cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Azure Policy (tags)

Lagrahammicrosftcom
Microsoft

‎Mar 26 2020 09:19 AM - edited ‎Mar 26 2020 09:21 AM

‎Mar 26 2020 09:19 AM - edited ‎Mar 26 2020 09:21 AM

Azure Policy (tags)

Hello, I am working on a policy that restricts tags to predefined values. As of now, i have that functionality but i also want to restrict the creation of adding new tags as well. I want the user to only have the ability to create tags from the predefined list of name and values otherwise, deny. Any assistance would be helpful, thanks in advance

 

This what i have so far:

 

{

"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"not": {
"allOf": [{
"field": "tags['OrgCode']",
"exists": "true"
},
{
"field": "tags['OrgCode']",
"notIn": "[parameters('OrgCode')]"
}
]
}
},
{
"not": {
"allOf": [{
"field": "tags['Backuplevel']",
"exists": "true"
},
{
"field": "tags['Backuplevel']",
"notIn": "[parameters('Backuplevel')]"
}
]
}
},
{
"not": {
"allOf": [{
"field": "tags['Environment']",
"exists": "true"
},
{
"field": "tags['Environment']",
"notIn": "[parameters('Environment')]"
}
]
}
},
{
"not": {
"field": "tags.AppID",
"exists": "true"
}
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {
"OrgCode": {
"type": "Array",
"metadata": {
"description": "Provides a charge code or cost center to attribute the bill for the resources too. Tag value: Cost Center. Example: team@domain.com"
},
"allowedValues": [

"8510",
"6000",
"8310"
]
},
"Backuplevel": {
"type": "Array",
"metadata": {
"description": "Provides information on department or team is responsible for administering/supporting the application. Tag value: Team name/email. Example: 1506548"
},
"allowedValues": [
"azzu-vim-cpp-1",
"azu-vim-cpp-2",
"azu-vim-cpp-3",
"azu-vim-cpp-4",
"azu-mssql-cpp-1",
"azu-mssql-cpp-2",
"azu-mssql-cpp-3",
"azu-mssql-cpp-4",
"azu-odb-cpp-1",
"azu-odb-cpp-2",
"azu-odb-cpp-3",
"azu-odb-cpp-4",
"azu-no-backup"

]
},

"Environment": {
"type": "Array",
"metadata": {
"description": "Provides information on what the resource group is used for (useful for maintenance, policy enforcement, chargeback, etc.) Tag value: Dev, QA, Stage, Test, Prod. Example: Prod"
},
"allowedValues": [

"Production",
"Test",
"Stage",
"DR"
]
}
}
}

 

Labels:
2,619 Views
0 Likes
2 Replies
Reply
2 Replies
dsv591

‎May 11 2020 01:16 PM

‎May 11 2020 01:16 PM

Re: Azure Policy (tags)

@Lagrahammicrosftcom Azure Policy can't do that right now, anyhow, even if you could, that wouldn't be recommended.

 

There are several resources in Azure that use hidden tags to function properly. Blocking tags outside of the ones predefined by Policy would mean those resources will fail to be created, even if all the required tags entered by user are present.

1 Like
Reply
Jesse Loudon

‎Apr 02 2021 06:43 PM

‎Apr 02 2021 06:43 PM

Re: Azure Policy (tags)

Would also advise to be very careful using the Deny effect for tag governance and instead recommend using Modify effect..

You can find some examples of tag governance with Modify effect here:

https://github.com/globalbao/terraform-azurerm-policy/blob/master/modules/policy-definitions/main.tf
0 Likes
Reply