Keeping Your Azure Environment Clean with Automation

As your organization grows and your Azure usage expands, it can become difficult to manage all the resources that you’ve deployed. Over time, you may accumulate unused or unnecessary resources, such as storage accounts, virtual machines, unattached IP addresses and disks, and more. Not only do these resources clutter your Azure environment and make it harder to find what you need, but they can also incur unnecessary costs if they’re not being used.

To help manage your Azure resources more effectively, you can use Azure Tags to label your resources with metadata, such as owners, projects, environments, but also with the expiration date.

I am often in situation when I am creating something in Azure for proof of concept, test, or as a temporary solution. In these cases I usually know how long that service should be running and when to delete it. Tag with expiration date is a solution to that problem.

In this article, we’ll go over how to use an Azure Automation account to automatically remove expired Resource Groups and resources.

Adding the ExpirationDate tag to Resource Groups

To start, we’ll need add an expiration date tag to Resource Groups in our Azure environment where we now that they are not permanent. This tag will indicate the date when the resource group should be deleted, if it’s no longer needed.

You can do this manually from Azure Portal, or using some of the scripted methods i described in this article: Cleaning up Azure Resource Tags

Using Azure Automation to Remove Expired Resource Groups and Resources

Once you’ve added an expiration date tag to your resource groups, you can use an Azure Automation account to automatically remove expired resource groups and resources. To do this, we’ll create a PowerShell script that queries Azure for resource groups with the expiration date tag, checks if the expiration date has passed or is approaching, and deletes the resource group if it’s expired.

Configuring the Automation Account Variables

Before you can run the PowerShell script in your Automation account, you’ll need to configure the variables used in the script. To do this, follow these steps:

1. Click on the “Variables” tab in the Automation account overview page.
2. Click the “Add a variable” button to add a new variable.
3. Enter a name for the variable (e.g., “EmailFrom”), and enter the value for the variable (e.g., your email address).
4. Repeat steps 2-3 for each variable used in the script below, such as “EmailTo”, “SmtpServer”, “DaysBeforeExpiration”, and so on

Configure Azure Automation

To get started, follow these steps:

1. Open the Azure portal and navigate to your Automation account.
2. Click on the “Runbooks” tab in the Automation account overview page.
3. Click the “Add a runbook” button to create a new runbook.
4. Choose “PowerShell” as the runbook type.
5. Enter a name and description for the runbook, and click “Create” to create the runbook.
6. Copy and paste the following PowerShell script into the runbook and click Save.

This script does the following:

• Gets variables from the Azure Automation account that are used in the script, such as the expiration date tag name, the email address to send notifications to, and the number of days before expiration to send notifications.
• Gets all resource groups in Azure that have the expiration date tag. Loops through each resource group and checks if it has the production environment tag. If it does, the script skips the resource group and moves to the next one.
• Gets the expiration date from the expiration date tag and calculates the number of days until the expiration date.
• If the expiration date is in the past, the script attempts to delete the resource group and sends an email notification indicating that the resource group has been deleted.
• If the expiration date is within the specified number of days, the script sends an email notification indicating that the resource group will expire soon.

Before running this in production

The provided script is given just as an example to give you an idea what is possible.

While automating the cleanup of unused resources can be a great way to optimize Azure costs, it’s important to be aware of the risks involved in running such a script. The primary risk is that the script may accidentally delete a resource that is still in use, which could result in data loss or downtime for your application. This risk is particularly high if you have not thoroughly tested the script and verified that it correctly identifies resources that can be safely deleted.

Given these risks, it may be prudent to consider an alternative approach to automating resource cleanup in Azure. One option is to create a notification-only script that sends email notifications to Azure administrators when resources are approaching their expiration date, but does not automatically delete them. This approach allows administrators to manually review and approve the deletion of each resource, which can reduce the risk of accidentally deleting a resource that is still in use.

Conclusion

In this article, we’ve discussed how to automatically remove unused Azure resources and resource groups by adding an expiration date tag and using Azure Automation and PowerShell to automate the cleanup process. I hope this gives you an idea of how Azure Automation can be useful for this type of jobs.

Check out my article about saving on Azure Costs: Azure Cost Optimization: 30 Ways to Save Money and Increase Efficiency

And also check out tag Automation on my blog for more ideas.

Vukasin