Reputation: 41
azure policy to only allow specific tags to be created
I need to configure an azure policy to make sure that azure contributors create resources using a very specific set of "allowed" tags. example of allowed tags: application,owner,environment,description,team
if some creates a resource and use the tag "env", the policy will kick in and deny the creation of the resource because "env" is not one of the allowed tags.
Is this possible in azure?
Upvotes: 1
Views: 1810
Answers (1)
Reputation: 1136
Here is an example of a policy rule that would require all of your listed tags on ALL resources in the assigned scope. (This maybe too much, test it and find out)
"policyRule": {
"if": {
"anyOf": [
{
"field": "tags['application']",
"exists": false
},
{
"field": "tags['owner']",
"exists": false
},
{
"field": "tags['environment']",
"exists": false
},
{
"field": "tags['description']",
"exists": false
},
{
"field": "tags['team']",
"exists": false
}
]
},
"then": {
"effect": "deny"
}
}
Here is an example that will narrow it down to a resource type. Like VMs only.
"policyRule": {
"if": {
"allOf":[
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
"anyOf": [
{
"field": "tags['application']",
"exists": false
},
{
"field": "tags['owner']",
"exists": false
},
{
"field": "tags['environment']",
"exists": false
},
{
"field": "tags['description']",
"exists": false
},
{
"field": "tags['team']",
"exists": false
}
]
]
},
"then": {
"effect": "deny"
}
}
See my comments attached to the main question. This policy could be too restrictive since some Azure resources have built-in default tags. Those tags will also be held to this compliance rule, so be careful if you are implementing this on a large organization, you could inadvertently handicap some users.
If you want to narrow it down to a resource group you can do that in your policy assignment, however if you want to do it in your definition you can use the resource type Microsoft.Resources/subscriptions/resourceGroups
Also check out some other tag related policies that come built-in with Azure. https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
Upvotes: 1
Related Questions
- azure policy : only allow certain tag values in azure resources group tag
- Need to deploy the Azure Policy for the Tags only for the VM
- Azure Custom Tag Policy, Exclude resource type
- Azure API Management - apply policy only if tag is set
- How to Create and Apply a Tagging Policy in azure
- Can I assign or add tags to an Azure Policy, Initiative or Azure Policy Assignments?
- Azure Custom Policy: Resource Must Not Have Unknown Tag - How?
- Appending tag policy isn't working for some resources
- Azure policy to require a certain Tag be created, but not with a default value?
- azure arm policy to deny resource group without tags