Emanuele
Reputation: 359
Azure Custom Tag Policy, Exclude resource type
I did an azure custom policy that discover object not compliant, with custom missing tag, on my subscription.
I got to much error from this policy becouse it discover also oms agent, extension etc..
Here the json:
{
"mode": "All",
"policyRule": {
"if": {
"anyOf": [
{
"field": "tags['TAG1']",
"exists": false
},
{
"field": "tags['TAG2']",
"exists": false
}
]
},
"then": {
"effect": "audit"
}
},
"parameters": {}
}
it search all resources and audit it if they are not with that tag.
Is possibile to specified exclusion for specific resources type? For example Microsoft.Compute/virtualMachines/extensions etc...
Thanks
Upvotes: 0
Views: 2188
Answers (2)
AndreiMS
Reputation: 26
Using "mode": "indexed" instead of "mode": "All" will only match resources that support location and tags.
Upvotes: 1
Jagrati Modi
Reputation: 2088
This way you can mention all the resource types in "notEquals" operator for which you do not want to check for tags.
{
"if": {
"allOf": [
{
"field": "type",
"notEquals": "Microsoft.Security/assessments"
},
{
"field": "type",
"notEquals": "Microsoft.Compute/VirtualMachines"
},
{
"anyOf": [
{
"field": "tags['TAG1']",
"exists": false
},
{
"field": "tags['TAG2']",
"exists": false
}
]
}
]
},
"then": {
"effect": "audit"
}
}
Upvotes: 1
Related Questions
- azure policy : only allow certain tag values in azure resources group tag
- Need to deploy the Azure Policy for the Tags only for the VM
- Azure API Management - apply policy only if tag is set
- azure policy to only allow specific tags to be created
- Azure Custom Policy: Resource Must Not Have Unknown Tag - How?
- Azure Policy Assignment - Exclude Resource Type(s)
- Appending tag policy isn't working for some resources
- Azure Policy - ARM to exclude Resource Group
- Azure Policy Deny :if one of the tag not present in the resource group name
- azure arm policy to deny resource group without tags