Require multiple Tag names for Azure Resource Group
I have the following use case: I would like to have Azure policy, requiring to have two mandatory tags: Environment and Project for resource groups. There should not be the possibility to create a new resource group without those two tags and the already created resource groups, that do not have the two tags, should show as non-compliant. So far it sounds like a straight forward scenario, but I am not getting the expected result and it is getting harder and harder to keep my sanity, so please advise.
I have reviewed multiple threads in Stack Overflow, as well as this Microsoft article: How to build an audit Azure Policy with multiple parameters .
I use the following code:
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "tags['Environment']",
"exists": "false"
},
{
"field": "tags['Project']",
"exists": "false"
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}
Note: I have removed the parameters in the process of troubleshooting, and replaced them with values for simplification. The result was the same when using parameters', instead of explicit values.
My understanding is that allOf should act as a logical AND and should require all the conditions to be in place - To be a resource group, to have tag Environment and to have tag Project.
So what is the result? When creating a new resource group, the validation does not allow you to continue without providing tags for Environment and Project:
Note: You may see that there is the same policy name for the tag requirements and this is the only policy assignment ... everywhere! This is my personal test tenant, so there is no possibility for other policy assignments that I am not aware of.
The thing is that it allows me to continue further with only one tag provided:
- Only Environment
- Only Project
If we look at the compliance status, you may see that the resource group is marked as compliant by the policy:
but it has only a single tag - Project, without the tag Environment... and still marked as compliant.
So after this long walk-trough, my question is - How to make mandatory to have those two tags - Environment and Project. There could be other tags, but those two should be required and not allowing new resource groups to be created without providing them, and the old resource groups to be marked as non-compliant, if both are missing.
What I am missing that it does not work, as expected?
I have also used the code from the article ... 1:1 ... copy - paste, again I was able to continue only with single tag.
Please support.
I have followed other examples from Stack overflow, as official Microsoft article. Even the suggested example from the Microsoft article was not working as expected, or at least based on my expectation.
Your AllOf condition here indicates to the policy engine to detect an uncompliance resource if all conditions are met. Meaning that:
- You are currently scanning a RG
- The current RG does not have Environment tag
- The current RG does not have a Project tag
We can phrase it as : "My item is uncompliant if this a RG which does not have an Environment AND does not have a Tag project".
If any of this condition is met (example one tag exist), the resource is then tagged as Compliant because it does not meet your overall condition.
You want to add an AnyOf condition here to make sure it breaks if one or the other tag does not exist. To phrase it the following way : "My item is uncompliant if this a RG which does not have an Environment OR does not have a Tag project".
Code:
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"anyOf": [
{
"field": "tags['Environment']",
"exists": "false"
},
{
"field": "tags['Project']",
"exists": "false"
}
]
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?