Forum Discussion

cclem12055
Copper Contributor
Jan 18, 2022

Create a Deny policy based on subscription tag

Hello,

I want to create a policy that can deny the creation of the resource "public IP" on the subscriptions that have a specific tag "connected".

I have tried the specific policy for "auditing", but I have no idea how to do it on "Deny" as the "existenceCondition" field does not exist.

Is there a way to do it?

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions"
        },
        {
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "notEquals": "[parameters('tagValue')]"
        }
      ]
    },
    "then": {
      "effect": "auditIfNotExists",
      "details": {
        "type": "Microsoft.Network/networkInterfaces",
        "existenceCondition": {
          "not": {
            "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id",
            "notLike": "*"
          }
        }
      }
    }
  },
  "parameters": {
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Name",
        "description": "Name of the tag, such as 'environment'"
      },
      "defaultValue": "connected"
    },
    "tagValue": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Value",
        "description": "Value of the tag, such as 'production'"
      },
      "defaultValue": "yes"
    }
  }
}
Thank you!
Clement
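One way to get the Deny behaviour asked about above, as an added example that is not part of the original post: a plain Deny rule on public IP addresses (no existenceCondition needed), with the "connected" tag handled by assignment scope rather than inside the rule, so the policy is only assigned to subscriptions that carry the tag. The management group name is a placeholder, and the script assumes the Az.Accounts and Az.Resources modules and an already authenticated session with rights to create definitions and assignments.

```powershell
# Added example (not from the original post): deny creation of public IP
# addresses on every subscription tagged connected=yes.
# Assumes Connect-AzAccount has been run; the management group name is a placeholder.
$mgName   = 'MG-PLACEHOLDER'   # management group that will hold the definition
$tagName  = 'connected'
$tagValue = 'yes'

# Plain Deny rule: the subscription-tag logic lives in the assignment scope,
# not in the rule, so no existenceCondition is required.
$rule = @'
{
  "if": {
    "field": "type",
    "equals": "Microsoft.Network/publicIPAddresses"
  },
  "then": {
    "effect": "deny"
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'deny-public-ip' `
    -DisplayName 'Deny public IP addresses' `
    -Mode 'All' -Policy $rule -ManagementGroupName $mgName

# Assign the definition only to subscriptions whose tag matches.
foreach ($sub in Get-AzSubscription) {
    $scope = "/subscriptions/$($sub.Id)"
    $tags  = (Get-AzTag -ResourceId $scope).Properties.TagsProperty
    if ($tags -and $tags[$tagName] -eq $tagValue) {
        New-AzPolicyAssignment -Name 'deny-public-ip' `
            -PolicyDefinition $definition -Scope $scope | Out-Null
        Write-Output "Assigned deny-public-ip to $($sub.Name) ($scope)"
    }
}
```

Re-run the script whenever subscription tags change, since the assignment is created once and does not follow later tag edits by itself.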