Azure Policy (tags)

%3CLINGO-SUB%20id%3D%22lingo-sub-1256154%22%20slang%3D%22en-US%22%3EAzure%20Policy%20(tags)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1256154%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%20I%20am%20working%20on%20a%20policy%20that%20restricts%20tags%20to%20predefined%20values.%20As%20of%20now%2C%20i%20have%20that%20functionality%20but%20i%20also%20want%20to%20restrict%20the%20creation%20of%20adding%20new%20tags%20as%20well.%20I%20want%20the%20user%20to%20only%20have%20the%20ability%20to%20create%20tags%20from%20the%20predefined%20list%20of%20name%20and%20values%20otherwise%2C%20deny.%20Any%20assistance%20would%20be%20helpful%2C%20thanks%20in%20advance%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20what%20i%20have%20so%20far%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%7B%3C%2FP%3E%0A%3CP%3E%22mode%22%3A%20%22All%22%2C%3CBR%20%2F%3E%22policyRule%22%3A%20%7B%3CBR%20%2F%3E%22if%22%3A%20%7B%3CBR%20%2F%3E%22allOf%22%3A%20%5B%3CBR%20%2F%3E%7B%3CBR%20%2F%3E%22not%22%3A%20%7B%3CBR%20%2F%3E%22allOf%22%3A%20%5B%7B%3CBR%20%2F%3E%22field%22%3A%20%22tags%5B'OrgCode'%5D%22%2C%3CBR%20%2F%3E%22exists%22%3A%20%22true%22%3CBR%20%2F%3E%7D%2C%3CBR%20%2F%3E%7B%3CBR%20%2F%3E%22field%22%3A%20%22tags%5B'OrgCode'%5D%22%2C%3CBR%20%2F%3E%22notIn%22%3A%20%22%5Bparameters('OrgCode')%5D%22%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%5D%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%2C%3CBR%20%2F%3E%7B%3CBR%20%2F%3E%22not%22%3A%20%7B%3CBR%20%2F%3E%22allOf%22%3A%20%5B%7B%3CBR%20%2F%3E%22field%22%3A%20%22tags%5B'Backuplevel'%5D%22%2C%3CBR%20%2F%3E%22exists%22%3A%20%22true%22%3CBR%20%2F%3E%7D%2C%3CBR%20%2F%3E%7B%3CBR%20%2F%3E%22field%22%3A%20%22tags%5B'Backuplevel'%5D%22%2C%3CBR%20%2F%3E%22notIn%22%3A%20%22%5Bparameters('Backuplevel')%5D%22%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%5D%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%2C%3CBR%20%2F%3E%7B%3CBR%20%2F%3E%22not%22%3A%20%7B%3CBR%20%2F%3E%22allOf%22%3A%20%5B%7B%3CBR%20%2F%3E%22field%22%3A%20%22tags%5B'Environment'%5D%22%2C%3CBR%20%2F%3E%22exists%22%3A%20%22true%22%3CBR%20%2F%3E%7D%2C%3CBR%20%2F%3E%7B%3CBR%20%2F%3E%22field%22%3A%20%22tags%5B'Environment'%5D%22%2C%3CBR%20%2F%3E%22notIn%22%3A%20%22%5Bparameters('Environment')%5D%22%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%5D%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%2C%3CBR%20%2F%3E%7B%3CBR%20%2F%3E%22not%22%3A%20%7B%3CBR%20%2F%3E%22field%22%3A%20%22tags.AppID%22%2C%3CBR%20%2F%3E%22exists%22%3A%20%22true%22%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%5D%3CBR%20%2F%3E%7D%2C%3CBR%20%2F%3E%22then%22%3A%20%7B%3CBR%20%2F%3E%22effect%22%3A%20%22deny%22%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%2C%3CBR%20%2F%3E%22parameters%22%3A%20%7B%3CBR%20%2F%3E%22OrgCode%22%3A%20%7B%3CBR%20%2F%3E%22type%22%3A%20%22Array%22%2C%3CBR%20%2F%3E%22metadata%22%3A%20%7B%3CBR%20%2F%3E%22description%22%3A%20%22Provides%20a%20charge%20code%20or%20cost%20center%20to%20attribute%20the%20bill%20for%20the%20resources%20too.%20Tag%20value%3A%20Cost%20Center.%20Example%3A%20team%40domain.com%22%3CBR%20%2F%3E%7D%2C%3CBR%20%2F%3E%22allowedValues%22%3A%20%5B%3CBR%20%2F%3E%3CBR%20%2F%3E%228510%22%2C%3CBR%20%2F%3E%226000%22%2C%3CBR%20%2F%3E%228310%22%3CBR%20%2F%3E%5D%3CBR%20%2F%3E%7D%2C%3CBR%20%2F%3E%22Backuplevel%22%3A%20%7B%3CBR%20%2F%3E%22type%22%3A%20%22Array%22%2C%3CBR%20%2F%3E%22metadata%22%3A%20%7B%3CBR%20%2F%3E%22description%22%3A%20%22Provides%20information%20on%20department%20or%20team%20is%20responsible%20for%20administering%2Fsupporting%20the%20application.%20Tag%20value%3A%20Team%20name%2Femail.%20Example%3A%201506548%22%3CBR%20%2F%3E%7D%2C%3CBR%20%2F%3E%22allowedValues%22%3A%20%5B%3CBR%20%2F%3E%22azzu-vim-cpp-1%22%2C%3CBR%20%2F%3E%22azu-vim-cpp-2%22%2C%3CBR%20%2F%3E%22azu-vim-cpp-3%22%2C%3CBR%20%2F%3E%22azu-vim-cpp-4%22%2C%3CBR%20%2F%3E%22azu-mssql-cpp-1%22%2C%3CBR%20%2F%3E%22azu-mssql-cpp-2%22%2C%3CBR%20%2F%3E%22azu-mssql-cpp-3%22%2C%3CBR%20%2F%3E%22azu-mssql-cpp-4%22%2C%3CBR%20%2F%3E%22azu-odb-cpp-1%22%2C%3CBR%20%2F%3E%22azu-odb-cpp-2%22%2C%3CBR%20%2F%3E%22azu-odb-cpp-3%22%2C%3CBR%20%2F%3E%22azu-odb-cpp-4%22%2C%3CBR%20%2F%3E%22azu-no-backup%22%3CBR%20%2F%3E%3CBR%20%2F%3E%5D%3CBR%20%2F%3E%7D%2C%3CBR%20%2F%3E%3CBR%20%2F%3E%22Environment%22%3A%20%7B%3CBR%20%2F%3E%22type%22%3A%20%22Array%22%2C%3CBR%20%2F%3E%22metadata%22%3A%20%7B%3CBR%20%2F%3E%22description%22%3A%20%22Provides%20information%20on%20what%20the%20resource%20group%20is%20used%20for%20(useful%20for%20maintenance%2C%20policy%20enforcement%2C%20chargeback%2C%20etc.)%20Tag%20value%3A%20Dev%2C%20QA%2C%20Stage%2C%20Test%2C%20Prod.%20Example%3A%20Prod%22%3CBR%20%2F%3E%7D%2C%3CBR%20%2F%3E%22allowedValues%22%3A%20%5B%3CBR%20%2F%3E%3CBR%20%2F%3E%22Production%22%2C%3CBR%20%2F%3E%22Test%22%2C%3CBR%20%2F%3E%22Stage%22%2C%3CBR%20%2F%3E%22DR%22%3CBR%20%2F%3E%5D%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1256154%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Policy%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1380784%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Policy%20(tags)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1380784%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F596615%22%20target%3D%22_blank%22%3E%40Lagrahammicrosftcom%3C%2FA%3E%20Azure%20Policy%20can't%20do%20that%20right%20now%2C%20anyhow%2C%20even%20if%20you%20could%2C%20that%20wouldn't%20be%20recommended.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThere%20are%20several%20resources%20in%20Azure%20that%20use%20hidden%20tags%20to%20function%20properly.%20Blocking%20tags%20outside%20of%20the%20ones%20predefined%20by%20Policy%20would%20mean%20those%20resources%20will%20fail%20to%20be%20created%2C%20even%20if%20all%20the%20required%20tags%20entered%20by%20user%20are%20present.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2251749%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Policy%20(tags)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2251749%22%20slang%3D%22en-US%22%3EWould%20also%20advise%20to%20be%20very%20careful%20using%20the%20Deny%20effect%20for%20tag%20governance%20and%20instead%20recommend%20using%20Modify%20effect..%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20can%20find%20some%20examples%20of%20tag%20governance%20with%20Modify%20effect%20here%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fglobalbao%2Fterraform-azurerm-policy%2Fblob%2Fmaster%2Fmodules%2Fpolicy-definitions%2Fmain.tf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fglobalbao%2Fterraform-azurerm-policy%2Fblob%2Fmaster%2Fmodules%2Fpolicy-definitions%2Fmain.tf%3C%2FA%3E%3C%2FLINGO-BODY%3E
Microsoft

Hello, I am working on a policy that restricts tags to predefined values. As of now, i have that functionality but i also want to restrict the creation of adding new tags as well. I want the user to only have the ability to create tags from the predefined list of name and values otherwise, deny. Any assistance would be helpful, thanks in advance

 

This what i have so far:

 

{

"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"not": {
"allOf": [{
"field": "tags['OrgCode']",
"exists": "true"
},
{
"field": "tags['OrgCode']",
"notIn": "[parameters('OrgCode')]"
}
]
}
},
{
"not": {
"allOf": [{
"field": "tags['Backuplevel']",
"exists": "true"
},
{
"field": "tags['Backuplevel']",
"notIn": "[parameters('Backuplevel')]"
}
]
}
},
{
"not": {
"allOf": [{
"field": "tags['Environment']",
"exists": "true"
},
{
"field": "tags['Environment']",
"notIn": "[parameters('Environment')]"
}
]
}
},
{
"not": {
"field": "tags.AppID",
"exists": "true"
}
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {
"OrgCode": {
"type": "Array",
"metadata": {
"description": "Provides a charge code or cost center to attribute the bill for the resources too. Tag value: Cost Center. Example: team@domain.com"
},
"allowedValues": [

"8510",
"6000",
"8310"
]
},
"Backuplevel": {
"type": "Array",
"metadata": {
"description": "Provides information on department or team is responsible for administering/supporting the application. Tag value: Team name/email. Example: 1506548"
},
"allowedValues": [
"azzu-vim-cpp-1",
"azu-vim-cpp-2",
"azu-vim-cpp-3",
"azu-vim-cpp-4",
"azu-mssql-cpp-1",
"azu-mssql-cpp-2",
"azu-mssql-cpp-3",
"azu-mssql-cpp-4",
"azu-odb-cpp-1",
"azu-odb-cpp-2",
"azu-odb-cpp-3",
"azu-odb-cpp-4",
"azu-no-backup"

]
},

"Environment": {
"type": "Array",
"metadata": {
"description": "Provides information on what the resource group is used for (useful for maintenance, policy enforcement, chargeback, etc.) Tag value: Dev, QA, Stage, Test, Prod. Example: Prod"
},
"allowedValues": [

"Production",
"Test",
"Stage",
"DR"
]
}
}
}

 

2 Replies

@Lagrahammicrosftcom Azure Policy can't do that right now, anyhow, even if you could, that wouldn't be recommended.

 

There are several resources in Azure that use hidden tags to function properly. Blocking tags outside of the ones predefined by Policy would mean those resources will fail to be created, even if all the required tags entered by user are present.

Would also advise to be very careful using the Deny effect for tag governance and instead recommend using Modify effect..

You can find some examples of tag governance with Modify effect here:

https://github.com/globalbao/terraform-azurerm-policy/blob/master/modules/policy-definitions/main.tf