Forum Discussion
Azure resource group tag requirement exception?
Good day to you all, we have a policy in place requiring all new resource groups created to have 6 tags added and populated. Currently we have an application allowing elastic cloud provisioning of assets that uses the API to create a resource group and then populate said group with temporary assets. Typically via the API the resource group is created and then the tags are added, but the policy is blocking this due to the 2-step process. Is there a way to create an exception to the policy in order to allow this app to create its resource groups that are temporary in nature, say by enforcing an audit on them, versus a deny or something?
Any advice is most appreciated.
- hspinto (Microsoft)
If you know the name of the temporary resource groups, have you tried to add exclusions or exemptions?
Understand scope in Azure Policy - Azure Policy | Microsoft Docs
If the resource group name cannot be anticipated, I am afraid you cannot add an exception to something that is unknown.
- david_milette (Copper Contributor)
hspinto Good question. I’d have to look into this with the vendor. They are built on the fly but maybe (hopefully) have a template structure to naming.
- ibnmbodji (Steel Contributor)
Hi
You can go to the policy definition or initiative; you will see a Create exemption button.
- Click on Create exemption
- Define Exemption scope as the Resource group
- Give an Exemption name, category and description
- Define the exemption expiration settings
- Select the policy definitions scope (if it is an initiative, by default all the policy definitions are selected.)
- Review and Create the exemption
- david_milette (Copper Contributor)
Thx team, the product when creating its resource group will create it with this format: MF_TESTRUN_RESOURCEGROUP_XXXXX_YYYYY where XXXXX is a random number and YYYY is the test scenario name requiring the resource group and assets. So I would suppose I'd need to create an exception around this template/mask. Is this feasible? Thx for all your help!
- ibnmbodji (Steel Contributor)
The resource group should exist before creating the exemption, so deployment will be blocked if the effect is set to deny.
You can either see another effect to avoid the deny
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects
Or deploy resources in another subscription
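
Added example, not part of any reply in this thread: one way to handle names that follow the MF_TESTRUN_RESOURCEGROUP_ mask is to put the exclusion in the policy rule itself instead of in an exemption. The custom definition below is modelled on the usual require-a-tag-on-resource-groups rule, assumes one assignment per required tag, and its display name and parameter names are illustrative.

```json
{
  "properties": {
    "displayName": "Require a tag on resource groups (test-run groups excluded)",
    "description": "Added example. Name mask taken from the thread; parameter names are illustrative assumptions.",
    "policyType": "Custom",
    "mode": "All",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": { "displayName": "Required tag name" }
      },
      "effect": {
        "type": "String",
        "allowedValues": [ "Audit", "Deny", "Disabled" ],
        "defaultValue": "Deny",
        "metadata": { "displayName": "Effect" }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "name",
            "notLike": "MF_TESTRUN_RESOURCEGROUP_*"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Anyone who can create a resource group with that prefix skips the deny, so keep an Audit-effect tag policy assigned at the same scope so the temporary groups still show up in compliance results.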