Thank you for posting your query on Microsoft Q&A.
You can use Terraform's Azure Provider to create custom policies that enforce tag requirements on resource groups.
Here's an example of how you can create a policy that requires the "Environment" and "AskID" tags on resource groups, and specifies a list of allowed values for each tag:
```hcl
resource "azurerm_policy_definition" "example" {
  name         = "require-tags-on-resource-groups"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Require Tags on Resource Groups" # required by the provider

  # Deny a resource group when EITHER tag is missing or outside its allowed
  # values. Wrapping the two "not" checks in anyOf is what makes both tags
  # mandatory; an allOf over them would only deny when both tags fail.
  policy_rule = <<POLICY_RULE
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      {
        "anyOf": [
          {
            "not": {
              "field": "tags.Environment",
              "in": ["DEV", "STG", "PRD"]
            }
          },
          {
            "not": {
              "field": "tags.AskID",
              "in": ["123", "ABC", "234"]
            }
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
POLICY_RULE
}
```
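Added illustration, not code from the answer or from the Azure Policy engine: a small Python evaluator for the condition subset this rule uses (allOf, anyOf, not, field with equals/in), run over constructed resource-group records so the difference between an allOf and an anyOf over the two tag checks is visible. The evaluator, the sample records and the simplification that an absent tag evaluates to None are assumptions.

```python
RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
ENV_OK = {"field": "tags.Environment", "in": ["DEV", "STG", "PRD"]}
ASKID_OK = {"field": "tags.AskID", "in": ["123", "ABC", "234"]}

# allOf over both "not" checks: only fires when BOTH tags fail.
POSTED_RULE = {"if": {"allOf": [{"field": "type", "equals": RG_TYPE},
                                 {"not": ENV_OK}, {"not": ASKID_OK}]},
               "then": {"effect": "deny"}}

# anyOf over the two checks: fires when the type matches and EITHER tag fails.
FIXED_RULE = {"if": {"allOf": [{"field": "type", "equals": RG_TYPE},
                                {"anyOf": [{"not": ENV_OK}, {"not": ASKID_OK}]}]},
              "then": {"effect": "deny"}}

def field_value(resource, field):
    # "tags.X" resolves into the tags map; an absent tag yields None (assumption),
    # which is never "in" the allowed list, so a missing tag counts as a failure
    if field.startswith("tags."):
        return resource.get("tags", {}).get(field[len("tags."):])
    return resource.get(field)

def evaluate(cond, resource):
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    value = field_value(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    raise ValueError(f"unsupported condition: {cond}")

def effect(rule, resource):
    # Policy effect applies only when the whole "if" block is true
    return rule["then"]["effect"] if evaluate(rule["if"], resource) else "allow"

SAMPLES = {  # constructed resource-group requests
    "compliant": {"type": RG_TYPE, "tags": {"Environment": "DEV", "AskID": "123"}},
    "bad_env":   {"type": RG_TYPE, "tags": {"Environment": "TEST", "AskID": "123"}},
    "no_askid":  {"type": RG_TYPE, "tags": {"Environment": "PRD"}},
    "untagged":  {"type": RG_TYPE, "tags": {}},
}

if __name__ == "__main__":
    for name, rg in SAMPLES.items():
        print(f"{name:10s} posted={effect(POSTED_RULE, rg):5s} fixed={effect(FIXED_RULE, rg)}")
```

Only the fully untagged group is denied by the allOf form; the anyOf form denies every group with one bad or missing tag while still allowing the compliant one.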
Then create an initiative that references this policy and assigns it to the subscriptions you want to target:
```hcl
# The current subscription, used as the assignment scope
data "azurerm_subscription" "example" {}

# An initiative is a policy set definition in the azurerm provider
# (there is no azurerm_policy_initiative resource)
resource "azurerm_policy_set_definition" "example" {
  name         = "require-tags-on-resource-groups"
  policy_type  = "Custom"
  display_name = "Require Tags on Resource Groups"

  policy_definition_reference {
    policy_definition_id = azurerm_policy_definition.example.id
  }
}

# Assign the initiative (not the bare policy) at subscription scope;
# azurerm_policy_assignment was replaced by the scope-specific resources
resource "azurerm_subscription_policy_assignment" "example" {
  name                 = "require-tags-on-resource-groups"
  subscription_id      = data.azurerm_subscription.example.id
  policy_definition_id = azurerm_policy_set_definition.example.id
  display_name         = "Require Tags on Resource Groups"
}
```
This will create the policy and the initiative and assign it to the subscription.
Please note that you will need to have the right permissions to create and assign policies and initiatives in Azure, as well as to use the Azure Provider in Terraform. Also, make sure you are using the latest version of the Azure Provider for Terraform.
References:
- https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/governance/policy/tutorials/govern-tags.md
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs