Edit

Share via


Azure Policy pattern: tags

Tags are an important part of managing, organizing, and governing your Azure resources. Azure Policy makes it possible to configure tags on your new and existing resources at scale with the modify effect and remediation tasks.

Sample 1: Parameterize tags

This policy definition uses two parameters, tagName and tagValue to set what the policy assignment is looking for on resource groups. This format allows the policy definition to be used for any number of tag name and tag value combinations, but only maintain a single policy definition.

Note

While this policy definition pattern is similar to the one in Pattern: Parameters - Sample #1, this sample uses mode All and targets resource groups.

{
    "properties": {
        "displayName": "Add or replace a tag on resource groups",
        "mode": "All",
        "description": "Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task.",
        "metadata": {
            "category": "Tags"
        },
        "parameters": {
            "tagName": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Name",
                    "description": "Name of the tag, such as 'environment'"
                }
            },
            "tagValue": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Value",
                    "description": "Value of the tag, such as 'production'"
                }
            }
        },
        "policyRule": {
            "if": {
                "allOf": [{
                        "field": "type",
                        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
                    },
                    {
                        "field": "[concat('tags[', parameters('tagName'), ']')]",
                        "notEquals": "[parameters('tagValue')]"
                    }
                ]
            },
            "then": {
                "effect": "modify",
                "details": {
                    "roleDefinitionIds": [
                        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                    ],
                    "operations": [{
                        "operation": "addOrReplace",
                        "field": "[concat('tags[', parameters('tagName'), ']')]",
                        "value": "[parameters('tagValue')]"
                    }]
                }
            }
        }
    }
}

Sample 1: Explanation

"properties": {
    "displayName": "Add or replace a tag on resource groups",
    "mode": "All",
    "description": "Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task.",
    "metadata": {
        "category": "Tags"
    },

In this sample, mode is set to All since it targets a resource group. In most cases, mode should be set to Indexed when working with tags. For more information, see modes.

"if": {
    "allOf": [{
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notEquals": "[parameters('tagValue')]"
        }
    ]
},

In this portion of the policy definition, concat combines the parameterized tagName parameter and the tags['name'] format to tell field to evaluate that tag for the parameter tagValue. As notEquals is used, if tags[tagName] doesn't equal tagValue, the modify effect is triggered.

"operations": [{
    "operation": "addOrReplace",
    "field": "[concat('tags[', parameters('tagName'), ']')]",
    "value": "[parameters('tagValue')]"
}]

Here, the same format for using the parameterized tag values is used by the addOrReplace operation to create or update the tag to the desired value on the evaluated resource group.

Sample 2: Inherit tag value from resource group

This policy definition uses the parameter tagName to determine which tag's value to inherit from the parent resource group.

{
    "properties": {
        "displayName": "Inherit a tag from the resource group",
        "mode": "Indexed",
        "description": "Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task.",
        "metadata": {
            "category": "Tags"
        },
        "parameters": {
            "tagName": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Name",
                    "description": "Name of the tag, such as 'environment'"
                }
            }
        },
        "policyRule": {
            "if": {
                "allOf": [{
                        "field": "[concat('tags[', parameters('tagName'), ']')]",
                        "notEquals": "[resourceGroup().tags[parameters('tagName')]]"
                    },
                    {
                        "value": "[resourceGroup().tags[parameters('tagName')]]",
                        "notEquals": ""
                    }
                ]
            },
            "then": {
                "effect": "modify",
                "details": {
                    "roleDefinitionIds": [
                        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                    ],
                    "operations": [{
                        "operation": "addOrReplace",
                        "field": "[concat('tags[', parameters('tagName'), ']')]",
                        "value": "[resourceGroup().tags[parameters('tagName')]]"
                    }]
                }
            }
        }
    }
}

Sample 2: Explanation

"properties": {
    "displayName": "Inherit a tag from the resource group",
    "mode": "Indexed",
    "description": "Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task.",
    "metadata": {
        "category": "Tags"
    },

In this sample, mode is set to Indexed since it doesn't target a resource group or subscription even though it gets the value from a resource group. For more information, see modes.

"if": {
    "allOf": [{
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notEquals": "[resourceGroup().tags[parameters('tagName')]]"
        },
        {
            "value": "[resourceGroup().tags[parameters('tagName')]]",
            "notEquals": ""
        }
    ]
},

The policyRule.if uses concat like Sample #1 to evaluate the tagName's value, but uses the resourceGroup() function to compare it to the value of the same tag on the parent resource group. The second clause here checks that the tag on the resource group has a value and isn't null.

"operations": [{
    "operation": "addOrReplace",
    "field": "[concat('tags[', parameters('tagName'), ']')]",
    "value": "[resourceGroup().tags[parameters('tagName')]]"
}]

Here, the value being assigned to the tagName tag on the resource also uses the resourceGroup() function to get the value from the parent resource group. In this way, you can inherit tags from parent resource groups. If you already created the resource but didn't add the tag, this same policy definition and a remediation task can update existing resources.

Next steps