost-analyst
Resource types:
- Microsoft.Compute/virtualMachines
- Microsoft.DevTestLab/schedules
- Microsoft.OperationalInsights/workspaces
- Microsoft.KeyVault/vaults
- Microsoft.RecoveryServices/vaults
- Microsoft.Resources/resourceGroups
### WAF-COST-LIFE-002: Configure storage lifecycle management policies — move to Cool after 30 days, Archive after 90 days, delete after 365 days
Severity: Required
Rationale: Storage lifecycle policies automatically tier data by age; Cool tier is 50% cheaper than Hot, Archive is 90% cheaper
Agents: terraform-agent, bicep-agent, cloud-architect, cost-analyst
Resource types:
- Microsoft.Compute/virtualMachines
- Microsoft.Storage/storageAccounts
- Microsoft.OperationalInsights/workspaces
- Microsoft.KeyVault/vaults
- Microsoft.RecoveryServices/vaults
- Microsoft.Resources/resourceGroups
### WAF-COST-LIFE-003: Set appropriate Log Analytics retention — 30 days for dev/POC, 90 days for production, with archive tier for compliance
Severity: Required
Rationale: Log Analytics charges per GB ingested and per day retained beyond 31 days; reducing retention from 90 to 30 days saves ~65%
Agents: terraform-agent, bicep-agent, cloud-architect, cost-analyst, monitoring-agent
Resource types:
- Microsoft.Compute/virtualMachines
- Microsoft.OperationalInsights/workspaces
- Microsoft.KeyVault/vaults
- Microsoft.RecoveryServices/vaults
- Microsoft.Resources/resourceGroups
### WAF-COST-LIFE-004: Configure appropriate soft-delete retention periods — shorter for dev/POC, longer for production
Severity: Required
Rationale: Soft-delete protects against accidental deletion but costs storage; longer retention in dev wastes budget
Agents: terraform-agent, bicep-agent, cloud-architect, cost-analyst
Resource types:
- Microsoft.Compute/virtualMachines
- Microsoft.KeyVault/vaults
- Microsoft.OperationalInsights/workspaces
- Microsoft.RecoveryServices/vaults
- Microsoft.Resources/resourceGroups
### WAF-COST-LIFE-005: Apply mandatory cost tracking tags to all resources — Environment, CostCenter, Owner, Project
Severity: Required
Rationale: Tags enable cost allocation, showback/chargeback, and automated cleanup of orphaned resources
Agents: terraform-agent, bicep-agent, cloud-architect, cost-analyst, project-manager
Resource types:
- Microsoft.Compute/virtualMachines
- Microsoft.Resources/resourceGroups
- Microsoft.Web/serverfarms
- Microsoft.OperationalInsights/workspaces
- Microsoft.KeyVault/vaults
- Microsoft.RecoveryServices/vaults
### WAF-COST-LIFE-006: Configure Azure budget alerts with action groups — monthly budget with 50%, 80%, 100%, and 120% thresholds
Severity: Required
Rationale: Budget alerts provide early warning before costs exceed expectations; without them, overspend is only discovered on invoices
Agents: terraform-agent, bicep-agent, cloud-architect, cost-analyst
Resource types:
- Microsoft.Compute/virtualMachines
- Microsoft.Consumption/budgets
- Microsoft.Insights/actionGroups
- Microsoft.OperationalInsights/workspaces
- Microsoft.KeyVault/vaults
- Microsoft.RecoveryServices/vaults
- Microsoft.Resources/resourceGroups
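One way to mechanise checks 002, 003, 005 and 006 as an added example (this is not the az-prototype project's own code): a small Python linter over ARM-style resource definitions, using the property names from the ARM JSON schema; the sample workspace at the bottom is constructed for illustration.

```python
# Added example (not from the az-prototype wiki): applies checks 002, 003, 005 and
# 006 to ARM-style resource dicts of the shape `az resource show` returns.
REQUIRED_TAGS = ("Environment", "CostCenter", "Owner", "Project")
MAX_RETENTION = {"dev": 30, "poc": 30, "prod": 90}                # WAF-COST-LIFE-003
THRESHOLDS = {("Actual", 50), ("Actual", 80), ("Actual", 100), ("Forecasted", 120)}
TIERING = {"tierToCool": 30, "tierToArchive": 90, "delete": 365}  # WAF-COST-LIFE-002

def lint(resource: dict) -> list:
    """Return finding strings for one resource; an empty list means compliant."""
    findings = []
    rtype = resource["type"].lower()
    tags = resource.get("tags") or {}
    props = resource.get("properties") or {}

    # WAF-COST-LIFE-005: top-level resources carry the four cost-tracking tags
    # (child resources such as managementPolicies cannot be tagged, so skip them)
    missing = [t for t in REQUIRED_TAGS if not tags.get(t)]
    if rtype.count("/") == 1 and missing:
        findings.append("WAF-COST-LIFE-005 missing tags: " + ", ".join(missing))

    # WAF-COST-LIFE-003: the retention ceiling follows the Environment tag
    if rtype == "microsoft.operationalinsights/workspaces":
        limit = MAX_RETENTION.get(str(tags.get("Environment", "")).lower())
        days = props.get("retentionInDays", 0)
        if limit is not None and days > limit:
            findings.append(f"WAF-COST-LIFE-003 retention {days}d exceeds {limit}d")

    # WAF-COST-LIFE-006: all four thresholds enabled and wired to an action group
    if rtype == "microsoft.consumption/budgets":
        seen = {(n.get("thresholdType", "Actual"), int(n["threshold"]))
                for n in props.get("notifications", {}).values()
                if n.get("enabled") and n.get("contactGroups")}
        for kind, pct in sorted(THRESHOLDS - seen):
            findings.append(f"WAF-COST-LIFE-006 no {kind} alert at {pct}%")

    # WAF-COST-LIFE-002: every lifecycle rule tiers blobs on the 30/90/365 schedule
    if rtype == "microsoft.storage/storageaccounts/managementpolicies":
        for rule in props.get("policy", {}).get("rules", []):
            base = rule.get("definition", {}).get("actions", {}).get("baseBlob", {})
            for action, want in TIERING.items():
                got = base.get(action, {}).get("daysAfterModificationGreaterThan")
                if got != want:
                    findings.append(f"WAF-COST-LIFE-002 {action} at {got}d, expected {want}d")
    return findings

# Constructed sample: a dev workspace with production-sized retention and no Owner tag
SAMPLE_WORKSPACE = {"type": "Microsoft.OperationalInsights/workspaces",
                    "tags": {"Environment": "dev", "CostCenter": "CC100", "Project": "proto"},
                    "properties": {"retentionInDays": 90}}
```

Run `lint()` over the output of `az resource list` (or a Terraform plan rendered to ARM) in CI so that a dev workspace with 90-day retention or a budget whose 120% forecast alert has no action group fails the pipeline rather than surfacing on the invoice.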
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Insights/actionGroups | ag-ops | Action group for budget alert notifications — required for budget alerts to trigger email/webhook notifications |