Reputation: 41
Is there a way to create an Azure policy that requires a tag to exist on a resource when it's created, but does not check for a specific value? All the examples I've seen are of the form "check that tag X is there and has value Y".
I want to simply let the user know "you need to put tag X on this resource" because the value is user-defined so I can't enforce a specific value.
For example - I need "BillingCode" on every resource, but only the person creating the resource knows their correct billing code since it's different for each person or project.
Upvotes: 3
Views: 3840
Reputation: 505
You need the exists operator.
For example:
{
  "policyRule": {
    "if": {
      "field": "[concat('tags[',parameters('tagName'), ']')]",
      "exists": "false"
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "tagName": {
      "type": "String",
      "metadata": {
        "description": "Name of the tag, such as costCenter"
      }
    }
  }
}
Upvotes: 1
Reputation: 4438
You can use subscription policies to accomplish this. They will prevent deployment of Azure resources unless certain rules are met.
The example below is taken from here.
You could modify this example by using the notMatch operator instead of the direct match below. More operators here.
{
  "properties": {
    "displayName": "Enforce tag and its value on resource groups",
    "description": "Enforces a required tag and its value on resource groups.",
    "mode": "All",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "description": "Name of the tag, such as costCenter"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "description": "Value of the tag, such as headquarter"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "not": {
              "field": "[concat('tags[',parameters('tagName'), ']')]",
              "equals": "[parameters('tagValue')]"
            }
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
Upvotes: 1
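The two answers above differ in one line of the rule: the first denies when the tag is absent (any value passes), the second denies when the tag's value is not the one in the tagValue parameter. The script below is an added example, not code from either answer and not Azure's evaluation engine: it implements just the rule semantics those two policies use (field, exists, equals, not, allOf, and the parameters()/concat() expressions in the field path) and runs both rules against constructed sample resources, so you can see that a tag with an empty value satisfies the exists rule but not the equals rule, and that the type filter in the second rule leaves non-resource-group resources alone. The case-insensitive handling of tag names and of the equals comparison is an assumption based on Azure's documented behaviour.

```python
"""Offline evaluator for the two tag policies in the answers above.

Added example; it models a subset of Azure Policy rule semantics and never
contacts Azure. Assumption: tag names and the equals condition compare
case-insensitively, as Azure documents.
"""
import re

# First answer: deny when the parameterised tag does not exist (any value accepted).
TAG_EXISTS_RULE = {
    "policyRule": {
        "if": {"field": "[concat('tags[',parameters('tagName'), ']')]", "exists": "false"},
        "then": {"effect": "deny"},
    }
}

# Second answer: deny resource groups whose tag does not equal the parameterised value.
TAG_VALUE_RULE = {
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
            {"not": {"field": "[concat('tags[',parameters('tagName'), ']')]",
                     "equals": "[parameters('tagValue')]"}},
        ]},
        "then": {"effect": "deny"},
    }
}


def resolve(expr, params):
    """Resolve the ARM expressions the rules use: a plain string, "[parameters('p')]",
    or "[concat('tags[', parameters('p'), ']')]". Any other "[...]" expression is an error."""
    m = re.fullmatch(r"\[parameters\('([^']+)'\)\]", expr)
    if m:
        return params[m.group(1)]
    m = re.fullmatch(r"\[concat\('tags\[',\s*parameters\('([^']+)'\),\s*'\]'\)\]", expr)
    if m:
        return f"tags[{params[m.group(1)]}]"
    if expr.startswith("["):
        raise ValueError(f"unsupported expression: {expr}")
    return expr


def lookup(resource, path):
    """Return (present, value) for a field path. 'tags[name]' reads the resource's
    tags with a case-insensitive name match (assumption); other paths are top-level keys."""
    m = re.fullmatch(r"tags\[(.+)\]", path)
    if m:
        wanted = m.group(1).lower()
        for name, value in resource.get("tags", {}).items():
            if name.lower() == wanted:
                return True, value
        return False, None
    return (path in resource), resource.get(path)


def evaluate(cond, resource, params):
    """Evaluate one policy condition (logical operator or field condition) to a bool."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    present, value = lookup(resource, resolve(cond["field"], params))
    if "exists" in cond:
        # exists only asks whether the field is there; an empty tag value still counts.
        return present == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        target = resolve(cond["equals"], params)
        return present and str(value).lower() == str(target).lower()
    raise ValueError(f"unsupported condition: {sorted(cond)}")


def decide(policy, resource, params):
    """Return the rule's effect ('deny') when its if-condition matches, else None."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if evaluate(rule["if"], resource, params) else None


# Constructed sample resources, not real deployments.
RG_NO_TAGS = {"type": "Microsoft.Resources/subscriptions/resourceGroups", "tags": {}}
RG_EMPTY_TAG = {"type": "Microsoft.Resources/subscriptions/resourceGroups", "tags": {"billingcode": ""}}
RG_TAGGED = {"type": "Microsoft.Resources/subscriptions/resourceGroups", "tags": {"BillingCode": "PROJ-42"}}
STORAGE_NO_TAGS = {"type": "Microsoft.Storage/storageAccounts", "tags": {}}

if __name__ == "__main__":
    exists_params = {"tagName": "BillingCode"}
    value_params = {"tagName": "BillingCode", "tagValue": "PROJ-42"}
    for label, res in [("rg without tags", RG_NO_TAGS), ("rg with empty tag", RG_EMPTY_TAG),
                       ("rg tagged PROJ-42", RG_TAGGED), ("storage without tags", STORAGE_NO_TAGS)]:
        print(f"{label:22} exists-rule={decide(TAG_EXISTS_RULE, res, exists_params)!s:5} "
              f"value-rule={decide(TAG_VALUE_RULE, res, value_params)}")
```

The point of the empty-tag case is the one the question is really asking about: an exists check accepts "BillingCode": "" just as readily as a real billing code, so if blank values need to be rejected the rule has to combine exists with a value condition (for example notMatch against a pattern) rather than rely on exists alone.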