
Metadata

Id: 23a4dc83-4959-4d99-8056-8e051a82bc1e

Cloud Provider: Azure

Platform: Ansible

Severity: Low

Category: Build Process

Description

Cosmos DB account resources must include tags to support asset identification, ownership, and automated security or incident response processes. Without tags, inventory, cost allocation, and security triage become more difficult.

For Ansible, any task that calls the azure_rm_cosmosdbaccount module, whether by its fully qualified name (azure.azcollection.azure_rm_cosmosdbaccount) or by its short name, must define the tags property as a mapping of key-value pairs. Tasks that omit the tags property, or leave it undefined (an empty value such as tags: is parsed as null), are flagged. Include keys such as Owner and Environment so that governance and automation can act on the account.
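
The check described above, as an added example rather than Datadog's own rule implementation: a small Python checker that walks the parsed task list of an Ansible play, descends into block/rescue/always, matches both the fully qualified and the short module name, and flags tags that are missing, null, empty, or not a mapping. The names check_play, check_task, REQUIRED_TAG_KEYS and the sample play are this example's own assumptions; the recommended-key check goes beyond the rule, which only requires that tags exist.

```python
"""Added example: flag azure_rm_cosmosdbaccount tasks without usable tags.

Operates on a play already parsed from YAML (what yaml.safe_load returns),
so the checker itself needs no third-party dependency. All names here are
this example's own, not part of the Datadog rule or azure.azcollection.
"""

# Module names the rule matches: fully qualified and short form.
COSMOSDB_MODULES = {
    "azure.azcollection.azure_rm_cosmosdbaccount",
    "azure_rm_cosmosdbaccount",
}

# Keys the description recommends. Enforcing them is this example's
# assumption; the rule itself only requires that tags be defined.
REQUIRED_TAG_KEYS = ("Owner", "Environment")

# Ansible keywords whose value is a nested task list.
NESTED_KEYS = ("block", "rescue", "always")


def iter_tasks(tasks, path="tasks"):
    """Yield (path, task) for each leaf task, descending into nested lists."""
    for i, task in enumerate(tasks or []):
        if not isinstance(task, dict):
            continue
        here = f"{path}[{i}]"
        nested = False
        for key in NESTED_KEYS:
            if isinstance(task.get(key), list):
                nested = True
                yield from iter_tasks(task[key], f"{here}.{key}")
        if not nested:
            yield here, task


def check_task(task):
    """Return a finding for a Cosmos DB account task, or None if compliant."""
    module = next((m for m in COSMOSDB_MODULES if m in task), None)
    if module is None:
        return None  # not a Cosmos DB account task; the rule does not apply
    args = task[module]
    if not isinstance(args, dict):
        return "module arguments are not a mapping"
    tags = args.get("tags")
    if tags is None:  # key absent, or present with an empty value (YAML null)
        return "tags property is missing or undefined"
    if not isinstance(tags, dict):
        return f"tags must be a mapping, got {type(tags).__name__}"
    if not tags:
        return "tags mapping is empty"
    missing = [k for k in REQUIRED_TAG_KEYS if k not in tags]
    if missing:
        return "missing recommended tag keys: " + ", ".join(missing)
    return None


def check_play(play):
    """Return [(task name, path, finding)] for every violation in one play."""
    findings = []
    for section in ("pre_tasks", "tasks", "post_tasks"):
        for path, task in iter_tasks(play.get(section), section):
            finding = check_task(task)
            if finding:
                findings.append((task.get("name", "<unnamed>"), path, finding))
    return findings


def check_playbook_file(path):
    """Load a playbook with PyYAML (assumed installed) and check every play."""
    import yaml  # imported lazily so the checker has no hard dependency
    with open(path, encoding="utf-8") as fh:
        plays = yaml.safe_load(fh) or []
    return [f for p in plays if isinstance(p, dict) for f in check_play(p)]


# Constructed sample: the parsed form of a play mixing compliant and
# non-compliant tasks, including the edge cases the rule has to handle.
SAMPLE_PLAY = {
    "hosts": "localhost",
    "tasks": [
        {"name": "compliant account",
         "azure.azcollection.azure_rm_cosmosdbaccount": {
             "name": "my-cosmosdb", "resource_group": "my-rg",
             "location": "eastus", "kind": "GlobalDocumentDB",
             "offer_type": "Standard",
             "tags": {"Owner": "team-abc", "Environment": "production"}}},
        {"name": "no tags",
         "azure_rm_cosmosdbaccount": {
             "name": "myDatabaseAccount", "resource_group": "myResourceGroup",
             "location": "westus", "database_account_offer_type": "Standard"}},
        {"name": "tags set to null",
         "azure_rm_cosmosdbaccount": {"name": "a", "resource_group": "rg", "tags": None}},
        {"name": "tags as a list",
         "azure_rm_cosmosdbaccount": {"name": "b", "resource_group": "rg", "tags": ["Owner"]}},
        {"block": [
            {"name": "nested, owner only",
             "azure.azcollection.azure_rm_cosmosdbaccount": {
                 "name": "c", "resource_group": "rg", "tags": {"Owner": "x"}}}]},
        {"name": "unrelated module",
         "azure.azcollection.azure_rm_resourcegroup": {"name": "rg", "location": "eastus"}},
    ],
}

if __name__ == "__main__":
    for name, path, finding in check_play(SAMPLE_PLAY):
        print(f"{path}: {name!r}: {finding}")
```

Run against a real playbook with check_playbook_file("site.yml"); a non-empty result is the same condition the rule reports, plus the recommended-key findings this example adds on top.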

Secure example:

- name: create cosmosdb account
  azure.azcollection.azure_rm_cosmosdbaccount:
    name: my-cosmosdb
    resource_group: my-rg
    location: eastus
    kind: GlobalDocumentDB
    offer_type: Standard
    tags:
      Owner: team-abc
      Environment: production
      Project: billing-service

Compliant Code Examples

- name: Create Cosmos DB Account - min
  azure_rm_cosmosdbaccount:
    resource_group: myResourceGroup
    name: myDatabaseAccount
    location: westus
    geo_rep_locations:
      - name: southcentralus
        failover_priority: 0
    database_account_offer_type: Standard
    tags:
      t1: t1
      t2: t2

Non-Compliant Code Examples

---
- name: Create Cosmos DB Account - min
  azure_rm_cosmosdbaccount:
    resource_group: myResourceGroup
    name: myDatabaseAccount
    location: westus
    geo_rep_locations:
      - name: southcentralus
        failover_priority: 0
    database_account_offer_type: Standard