Mar 13 2023 07:25 AM - edited Mar 13 2023 07:26 AM
Hello Azure community!
I'm configuring an Azure Policy to check the presence of a tag on new and old resources.
Checking the presence only was quite easy:
```hcl
policy_rule = <<RULE
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      {
        "field": "[concat('tags[', parameters('TagName'), ']')]",
        "exists": "false"
      }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
}
RULE
```
With the following parameters:
```hcl
parameters = <<PARAMETERS
{
  "tagName": {
    "type": "String",
    "metadata": {
      "displayName": "Tag Name",
      "description": "Name of the tag, such as 'environment'"
    }
  },
  "effect": {
    "type": "String",
    "defaultValue": "Audit",
    "allowedValues": [
      "Audit",
      "Deny",
      "Disabled"
    ],
    "metadata": {
      "displayName": "Effect",
      "description": "The effect determines what happens when the policy rule is evaluated to match"
    }
  }
}
PARAMETERS
```
But now I want the policy rule to also check the case of the tagName parameter.
Ex: suppose the expected tagName is `RigorousMakeMeHappy`. Then I want resources to be configured with `RigorousMakeMeHappy` but not with `rigorousmakemehappy` or `rigorousMakeMeHappy` or `RIGOROUSMAKEMEHAPPY` etc.
And I struggled for two days without success.
I tried, among other things, the following:
```hcl
policy_rule = <<RULE
{
  "if": {
    "anyOf": [
      {
        "field": "tags",
        "match": "[parameters('tagName')]"
      }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
}
RULE
```
I tried to achieve this with the following documentation:
- https://learn.microsoft.com/en-us/azure/governance/policy/samples/pattern-fields
- https://stackoverflow.com/questions/59653416/multiple-name-pattern-and-parameter-definition
- https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure
Thanks for your precious help!
Mar 15 2023 01:07 AM
Solution
I've found the answer (or one of... but honestly I think it's the only one 😄) and, again, thanks for your time!
Here is the code:
```hcl
policy_rule = <<RULE
{
  "if": {
    "allOf": [
      {
        "value": "[contains(string(field('tags')),parameters('tagName'))]",
        "notMatch": "True"
      },
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
}
RULE
```
Then, if your `tagName` is **RigorousMakesMeHappy**, and whatever the tagValue is, you will be compliant or not with:
RigorousMakesMeHappy: ✅ (compliant)
rigorousMakesMeHappy: ❌ (not compliant)
RigorousMakesMeHapPY: ❌
qsdfqsdfqsfd: ❌
yougettheidea: ❌
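
Added example, not part of the original post: a Python model of the `contains(string(field('tags')), parameters('tagName'))` condition above, compared with an exact, case-sensitive tag-key check. It shows that the substring test is case-sensitive but also accepts the name when it appears inside a tag value or a longer tag name. Assumptions: `json.dumps` stands in for the policy `string()` function, and all resource names and tags are constructed.

```python
import json

TAG_NAME = "RigorousMakesMeHappy"

# Constructed sample resources: name -> tags
SAMPLE_RESOURCES = {
    "vm-ok":     {"RigorousMakesMeHappy": "yes"},
    "vm-lower":  {"rigorousMakesMeHappy": "yes"},
    "vm-value":  {"note": "RigorousMakesMeHappy"},
    "vm-longer": {"NotRigorousMakesMeHappyAtAll": "x"},
    "vm-none":   {},
}


def policy_flags_noncompliant(tags, tag_name):
    """Model of the rule: the effect fires when the serialized tags
    object does NOT contain tag_name as a case-sensitive substring."""
    serialized = json.dumps(tags, separators=(",", ":"))  # stand-in for string()
    return tag_name not in serialized


def has_exact_tag(tags, tag_name):
    """Stricter check: tag_name must be a tag key, exact case."""
    return tag_name in tags


def substring_false_negatives(resources, tag_name):
    """Resources the substring rule treats as compliant although
    no tag key equals tag_name exactly."""
    return [
        name
        for name, tags in resources.items()
        if not policy_flags_noncompliant(tags, tag_name)
        and not has_exact_tag(tags, tag_name)
    ]


if __name__ == "__main__":
    for name, tags in SAMPLE_RESOURCES.items():
        flagged = policy_flags_noncompliant(tags, TAG_NAME)
        print(f"{name:10} flagged={flagged!s:5} exact_key={has_exact_tag(tags, TAG_NAME)}")
    print("missed by substring rule:", substring_false_negatives(SAMPLE_RESOURCES, TAG_NAME))
```

Resources listed by `substring_false_negatives` are the ones to review if the requirement is an exact tag name rather than "the name appears somewhere in the tags".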