Azure resource group tag requirement exception?


Good day to you all, we have a policy in place requiring all new resource groups created to have 6 tags added and populated. Currently we have an application allowing elastic cloud provisioning of assets that uses the API to create a resource group and then populate said group with temporary assets. Typically via the API the resource group is created and then the tags are added, but the policy is blocking this due to the 2-step process. Is there a way to create an exception to the policy in order to allow this app to create its resource groups that are temporary in nature, say by enforcing an audit on the, versus a deny or something?

Any advice is most appreciated.

8 Replies

@david_milette

If you know the name of the temporary resource groups, have you tried to add exclusions or exemptions?

Understand scope in Azure Policy - Azure Policy | Microsoft Docs (https://docs.microsoft.com/en-us/azure/governance/policy/concepts/scope)

If the resource group name cannot be anticipated, I am afraid you cannot add an exception to something that is unknown.

@hspinto Good question. I'd have to look into this with the vendor. They are built on the fly but maybe (hopefully) have a template structure to naming.

Hi,
If you go to the policy definition or initiative you will see a Create exemption button:
- Click on Create exemption
- Define the exemption scope as the resource group
- Give an exemption name, category and description
- Define the exemption expiration settings
- Select the policy definitions scope (if it is an initiative, by default all the policy definitions are selected)
- Review and create the exemption

Thx team, the product when creating its resource group will create it with this format: MF_TESTRUN_RESOURCEGROUP_XXXXX_YYYYY where XXXXX is a random number and YYYYY is the test scenario name requiring the resource group and assets. So I would suppose I'd need to create an exception around this template/mask. Is this feasible? Thx for all your help!

The resource group should exist before creating the exemption, so deployment will be blocked if the effect is set to deny.
You can either see another effect to avoid the deny
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects
Or deploy resources in another subscription

Indeed, that is what we are seeing. Thx for the clarification.

As our app implementation was using the .Net API we managed to code this to finally work. Thx for all your assistance!
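The two points the thread turns on, that a policy exemption needs a scope that already exists (so a name mask like MF_TESTRUN_RESOURCEGROUP_XXXXX_YYYYY cannot be pre-exempted) and that the fix is to send the tags in the same request that creates the group, are modelled below in an added Python example. This is not code from the thread, from the vendor's product or from Azure itself: it is a toy stand-in for the request-time evaluation a "require tags on resource groups" deny policy performs, with no calls to the Azure API. The six tag names, the subscription id and the `evaluate`/`two_step_flow`/`one_step_flow` functions are all assumptions made for the illustration (the thread says six tags but never names them).

```python
"""Toy model of an Azure Policy 'required tags on resource groups' rule.

Constructed example, not the Azure policy engine: it only reproduces the
property that a request is judged on the body it carries at the moment it
arrives, which is why a create-then-tag sequence fails under a deny effect
while a single create-with-tags request passes.
"""
import re

# Assumed tag set; the thread only says "6 tags", not which ones.
REQUIRED_TAGS = ["CostCenter", "Owner", "Environment",
                 "Application", "Project", "ExpiresOn"]

# Naming mask quoted in the thread: random number, then scenario name.
TEST_RUN_MASK = re.compile(r"^MF_TESTRUN_RESOURCEGROUP_\d+_[A-Za-z0-9]+$")


def rg_id(subscription_id, name):
    """ARM resource id of a resource group (the scope an exemption would name)."""
    return f"/subscriptions/{subscription_id}/resourceGroups/{name}"


def missing_tags(body, required=REQUIRED_TAGS):
    """Tags that are absent or blank: 'populated' means a non-empty value."""
    tags = body.get("tags") or {}
    return [t for t in required if not str(tags.get(t, "")).strip()]


def is_exempt(scope, exemptions):
    """An exemption covers a concrete scope and everything beneath it.

    Exemptions are matched on exact ids, never on a name pattern, which is
    why a group that does not exist yet cannot be exempted in advance.
    """
    scope = scope.lower()
    return any(scope == e.lower() or scope.startswith(e.lower() + "/")
               for e in exemptions)


def evaluate(body, effect="deny", exemptions=(), required=REQUIRED_TAGS):
    """Judge one PUT on a resource group.

    Returns (verdict, missing) where verdict is one of
    'exempt', 'allowed', 'denied' (deny effect) or 'audited'
    (audit-style effects record the gap but let the request through).
    """
    if is_exempt(body["id"], exemptions):
        return "exempt", []
    missing = missing_tags(body, required)
    if not missing:
        return "allowed", []
    if effect == "deny":
        return "denied", missing
    return "audited", missing


def two_step_flow(subscription_id, name, tags, effect="deny"):
    """The vendor's original sequence: create the group, then add tags."""
    create = {"id": rg_id(subscription_id, name), "location": "eastus"}
    verdict, _ = evaluate(create, effect)
    if verdict == "denied":
        return ["create:denied"]        # the tagging call never happens
    update = {**create, "tags": tags}
    tag_verdict, _ = evaluate(update, effect)
    return [f"create:{verdict}", f"tags:{tag_verdict}"]


def one_step_flow(subscription_id, name, tags, effect="deny"):
    """The fix the thread ends on: tags travel in the create request itself."""
    body = {"id": rg_id(subscription_id, name), "location": "eastus",
            "tags": tags}
    verdict, _ = evaluate(body, effect)
    return [f"create:{verdict}"]


if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"      # placeholder id
    name = "MF_TESTRUN_RESOURCEGROUP_48213_LoginSmoke"  # constructed name
    full_tags = {t: "demo" for t in REQUIRED_TAGS}
    print("mask matches:", bool(TEST_RUN_MASK.match(name)))
    print("two-step under deny :", two_step_flow(sub, name, full_tags))
    print("two-step under audit:", two_step_flow(sub, name, full_tags, "audit"))
    print("one-step under deny :", one_step_flow(sub, name, full_tags))
```

Switching the effect from deny to audit, as one reply suggests, lets the two-step flow through at the cost of groups that are briefly untagged and only logged; keeping deny and moving the tags into the create call is the option that leaves the policy intact.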

@david_milette

Hi,

It can be interesting to see what it looks like.

Thanks