Manjunath Rao

Reputation: 1511

Check for null value in Azure Policy

My requirement is to set TAGS to resource groups. I have to make sure anyone who creates Resource Groups should provide appropriate tags and values. I want to use Azure Policy to enforce checking that a TAG should not have NULL value. I am using the below Policy definition, but it seems not to be working properly. That is, it is allowing me to create resource groups with TAG having null values. Example: Environment = "" --> This tag should not be allowed and RG group creation should fail.

Policy Definition:

  {
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "true"
          },
          {
            "value": "[concat('tags[', parameters('tagName'), ']')]",
            "equals": ""
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }

Upvotes: 1

Views: 2261

Answers (2)

Niclas

Reputation: 1262

Option 1:

  {
    "not": {
      "value": "[contains(string(field('tags')), '\"\"')]",
      "equals": true
    }
  }

Option 2:

  {
    "value": "[indexOf(string(field('tags')), '\"\"')]",
    "greaterOrEquals": 0
  }

Description:
Option 1:
Use contains to check whether an object contains a key or a string contains a substring.
The container contains nested parameters.
string converts the specified value to a string. In this case, the specified value is the field = tags, which are objects, not an array. Example of 2 tags, "tagnumber1" with the value "value1" and "tagnumber2" with an empty value:
"{\"tagnumber1\":\"value1\",\"tagnumber2\":\"\"}"
Note that the empty value is \"\" - this is our itemToFind.

Option 2:
Use the indexOf to return the first position of a value within a string.
The stringToSearch contains nested parameters.
The stringToFind is empty.
string converts the specified value to a string. In this case, the specified value is the field = tags, which are objects, not an array.
Example of 2 tags, "tagnumber1" with the value "value1" and "tagnumber2" with an empty value:
"{\"tagnumber1\":\"value1\",\"tagnumber2\":\"\"}"
Note that the empty value is \"\".
Therefore, we must search for that \"\" as this represents the empty value in the object. The index is zero-based. If the item is not found, -1 is returned. An integer represents the first index of the item, so by looking at "greaterOrEquals": 0 it will only return if the item is found - meaning a tag value is empty.

Upvotes: 0

Kemley

Reputation: 204

This policy only enforces the tagName, not the tagValue. To enforce both, follow this built-in: Require a tag and its value on resource groups

Upvotes: 1
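
For comparison with the definition in the question, an added example that is not from the question, either answer, or the built-in policy: in a `value` condition, `concat('tags[', parameters('tagName'), ']')` evaluates to a literal string such as `tags[Environment]`, which never equals `""`, whereas a `field` condition with the same expression resolves the tag's value. The `displayName`, `description` and `mode` below are assumptions (`mode` is `All` so that resource groups are evaluated), and the rule denies a resource group when the tag is either missing or empty.

```json
{
  "properties": {
    "displayName": "Example: deny resource groups whose tag is missing or empty",
    "description": "Added illustration; not the asker's definition or a built-in policy.",
    "mode": "All",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "anyOf": [
              {
                "field": "[concat('tags[', parameters('tagName'), ']')]",
                "exists": "false"
              },
              {
                "field": "[concat('tags[', parameters('tagName'), ']')]",
                "equals": ""
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```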
