Hi everyone,
I'm trying to create a custom policy that will handle tagging for me. First, I need to force users to fill out tags before RG creation. Another use-case is to allow only a fixed set of values for the "environmenttype" tag, which is also included inside the policy.
I've tried to test this policy a few times and got a different result every time. I'm really confused. I know the policy can take up to 30 min to become effective, but the behavior is still strange.
- Sometimes I get an error from Resource Manager when I don't fill in any tag or when I try to set environmentType to a non-allowed value - that's the desired behavior
- Another time the RG was created even without tags, and in the Compliance center the RG was marked as compliant
- The last scenario: I added only one tag before RG creation and the RG was created - also marked as compliant in the Azure Compliance center.
Here is the policy I'm trying to implement
{
"parameters": {
"ApplicationName": {
"type": "String",
"metadata": {
"displayName": "Application Name",
"description": "Name of the application"
},
"defaultValue": "ApplicationName"
},
"ApplicationOwner": {
"type": "String",
"metadata": {
"displayName": "Application Owner",
"description": "Owner of the application"
},
"defaultValue": "ApplicationOwner"
},
"ApplicationSponsor": {
"type": "String",
"metadata": {
"displayName": "Application Sponsor",
"description": "Sponsor of the application"
},
"defaultValue": "ApplicationSponsor"
},
"TechnicalContact": {
"type": "String",
"metadata": {
"displayName": "Technical Contact",
"description": "Technical contact for the application"
},
"defaultValue": "TechnicalContact"
},
"Billing": {
"type": "String",
"metadata": {
"displayName": "Billing",
"description": "Billing"
},
"defaultValue": "Billing"
},
"environmentType": {
"type": "String",
"metadata": {
"displayName": "Environment type",
"description": "Environment type"
},
"defaultValue": "environmentType"
},
"listofallowedtagValues": {
"type": "Array",
"metadata": {
"displayName": "Tag Values",
"description": "Value of the tag, allowed values: DEV, TST, UAT, STA, PRD"
},
"allowedValues": [
"DEV",
"TST",
"UAT",
"STA",
"PRD"
]
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "[concat('tags[', parameters('environmentType'), ']')]",
"in": "[parameters('listofallowedtagValues')]"
},
{
"not": {
"field": "[concat('tags[', parameters('ApplicationName'), ']')]",
"exists": "true"
}
},
{
"not": {
"field": "[concat('tags[', parameters('ApplicationOwner'), ']')]",
"exists": "true"
}
},
{
"not": {
"field": "[concat('tags[', parameters('ApplicationSponsor'), ']')]",
"exists": "true"
}
},
{
"not": {
"field": "[concat('tags[', parameters('TechnicalContact'), ']')]",
"exists": "true"
}
},
{
"not": {
"field": "[concat('tags[', parameters('Billing'), ']')]",
"exists": "true"
}
}
]
},
"then": {
"effect": "Deny"
}
}
}