Tags: azure, tags, azure-policy

Azure Policy Require a tag on creation Resource


I enabled the Azure policy [Require a tag on resources]. It is validating tags on resource creation as expected, but it is also evaluating existing resources and showing them as Non-compliant.

Definition

{
  "properties": {
    "displayName": "Require a tag on resources",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enforces existence of a tag. Does not apply to resource groups.",
    "metadata": {
      "version": "1.0.1",
      "category": "Tags"
    },
    "version": "1.0.1",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false"
      },
      "then": {
        "effect": "deny"
      }
    },
    "versions": [
      "1.0.1"
    ]
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "871b6d14-10aa-478d-b590-94f262ecfa99"
}

I have checked, and it works on both existing and new resources. Is there any possibility to evaluate only new resources?


Solution

  • No, not specifically new resources.

    The first question is "how would you define new?" The second question is "why would you allow older/legacy resources to continue to violate your policy?"

    • If this is for compliance then you will likely need a strict definition of what is included in the policy and what is not.

    When implementing rules like this, a common approach is to first resolve the existing resources to make sure they meet the new policy restrictions; you can evaluate the impact by setting the enforcement level to Audit. You might choose to use a script to automate the assignment of the tags to existing resources; a workaround would be to inject a [Legacy] tag on all existing resources.

    Then, only enable the Deny enforcement once the legacy resources are tagged.

    The other approach is to enforce the policy on a new/separate subscription or on specific resource groups. This allows a clear separation of before and after and aligns with a lot of other tools and reporting options in Azure. If your policy is for compliance reasons then this is especially useful, particularly if there are other policies that should be associated with the same collection of resources.


    Although not recommended, it is possible to create a policy around a Created Date Tag.
    However, first you would need to create another policy that applies a 'Created Date' tag to the resources.

    Please don't put the created date in a tag, even if you find advice in this and other articles on how to do it. Tags are not suited for managing unique values; tags are designed to categorise and group records together. In Azure the interface is designed to encourage tag re-use; if this list becomes bloated with too many unique date entries, then the tag system will become unusable for other genuine tag values.

    This is an example of how to do it, but please do not. ;)

    This would solve the problem for all new resources, but it doesn't help retrospectively: you would still need to script a date for the previous resources, and you can only retrieve the real date from the activity logs before they expire after 90 days.
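The audit-first rollout described in the answer (assign the policy without blocking anything, tag the pre-existing resources by script, then switch to Deny), as an added Azure CLI example that is not part of the original answer. It assumes the Azure CLI is installed and logged in, uses the built-in definition id shown in the question, and treats the required tag name `environment`, the assignment name `require-tag-environment` and the marker tag `Legacy=true` as hypothetical values. Because the definition in the question hard-codes `"effect": "deny"` and exposes no effect parameter, the non-blocking phase is implemented with the assignment's enforcement mode (`DoNotEnforce`) rather than an Audit effect; existing resources still show up as non-compliant in the compliance report, which is the impact review the answer recommends. The legacy-tagging step also sets the required tag to the placeholder value `legacy` so those resources become compliant once Deny is turned on (an assumption about the desired end state, not something the answer specifies).

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes: Azure CLI installed and
# logged in, the built-in definition from the question, a hypothetical required
# tag "environment", and a hypothetical marker tag "Legacy=true".
set -eu

POLICY_DEF="871b6d14-10aa-478d-b590-94f262ecfa99"   # "Require a tag on resources" (from the question)
ASSIGNMENT="require-tag-environment"                 # hypothetical assignment name

# JSON parameter document for the assignment; the definition takes only tagName.
policy_params_json() {
    printf '{"tagName":{"value":"%s"}}' "$1"
}

# JMESPath query returning ids of resources where the tag is absent. Resources with
# no tags at all have tags == null, and tags."x" on null is also null, so they match.
untagged_query() {
    printf '[?tags."%s" == `null`].id' "$1"
}

# Step 1: assign the policy with enforcement switched off. Nothing is denied yet;
# existing resources are only reported as non-compliant so the impact can be reviewed.
assign_without_enforcement() {
    tag="$1"; scope="$2"
    az policy assignment create \
        --name "$ASSIGNMENT" \
        --display-name "Require tag: $tag" \
        --policy "$POLICY_DEF" \
        --scope "$scope" \
        --params "$(policy_params_json "$tag")" \
        --enforcement-mode DoNotEnforce
}

# Step 2: mark every pre-existing resource that lacks the tag. Merge keeps the
# resource's other tags; each id is echoed first so the run leaves an auditable list.
tag_legacy_resources() {
    tag="$1"
    az resource list --query "$(untagged_query "$tag")" -o tsv | while IFS= read -r id; do
        [ -n "$id" ] || continue
        echo "tagging $id"
        az tag update --resource-id "$id" --operation Merge --tags Legacy=true "$tag=legacy"
    done
}

# Step 3: once the legacy resources are tagged and compliance looks right, turn on Deny.
# (If your CLI version lacks "policy assignment update", delete and re-create the
# assignment without --enforcement-mode DoNotEnforce.)
enable_deny() {
    scope="$1"
    az policy assignment update --name "$ASSIGNMENT" --scope "$scope" --enforcement-mode Default
}

# The end-to-end run only happens when explicitly requested, so sourcing this file
# (for example to reuse the helper functions) has no side effects on the subscription.
if [ "${RUN_TAG_ROLLOUT:-0}" = "1" ]; then
    TAG="${TAG_NAME:-environment}"
    SCOPE="${SCOPE:-/subscriptions/$(az account show --query id -o tsv)}"
    assign_without_enforcement "$TAG" "$SCOPE"
    tag_legacy_resources "$TAG"
    az policy state trigger-scan --no-wait      # request a fresh compliance evaluation
    echo "Review compliance for $ASSIGNMENT, then run: enable_deny $SCOPE"
fi
```

Run it with `RUN_TAG_ROLLOUT=1 TAG_NAME=environment sh rollout.sh` against a non-production subscription first; the Deny switch is deliberately left as a separate manual call so the compliance report can be checked between steps 2 and 3.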