Share via

Azure Policy: Inheriting a Tag and Its Value from Subscription to Resource Groups

Bombbe 1,621 Reputation points
2024-01-05T12:37:51.27+00:00

Is it possible to create an Azure policy that can automatically inherit a tag and its value (no matter what the value are) from the subscription to the resource group? The tag is always the same, for instance, Application, but the value can change depending on different application name. I want to put this policy as high as possible in our management group so that it can automatically inherit the Application tag and its value to all the different subscriptions through a single policy (tag and value would always be on the subscription level). I don't want to specify something like "Inherit Application tag with Value Application1" because it would drive us to use many more policies. We have an application per subscription, and this solution would work for us.

Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
830 questions

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. SwathiDhanwada-MSFT 18,551 Reputation points
    2024-01-11T16:20:33.1766667+00:00

    @Bombbe Here is policy definition where the subscription tag value will be inherited to resource groups based on the tag name.

    {
	"properties": {
		"displayName": "Inherit a tag from the subscription to Resource Group",
		"policyType": "Custom",
		"mode": "All",
		"description": "Adds or replaces the specified tag and value from the containing subscription when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task.",
		"parameters": {
			"tagName": {
				"type": "String",
				"metadata": {
					"displayName": "Tag Name",
					"description": "Name of the tag, such as 'environment'"
				}
			}
		},
		"policyRule": {
			"if": {
				"allOf": [
					{
						"field": "[concat('tags[', parameters('tagName'), ']')]",
						"notEquals": "[subscription().tags[parameters('tagName')]]"
					},
					{
						"value": "[subscription().tags[parameters('tagName')]]",
						"notEquals": ""
					}
				]
			},
			"then": {
				"effect": "modify",
				"details": {
					"roleDefinitionIds": [
						"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
					],
					"operations": [
						{
							"operation": "addOrReplace",
							"field": "[concat('tags[', parameters('tagName'), ']')]",
							"value": "[subscription().tags[parameters('tagName')]]"
						}
					]
				}
			}
		}
	},
	"id": "/providers/Microsoft.Authorization/policyDefinitions/100c504b-a675-4441-8c44-96e485d14559",
	"type": "Microsoft.Authorization/policyDefinitions",
	"name": "100c504b-a675-4441-8c44-96e485d14559"
}
  2. DavidHannigan 0 Reputation points
    2024-07-17T14:20:00.4533333+00:00

    I believe I got mine working by the code above but also added in a "field": "type" for it to be the resource groups. Mode has to be set to "All" as it is a resource group, which has been done above. Not sure if this helps

    {
	"properties": {
	  "displayName": "Resource Groups Inherit Sub Tags",
	  "policyType": "Custom",
	  "mode": "All",
	  "metadata": {
		"version": "1.0.0",
		"category": "Tags"
	  },
	  "version": "1.0.0",
	  "parameters": {
		"tagName": {
		  "type": "String",
		  "metadata": {
			"displayName": "Tag Name",
			"description": "Name of the tag, such as 'environment'"
		  }
		}
	  },
	  "policyRule": {
		"if": {
		  "allOf": [
			{
			"field": "type",
			"equals": "Microsoft.Resources/subscriptions/resourceGroups"
			},
			{
			"field": "[concat('tags[', parameters('tagName'), ']')]",
			"notEquals": "[subscription().tags[parameters('tagName')]]"
			},
			{
			"value": "[subscription().tags[parameters('tagName')]]",
			"notEquals": ""
			}
		  ]
		},
		"then": {
		  "effect": "modify",
		  "details": {
			"roleDefinitionIds": [
			  "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
			],
			"operations": [
			  {
				"operation": "add",
				"field": "[concat('tags[', parameters('tagName'), ']')]",
				"value": "[subscription().tags[parameters('tagName')]]"
			  }
			]
		  }
		}
	  },
	  "versions": [
		"1.0.0"
	  ]
	},
    "id": "/providers/Microsoft.Authorization/policyDefinitions/RGs-Inherit-Sub-Tags",
    "type": "Microsoft.Authorization/policyDefinitions",
    "name": "RGs-Inherit-Sub-Tags"
}
  3. DavidHannigan 0 Reputation points
    2024-07-17T18:38:03.2666667+00:00

    We also had a requirement for resource groups to inherit certain tags from the subscription, so I created this.

    {
	"properties": {
	  "displayName": "RGs Inherit Sub Tags if Missing",
	  "policyType": "Custom",
	  "mode": "All",
	  "metadata": {
		"version": "1.0.0",
		"category": "Tags"
	  },
	  "version": "1.0.0",
	  "parameters": {
		"tagName": {
		  "type": "String",
		  "metadata": {
			"displayName": "Tag Name",
			"description": "Name of the tag, such as 'environment'"
		  }
		}
	  },
	  "policyRule": {
		"if": {
		  "allOf": [
			{
			"field": "type",
			"equals": "Microsoft.Resources/subscriptions/resourceGroups"
			},
			{
			"field": "[concat('tags[', parameters('tagName'), ']')]",
			"exists": "false"
			},
			{
			"value": "[subscription().tags[parameters('tagName')]]",
			"notEquals": ""
			}
		  ]
		},
		"then": {
		  "effect": "modify",
		  "details": {
			"roleDefinitionIds": [
			  "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
			],
			"operations": [
			  {
				"operation": "add",
				"field": "[concat('tags[', parameters('tagName'), ']')]",
				"value": "[subscription().tags[parameters('tagName')]]"
			  }
			]
		  }
		}
	  },
	  "versions": [
		"1.0.0"
	  ]
	},
    "id": "/providers/Microsoft.Authorization/policyDefinitions/RGs-Inherit-Sub-Tags-If-Missing",
    "type": "Microsoft.Authorization/policyDefinitions",
    "name": "RGs-Inherit-Sub-Tags-If-Missing"
}
    0 comments