Joshua

Reputation: 29

Azure indexed policy not being applied to resource group

I'm writing some Azure policies that force certain tags to be in place, as well as inheriting tags from a subscription to a resource group. However, when these policies are set to Indexed mode (as recommended by Azure), they aren't applied when creating a resource group, only on resources themselves. When the mode is set to All, however, the policies work on the resource group. Is there something I'm doing wrong? I don't want to set the mode to All because that could cause conflicts with resources that don't support tagging, right?

Upvotes: 1

Views: 548

Answers (1)

Joshua

Reputation: 29

I solved it myself by setting the mode to All, but only denying an action if the field is set to resource group.

{
  "properties": {
    "displayName": "Require a tag on resources",
    "policyType": "Custom",
    "mode": "All",
    "description": "Enforces existence of the project tag",
    "metadata": {
      "version": "1.0.1",
      "category": "Tags"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [ {
            "field": "[concat('tags[', 'project', ']')]",
            "exists": "false"
          },
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

Upvotes: 0
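
Added example, not part of the original question or answer and not Azure's evaluation engine: a simplified Python model of how the policy mode scopes evaluation, run against the answer's rule, showing why the rule never fires on a resource group in Indexed mode and why the `type` condition keeps mode All from hitting other resources. The `supports_tags` flag, the sample resources, the `Example.Provider/untaggable` type and the `TAG_ONLY` variant are constructed assumptions.

```python
import re

RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
# Rule copied from the answer above.
RULE = {"if": {"allOf": [
            {"field": "[concat('tags[', 'project', ']')]", "exists": "false"},
            {"field": "type", "equals": RG_TYPE}]},
        "then": {"effect": "deny"}}
# Hypothetical variant without the type condition, for comparison.
TAG_ONLY = {"if": RULE["if"]["allOf"][0], "then": RULE["then"]}

def resolve_field(expr):
    """Turn a literal-only [concat(...)] expression into a field name."""
    m = re.fullmatch(r"\[concat\((.*)\)\]", expr)
    return "".join(re.findall(r"'([^']*)'", m.group(1))) if m else expr

def lookup(resource, field):
    """Return (found, value) for 'tags[name]' or a top-level field."""
    tag = re.fullmatch(r"tags\[(.+)\]", field)
    if tag:
        tags = resource.get("tags") or {}
        return tag.group(1) in tags, tags.get(tag.group(1))
    return field in resource, resource.get(field)

def matches(cond, resource):
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    found, value = lookup(resource, resolve_field(cond["field"]))
    if "exists" in cond:  # the page writes the boolean as a string
        return found == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return found and str(value).lower() == str(cond["equals"]).lower()
    raise ValueError(f"condition not modelled: {cond!r}")

def evaluate(mode, resource, rule=RULE):
    """Return the rule's effect if it fires in this mode, else 'allow'."""
    # Indexed: only types supporting tags and location, never resource groups.
    in_scope = mode == "All" or (
        resource["type"] != RG_TYPE and resource["supports_tags"])
    hit = in_scope and matches(rule["if"], resource)
    return rule["then"]["effect"] if hit else "allow"

# Constructed sample requests; supports_tags is an assumed per-type flag.
RG_BARE = {"type": RG_TYPE, "tags": {}, "supports_tags": True}
RG_OK = {"type": RG_TYPE, "tags": {"project": "demo"}, "supports_tags": True}
STORAGE = {"type": "Microsoft.Storage/storageAccounts", "tags": {},
           "supports_tags": True}
UNTAGGABLE = {"type": "Example.Provider/untaggable", "supports_tags": False}
```

`evaluate("Indexed", RG_BARE)` returns `allow` (the behaviour described in the question) while `evaluate("All", RG_BARE)` returns `deny`. `evaluate("All", UNTAGGABLE, TAG_ONLY)` returns `deny`, which is the conflict the `type` condition in the answer's rule avoids.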
