Azure Policy - Resource Manager validation

Petr Vojar 1 Reputation point
2022-03-31T16:06:18.337+00:00

Hi everyone,

I'm trying to create a custom policy that will handle tagging for me. First, I need to force users to fill out tags before RG creation. Another use-case is to append-only allowed values for the "environmenttype" tag which is also included inside the policy.

I've tried to test this policy a few times and every time with a different result. I'm really confused. I know the policy can take up to 30min to be ready, anyway it's strange behavior.

  • Sometimes I'll get an error from Resource Manager in case I didn't fill any tag or I'll try to bypass the environmentType value with a non-allowed value - That's the requested solution
  • Another time RG was created even without tags and in the Compliance center the RG was marked as compliant
  • The last scenario is I've added only one tag before RG creation and the RG was created - Also marked as compliant in Azure Compliance center.

Here is the policy I'm trying to implement

{
    "parameters": {
        "ApplicationName": {
            "type": "String",
            "metadata": {
                "displayName": "Application Name",
                "description": "Name of the application"
            },
            "defaultValue": "ApplicationName"
        },
        "ApplicationOwner": {
            "type": "String",
            "metadata": {
                "displayName": "Application Owner",
                "description": "Ower of the application"
            },
            "defaultValue": "ApplicationOwner"
        },
        "ApplicationSponsor": {
            "type": "String",
            "metadata": {
                "displayName": "Application Sponsor",
                "description": "Sponsor of the application"
            },
            "defaultValue": "ApplicationSponsor"
        },
        "TechnicalContact": {
            "type": "String",
            "metadata": {
                "displayName": "Technical Contact",
                "description": "Technical contacto for the application"
            },
            "defaultValue": "TechnicalContact"
        },
        "Billing": {
            "type": "String",
            "metadata": {
                "displayName": "Billing",
                "description": "Billing"
            },
            "defaultValue": "Billing"
        },
        "environmentType": {
            "type": "String",
            "metadata": {
                "displayName": "Environemt type",
                "description": "Environment type"
            },
            "defaultValue": "environmentType"
        },
        "listofallowedtagValues": {
            "type": "Array",
            "metadata": {
                "displayName": "Tag Values",
                "description": "Value of the tag, allowd values: DEV, TST, UAT, STA, PRD"
            },
            "allowedValues": [
                "DEV",
                "TST",
                "UAT",
                "STA",
                "PRD"
            ]
        }
    },
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Resources/subscriptions/resourceGroups"
                },
                {
                    "field": "[concat('tags[', parameters('environmentType'), ']')]",
                    "in": "[parameters('listofallowedtagValues')]"
                },
                {
                    "not": {
                        "field": "[concat('tags[', parameters('ApplicationName'), ']')]",
                        "exists": "true"
                    }
                },
                {
                    "not": {
                        "field": "[concat('tags[', parameters('ApplicationOwner'), ']')]",
                        "exists": "true"
                    }
                },
                {
                    "not": {
                        "field": "[concat('tags[', parameters('ApplicationSponsor'), ']')]",
                        "exists": "true"
                    }
                },
                {
                    "not": {
                        "field": "[concat('tags[', parameters('TechnicalContact'), ']')]",
                        "exists": "true"
                    }
                },
                {
                    "not": {
                        "field": "[concat('tags[', parameters('Billing'), ']')]",
                        "exists": "true"
                    }
                }
            ]
        },
        "then": {
            "effect": "Deny"
        }
    }
}
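To reason about the three observed outcomes without waiting for an assignment to evaluate, the following is an added example (not code from the question or from Microsoft): a small local evaluator for the subset of the Azure Policy condition language the posted rule uses (`allOf`, `anyOf`, `not`, `field`, `equals`, `in`, `notIn`, `exists`, and the `[concat('tags[', parameters(...), ']')]` field template). It runs the posted `if` block against constructed resource-group payloads for each scenario in the question, next to an assumed rewrite that denies when the environment tag is missing or not allowed or when any required tag is absent. Assumptions are labelled in the comments: the parameter values are the posted defaults plus an assumed assignment value for `listofallowedtagValues`, tag names are compared case-insensitively, and a missing tag is treated as failing `in`/`equals` and satisfying `notIn`, which approximates Azure's behaviour but is not the service's evaluation engine.

```python
import re

# Assumed assignment values: the posted defaultValue for each String parameter, and
# the full allowedValues list for the Array parameter (which has no default in the post).
PARAMS = {
    "ApplicationName": "ApplicationName",
    "ApplicationOwner": "ApplicationOwner",
    "ApplicationSponsor": "ApplicationSponsor",
    "TechnicalContact": "TechnicalContact",
    "Billing": "Billing",
    "environmentType": "environmentType",
    "listofallowedtagValues": ["DEV", "TST", "UAT", "STA", "PRD"],
}
REQUIRED = ["ApplicationName", "ApplicationOwner", "ApplicationSponsor", "TechnicalContact", "Billing"]
RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"

_TAG_FIELD = re.compile(r"^\[concat\('tags\[', parameters\('(\w+)'\), '\]'\)\]$")
_PARAM_REF = re.compile(r"^\[parameters\('(\w+)'\)\]$")


def posted_rule():
    """The 'if' block as posted: allOf(type, env in allowed, NOT exists for every tag)."""
    conds = [
        {"field": "type", "equals": RG_TYPE},
        {"field": "[concat('tags[', parameters('environmentType'), ']')]",
         "in": "[parameters('listofallowedtagValues')]"},
    ]
    for p in REQUIRED:
        conds.append({"not": {"field": f"[concat('tags[', parameters('{p}'), ']')]",
                              "exists": "true"}})
    return {"allOf": conds}


def intended_rule():
    """Assumed rewrite (hypothetical, not from the page): deny if the environment tag is
    absent/not allowed OR any required tag is absent, i.e. anyOf over the failure cases."""
    failures = [{"field": "[concat('tags[', parameters('environmentType'), ']')]",
                 "notIn": "[parameters('listofallowedtagValues')]"}]
    for p in REQUIRED:
        failures.append({"field": f"[concat('tags[', parameters('{p}'), ']')]",
                         "exists": "false"})
    return {"allOf": [{"field": "type", "equals": RG_TYPE}, {"anyOf": failures}]}


def resolve_field(field, resource):
    """Return (exists, value) for 'type' or a tags[...] lookup built with concat/parameters."""
    if field == "type":
        return True, resource.get("type")
    m = _TAG_FIELD.match(field)
    if not m:
        raise ValueError(f"unsupported field expression: {field}")
    tag_name = PARAMS[m.group(1)].lower()  # assumption: tag names compare case-insensitively
    for k, v in (resource.get("tags") or {}).items():
        if k.lower() == tag_name:
            return True, v
    return False, None


def resolve_value(v):
    """Expand a [parameters('x')] reference; literals pass through unchanged."""
    m = _PARAM_REF.match(v) if isinstance(v, str) else None
    return PARAMS[m.group(1)] if m else v


def evaluate(cond, resource):
    """Evaluate one condition against a resource document; True means the 'if' matched."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    exists, value = resolve_field(cond["field"], resource)
    if "exists" in cond:
        return exists == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return exists and value == resolve_value(cond["equals"])
    if "in" in cond:  # assumption: a missing tag never satisfies 'in'
        return exists and value in resolve_value(cond["in"])
    if "notIn" in cond:  # assumption: a missing tag satisfies 'notIn'
        return (not exists) or value not in resolve_value(cond["notIn"])
    raise ValueError(f"unsupported condition: {cond}")


def effect(rule, resource):
    """A matched 'if' yields the posted Deny effect; otherwise the request is allowed."""
    return "Deny" if evaluate(rule, resource) else "Allow"


# Constructed resource-group payloads covering the scenarios described in the question.
_ALL_REQUIRED = {p: "set" for p in REQUIRED}
SCENARIOS = {
    "no tags": {"type": RG_TYPE, "tags": {}},
    "one tag only": {"type": RG_TYPE, "tags": {"Billing": "cc-123"}},
    "all tags, disallowed environmentType": {"type": RG_TYPE, "tags": {**_ALL_REQUIRED, "environmentType": "PROD"}},
    "all tags, allowed environmentType": {"type": RG_TYPE, "tags": {**_ALL_REQUIRED, "environmentType": "PRD"}},
    "only an allowed environmentType": {"type": RG_TYPE, "tags": {"environmentType": "DEV"}},
}


def compare():
    """Map each scenario to (posted-rule effect, intended-rule effect)."""
    return {name: (effect(posted_rule(), rg), effect(intended_rule(), rg)) for name, rg in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (posted, intended) in compare().items():
        print(f"{name:40s} posted={posted:5s} intended={intended}")
```

Under these assumptions the posted rule only matches (and so only denies) a resource group whose environmentType is an allowed value while every other required tag is absent; a group with no tags at all, or with a single tag, falls through to Allow, which is consistent with the second and third observations in the question. Wrapping the failure cases in `anyOf` instead of `allOf`-of-`not`s denies each of those cases while still allowing a fully tagged group.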

1 answer

SwathiDhanwada-MSFT 18,881 Reputation points
2022-04-07T05:30:31.54+00:00

    @Petr Vojar Welcome to Microsoft Q & A Community Forum. I understand that you are trying to deny creation of resource groups when certain tags aren't added, as well as trying to enforce tags to be compliant with the list of supported values that you specify.

    For both use cases, you have existing built-in policies which you can use.

    1. Require a tag on resource groups.
    2. Append a tag and its value to resource groups

    Kindly check these policies. Meanwhile, I will test out your custom policy and revert to you.
