Modifying Azure policy to add exclusion based on specific Resource Group name?

EnterpriseArchitect 6,041 Reputation points
2022-11-24T05:54:59.343+00:00

I need some help in modifying the Azure Policy definition to include the below lines:

{  
  "allOf": [  
    {  
      "field": "type",  
      "equals": "Microsoft.Resources/subscriptions/resourceGroups"  
    },  
    {  
      "field": "[concat('tags[', parameters('tagName'), ']')]",  
      "exists": "false"  
    },  
    {  
      "anyOf": [  
        {  
          "value": "[startsWith(field('name'), 'MC_')]",  
          "notEquals": "true"  
        }  
      ]  
    }  
  ]  
}  

This is my existing Azure policy definition with allOf:

  "policyRule": {  
    "if": {  
      "allOf": [  
        {  
          "field": "type",  
          "equals": "Microsoft.Network/virtualNetworks"  
        },  
        {  
          "field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",  
          "notContains": "11.22.33"  
        }  
      ]  
    },  
    "then": {  
      "effect": "deny"  
    }  
  }  

and another one with anyOf:

    "policyRule": {  
      "if": {  
        "anyOf": [  
          {  
            "not": {  
              "field": "[concat('tags[', parameters('tagnameteam'), ']')]",  
              "in": "[parameters('listofallowedtagvalues')]"  
            }  
          }  
        ]  
      },  
      "then": {  
        "effect": "Deny"  
      }  
    }  

How can I achieve it by modifying the existing Azure policy definition?

Thank you.


Accepted answer
Jesse Loudon 336 Reputation points
    2022-11-26T05:26:17.963+00:00

    I had a go at this but haven't tested.

    Note: removed the condition referencing "Microsoft.Resources/subscriptions/resourceGroups" because the existing definition already references "Microsoft.Network/virtualNetworks" and policy validation complains if you have conditions for more than one resource type specified in the same definition.

    Question: are tag values also required for the exclusion, not just the RG name?

    {  
        "mode": "All",  
        "parameters": {  
            "tagName": {  
                "type": "String",  
                "metadata": {  
                    "displayName": "Tag name",  
                    "description": "Name of the tag"  
                }  
            }  
        },  
        "policyRule": {  
            "if": {  
                "allOf": [  
                    {  
                        "field": "type",  
                        "equals": "Microsoft.Network/virtualNetworks"  
                    },  
                    {  
                        "field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",  
                        "notContains": "11.22.33"  
                    },  
                    {  
                        "allOf": [  
                            {  
                                "field": "[concat('tags[', parameters('tagName'), ']')]",  
                                "exists": "false"  
                            },  
                            {  
                                "value": "[startsWith(field('name'), 'MC_')]",  
                                "notEquals": "true"  
                            }  
                        ]  
                    }  
                ]  
            },  
            "then": {  
                "effect": "deny"  
            }  
        }  
    }  
    
    1 person found this answer helpful.
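To check what the combined rule from the accepted answer actually does to a given VNet before assigning it, here is an added example (not Azure's engine and not code from the thread): a deliberately small Python model of Azure Policy evaluation that understands only the operators used on this page, run against constructed sample VNets. The tag name `Owner` and the VNet samples are assumptions.

```python
import re
# Simplified model of Azure Policy evaluation (added example, not Azure's engine): only this page's
# operators, allOf/anyOf/not, equals, notEquals, exists, notContains on [*], startsWith(field('name')).
PARAMS = {"tagName": "Owner"}  # assumed value of the assignment's tagName parameter
# The accepted answer's combined rule: deny VNets outside 11.22.33 unless tagged or named MC_*.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Network/virtualNetworks"},
        {"field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]", "notContains": "11.22.33"},
        {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
        {"value": "[startsWith(field('name'), 'MC_')]", "notEquals": "true"},
    ]},
    "then": {"effect": "deny"},
}

def _resolve(cond, resource, params):
    # Actual value the condition compares against (only this page's field forms).
    if "value" in cond:  # the startsWith(field('name'), '<prefix>') expression
        prefix = re.search(r"startsWith\(field\('name'\), '([^']*)'\)", cond["value"]).group(1)
        return "true" if resource["name"].startswith(prefix) else "false"
    field = cond["field"]
    if field == "type":
        return resource["type"]
    tag = re.search(r"tags\[', parameters\('(\w+)'\)", field)
    if tag:  # tag named by the parameter; None models a tag that does not exist
        return resource.get("tags", {}).get(params[tag.group(1)])
    if field.endswith("[*]"):  # [*] alias yields every array element
        return resource["addressPrefixes"]
    raise ValueError(f"unsupported field: {field}")
def evaluate(cond, resource, params):
    # True when the resource matches the condition, so the 'then' effect applies.
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    actual = _resolve(cond, resource, params)
    if "equals" in cond:
        return actual == cond["equals"]
    if "notEquals" in cond:
        return actual != cond["notEquals"]
    if "exists" in cond:
        return (actual is not None) == (cond["exists"] == "true")
    if "notContains" in cond:  # negative [*] condition: true only if no element contains it
        return all(cond["notContains"] not in item for item in actual)
    raise ValueError(f"unsupported condition: {cond}")

def effect(resource, rule=POLICY_RULE, params=PARAMS):
    return rule["then"]["effect"] if evaluate(rule["if"], resource, params) else "allow"  # no match: no effect
```

A VNet named `MC_...` or carrying the tag is left alone even when its prefixes fall outside 11.22.33, which is the exclusion the question asks for; `allow` here just means the rule did not match.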
