how to write custom policy for require tags for resourcegroups with valid tag value list for multiple tags using terraform

Saikrishna Pusala 20 Reputation points
2023-01-27T15:52:08.89+00:00

I want to have 2 tags, for example; we can increase the tags later.

Environment = [DEV,STG,PRD]

AskID = [123,ABC,234]

I want this policy to be applied for multiple subscriptions.

And similarly, can we have the same type of policy to require tags with a valid value set for multiple resources in resource groups?

Also, the tag values should be case-sensitive. Can we get help on this?

Azure Policy

Accepted answer
  1. Arun Siripuram 801 Reputation points
    2023-01-27T17:14:09.51+00:00

    Thank you for posting your query on Microsoft Q&A.

    You can use Terraform's Azure Provider to create custom policies that enforce tag requirements on resource groups.

    Here's an example of how you can create a policy that requires the "Environment" and "AskID" tags on resource groups, and specifies a list of allowed values for each tag:

    resource "azurerm_policy_definition" "example" {
      name         = "require-tags-on-resource-groups"
      display_name = "Require Tags on Resource Groups"
      policy_type  = "Custom"
      # "All" is required here: the "Indexed" mode does not evaluate resource groups.
      mode         = "All"

      # Deny the resource group if it is one (and only one) of the cases in "anyOf":
      # the Environment tag is missing or outside its allowed list, or the AskID tag is.
      # "notIn" compares case-insensitively.
      policy_rule = <<-POLICY_RULE
      {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Resources/subscriptions/resourceGroups"
            },
            {
              "anyOf": [
                {
                  "field": "tags.Environment",
                  "notIn": [
                    "DEV",
                    "STG",
                    "PRD"
                  ]
                },
                {
                  "field": "tags.AskID",
                  "notIn": [
                    "123",
                    "ABC",
                    "234"
                  ]
                }
              ]
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      }
      POLICY_RULE
    }


    Then create an initiative that references this policy and assigns it to the subscriptions you want to target:

    # The subscription the policy is assigned to (the current provider subscription).
    data "azurerm_subscription" "example" {}

    # An initiative is an azurerm_policy_set_definition that references the definitions.
    resource "azurerm_policy_set_definition" "example" {
      name         = "require-tags-on-resource-groups"
      policy_type  = "Custom"
      display_name = "Require Tags on Resource Groups"

      policy_definition_reference {
        policy_definition_id = azurerm_policy_definition.example.id
      }
    }

    # azurerm 3.x replaced the generic azurerm_policy_assignment resource with
    # scope-specific ones; this one assigns the initiative at subscription scope.
    resource "azurerm_subscription_policy_assignment" "example" {
      name                 = "require-tags-on-resource-groups"
      subscription_id      = data.azurerm_subscription.example.id
      policy_definition_id = azurerm_policy_set_definition.example.id
      display_name         = "Require Tags on Resource Groups"
    }


    This will create the policy and the initiative and assign it to the subscription.

    Please note that you will need to have the right permissions to create and assign policies and initiatives in Azure, as well as to use the Azure Provider in Terraform. Also, make sure you are using the latest version of the Azure Provider for Terraform.

    References:

    https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/governance/policy/tutorials/govern-tags.md

    https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs

    1 person found this answer helpful.
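The accepted answer covers one subscription, resource groups only, and compares tag values case-insensitively (Azure Policy's `in`/`notIn` and `equals` conditions ignore case; only `match`/`notMatch` are case-sensitive). The Terraform below is an added example, not the answerer's code, that generalizes it to the full question: the required tags and their allowed values are one map that can be extended later, two definitions cover resource groups and the resources inside them, the definitions are created at a management group (assumed to be supplied as `var.management_group_id`) so that a single definition can be assigned to several subscriptions (assumed as `var.subscription_ids`), and `match` replaces `in` so that values are compared case-sensitively. It assumes azurerm provider 3.x; every variable, local and resource name is the example's own.

```hcl
# Added example (not the answerer's code). Assumes azurerm provider 3.x and
# that the caller supplies a management group ID and a list of subscription IDs.

variable "management_group_id" {
  description = "Assumed: /providers/Microsoft.Management/managementGroups/<name>"
  type        = string
}

variable "subscription_ids" {
  description = "Assumed: subscription GUIDs that receive the assignment"
  type        = list(string)
}

# Tags and their allowed values; add a key here to enforce another tag.
variable "required_tags" {
  type = map(list(string))
  default = {
    Environment = ["DEV", "STG", "PRD"]
    AskID       = ["123", "ABC", "234"]
  }
}

locals {
  # One condition per tag: true when the tag is missing or not one of its
  # allowed values. "match" is case-sensitive, but treats '#', '?' and '.'
  # as wildcards, so allowed values must not contain those characters.
  tag_conditions = [
    for tag, values in var.required_tags : {
      "not" = {
        "anyOf" = [for v in values : { "field" = "tags['${tag}']", "match" = v }]
      }
    }
  ]

  # Two definitions: resource groups need mode "All" (mode "Indexed" skips
  # them); resources inside them use "Indexed" so that only taggable resource
  # types are evaluated and the type check is unnecessary.
  definitions = {
    resource-groups = {
      mode = "All"
      "if" = {
        "allOf" = [
          { "field" = "type", "equals" = "Microsoft.Resources/subscriptions/resourceGroups" },
          { "anyOf" = local.tag_conditions },
        ]
      }
    }
    resources = {
      mode = "Indexed"
      "if" = { "anyOf" = local.tag_conditions }
    }
  }
}

# Defined at the management group so that the same definition can be
# assigned to every subscription below it.
resource "azurerm_policy_definition" "require_tags" {
  for_each            = local.definitions
  name                = "require-tags-${each.key}"
  display_name        = "Require tags with allowed values on ${each.key}"
  policy_type         = "Custom"
  mode                = each.value.mode
  management_group_id = var.management_group_id

  policy_rule = jsonencode({
    "if"   = each.value["if"]
    "then" = { "effect" = "deny" }
  })
}

# Initiative grouping both definitions.
resource "azurerm_policy_set_definition" "require_tags" {
  name                = "require-tags"
  display_name        = "Require tags with allowed values"
  policy_type         = "Custom"
  management_group_id = var.management_group_id

  dynamic "policy_definition_reference" {
    for_each = azurerm_policy_definition.require_tags
    content {
      policy_definition_id = policy_definition_reference.value.id
    }
  }
}

# One assignment per subscription in the list.
resource "azurerm_subscription_policy_assignment" "require_tags" {
  for_each             = toset(var.subscription_ids)
  name                 = "require-tags"
  subscription_id      = "/subscriptions/${each.value}"
  policy_definition_id = azurerm_policy_set_definition.require_tags.id
  display_name         = "Require tags with allowed values"
}
```

Two points worth knowing before relying on this: the `deny` effect only blocks create and update requests, so resource groups and resources that already exist without the tags are reported as non-compliant rather than removed; and if an allowed value ever needs a `#`, `?` or `.`, `match` can no longer express it literally, and the choice is then between the case-insensitive `notIn` used in the answer and renaming the value.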

0 additional answers
