Reputation: 91
I have created the Azure Policy below with the "modify" effect and the "addOrReplace" operation.
I am creating the resource group, policy definition, policy assignment and role assignment via Terraform. I want the tags to be applied as soon as the resource group is created and the policy is applied (so basically the resource group will be created with the tags, as the policy assignment is at resource group level).
Below is the policy definition:
{
  "properties": {
    "displayName": "Subscription Tags",
    "policyType": "Custom",
    "mode": "All",
    "description": "",
    "metadata": {
      "category": "General",
      "createdBy": "a8cf4bcb-fa6d-4ace-ae63-fbeee97299d4",
      "createdOn": "2021-08-26T11:27:02.358131Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "parameters": {
      "SubscriptionOwner": {
        "type": "String",
        "metadata": {
          "description": "Subscription Owner",
          "displayName": "Subscription Owner"
        }
      },
      "SubscriptionOwnerTagName": {
        "type": "String",
        "metadata": {
          "description": "Subscription Owner Tag Name",
          "displayName": "Subscription Owner Tag Name"
        }
      },
      "resourceType": {
        "type": "String",
        "metadata": {
          "description": "resourceType",
          "displayName": "Resource Type"
        }
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "equals": "Microsoft.Resources/subscriptions/resourceGroups",
            "field": "type"
          },
          {
            "anyOf": [
              {
                "anyOf": [
                  {
                    "exists": "false",
                    "field": "[concat('tags[', parameters('SubscriptionOwnerTagName'), ']')]"
                  },
                  {
                    "allOf": [
                      {
                        "exists": "true",
                        "field": "[concat('tags[', parameters('SubscriptionOwnerTagName'), ']')]"
                      },
                      {
                        "field": "[concat('tags[', parameters('SubscriptionOwnerTagName'), ']')]",
                        "notEquals": "[parameters('SubscriptionOwner')]"
                      }
                    ]
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "details": {
          "operations": [
            {
              "field": "[concat('tags[', parameters('SubscriptionOwnerTagName'), ']')]",
              "operation": "addOrReplace",
              "value": "[parameters('SubscriptionOwner')]"
            },
            {
              "field": "[concat('tags[', parameters('resourceType'), ']')]",
              "operation": "addOrReplace",
              "value": "[resourceGroup().id]"
            }
          ],
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ]
        },
        "effect": "modify"
      }
    }
  },
  "id": "/subscriptions/6e268af1-b2a7-44a7-9a1a-9025889dbe5d/providers/Microsoft.Authorization/policyDefinitions/MyCustomPolicy",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "MyCustomPolicy"
}
The problem is, the tags are not getting created with the resource group and compliance says "non-compliant". I have to create a remediation task, and once I run the task, the tags get created.
I am unable to find the cause, as the documentation says the tags should be created once the resource is created. Only existing resources need a remediation task.
Any help?
Upvotes: 0
Views: 838
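As an added illustration (not code from the question, from Azure or from the linked documentation), a small Python model of how this rule's "if" block and addOrReplace operations evaluate against a resource group: the condition and operations are copied from the policy above with its redundant nested anyOf collapsed, while the parameter values, tag names and resource group documents are constructed placeholders. It shows which states the rule matches (owner tag missing, or present with a different value) and what the modify effect writes, which is what a compliance scan or remediation task acts on; it does not model when Azure evaluates a newly created resource against a fresh assignment.

```python
import re
# "if" block and modify operations from the policy in the question (nested anyOf collapsed)
RULE_IF = {"allOf": [
    {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
    {"anyOf": [
        {"field": "[concat('tags[', parameters('SubscriptionOwnerTagName'), ']')]", "exists": "false"},
        {"allOf": [
            {"field": "[concat('tags[', parameters('SubscriptionOwnerTagName'), ']')]", "exists": "true"},
            {"field": "[concat('tags[', parameters('SubscriptionOwnerTagName'), ']')]", "notEquals": "[parameters('SubscriptionOwner')]"}]}]}]}
OPERATIONS = [
    {"operation": "addOrReplace", "field": "[concat('tags[', parameters('SubscriptionOwnerTagName'), ']')]",
     "value": "[parameters('SubscriptionOwner')]"},
    {"operation": "addOrReplace", "field": "[concat('tags[', parameters('resourceType'), ']')]",
     "value": "[resourceGroup().id]"},
]
TAG_FIELD = re.compile(r"\[concat\('tags\[', parameters\('(\w+)'\), '\]'\)\]")
PARAM_REF = re.compile(r"\[parameters\('(\w+)'\)\]")

def tag_name(field, params):
    """Tag name a tags[...] field alias refers to, or None for a plain field such as 'type'."""
    m = TAG_FIELD.fullmatch(field)
    return params[m.group(1)] if m else None

def resolve_value(value, resource, params):
    # Only the two template functions the rule uses: parameters('x') and resourceGroup().id
    m = PARAM_REF.fullmatch(value)
    return params[m.group(1)] if m else resource["id"] if value == "[resourceGroup().id]" else value

def evaluate(cond, resource, params):
    """Evaluate the condition subset the rule uses; keys are case-insensitive ('allof' == 'allOf')."""
    c = {k.lower(): v for k, v in cond.items()}
    if "allof" in c:
        return all(evaluate(x, resource, params) for x in c["allof"])
    if "anyof" in c:
        return any(evaluate(x, resource, params) for x in c["anyof"])
    name = tag_name(c["field"], params)
    actual = resource.get("tags", {}).get(name) if name else resource.get(c["field"])
    if "exists" in c:  # a missing tag resolves to None, which is what "exists": "false" matches
        return (actual is not None) == (str(c["exists"]).lower() == "true")
    if "equals" in c:
        return actual == resolve_value(c["equals"], resource, params)
    return actual != resolve_value(c["notequals"], resource, params)

def apply_modify(resource, params):
    """Return (matched, resource): when the 'if' block matches, the tags after the addOrReplace operations."""
    if not evaluate(RULE_IF, resource, params):
        return False, resource
    out = {**resource, "tags": dict(resource.get("tags", {}))}
    for op in OPERATIONS:  # addOrReplace sets the tag whether or not it already exists
        out["tags"][tag_name(op["field"], params)] = resolve_value(op["value"], out, params)
    return True, out
```

Passing a resource group dict with `type`, `id` and `tags` plus the three assignment parameters reproduces the three cases: missing owner tag (matched, both tags written), correct owner (not matched, untouched), wrong owner (matched, replaced).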
Reputation: 2489
https://learn.microsoft.com/en-us/azure/governance/policy/troubleshoot/general#cause-1
Upvotes: 0