Custom azure policy for vm selection using notlike for tags

Kestutis Murauskas 20 Reputation points
2023-01-22T19:16:21.0666667+00:00

Hello,
I am debugging azure policy and still get wrong compliance status.
For example I have two azure arc VM with tags:
ClientCode: ggg and Environment: dev
ClientCode: hhh and Environment: acc

My policy should pick up that servers as compliant, but shows still inon-compliant. I have tried a lot of different approaches, but could not make it work. It those two tags are not like described ones, the policy should mark vm as compliant.

{
    "properties": {
        "displayName": "test tag exclude",
        "policyType": "Custom",
        "mode": "Indexed",
        "description": "Test tag matching",
        "metadata": {
            "version": "0.0.1-preview",
            "category": "Tags",
            "preview": true
        },
        "parameters": {
            "tagValuesExclude": {
                "type": "Array",
                "metadata": {
                    "displayName": "Tags on machines to exclude",
                    "description": "The list of tags that need to be excluded for getting target machines (case sensitive). Example: [ {\"key\": \"tagKey1\", \"value\": \"value1*\"}, {\"key\": \"tagKey2\", \"value\": \"value2*\"}]."
                },
                "defaultValue": [
                    {"key":"ClientCode", "value":"aaa*"},
                    {"key":"Environment", "value":"prd*"}
                ]
            }
        },
        "policyRule": {
            "if": {
                        "count": {
                            "value": "[parameters('tagValuesExclude')]",
                            "name": "tagExclude",
                            "where": {
                                "field": "tags['current('tagExclude').key']",
                                "notLike": "[current('tagExclude').value]"
                            }
                        },
                        "equals": "[length(parameters('tagValuesExclude'))]"
            },
            "then": {
                "effect": "audit"
            }
        }
    }
}
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
799 questions
0 comments
Accepted answer
  1. Roderick Bant 2,046 Reputation points
    2023-01-22T21:28:56.8+00:00

    Hi thanks for your question at Q&A. I understand that you are working on an Azure Policy to enforce certain tag name/value pairs not being present.

    When developing policies the approach a usually take is to keep policies simple by not attempting to make them to generic when its easier to write a more purpose fit policy instead. In this case the approach I would take is to create to 2 separate parameters for the ClientCode and Environment and use those parameters to check for the specific tags instead of trying to find them dynamically.

    If you need to make sure of multiple combinations of these ClientCode/Environment pairs you can make a policy assignment for each unique combination.

    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    Comments have been turned off. Learn more