azure-policy

Enforcing Azure Policy Tag value in email format


I'm trying to build an Azure Tagging policy at the resource group level in which the value of the tag must be in email format and end with 'contoso.com'. The plan is to use a copy of the built-in MSFT policies and specify the tag name at assignment for each tag.

I've tried many permutations of the below code and it's not working. As I understand it, the match operator is not based off of RegEx so I'm using the Like operator. However, the * is not firing as expected. Any thoughts or solutions on this would be much appreciated.

The referenced code will enforce the required tag of 'CreatedBy', however it does not enforce the value in email format. For example, if I feed the value of '12345', it accepts it and creates the resource group.

    {
      "mode": "All",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Resources/subscriptions/resourceGroups"
            },
            {
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "exists": false
            },
            {
              "field": "tags['CreatedBy']",
              "notLike": "*@contoso.com"
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      },
      "parameters": {
        "tagName": {
          "type": "String",
          "metadata": {
            "displayName": "Tag Name",
            "description": "Name of the tag, such as 'environment'"
          }
        }
      }
    }

Solution

  • Have a look at the policy I created here: https://github.com/Azure/Community-Policy/blob/main/policyDefinitions/Tags/validate-email-tag-on-subscription/azurepolicy.json

    You would just have to amend that to be resourceGroups instead of Microsoft.Resources/subscriptions.
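The following is an added example of a resource-group-scoped definition in the shape the answer describes; it is my own construction, not a copy of the linked Community-Policy file or of Microsoft's built-ins. The reason the original rule never denies a value such as '12345' is that it puts the "tag is missing" test and the "value does not look like *@contoso.com" test under one `allOf`: a resource group that carries the tag with any value fails the `exists: false` branch, so the deny never fires. Wrapping those two tests in an `anyOf` makes the policy deny when the tag is absent or when its value does not end in `@` plus the required domain. The `emailDomain` parameter (with its `defaultValue`) and the `description` strings are assumptions I added so that the domain is not hard-coded; the rest uses only the standard `field`, `exists`, `notLike`, `allOf`, `anyOf` and `deny` constructs.

```json
{
  "displayName": "Require a tag whose value is an e-mail address on resource groups",
  "description": "Illustrative example (added here, not the linked community policy): denies resource group creation or update when the tag named by tagName is missing or its value does not end with '@' followed by emailDomain.",
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "anyOf": [
            {
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "exists": false
            },
            {
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "notLike": "[concat('*@', parameters('emailDomain'))]"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Name",
        "description": "Name of the tag whose value must be an e-mail address, such as 'CreatedBy'"
      }
    },
    "emailDomain": {
      "type": "String",
      "defaultValue": "contoso.com",
      "metadata": {
        "displayName": "Required e-mail domain",
        "description": "Assumed parameter added in this example: the domain the tag value must end with, without the leading '@'"
      }
    }
  }
}
```

Assigning this with `tagName` set to `CreatedBy` denies a resource group tagged `CreatedBy = 12345` (the `notLike` branch is true) and one with no `CreatedBy` tag at all (the `exists: false` branch is true), while `CreatedBy = alice@contoso.com` is allowed. Keep in mind that `like`/`notLike` is a `*` wildcard comparison, not a regular expression: it only checks the suffix, so a value such as `@contoso.com` with an empty local part, or one containing spaces, still passes. If the local part must have a particular shape, Azure Policy's `match` operator can be added for fixed-width patterns (`#` digit, `?` letter, `.` any character), but it cannot express a variable-length local part, so a full RFC-style e-mail check has to happen elsewhere.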