how to make a policy to tag CreatedBy: AccountID ?

Yahav Horev | CloudTeam.ai 136 Reputation points
2021-07-27T13:26:34.233+00:00

Hello guys,
I am trying to make a policy that tags each resource we create in our organization with the AccountID value.

I have two tags to enforce:

1) CreatedDate
2) CreatedBy

The "CreatedBy" tag name i cant find any idea how to insert the "AccountID" who created this resource in the tag value.
I saw when i create a kubernetes service that his resources have this TagName CreatedBy that pointing to the kubernetes .. which means that kind of solution already exist i guess.

My policy looks like this:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "tags['CreatedOnDate']",
          "exists": "false"
        },
        {
          "field": "tags['CreatedBy']",
          "exists": "false"
        }
      ]
    },
    "then": {
      "effect": "append",
      "details": [
        {
          "field": "tags['CreatedOnDate']",
          "value": "[utcNow()]"
        },
        {
          "field": "tags['CreatedBy']",
          "value": [????]
        }
      ]
    }
  },
  "parameters": {}
}
Azure Policy
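To reason about what this rule actually does before assigning it, here is a small offline evaluator (an added example, not code from the question or from Azure) that models only the subset of Azure Policy semantics the rule above uses: allOf/anyOf/not, the exists and equals operators on tags[...] fields, and the append effect, with [utcNow()] resolved to a fixed timestamp. The unresolved CreatedBy value is replaced by a parameter reference so the document parses; the parameter name createdBy and the sample resources are assumptions for this example. Running it on a resource that already carries CreatedOnDate but not CreatedBy shows the allOf gotcha: both conditions must hold, so such a resource never receives the second tag.

```python
"""Offline simulator for the tagging policy rule in the question.

Added example, not the question author's code and not an Azure component. It
supports just enough of the policy language to evaluate the rule above; real
evaluation in Azure is richer (aliases, other effects, denial on conflicting
append values), so treat this as a thinking aid rather than a reimplementation.
"""
import re
from datetime import datetime, timezone

# Constructed sample: the question's rule, with the unknown CreatedBy value
# replaced by a parameter reference. The parameter name is an assumption.
POLICY = {
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "tags['CreatedOnDate']", "exists": "false"},
                {"field": "tags['CreatedBy']", "exists": "false"},
            ]
        },
        "then": {
            "effect": "append",
            "details": [
                {"field": "tags['CreatedOnDate']", "value": "[utcNow()]"},
                {"field": "tags['CreatedBy']", "value": "[parameters('createdBy')]"},
            ],
        },
    },
    "parameters": {"createdBy": {"type": "String"}},
}

# Fixed inputs so runs are reproducible; the account id is a placeholder.
SAMPLE_NOW = datetime(2021, 7, 27, 13, 26, 34, tzinfo=timezone.utc)
SAMPLE_PARAMS = {"createdBy": "00000000-0000-0000-0000-000000000000"}

TAG_FIELD = re.compile(r"^tags\['(?P<name>[^']+)'\]$")
PARAM_REF = re.compile(r"^\[parameters\('(?P<p>[^']+)'\)\]$")


def read_field(resource, field):
    """Return (present, value) for a tags[...] field; other aliases are unsupported here."""
    m = TAG_FIELD.match(field)
    if not m:
        raise ValueError(f"unsupported field alias: {field}")
    tags = resource.get("tags") or {}
    name = m.group("name")
    return name in tags, tags.get(name)


def matches(condition, resource):
    """Evaluate an 'if' block: allOf / anyOf / not / exists / equals."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    present, value = read_field(resource, condition["field"])
    if "exists" in condition:
        # Azure Policy writes the operand as the string "true"/"false".
        return present == (str(condition["exists"]).lower() == "true")
    if "equals" in condition:
        return value == condition["equals"]
    raise ValueError(f"unsupported condition: {condition}")


def resolve(expr, params, now):
    """Resolve the two template expressions this rule uses; literals pass through."""
    if expr == "[utcNow()]":
        return now.strftime("%Y-%m-%dT%H:%M:%SZ")
    m = PARAM_REF.match(expr)
    if m:
        return params[m.group("p")]
    return expr


def evaluate(policy, resource, params, now=None):
    """Apply the rule to a copy of the resource's tags.

    Returns (effect_fired, resulting_tags). Existing tag values are kept;
    append only fills in fields that are absent.
    """
    now = now or datetime.now(timezone.utc)
    rule = policy["policyRule"]
    tags = dict(resource.get("tags") or {})
    if not matches(rule["if"], resource):
        return False, tags
    for detail in rule["then"]["details"]:
        name = TAG_FIELD.match(detail["field"]).group("name")
        tags.setdefault(name, resolve(detail["value"], params, now))
    return True, tags


if __name__ == "__main__":
    untagged = {"name": "vm1", "tags": {}}                                   # constructed
    half_tagged = {"name": "vm2", "tags": {"CreatedOnDate": "2021-01-01T00:00:00Z"}}
    print("untagged   :", evaluate(POLICY, untagged, SAMPLE_PARAMS, SAMPLE_NOW))
    print("half-tagged:", evaluate(POLICY, half_tagged, SAMPLE_PARAMS, SAMPLE_NOW))
```

The second run returns effect_fired False with the tags unchanged, because allOf requires both tags to be missing. If the intent is "add whichever of the two tags is absent", that is two separate rules (or an anyOf with per-tag details), which is worth checking in a harness like this before the policy is assigned at subscription scope.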

1 answer

tbgangav-MSFT 10,416 Reputation points
2021-08-02T14:51:54.187+00:00

Hi @Yahav Horev | CloudTeam.ai,

As per this uservoice feedback item or this Azure document, almost all ARM template functions are available within a policy rule, except a few as listed in the Azure document. However, there's a little issue with CurrentUser(), i.e., it isn't an ARM function, and when the policy does a run-time evaluation on existing resources, it would have no idea who the current user is because there isn't one. Nothing triggered that evaluation other than the schedule, so it has no context of the user. So while it might work on a new / updated resource (if that function existed), it wouldn't work when evaluating existing resources for ongoing compliance. And currently we don't have any other equivalent function for CurrentUser() due to a number of reasons (service principals, IaC, etc.). There's only a CurrentUser() a very small fraction of the time.

So, if interested, you may comment with your requirement as product feedback in this same uservoice feedback item's comment section, and/or you may raise a new uservoice item in this uservoice feedback forum. In general, the Azure feature team would check the feasibility of a feature request, prioritize it against the existing feature backlog, add it to the roadmap as appropriate, and would announce and/or update the related Azure document once a feature request is addressed.

