SOLVED

Checking that old and new resources are configured with a tag with specific case

Hello Azure community!

I'm configuring an Azure Policy to check the presence of a tag on new and old resources.

Checking the presence only was quite easy:

```hcl
policy_rule = <<RULE
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      {
        "field": "[concat('tags[', parameters('TagName'), ']')]",
        "exists": "false"
      }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
}
RULE
```


With the following parameters:

```hcl
parameters = <<PARAMETERS
{
  "tagName": {
    "type": "String",
    "metadata": {
      "displayName": "Tag Name",
      "description": "Name of the tag, such as 'environment'"
    }
  },
  "effect": {
    "type": "String",
    "defaultValue": "Audit",
    "allowedValues": [
      "Audit",
      "Deny",
      "Disabled"
    ],
    "metadata": {
      "displayName": "Effect",
      "description": "The effect determines what happens when the policy rule is evaluated to match"
    }
  }
}
PARAMETERS
```

But now I want the policy rule to also check the case of the tagName parameter.

Ex: suppose the expected tagName is `RigorousMakeMeHappy`. Then, I want resources to be configured with `RigorousMakeMeHappy` but not with `rigorousmakemehappy` or `rigorousMakeMeHappy` or `RIGOROUSMAKEMEHAPPY` etc.

And I struggled for two days w/o success.

I tried, among other things, the following:

```hcl
policy_rule = <<RULE
{
  "if": {
    "anyOf": [
      {
        "field": "tags",
        "match": "[parameters('tagName')]"
      }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
}
RULE
```

I tried to achieve this with the following documentation:

- https://learn.microsoft.com/en-us/azure/governance/policy/samples/pattern-fields
- https://stackoverflow.com/questions/59653416/multiple-name-pattern-and-parameter-definition
- https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure

Thanks for your precious help!

1 Reply
best response confirmed by gregory_esnaud (Copper Contributor)
Solution

I've found the answer (or one of... but honestly I think it's the only one :D) and, again, thanks for your time!

Here is the code:

```hcl
policy_rule = <<RULE
{
  "if": {
    "allOf": [
      {
        "value": "[contains(string(field('tags')),parameters('tagName'))]",
        "notMatch": "True"
      },
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
}
RULE
```

Then, if your `tagName` is **RigorousMakesMeHappy**, and whatever the tagValue is, you will be compliant or not with:

  • RigorousMakesMeHappy: ✅ (compliant)
  • rigorousMakesMeHappy: ❌ (not compliant)
  • RigorousMakesMeHapPY: ❌
  • qsdfqsdfqsfd: ❌
  • yougettheidea: ❌
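
A small Python model of the condition in the accepted rule, added here as an illustration and not code from the thread or from Azure. It assumes `string(field('tags'))` renders the tags object as JSON text and that `contains` is a case-sensitive substring test, and it compares that with an exact tag-key check on constructed tag sets; the function names are hypothetical.

```python
import json

def serialized_contains(tags: dict, tag_name: str) -> bool:
    """Model of contains(string(field('tags')), parameters('tagName')).

    Assumption: string() renders the tags object as compact JSON and
    contains() is a case-sensitive substring test on that text.
    """
    return tag_name in json.dumps(tags, separators=(",", ":"))

def exact_key_present(tags: dict, tag_name: str) -> bool:
    """Stricter reference check: a tag key equal to tag_name, case included."""
    return tag_name in tags

# Constructed tag sets; the name follows the thread's example, values are made up.
TAG_NAME = "RigorousMakesMeHappy"
SAMPLES = {
    "exact key": {"RigorousMakesMeHappy": "yes"},
    "lower-case first letter": {"rigorousMakesMeHappy": "yes"},
    "upper-case suffix": {"RigorousMakesMeHapPY": "yes"},
    "no tags": {},
    "name only inside a value": {"owner": "team-RigorousMakesMeHappy"},
    "name as prefix of a longer key": {"RigorousMakesMeHappyToo": "yes"},
}

def compare(samples: dict, tag_name: str) -> dict:
    """Return {label: (substring_result, exact_key_result)} per sample."""
    return {
        label: (serialized_contains(tags, tag_name),
                exact_key_present(tags, tag_name))
        for label, tags in samples.items()
    }

def disagreements(samples: dict, tag_name: str) -> list:
    """Labels where the substring test and the exact-key test differ."""
    return [label for label, (sub, exact) in compare(samples, tag_name).items()
            if sub != exact]

if __name__ == "__main__":
    for label, (sub, exact) in compare(SAMPLES, TAG_NAME).items():
        note = "" if sub == exact else "  <-- passes without the exact key"
        print(f"{label:32} substring={sub!s:5} exact_key={exact!s:5}{note}")
```

Under these assumptions the substring test agrees with the list above on casing, but it also passes when the name appears only inside a tag value or as part of a longer tag key, so those two cases are worth checking in an audit.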

 
