Azure Policy not enforcing the specified tags

Hill Alcantara 46 Reputation points
2022-10-10T04:31:47.603+00:00

I created a custom policy to add or replace multiple tags on resource groups. It is working for newly created resources. But when I update the tags manually on the newly created resources (after they were tagged), the policy does not see them as non-compliant. I ran an ad hoc compliance scan and got the same results.

{
  "properties": {
    "displayName": "Add or replace multiple tags on resource groups",
    "policyType": "Custom",
    "mode": "All",
    "description": "Adds or replaces the specified tag and value when any resource group is created or updated.",
    "metadata": {
      "category": "Tags"
    },
    "parameters": {
      "tagName1": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name 1",
          "description": "Name of the tag, such as 'environment'"
        }
      },
      "tagValue1": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value 1",
          "description": "Value of the tag, such as 'production'"
        }
      },
      "tagName2": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name 2",
          "description": "Name of the tag, such as 'environment'"
        }
      },
      "tagValue2": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value 2",
          "description": "Value of the tag, such as 'production'"
        }
      },
      "tagName3": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name 3",
          "description": "Name of the tag, such as 'environment'"
        }
      },
      "tagValue3": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value 3",
          "description": "Value of the tag, such as 'production'"
        }
      },
      "tagName4": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name 4",
          "description": "Name of the tag, such as 'environment'"
        }
      },
      "tagValue4": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value 4",
          "description": "Value of the tag, such as 'production'"
        }
      },
      "tagName5": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name 5",
          "description": "Name of the tag, such as 'environment'"
        }
      },
      "tagValue5": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value 5",
          "description": "Value of the tag, such as 'production'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "[concat('tags[', parameters('tagName1'), ']')]",
            "notEquals": "[parameters('tagValue1')]"
          },
          {
            "field": "[concat('tags[', parameters('tagName2'), ']')]",
            "notEquals": "[parameters('tagValue2')]"
          },
          {
            "field": "[concat('tags[', parameters('tagName3'), ']')]",
            "notEquals": "[parameters('tagValue3')]"
          },
          {
            "field": "[concat('tags[', parameters('tagName4'), ']')]",
            "notEquals": "[parameters('tagValue4')]"
          },
          {
            "field": "[concat('tags[', parameters('tagName5'), ']')]",
            "notEquals": "[parameters('tagValue5')]"
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "[concat('tags[', parameters('tagName1'), ']')]",
              "value": "[parameters('tagValue1')]"
            },
            {
              "operation": "addOrReplace",
              "field": "[concat('tags[', parameters('tagName2'), ']')]",
              "value": "[parameters('tagValue2')]"
            },
            {
              "operation": "addOrReplace",
              "field": "[concat('tags[', parameters('tagName3'), ']')]",
              "value": "[parameters('tagValue3')]"
            },
            {
              "operation": "addOrReplace",
              "field": "[concat('tags[', parameters('tagName4'), ']')]",
              "value": "[parameters('tagValue4')]"
            },
            {
              "operation": "addOrReplace",
              "field": "[concat('tags[', parameters('tagName5'), ']')]",
              "value": "[parameters('tagValue5')]"
            }
          ]
        }
      }
    }
  }
}

Azure Policy

Accepted answer
Stanislav Zhelyazkov 28,596 Reputation points MVP Volunteer Moderator
2022-10-10T11:44:28.06+00:00

Hi,
I guess it depends on how you test in order to determine that it is not working. This policy will work only if all of the defined tags do not have the defined tag values. Keep in mind that this policy will also not care if you do not have the tag defined at all.

My suggestion is to create one policy definition and make 5 policy assignments of that definition with different inputs: one policy assignment for each tag and value pair.

Example policy rule

"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "[concat('tags[', parameters('tagName'), ']')]",
                "exists": "false"
              },
              {
                "value": "[resourceGroup().tags[parameters('tagName')]]",
                "notEquals": "[parameters('tagValue')]"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "[concat('tags[', parameters('tagName'), ']')]",
                "exists": "true"
              },
              {
                "value": "[resourceGroup().tags[parameters('tagName')]]",
                "notEquals": "[parameters('tagValue')]"
              }
            ]
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [
        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
      ],
      "operations": [
        {
          "operation": "addOrReplace",
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "value": "[parameters('tagValue')]"
        }
      ]
    }
  }
}


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

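To see concretely why the question's rule ignores a single hand-edited tag while the accepted answer's one-pair-per-assignment approach catches it, here is an added example of my own (not code from the question, the answer, or Azure Policy). It is a small Python evaluator for only the rule-language subset both definitions use (allOf/anyOf, the type field, tags[...] fields, equals/notEquals/exists, and Modify addOrReplace), run against constructed resource groups. The tag names and values, the sample resource groups, and the simplification of the answer's rule to a single notEquals check are mine; so is the assumption that an absent tag satisfies notEquals, which the page does not settle and which the accepted answer's rule sidesteps by checking exists explicitly.

```python
"""Evaluate the page's two tag-remediation rules against sample resource groups.
Added example covering only the Azure Policy rule-language subset the page uses
(allOf / anyOf, `type`, `tags[...]`, equals / notEquals / exists, Modify addOrReplace).
ASSUMPTION: an absent tag satisfies `notEquals`; the page does not settle this point."""
import re
from typing import Any, Dict

TAG_FIELD = re.compile(r"^\[concat\('tags\[', parameters\('(\w+)'\), '\]'\)\]$")
PARAM = re.compile(r"^\[parameters\('(\w+)'\)\]$")
TAG_KEY = re.compile(r"^tags\[(.+)\]$")
RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
MISSING = object()  # sentinel: the tag is not present on the resource


def resolve(expr: Any, params: Dict[str, str]) -> Any:
    """Resolve the two ARM expression shapes the page's rules use; pass anything else through."""
    if isinstance(expr, str):
        m = TAG_FIELD.match(expr)
        if m:
            return f"tags[{params[m.group(1)]}]"
        m = PARAM.match(expr)
        if m:
            return params[m.group(1)]
    return expr


def field_value(field: str, rg: Dict[str, Any]) -> Any:
    if field == "type":
        return rg["type"]
    m = TAG_KEY.match(field)
    if m:
        return rg.get("tags", {}).get(m.group(1), MISSING)
    raise ValueError(f"unsupported field: {field}")


def matches(cond: Dict[str, Any], rg: Dict[str, Any], params: Dict[str, str]) -> bool:
    """True when the `if` block selects the resource, i.e. the effect would fire."""
    if "allOf" in cond:
        return all(matches(c, rg, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, rg, params) for c in cond["anyOf"])
    actual = field_value(resolve(cond["field"], params), rg)
    if "exists" in cond:
        return (actual is not MISSING) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return actual is not MISSING and actual == resolve(cond["equals"], params)
    if "notEquals" in cond:
        # ASSUMPTION: an absent tag counts as "not equal" to the wanted value.
        return actual is MISSING or actual != resolve(cond["notEquals"], params)
    raise ValueError(f"unsupported condition: {cond}")


def remediate(rule: Dict[str, Any], rg: Dict[str, Any], params: Dict[str, str]) -> Dict[str, str]:
    """Tags after Modify/addOrReplace; unchanged when the rule's `if` does not match."""
    tags = dict(rg.get("tags", {}))
    if matches(rule["if"], rg, params):
        for op in rule["then"]["details"]["operations"]:
            key = TAG_KEY.match(resolve(op["field"], params)).group(1)
            tags[key] = resolve(op["value"], params)
    return tags


def tag_cond(suffix: str) -> Dict[str, str]:
    return {"field": f"[concat('tags[', parameters('tagName{suffix}'), ']')]",
            "notEquals": f"[parameters('tagValue{suffix}')]"}


def tag_op(suffix: str) -> Dict[str, str]:
    return {"operation": "addOrReplace",
            "field": f"[concat('tags[', parameters('tagName{suffix}'), ']')]",
            "value": f"[parameters('tagValue{suffix}')]"}


TYPE_COND = {"field": "type", "equals": RG_TYPE}
# The question's rule: allOf over five notEquals checks, one Modify with five operations.
ASKER_RULE = {"if": {"allOf": [TYPE_COND] + [tag_cond(str(i)) for i in range(1, 6)]},
              "then": {"effect": "modify",
                       "details": {"operations": [tag_op(str(i)) for i in range(1, 6)]}}}
# The answer's approach reduced to its core: one tag/value pair per definition, assigned five times.
PER_TAG_RULE = {"if": {"allOf": [TYPE_COND, tag_cond("")]},
                "then": {"effect": "modify", "details": {"operations": [tag_op("")]}}}

# Constructed sample data: five wanted tags, a fresh RG, and an RG where someone edited one tag.
WANTED = {"environment": "production", "owner": "platform", "costcenter": "1234",
          "dataclass": "internal", "backup": "daily"}
ASKER_PARAMS = {f"tagName{i}": k for i, k in enumerate(WANTED, 1)}
ASKER_PARAMS.update({f"tagValue{i}": v for i, v in enumerate(WANTED.values(), 1)})
FRESH_RG = {"type": RG_TYPE, "tags": {}}
DRIFTED_RG = {"type": RG_TYPE, "tags": {**WANTED, "costcenter": "9999"}}


def apply_asker(rg: Dict[str, Any]) -> Dict[str, str]:
    """One assignment of the question's five-tag definition."""
    return remediate(ASKER_RULE, rg, ASKER_PARAMS)


def apply_per_tag(rg: Dict[str, Any]) -> Dict[str, str]:
    """Five assignments of the single-tag definition, one per wanted tag/value pair."""
    tags = dict(rg.get("tags", {}))
    for name, value in WANTED.items():
        tags = remediate(PER_TAG_RULE, {**rg, "tags": tags}, {"tagName": name, "tagValue": value})
    return tags


if __name__ == "__main__":
    print("fresh RG, asker rule  :", apply_asker(FRESH_RG))      # all five tags added
    print("drifted RG, asker rule:", apply_asker(DRIFTED_RG))    # costcenter stays 9999
    print("drifted RG, per-tag   :", apply_per_tag(DRIFTED_RG))  # costcenter restored to 1234
```

On the fresh resource group every one of the five notEquals conditions is true, so the question's allOf matches and all tags are added, which is the "works for new resources" behaviour the question describes. On the drifted resource group only the costcenter condition is true, the allOf fails, and the Modify never fires; the same resource evaluated by five single-pair assignments has exactly one of them fire and restore the tag.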
