Azure Resource Tagging Strategy
Comprehensive tagging strategy for Epic on Azure deployments ensuring governance, compliance, and operational excellence.
Overview
Azure resource tagging provides the foundation for healthcare infrastructure governance, enabling precise cost allocation, compliance tracking, and operational management across Epic clinical systems.
Strategic Benefits
- Financial Accountability: Precise cost allocation to clinical departments and Epic environments
- Compliance Auditing: HIPAA and SOX audit trail validation through consistent tagging
- Operational Excellence: Automated resource lifecycle management and incident response
- Epic Environment Management: Clear identification of production vs. training systems
Tagging Classification
Tag Categories
| Category | Scope | Purpose | Governance Level |
|---|---|---|---|
| Standard Tags | All Resource Groups | Organizational governance and compliance | Mandatory |
| VM Level Tags | Virtual Machines and related resources | Operational management and Epic integration | Required for compute |
| Application Tags | Epic-specific resources | Clinical workflow and Epic certification | Epic environments only |
Standard Tags (Required on All Resource Groups)
Organizational Governance
| Tag Name | Description | Allowed Values | Example |
|---|---|---|---|
| aide-id | AIDE ID for service catalog | aide_0077877, aide_0085665, aide_0085666, aide_0088164. Validation: ^(aide_\d+\|uhgwm_[a-z]+)$ | aide_0085665 (Epic West) |
| itsm-assignment-group | ServiceNow assignment group | EPIC NATIONAL INSTANCE – SPT, USS_Virtual_Workspace | EPIC NATIONAL INSTANCE – SPT |
| Division | Optum Health division identifier | Optum Health | Optum Health |
| Product | Healthcare product classification | Epic EMR | Epic EMR |
| gl-code | General ledger financial tracking. Auto-resolved by workload × environment. | 44770-01530-USASS800-XXXXXX (80 codes, see resource-tags.md) | 44770-01530-USASS800-169950 (epic/dev) |
Environment and Classification
| Tag Name | Description | Allowed Values | Healthcare Impact |
|---|---|---|---|
| environment | Environment tier classification | dev, qa, int, stg, tst, prf, uat, dmo, prd | Clinical vs. training system identification |
| DataClassification | Data sensitivity classification (Azure Policy tag, distinct from the data-classification operational tag) | PHI, NONPHI | HIPAA compliance and access control |
| DR | Disaster recovery designation | Yes, No | Business continuity planning |
| service-tier | Service level classification | p1, p2, p3 | SLA and support escalation |
| platform-managed | Platform team management | true, false | Support responsibility |
| workspace | Workspace identifier for deployment | Lowercase alphanumeric with hyphens. Validation: ^[a-z0-9][a-z0-9-]*[a-z0-9]$ | Deployment source identification |
| workload | Workload type for GL code mapping | epic, citrix, connectivity, network, storage, monitoring, security, shared | Cost allocation and GL code resolution |
| region | Azure region for deployment | centralus, eastus, westus3, etc. | Geographic location tracking |
| data-classification | Data classification level (module-level operational tag) | public, internal, confidential, restricted | Operational data sensitivity classification |
| backup-required | Whether backup is required | true, false | Backup policy management |
| managed-by | Management tool used | terraform | Operational metadata |
VM Level Tags (Required for Virtual Machines)
Epic Application Identification
| Tag Name | Description | Allowed Values | Clinical Purpose |
|---|---|---|---|
| solution-name | High-level solution category | epic-app, epic-stamp, epic-cogito, epic-shared-infrastructure | Epic component grouping |
| epic-app | Specific Epic application | arr, bca, bcaweb, hyperspace, mychart, sts, welcomeweb, sharedinfra | Clinical workflow identification |
| epic-stamp | Epic environment designation | production, alternate-production, build, training, read-only, shared-infrastructure | Clinical vs. training separation |
| Component | Infrastructure component type | Epic ODB, Epic ECSA, Cogito, Citrix Netscaler | Technical role identification |
| ComponentVersion | Legacy tag: remove. Covered by tagging.tf | | |
Operational Management
| Tag Name | Description | Purpose | Example |
|---|---|---|---|
| tech-owner | Technical owner team | Epic integration accountability | [email protected] |
| account-owner | Business owner team | Clinical department accountability | [email protected] |
| PatchSchedule | Update management classification. Enforced by Azure Policy with 50+ allowed values. | Clinical impact-based maintenance | ALL_DO_NOT_PATCH, ZWW0D6H02, ZEPCDWS102AM |
| dr-tier | Disaster recovery tier | RTO/RPO classification | active, standby, restoration |
Deployment Tracking
| Tag Name | Description | Purpose | Example |
|---|---|---|---|
| workspace-id | Terraform workspace identifier | Deployment source tracking | ohemr-epic-pro-001 |
| working-directory | Repository working directory | Change management | westepicpro/cogitowestus3 |
| source-code-repo | Source code repository | Audit trail and change tracking | Link to GitHub repo |
| risk-record | Associated risk records | Compliance and risk management | Comma-separated risk IDs |
Healthcare-Specific Tagging Examples
Epic Production Environment
```hcl
# Epic Hyperspace Production VDA
tags = {
  # Standard organizational tags
  aide-id               = "aide_0085665"
  itsm-assignment-group = "EPIC NATIONAL INSTANCE – SPT"
  Division              = "Optum Health"
  Product               = "Epic EMR"
  environment           = "prd"
  gl-code               = "44770-01530-USASS800-169953"
  service-tier          = "p1"
  platform-managed      = "true"

  # Healthcare compliance
  DataClassification = "PHI"
  DR                 = "Yes"

  # Epic-specific identification
  solution-name    = "epic-app"
  epic-app         = "hyperspace"
  epic-stamp       = "production"
  Component        = "Epic VDA"
  ComponentVersion = "version-2024.1"

  # Operational management
  tech-owner    = "[email protected]"
  account-owner = "[email protected]"
  PatchSchedule = "Critical"
  dr-tier       = "active"

  # Deployment tracking
  workspace-id      = "ohemr-epic-pro-001"
  working-directory = "westepicpro/hyperspacewestus3"
  source-code-repo  = "https://github.com/optum-tech-compute/ohemr-epic-pro-001"
}
```
Epic Training Environment
```hcl
# Epic Training System
tags = {
  # Standard tags with training designation
  environment        = "tst"
  DataClassification = "NONPHI"
  DR                 = "No"
  service-tier       = "p2"

  # Epic training identification
  epic-app   = "hyperspace"
  epic-stamp = "training"
  Component  = "Epic Training VDA"

  # Training-specific management
  tech-owner    = "[email protected]"
  account-owner = "[email protected]"
  PatchSchedule = "Standard"
  dr-tier       = "restoration"
}
```
Citrix Infrastructure Supporting Epic
```hcl
# Citrix NetScaler for Epic Access
tags = {
  # Infrastructure support tags
  solution-name    = "epic-shared-infrastructure"
  Component        = "Citrix Netscaler"
  ComponentVersion = "13.1-48.47"

  # Epic dependency tracking
  epic-app   = "infrastructure"
  epic-stamp = "production"

  # High availability classification
  service-tier  = "p1"
  dr-tier       = "active"
  PatchSchedule = "Critical"
}
```
Implementation Guidelines
Terraform Tag Implementation
Global Tag Variables:
```hcl
# terraform/variables.tf
variable "global_tags" {
  description = "Global tags applied to all resources"
  type        = map(string)
  default = {
    aide-id               = "aide_0085665"
    itsm-assignment-group = "EPIC NATIONAL INSTANCE – SPT"
    Division              = "Optum Health"
    Product               = "Epic EMR"
    platform-managed      = "true"
    gl-code               = "44770-01530-USASS800-169950"
  }
}

variable "environment_tags" {
  description = "Environment-specific tags"
  type        = map(string)
}

variable "epic_tags" {
  description = "Epic application-specific tags"
  type        = map(string)
}
```
Resource Group Tagging:
```hcl
# Resource group with required standard tags.
# merge() applies maps left to right, so the inline literal overrides any
# key also present in var.global_tags or var.environment_tags.
resource "azurerm_resource_group" "epic_app" {
  name     = "rg-epic-app-prod-westus3"
  location = "West US 3"
  tags = merge(
    var.global_tags,
    var.environment_tags,
    {
      environment        = "prd"
      DataClassification = "PHI"
      DR                 = "Yes"
      service-tier       = "p1"
    }
  )
}
```
Azure Policy Enforcement
Tag Inheritance Policy (the modify effect requires details.roleDefinitionIds, which the policy assignment's managed identity uses to write the tags; Contributor is shown here and a narrower role such as Tag Contributor can be substituted):
```json
{
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Compute/virtualMachines"
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "operations": [
          {
            "operation": "addOrReplace",
            "field": "tags['environment']",
            "value": "[resourceGroup().tags['environment']]"
          },
          {
            "operation": "addOrReplace",
            "field": "tags['DataClassification']",
            "value": "[resourceGroup().tags['DataClassification']]"
          }
        ]
      }
    }
  }
}
```
Cost Management & Reporting
Epic Department Cost Allocation
| Department | Filter Tags | Cost Center | Epic Environment |
|---|---|---|---|
| Cardiology | epic-app=arr + AccountOwner=cardiology* | CC-CARDIOLOGY-001 | Production |
| Emergency | epic-app=hyperspace + AccountOwner=emergency* | CC-EMERGENCY-002 | Production + Training |
| Pharmacy | epic-app=sts + AccountOwner=pharmacy* | CC-PHARMACY-003 | Production |
| IT Training | epic-stamp=training | CC-TRAINING-004 | Training only |
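The filter rules from the table applied to per-resource cost lines, as an added example that is not part of the original page: a trailing `*` in a rule is a prefix match (as in AccountOwner=cardiology*), the first matching rule in table order wins, and a resource that matches no rule is charged to an UNALLOCATED bucket, which is exactly what a missing epic-app or AccountOwner tag produces. The cost lines are constructed sample data, not Cost Management output, and `allocate` and `matches` are names chosen here.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Department -> (cost center, tag predicates) transcribed from the table above.
# A trailing '*' in a predicate is a glob, as in AccountOwner=cardiology*.
RULES = {
    "Cardiology": ("CC-CARDIOLOGY-001", {"epic-app": "arr", "AccountOwner": "cardiology*"}),
    "Emergency": ("CC-EMERGENCY-002", {"epic-app": "hyperspace", "AccountOwner": "emergency*"}),
    "Pharmacy": ("CC-PHARMACY-003", {"epic-app": "sts", "AccountOwner": "pharmacy*"}),
    "IT Training": ("CC-TRAINING-004", {"epic-stamp": "training"}),
}


def matches(tags: dict, predicates: dict) -> bool:
    """Every predicate must hold; a tag that is absent never matches."""
    return all(fnmatchcase(tags.get(key, ""), pattern) for key, pattern in predicates.items())


def allocate(cost_lines: list) -> dict:
    """Sum cost per cost center. The first rule that matches, in table order, wins;
    lines that match no rule are charged to UNALLOCATED."""
    totals = defaultdict(float)
    for line in cost_lines:
        for cost_center, predicates in RULES.values():
            if matches(line["tags"], predicates):
                totals[cost_center] += line["cost"]
                break
        else:
            totals["UNALLOCATED"] += line["cost"]
    return dict(totals)


# Constructed per-resource cost lines (USD); tags are as found on the resources.
SAMPLE_COSTS = [
    {"cost": 120.0, "tags": {"epic-app": "hyperspace", "AccountOwner": "emergency-dept", "epic-stamp": "production"}},
    {"cost": 30.0, "tags": {"epic-app": "hyperspace", "AccountOwner": "it-training", "epic-stamp": "training"}},
    {"cost": 75.5, "tags": {"epic-app": "arr", "AccountOwner": "cardiology-west"}},
    {"cost": 18.0, "tags": {"epic-app": "sts"}},  # AccountOwner missing: cannot be charged to Pharmacy
    {"cost": 9.25, "tags": {}},                    # untagged resource
]

if __name__ == "__main__":
    for cost_center, total in sorted(allocate(SAMPLE_COSTS).items()):
        print(f"{cost_center:20} {total:8.2f}")
```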
Automated Cost Reporting
```powershell
# PowerShell script for Epic cost allocation
# Requires the Az module and an active Connect-AzAccount session.
$SubscriptionId = (Get-AzContext).Subscription.Id

# Cost Management Query API body; tag groupings use type "TagKey".
$CostQuery = @{
    type      = "Usage"
    timeframe = "MonthToDate"
    dataset   = @{
        granularity = "Daily"
        aggregation = @{
            totalCost = @{
                name     = "Cost"
                function = "Sum"
            }
        }
        grouping = @(
            @{ type = "TagKey"; name = "epic-app" },
            @{ type = "TagKey"; name = "environment" }
        )
    }
}

# Generate Epic cost allocation report.
# -Path takes an ARM-relative path and must carry the api-version query string.
$Response = Invoke-AzRestMethod -Method POST `
    -Path "/subscriptions/$SubscriptionId/providers/Microsoft.CostManagement/query?api-version=2023-03-01" `
    -Payload ($CostQuery | ConvertTo-Json -Depth 10)
if ($Response.StatusCode -ne 200) { throw "Cost query failed: $($Response.Content)" }

# properties.columns describes each position in properties.rows
$EpicCosts = ($Response.Content | ConvertFrom-Json).properties
$EpicCosts.rows | Format-Table
```
Compliance Validation
HIPAA Audit Support
PHI Data Classification Validation:
```bash
# Azure CLI query for PHI resource audit
az resource list \
  --tag DataClassification=PHI \
  --query "[].{Name:name, ResourceGroup:resourceGroup, Type:type, Location:location, Tags:tags}" \
  --output table
```
Epic Environment Verification:
```bash
# Verify Epic production resources are properly classified.
# --tag accepts a single key=value, so the PHI condition moves into the JMESPath
# filter. Resources with no DR tag at all are listed too: a missing DR is not 'Yes'.
az resource list \
  --tag epic-stamp=production \
  --query "[?tags.DataClassification == 'PHI' && tags.DR != 'Yes'].{Name:name, ResourceGroup:resourceGroup, DR:tags.DR}" \
  --output table
```
SOX Financial Controls
GL Code Compliance Check:
```powershell
# Verify all resources have required financial tags.
# Untagged resources return $null for Tags, so test for null before calling ContainsKey.
$Resources = Get-AzResource | Where-Object {
    $null -eq $_.Tags -or
    -not $_.Tags.ContainsKey("gl-code") -or
    -not $_.Tags.ContainsKey("account-owner")
}
if ($Resources) {
    Write-Warning "Resources missing required financial tags:"
    $Resources | Select-Object Name, ResourceGroupName, ResourceType | Format-Table
}
```
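The PHI, DR and financial-tag checks above combined into one offline audit, as an added example that is not part of the original page: it validates the JSON from `az resource list -o json` against the standard-tag rules (required tags, allowed values, the aide-id and workspace regexes, and the rule that a PHI resource must carry DR=Yes). The resource sample is constructed, and `check_resource` and `audit` are names chosen here.

```python
import json
import re

# Validation rules transcribed from the standard-tag tables above.
AIDE_ID_RE = re.compile(r"^(aide_\d+|uhgwm_[a-z]+)$")
WORKSPACE_RE = re.compile(r"^[a-z0-9][a-z0-9-]*[a-z0-9]$")
ALLOWED = {
    "environment": {"dev", "qa", "int", "stg", "tst", "prf", "uat", "dmo", "prd"},
    "DataClassification": {"PHI", "NONPHI"},
    "DR": {"Yes", "No"},
    "service-tier": {"p1", "p2", "p3"},
}
# Tags every resource must carry (gl-code and account-owner are the SOX financial controls).
REQUIRED = ["aide-id", "gl-code", "account-owner", "environment", "DataClassification", "DR"]


def check_resource(resource: dict) -> list:
    """Return the list of findings for one resource; an empty list means compliant."""
    tags = resource.get("tags") or {}  # untagged resources come back with tags: null
    findings = [f"missing tag {t}" for t in REQUIRED if t not in tags]
    for key, allowed in ALLOWED.items():
        if key in tags and tags[key] not in allowed:
            findings.append(f"{key}={tags[key]!r} not in {sorted(allowed)}")
    if "aide-id" in tags and not AIDE_ID_RE.match(tags["aide-id"]):
        findings.append("aide-id fails validation regex")
    if "workspace" in tags and not WORKSPACE_RE.match(tags["workspace"]):
        findings.append("workspace fails validation regex")
    # HIPAA rule from the troubleshooting guide: every PHI resource must be DR=Yes.
    if tags.get("DataClassification") == "PHI" and tags.get("DR") != "Yes":
        findings.append("PHI resource without DR=Yes")
    return findings


def audit(az_json: str) -> dict:
    """Map resource name -> findings for every non-compliant resource in az output."""
    return {r["name"]: f for r in json.loads(az_json) if (f := check_resource(r))}


# Constructed sample in the shape of `az resource list -o json` (names and owners invented).
SAMPLE = json.dumps([
    {"name": "vm-hyperspace-prd-01", "tags": {
        "aide-id": "aide_0085665", "gl-code": "44770-01530-USASS800-169953",
        "account-owner": "emergency@example.invalid", "environment": "prd",
        "DataClassification": "PHI", "DR": "Yes", "workspace": "ohemr-epic-pro-001"}},
    {"name": "vm-training-tst-01", "tags": {
        "aide-id": "aide_0085665", "gl-code": "44770-01530-USASS800-169950",
        "account-owner": "training@example.invalid", "environment": "tst",
        "DataClassification": "PHI", "DR": "No"}},
    {"name": "st-orphan", "tags": None},
])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: " + "; ".join(findings))
```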
Troubleshooting Guide
Common Tagging Issues

Problem: Resource deployment blocked due to missing required tags
Diagnosis: Azure Policy enforcement blocking non-compliant resources
Resolution:
- Review required tag list for resource type
- Update Terraform configuration with missing tags
- Ensure tag inheritance from resource group

Problem: Epic cost allocation reporting inaccurate
Diagnosis: Inconsistent or missing Epic-specific tags
Resolution:
- Audit all Epic resources for required tags (epic-app, epic-stamp)
- Update missing tags through Terraform or Azure CLI
- Re-run cost allocation reports

Problem: HIPAA audit findings related to resource classification
Diagnosis: Inconsistent DataClassification tagging
Resolution:
- Identify all resources handling PHI data
- Apply DataClassification=PHI tag
- Verify DR=Yes for all PHI resources
Related Documentation
- Epic Architecture Requirements: Epic-specific infrastructure standards
- Operations Procedures: Day-to-day operations and maintenance
- Security Guidelines: Security controls and compliance requirements
- Operations Runbooks: Standard operating procedures
Support & Contacts
Tagging Governance
| Domain | Contact | Responsibility |
|---|---|---|
| Epic Tags | [email protected] | Epic application and environment tags |
| Financial Tags | [email protected] | GL codes and cost allocation |
| Compliance Tags | [email protected] | HIPAA and SOX tag validation |
| Technical Tags | [email protected] | Operational and deployment tags |
Emergency Contacts
- Tag Policy Violation: [email protected]
- Epic Cost Allocation Issue: [email protected]
- Compliance Audit Support: [email protected]
Tagging Excellence: Comprehensive resource tagging enables precise governance, cost allocation, and compliance validation for Epic healthcare infrastructure.