How to enforce a Tag value on an optional Tag

Andreas Tratter 20 Reputation points
2024-02-12T15:37:04.9466667+00:00

Hello, I want to create an Azure Policy that defines the value of a tag, but the tag itself should be optional, not mandatory. Does anybody know if this is possible?

Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.

Accepted answer
  1. Ryan Hill 26,146 Reputation points Microsoft Employee
    2024-02-16T16:28:05.3+00:00

    @Andreas Tratter I've added a new answer to address the issues you found.

    {
      "properties": {
        "displayName": "Enforce Predefined Environment Tag Rule",
        "policyType": "Custom",
        "mode": "All",
        "parameters": {
          "tagName": {
            "type": "String",
            "metadata": {
              "displayName": "Tag Name",
              "description": "Name of the tag, such as 'environment'"
            },
            "defaultValue": "environment"
          },
          "listofallowedtagValues": {
            "type": "Array",
            "metadata": {
              "displayName": "Tag Values",
              "description": "Value of the tag, such as 'production'"
            },
            "defaultValue": [
              "Development",
              "Test",
              "Production"
            ]
          }
        },
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "[concat('tags[', parameters('tagName'), ']')]",
                "exists": true
              },
              {
                "not": {
                  "field": "[concat('tags[', parameters('tagName'), ']')]",
                  "in": "[parameters('listofallowedtagValues')]"
                }
              }
            ]
          },
          "then": {
            "effect": "deny"
          }
        }
      },
      "id": "/providers/Microsoft.Authorization/policyDefinitions/xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx",
      "name": "xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx",
      "type": "Microsoft.Authorization/policyDefinitions"
    }
    

    Create the assignment as

    [Screenshot: Azure Policy Assignment]

    And when you add the custom tag, it should result in

    [Screenshot: Azure Resource Group Tag Validation]

    1 person found this answer helpful.

2 additional answers

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.



  2. Ryan Hill 26,146 Reputation points Microsoft Employee
    2024-02-15T00:11:40.78+00:00

    Hi @Andreas Tratter
    I take it you're using something like New-AzTag to create the predefined tags. If you want to enforce specific tag values, you could look at doing something like the following:

    {
      "properties": {
        "displayName": "Allowed tag values for Resource Groups",
        "description": "This policy restricts the tag values for Resource Groups.",
        "policyType": "Custom",
        "mode": "Indexed",
        "metadata": {
          "version": "1.0.0",
          "category": "Tags"
        },
        "parameters": {
          "allowedTagValues": {
            "type": "array",
            "metadata": {
              "description": "The list of tag values that can be specified when deploying resource groups",
              "displayName": "Allowed tag values"
            },
            "defaultValue": [
              "Development",
              "Test",
              "Production"
            ]
          }
        },
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Resources/subscriptions/resourceGroups"
              },
              {
                "field": "tags[Environment]",
                "notIn": "[parameters('allowedTagValues')]"
              }
            ]
          },
          "then": {
            "effect": "deny"
          }
        }
      },
      "id": "/providers/Microsoft.Authorization/policyDefinitions/xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx",
      "name": "xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx"
    }
    

    What this policy does is limit the values for a tag named Environment. But I don't believe Policy supports getting that tag list dynamically, meaning that you would have to get those tags and incorporate them into the list. I also found a similar question over on Stack Overflow that you can reference as well.

    1 person found this answer helpful.
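To see the practical difference between the two definitions in this thread (the first version above with a bare notIn on tags[Environment], and the accepted answer that adds an exists check), here is an added example that is not Microsoft's code and not from either answer: a small Python evaluator covering only the subset of Azure Policy rule syntax the two definitions use (allOf, not, field, exists, equals, in, notIn, the type and tags[...] fields, and the [parameters()] and [concat()] template forms), run against constructed resource groups. It models the documented Azure Policy behaviour that positive conditions such as equals and in are false when the field is missing (so notEquals and notIn are true), that tag names are case-insensitive, and that string conditions other than match/notMatch compare case-insensitively; the definitions are transcribed from the thread, and the sample resources and parameter-handling helper are assumptions for illustration.

```python
"""Offline mini-evaluator for the two tag policies in this thread (illustration only)."""
import re

MISSING = object()  # sentinel: the field or tag is absent from the resource
_ARG = re.compile(r"'([^']*)'|parameters\('(\w+)'\)")  # concat() arguments used in the rules


def resolve(value, params):
    """Expand [parameters('x')] and [concat('...', parameters('x'), '...')] template forms."""
    if not isinstance(value, str) or not (value.startswith("[") and value.endswith("]")):
        return value  # plain literal or list
    expr = value[1:-1]
    m = re.fullmatch(r"parameters\('(\w+)'\)", expr)
    if m:
        return params[m.group(1)]
    m = re.fullmatch(r"concat\((.*)\)", expr)
    if m:
        return "".join(params[name] if name else lit for lit, name in _ARG.findall(m.group(1)))
    raise ValueError(f"unsupported expression: {value}")


def get_field(resource, field):
    """Look up 'type' or tags[<name>]; ARM tag names are case-insensitive, so match that way."""
    if field == "type":
        return resource.get("type", MISSING)
    m = re.fullmatch(r"tags\['?([^'\]]+)'?\]", field)
    if not m:
        raise ValueError(f"unsupported field: {field}")
    wanted = m.group(1).lower()
    for name, val in (resource.get("tags") or {}).items():
        if name.lower() == wanted:
            return val
    return MISSING


def _same(a, b):
    # Conditions other than match/notMatch compare strings case-insensitively.
    return a.lower() == b.lower() if isinstance(a, str) and isinstance(b, str) else a == b


def evaluate(cond, resource, params):
    """True when the condition matches, i.e. when the 'then' effect would fire."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    actual = get_field(resource, resolve(cond["field"], params))
    if "exists" in cond:
        return (actual is not MISSING) == (str(cond["exists"]).lower() == "true")
    # Positive conditions are false on a missing field; their negations (notEquals, notIn)
    # are therefore TRUE, which is what makes a bare notIn deny an untagged resource.
    if "equals" in cond:
        return actual is not MISSING and _same(actual, resolve(cond["equals"], params))
    if "in" in cond:
        return actual is not MISSING and any(_same(actual, v) for v in resolve(cond["in"], params))
    if "notIn" in cond:
        return actual is MISSING or not any(_same(actual, v) for v in resolve(cond["notIn"], params))
    raise ValueError(f"unsupported condition: {cond}")


def decide(definition, resource, overrides=None):
    """Return the rule's effect ('deny') when its if-block matches, else 'allow'."""
    params = {k: v["defaultValue"] for k, v in definition.get("parameters", {}).items()}
    params.update(overrides or {})  # assumed helper: assignment-time parameter overrides
    matched = evaluate(definition["policyRule"]["if"], resource, params)
    return definition["policyRule"]["then"]["effect"] if matched else "allow"


RG = "Microsoft.Resources/subscriptions/resourceGroups"
ALLOWED = ["Development", "Test", "Production"]

# First version from the thread: type filter plus a bare notIn on tags[Environment].
BARE_NOTIN = {
    "parameters": {"allowedTagValues": {"defaultValue": ALLOWED}},
    "policyRule": {"if": {"allOf": [
        {"field": "type", "equals": RG},
        {"field": "tags[Environment]", "notIn": "[parameters('allowedTagValues')]"}]},
        "then": {"effect": "deny"}},
}

# Accepted version: the value is only checked when the tag is actually present.
EXISTS_GUARDED = {
    "parameters": {"tagName": {"defaultValue": "environment"},
                   "listofallowedtagValues": {"defaultValue": ALLOWED}},
    "policyRule": {"if": {"allOf": [
        {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": True},
        {"not": {"field": "[concat('tags[', parameters('tagName'), ']')]",
                 "in": "[parameters('listofallowedtagValues')]"}}]},
        "then": {"effect": "deny"}},
}

# Constructed sample resource groups, not real resources.
SAMPLES = {
    "untagged": {"type": RG, "tags": {}},
    "production": {"type": RG, "tags": {"Environment": "Production"}},
    "typo": {"type": RG, "tags": {"Environment": "Prod"}},
    "lowercase": {"type": RG, "tags": {"environment": "production"}},
}


def compare():
    """Map each sample to (bare-notIn decision, exists-guarded decision)."""
    return {name: (decide(BARE_NOTIN, r), decide(EXISTS_GUARDED, r)) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (bare, guarded) in compare().items():
        print(f"{name:<11} bare notIn: {bare:<6} exists-guarded: {guarded}")
```

Running it shows the point of the accepted answer: the bare notIn version denies the untagged resource group, which makes the tag mandatory (the opposite of what the question asked for), while the exists-guarded version lets it through and only rejects a present tag whose value is outside the list. The lowercase sample also shows that "production" is accepted against a list containing "Production": this kind of policy constrains the set of values, not their casing, so downstream tooling that filters on the exact string should still normalise case.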