question

LucasEdson-0136 asked LucasEdson-0136 answered

Azure Policy require Tag only for new items

I have not been able to find documentation on how to enforce a specific Tag when "Creating" Azure resources, without the policy firing off if a resource already exists and is being "Updated".

Essentially: Require Tag only with "create", not "update".

azure-policy

Hi Lucas, why is it a concern to allow tagging on updates?
I believe that is 'as designed' so if someone makes a change the tag is still retained.


This is for a temporary governance solution.

New resources are to be tagged with a service ticket number for documentation purposes, however, there are many existing resources that need to get manually organized and changed.

Is it possible for an Azure Policy to be active for a "Create" event, and ignore an "Update" event, or did I misread that capability?

AnuragSingh-MSFT answered AnuragSingh-MSFT commented

Hi @LucasEdson-0136,

Welcome to Microsoft Q&A! Thanks for posting the question.

I see that you are trying to enforce Azure Policy only while creating the resource and not when updating it. This is not possible with Azure Policy. Policy and effects responsible for tag add/update are evaluated for both Create and Update. There is no way to restrict it. Ref: Modify effect on policy. These evaluations do not only remain active when creating/updating the resource but are evaluated at regular intervals to check if all the resources, with policy enforced on them, are compliant or not. Ref: Evaluation Triggers

Therefore, I don't think Azure Policy would be best suited for your requirement. In case you are deploying the resource through CLI/PowerShell/ARM template, you may add the check in a custom script which checks the tags before submitting for deployment.

Please let me know if you have any questions.


Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.


@LucasEdson-0136, I wanted to check if you had a chance to review my answer above. Please let me know if you have any queries or concerns.

Please 'Accept as answer' if it helped so that it can help others in the community looking for help on similar topics.

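The pre-deployment tag check suggested in the answer above, sketched as an added example (not code from the thread or from Microsoft). It enforces the tag only on resources that are absent from an inventory of existing resources. Assumptions: the tag name `ServiceTicket`, the constructed sample template (trimmed to the fields the check reads), and an inventory of existing `(type, name)` pairs supplied by the caller.

```python
import json

REQUIRED_TAG = "ServiceTicket"  # hypothetical tag name, not from the thread

# Constructed sample ARM template, trimmed to the fields this check reads.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Storage/storageAccounts", "name": "legacystore01"},
  {"type": "Microsoft.Storage/storageAccounts", "name": "newstore01",
   "tags": {"serviceticket": "INC0012345"}},
  {"type": "Microsoft.Network/virtualNetworks", "name": "newvnet01",
   "tags": {"Owner": "ops"}}
]}
""")

# Constructed inventory of resources that already exist, as (type, name) pairs.
SAMPLE_EXISTING = {("Microsoft.Storage/storageAccounts", "legacystore01")}


def has_required_tag(resource, tag=REQUIRED_TAG):
    """True if the resource carries the tag with a non-empty value."""
    tags = resource.get("tags")
    # Tags written as a template expression (a string) cannot be resolved
    # offline, so they count as missing and the check fails closed.
    if not isinstance(tags, dict):
        return False
    # Azure tag names are case-insensitive, so compare keys lower-cased.
    return any(k.lower() == tag.lower() and str(v).strip()
               for k, v in tags.items())


def untagged_new_resources(template, existing, tag=REQUIRED_TAG):
    """Return (type, name) for resources that are new and lack the tag."""
    known = {(t.lower(), n.lower()) for t, n in existing}
    missing = []
    for res in template.get("resources", []):
        key = (res.get("type", "").lower(), res.get("name", "").lower())
        if key in known:
            continue  # already deployed: treated as an update, not enforced
        # Names given as template expressions never match the inventory,
        # so such resources are treated as new.
        if not has_required_tag(res, tag):
            missing.append((res.get("type"), res.get("name")))
    return missing


if __name__ == "__main__":
    problems = untagged_new_resources(SAMPLE_TEMPLATE, SAMPLE_EXISTING)
    for rtype, name in problems:
        print(f"BLOCK: new resource {rtype}/{name} lacks tag {REQUIRED_TAG}")
    raise SystemExit(1 if problems else 0)
```

Run as a gate before the deployment command, the non-zero exit code stops the pipeline when a new resource is missing the tag.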
LucasEdson-0136 answered

I was definitely going to create a custom script to check the tags before submitting, but I guess there's no way to differentiate between "Create" and "Update"; they're treated as the same.

That's what I had found, but wanted to make sure.

Thanks
