If the result of a template function is an error, policy evaluation fails. A failed evaluation
is an implicit deny. For more information, see
avoiding template failures.
Sample policy definition
This policy definition adds or replaces the tag specified in the parameter tagName (string) on
resources and inherits the value for tagName from the resource group the resource is in. This
evaluation happens when the resource is created or updated. As a
modify effect, the remediation may be run on existing resources
through a remediation task.
JSON
{
  "properties": {
    "displayName": "Inherit a tag from the resource group",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task.",
    "metadata": {
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notEquals": "[resourceGroup().tags[parameters('tagName')]]"
          },
          {
            "value": "[resourceGroup().tags[parameters('tagName')]]",
            "notEquals": ""
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[resourceGroup().tags[parameters('tagName')]]"
            }
          ]
        }
      }
    }
  }
}
The value operator is used within the policyRule.if block within properties. In this
example, the logical operator allOf is used to state that both conditional statements must be
true for the effect, modify, to take place.
The value operator compares the result of the template function resourceGroup() (the
resource group's value for the tag) against the condition notEquals with a blank value. If the
tag named in tagName exists on the parent resource group, the conditional evaluates to true.
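The following added example (not code from the page or from Azure Policy itself) models offline how the sample rule above is evaluated: the allOf over the field and value conditions, the two template expressions the sample uses, the addOrReplace operation of the modify effect, and the implicit deny described at the top of this section when a template function fails. The evaluator, the names evaluate and resolve, the sample resource group and the assignment parameter value are all constructed for this example; it also assumes, as the explanation above implies, that a tag missing from the resource group resolves to a blank value, and it recognises only the two expression shapes that appear in the sample.

```python
"""Offline model of the sample 'Inherit a tag from the resource group' rule: allOf over
field/value conditions, the sample's two template expressions, the modify effect and the
implicit deny on template failure. A simplification assumed by this example, not the service."""
import json
import re

# The policyRule block copied from the page's sample definition.
POLICY_RULE = json.loads(r'''{
  "if": {"allOf": [
    {"field": "[concat('tags[', parameters('tagName'), ']')]",
     "notEquals": "[resourceGroup().tags[parameters('tagName')]]"},
    {"value": "[resourceGroup().tags[parameters('tagName')]]", "notEquals": ""}]},
  "then": {"effect": "modify", "details": {"operations": [
    {"operation": "addOrReplace",
     "field": "[concat('tags[', parameters('tagName'), ']')]",
     "value": "[resourceGroup().tags[parameters('tagName')]]"}]}}
}''')

# Only the two expression shapes used by the sample are recognised (assumption of this example).
CONCAT_TAG_FIELD = re.compile(r"^concat\('tags\[', parameters\('(\w+)'\), '\]'\)$")
RG_TAG_VALUE = re.compile(r"^resourceGroup\(\)\.tags\[parameters\('(\w+)'\)\]$")


class TemplateFailure(Exception):
    """A template function could not be evaluated."""


def parameter(name, parameters):
    if name not in parameters:
        raise TemplateFailure(f"parameter '{name}' has no value")
    return parameters[name]


def resolve(expr, parameters, resource_group):
    """Evaluate a '[...]' template expression; plain strings pass through unchanged."""
    if not (isinstance(expr, str) and expr.startswith("[") and expr.endswith("]")):
        return expr
    inner = expr[1:-1]
    m = CONCAT_TAG_FIELD.match(inner)
    if m:
        return f"tags[{parameter(m.group(1), parameters)}]"
    m = RG_TAG_VALUE.match(inner)
    if m:
        if resource_group is None:
            raise TemplateFailure("resourceGroup() is not available here")
        # A tag absent from the resource group resolves to a blank value, which is
        # exactly what the sample's second condition (notEquals "") screens out.
        return resource_group.get("tags", {}).get(parameter(m.group(1), parameters), "")
    raise TemplateFailure(f"unsupported expression: {expr}")


def tag_name(field):
    """Extract <name> from the tags[<name>] field alias; other aliases are not modelled."""
    m = re.match(r"^tags\[(.+)\]$", field)
    if not m:
        raise TemplateFailure(f"unsupported field alias: {field}")
    return m.group(1)


def condition_holds(cond, resource, parameters, resource_group):
    if "field" in cond:  # left operand read from the resource being evaluated
        left = resource.get("tags", {}).get(
            tag_name(resolve(cond["field"], parameters, resource_group)), "")
    else:  # value: left operand is the evaluated expression itself
        left = resolve(cond["value"], parameters, resource_group)
    if "notEquals" in cond:
        return left != resolve(cond["notEquals"], parameters, resource_group)
    if "equals" in cond:
        return left == resolve(cond["equals"], parameters, resource_group)
    raise TemplateFailure(f"unsupported condition: {sorted(cond)}")


def rule_matches(block, resource, parameters, resource_group):
    if "allOf" in block:
        return all(rule_matches(c, resource, parameters, resource_group) for c in block["allOf"])
    if "anyOf" in block:
        return any(rule_matches(c, resource, parameters, resource_group) for c in block["anyOf"])
    return condition_holds(block, resource, parameters, resource_group)


def evaluate(resource, resource_group, parameters, rule=POLICY_RULE):
    """Return (outcome, tags): ('modify', tags after the operations) when the rule fires,
    ('none', unchanged tags) when it does not, ('deny', None) on a template failure."""
    try:
        if not rule_matches(rule["if"], resource, parameters, resource_group):
            return "none", dict(resource.get("tags", {}))
        tags = dict(resource.get("tags", {}))
        for op in rule["then"]["details"]["operations"]:
            name = tag_name(resolve(op["field"], parameters, resource_group))
            if op["operation"] == "addOrReplace":
                tags[name] = resolve(op["value"], parameters, resource_group)
            elif op["operation"] == "remove":
                tags.pop(name, None)
            else:
                raise ValueError(f"operation not modelled: {op['operation']}")
        return rule["then"]["effect"], tags
    except TemplateFailure:
        return "deny", None  # a failed evaluation is an implicit deny


# Constructed sample inputs: the assignment's tagName value and a tagged resource group.
PARAMETERS = {"tagName": "environment"}
RESOURCE_GROUP = {"name": "rg-app", "tags": {"environment": "prod"}}
```

Calling evaluate({"tags": {"environment": "dev"}}, RESOURCE_GROUP, PARAMETERS) returns ("modify", {"environment": "prod"}), a resource whose tag already matches the resource group returns "none", a resource under an untagged resource group also returns "none" because the second condition fails, and passing None for the resource group or an empty parameter set returns ("deny", None), which is the implicit-deny path.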