Tags are an important part of
managing, organizing, and governing your Azure resources. Azure Policy makes it possible to
configure tags on your new and existing resources at scale with the
modify effect and
remediation tasks.
Sample 1: Parameterize tags
This policy definition uses two parameters, tagName and tagValue, to set what the policy
assignment looks for on resource groups. This format lets a single policy definition serve
any number of tag name and tag value combinations.
Note
While this policy definition pattern is similar to the one in
Pattern: Parameters - Sample #1, this sample
uses mode All and targets resource groups.
{
  "properties": {
    "displayName": "Add or replace a tag on resource groups",
    "mode": "All",
    "description": "Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task.",
    "metadata": {
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value",
          "description": "Value of the tag, such as 'production'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notEquals": "[parameters('tagValue')]"
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[parameters('tagValue')]"
            }
          ]
        }
      }
    }
  }
}
Sample 1: Explanation
  "properties": {
    "displayName": "Add or replace a tag on resource groups",
    "mode": "All",
    "description": "Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task.",
    "metadata": {
      "category": "Tags"
    },
In this sample, mode is set to All since it targets a resource group. In most cases, mode
should be set to Indexed when working with tags. For more information, see
modes.
In the policyRule.if portion of the policy definition, concat combines the tagName parameter
with the tags['name'] field format so that field evaluates that tag against the tagValue parameter.
Because notEquals is used, the modify effect is triggered whenever tags[tagName] doesn't equal
tagValue.
In policyRule.then, the same format for the parameterized tag is used by the addOrReplace
operation to create or update the tag to the desired value on the evaluated resource group.
Sample 2: Inherit tag value from resource group
This policy definition uses the parameter tagName to determine which tag's value to inherit from
the parent resource group.
{
  "properties": {
    "displayName": "Inherit a tag from the resource group",
    "mode": "Indexed",
    "description": "Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task.",
    "metadata": {
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notEquals": "[resourceGroup().tags[parameters('tagName')]]"
          },
          {
            "value": "[resourceGroup().tags[parameters('tagName')]]",
            "notEquals": ""
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[resourceGroup().tags[parameters('tagName')]]"
            }
          ]
        }
      }
    }
  }
}
Sample 2: Explanation
  "properties": {
    "displayName": "Inherit a tag from the resource group",
    "mode": "Indexed",
    "description": "Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task.",
    "metadata": {
      "category": "Tags"
    },
In this sample, mode is set to Indexed since it doesn't target a resource group or
subscription even though it gets the value from a resource group. For more information, see
modes.
The policyRule.if uses concat like Sample #1 to evaluate the
tagName's value, but uses the resourceGroup() function to compare it to the value of the same
tag on the parent resource group. The second clause here checks that the tag on the resource group
has a value and isn't null.
In the addOrReplace operation, the value assigned to the tagName tag on the resource also uses the
resourceGroup() function to get the value from the parent resource group. In this way, you can
inherit tags from parent resource groups. If you already created the resource but didn't add the
tag, this same policy definition and a remediation task can
update existing resources.
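To make the evaluation logic of both samples concrete, here is an added Python model (not Azure's policy engine and not part of this article) of how the allOf clauses, the notEquals comparison, the resourceGroup() lookup and the addOrReplace operation combine, including the Sample 2 case where the parent resource group lacks the tag. The resource dictionaries are constructed inventory, and the functions' names are my own.

```python
from copy import deepcopy

RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
SUB_TYPE = "Microsoft.Resources/subscriptions"

def evaluate_sample1(resource_group, tag_name, tag_value):
    """Sample 1 (mode All): add or replace tag_name=tag_value on a resource group.
    Returns (modified, remediated copy); a missing tag evaluates as None."""
    rg = deepcopy(resource_group)
    if rg["type"] != RG_TYPE:                   # first allOf clause: type must match
        return False, rg
    if rg["tags"].get(tag_name) == tag_value:   # notEquals is false: already compliant
        return False, rg
    rg["tags"][tag_name] = tag_value            # addOrReplace operation
    return True, rg

def evaluate_sample2(resource, parent_rg, tag_name):
    """Sample 2 (mode Indexed): copy tag_name from the parent resource group.
    Resource groups and subscriptions are skipped, as Indexed mode does."""
    res = deepcopy(resource)
    if res["type"] in (RG_TYPE, SUB_TYPE):
        return False, res
    inherited = parent_rg["tags"].get(tag_name)  # resourceGroup().tags[tagName]
    if inherited in (None, ""):                 # second clause: nothing to inherit
        return False, res
    if res["tags"].get(tag_name) == inherited:  # first clause: notEquals is false
        return False, res
    res["tags"][tag_name] = inherited           # addOrReplace with the parent's value
    return True, res

def remediate(resources, parent_rg, tag_name):
    """Model of a remediation task: apply Sample 2 to existing resources and
    return the names of those that were changed."""
    return [r["name"] for r in resources
            if evaluate_sample2(r, parent_rg, tag_name)[0]]

# Constructed inventory for the demonstration (not real resources)
RG = {"type": RG_TYPE, "name": "rg-app", "tags": {"environment": "staging"}}
VM = {"type": "Microsoft.Compute/virtualMachines", "name": "vm1",
      "tags": {"owner": "team-a"}}
DISK = {"type": "Microsoft.Compute/disks", "name": "disk1",
        "tags": {"environment": "staging"}}    # matches the resource group today

if __name__ == "__main__":
    changed, rg_fixed = evaluate_sample1(RG, "environment", "production")
    print(changed, rg_fixed["tags"])
    print(remediate([VM, DISK], rg_fixed, "environment"))
```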