Forum Discussion

gregory_esnaud
Copper Contributor
Mar 13, 2023

Checking that old and new resources are configured with a tag with specific case

Hello Azure community!

I'm configuring an Azure Policy to check the presence of a tag on new and old resources.

Checking the presence only was quite easy:

policy_rule = <<RULE
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      {
        "field": "[concat('tags[', parameters('TagName'), ']')]",
        "exists": "false"
      }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
}
RULE

With the following parameters:

parameters = <<PARAMETERS
{
  "tagName": {
    "type": "String",
    "metadata": {
      "displayName": "Tag Name",
      "description": "Name of the tag, such as 'environment'"
    }
  },
  "effect": {
    "type": "String",
    "defaultValue": "Audit",
    "allowedValues": [
      "Audit",
      "Deny",
      "Disabled"
    ],
    "metadata": {
      "displayName": "Effect",
      "description": "The effect determines what happens when the policy rule is evaluated to match"
    }
  }
}
PARAMETERS

But now I want the policy rule to also check the case of the tagName parameter.

Ex: say the expected tagName is `RigorousMakeMeHappy`. Then I want resources to be configured with `RigorousMakeMeHappy` but not with `rigorousmakemehappy` or `rigorousMakeMeHappy` or `RIGOROUSMAKEMEHAPPY` etc.

And I struggled for two days without success.

I tried, among other things, the following:

policy_rule = <<RULE
{
  "if": {
    "anyOf": [
      {
        "field": "tags",
        "match": "[parameters('tagName')]"
      }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
}
RULE

I tried to achieve this with the following documentation:

- https://learn.microsoft.com/en-us/azure/governance/policy/samples/pattern-fields
- https://stackoverflow.com/questions/59653416/multiple-name-pattern-and-parameter-definition
- https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure

Thanks for your precious help!

  • I've found the answer (or one of... but honestly I think it's the only one 😄) and, again, thanks for your time!

    Here is the code:

    policy_rule = <<RULE
    {
      "if": {
        "allOf": [
          {
            "value": "[contains(string(field('tags')),parameters('tagName'))]",
            "notMatch": "True"
          },
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
    RULE

    Then, if your `tagName` is **RigorousMakesMeHappy**, and whatever the tagValue is, you will be compliant or not with:

    • RigorousMakesMeHappy: ✅ (compliant)
    • rigorousMakesMeHappy: ❌ (not compliant)
    • RigorousMakesMeHapPY: ❌
    • qsdfqsdfqsfd: ❌
    • yougettheidea: ❌
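
A small Python model of the condition in the rule above, added here as an illustration (it is not code from the post and is not evaluated by Azure Policy). It assumes `string(field('tags'))` yields the tags object as compact JSON text; the function names and the last three sample tag sets are constructed, and they show where a case-sensitive substring test and an exact tag-name comparison disagree.

```python
import json

TAG_NAME = "RigorousMakesMeHappy"  # the tagName parameter value used in the post

def posted_rule_compliant(tags, tag_name):
    """Model of the posted condition: contains(string(field('tags')), tagName).

    contains() on two strings is a case-sensitive substring test. The exact
    text produced by string() is assumed here to be compact JSON.
    """
    serialized = json.dumps(tags, separators=(",", ":"))
    return tag_name in serialized

def exact_name_compliant(tags, tag_name):
    """Reference check: some tag name equals tag_name exactly, case included."""
    return tag_name in tags

# Constructed sample resources: the first five use the tag names listed in
# the post, the remaining three are edge cases added for this example.
SAMPLES = [
    {"RigorousMakesMeHappy": "anything"},
    {"rigorousMakesMeHappy": "anything"},
    {"RigorousMakesMeHapPY": "anything"},
    {"qsdfqsdfqsfd": "anything"},
    {"yougettheidea": "anything"},
    {},                                       # resource with no tags at all
    {"owner": "RigorousMakesMeHappy"},        # name appears only in a tag value
    {"NotRigorousMakesMeHappyAtAll": "x"},    # name is part of a longer tag name
]

def disagreements(samples, tag_name):
    """Return the tag sets on which the substring model and the exact check differ."""
    return [t for t in samples
            if posted_rule_compliant(t, tag_name) != exact_name_compliant(t, tag_name)]

if __name__ == "__main__":
    for tags in SAMPLES:
        print(f"{json.dumps(tags):45} "
              f"substring={posted_rule_compliant(tags, TAG_NAME)!s:5} "
              f"exact={exact_name_compliant(tags, TAG_NAME)}")
    print("disagree on:", disagreements(SAMPLES, TAG_NAME))
```

The two models agree on every tag name listed in the post; they differ only on the two constructed cases where the expected name appears inside a tag value or inside a longer tag name.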

     
