I am trying to create a policy to assign multiple tags. While assigning this policy, the validation fails if no tags or wrong tags defined in the policy are assigned. However, it doesn't validate the allOf condition in the template, which means that if I assign any one tag, it validates and creates the resource. Ideally it should check for all eight tags mentioned. I am not clear, with this policy template, on how to add and enforce additional tags within the single ARM template. Below is the template:
"mode": "Indexed",
"policyRule": {
"if": {
"allOf": [
{
"field": "[concat('tags[', parameters('tagName1'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName2'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName3'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName4'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName5'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName6'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName7'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName8'), ']')]",
"exists": "false"
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {
"tagName1": {
"type": "String",
"metadata": {
"displayName": "Tag name1",
"description": "Name of the tag to enforce"
}
},
"tagName2": {
"type": "String",
"metadata": {
"displayName": "Tag name2",
"description": "Name of the tag to enforce"
}
},
"tagName3": {
"type": "String",
"metadata": {
"displayName": "Tag name3",
"description": "Name of the tag to enforce"
}
},
"tagName4": {
"type": "String",
"metadata": {
"displayName": "Tag name4",
"description": "Name of the tag to enforce"
}
},
"tagName5": {
"type": "String",
"metadata": {
"displayName": "Tag name5",
"description": "Name of the tag to enforce"
}
},
"tagName6": {
"type": "String",
"metadata": {
"displayName": "Tag name6",
"description": "Name of the tag to enforce"
}
},
"tagName7": {
"type": "String",
"metadata": {
"displayName": "Tag name7",
"description": "Name of the tag to enforce"
}
},
"tagName8": {
"type": "String",
"metadata": {
"displayName": "Tag name8",
"description": "Name of the tag to enforce"
}
}
}
}
Regards,
Sajith
A custom policy definition allows customers to define their own rules on resources in their Azure subscriptions. It is part of the Azure governance and management toolbox native to Azure.
If you are not clear, with the policy template, on how to add and enforce additional tags within the single ARM template, it's actually pretty straightforward. You need to add the additional tags as rules and parameters.
The ARM template given below will help you achieve your desired result.
{
"mode": "all",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"not": {
"field": "[concat('tags[',parameters('tagName1'), ']')]",
"exists": "true"
}
},
{
"not": {
"field": "[concat('tags[',parameters('tagName2'), ']')]",
"exists": "true"
}
},
{
"not": {
"field": "[concat('tags[',parameters('tagName3'), ']')]",
"exists": "true"
}
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {
"tagName1": {
"type": "String",
"metadata": {
"displayName": "Tag name1",
"description": "Name of the tag to enforce"
}
},
"tagName2": {
"type": "String",
"metadata": {
"displayName": "Tag name2",
"description": "Name of the tag to enforce"
}
},
"tagName3": {
"type": "String",
"metadata": {
"displayName": "Tag name3",
"description": "Name of the tag to enforce"
}
}
...
...
The next time someone deploys a resource group without the required tags in the subscription this policy is assigned to, the deployment will fail.
I would suggest reading the Azure Policy pattern: tags Microsoft document and the Require Many Tags on Resource Groups via Azure Policy document for more information.
My resource groups have an environment tag where only specific values are allowed: "dev, test, prod". I want to enforce that with an Azure Policy that denies any resource group creation that doesn't have one of the "dev, test, prod" values in its environment tag. My policy code is as below:
{
"properties": {
"displayName": "Allowed tag values for Resource Groups",
"description": "This policy enables you to restrict the tag values for Resource Groups.",
"policyType": "Custom",
"mode": "Indexed",
"metadata": {
"version": "1.0.0",
"category": "Tags"
},
"parameters": {
"allowedTagValues": {
"type": "array",
"metadata": {
"description": "The list of tag values that can be specified when deploying resource groups",
"displayName": "Allowed tag values"
},
"defaultValue": [
"dev","test","prod"
]
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "tags[environment]",
"notIn": "[parameters('allowedTagValues')]"
}
]
},
"then": {
"effect": "deny"
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx",
"name": "xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx"
}
This doesn't have any effect at all. I have tried this as well:
{
"not": {
"field": "tags[environment]",
"in": "[parameters('allowedTagValues')]"
}
}
Neither does this work.
Any suggestion?
You need to pass the tag values "dev", "test", "prod" as allowed values for the parameter listofallowedtagValues as shown below.
Based on your requirement we have created the below policy definition. We have tested this in our local environment and it is working fine.
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"not": {
"field": "[concat('tags[', parameters('tagName'), ']')]",
"in": "[parameters('listofallowedtagValues')]"
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the audit policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
},
"defaultValue": "environment"
},
"listofallowedtagValues": {
"type": "Array",
"metadata": {
"displayName": "Tag Values",
"description": "Value of the tag, such as 'production'"
},
"allowedValues": [
"dev",
"test",
"prod"
]
}
}
}
Note: As you can see from the below image, the custom policy has been assigned to the subscription.
Here are some sample outputs for reference:
In the below example, we passed the environment tag a value different from the three values defined in the listofallowedtagValues parameter, and the resource group deployment failed since it didn't meet the policy requirement.
In the below example, we passed the environment tag value as test and the resource group deployment succeeded as it met the policy requirements.
I am trying to understand how management group policies work by deploying some policies.
I have this ARM template, whose purpose is to block specific resources from being created. This works in my case, but I would like to deny the creation of a storage account only if a specific sku.name is selected.
This is the Azure policy.
{
"properties": {
"displayName": "Not allowed resource types",
"policyType": "BuiltIn",
"mode": "All",
"description": "This policy enables you to specify the resource types that your organization cannot deploy.",
"parameters": {
"listOfResourceTypesNotAllowed": {
"type": "Array",
"metadata": {
"description": "The list of resource types that cannot be deployed.",
"displayName": "Not allowed resource types",
"strongType": "resourceTypes"
}
}
},
"policyRule": {
"if": {
"field": "type",
"in": "[parameters('listOfResourceTypesNotAllowed')]"
},
"then": {
"effect": "Deny"
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "6c112d4e-5bc7-47ae-a041-ea2d9dccd749"
}
and these are my parameters:
{
"listOfResourceTypesNotAllowed": {
"type": "Array",
"metadata": {
"description": "The list of resource types that cannot be deployed.",
"displayName": "Not allowed resource types",
"strongType": "resourceTypes"
},
"allowedValues": [
"Microsoft.DocumentDB/databaseAccounts",
"Microsoft.Storage/storageAccounts"
]
}
}
and my rules:
{
"if": {
"field": "type",
"in": "[parameters('listOfResourceTypesNotAllowed')]"
},
"then": {
"effect": "Deny"
}
}
Can anyone help me understand how this can be achieved, please?
Thank you so much to anyone who can spend some time helping me understand this type of deployment.
You can use the below policy definition to allow only permitted SKU types of storage accounts to be deployed in your subscription:
{
"properties": {
"displayName": "Storage accounts should be limited by allowed SKUs",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Restrict the set of storage account SKUs that your organization can deploy.",
"metadata": {
"version": "1.1.0",
"category": "Storage"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the audit policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"listOfAllowedSKUs": {
"type": "Array",
"metadata": {
"description": "The list of SKUs that can be specified for storage accounts.",
"displayName": "Allowed SKUs",
"strongType": "StorageSKUs"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"not": {
"field": "Microsoft.Storage/storageAccounts/sku.name",
"in": "[parameters('listOfAllowedSKUs')]"
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "7433c107-6db4-4ad1-b57a-a76dce0154a1"
}
Reference:
List of built-in policy definitions - Azure Policy | Microsoft Docs
Storage accounts should be limited by allowed SKUs- policy
Trying to create a policy tied to a subscription in Azure that will deny the creation of a resource group without a specific "costCenter" tag. I have the following policy assigned to the subscription with "coreTagName1" set to "costCenter":
{
"properties": {
"displayName": "manual_test_1",
"policyType": "Custom",
"mode": "Indexed",
"description": "manual test for tag enforcement",
"metadata": {
"category": "test",
"createdBy": "#########",
"createdOn": "2020-04-02T12:27:39.2686671Z",
"updatedBy": "#########",
"updatedOn": "2020-04-02T12:35:32.5608728Z"
},
"parameters": {
"coreTagName1": {
"type": "String",
"metadata": {
"displayName": "tagName to enforce",
"description": "Name of the tag, such as costCenter"
}
}
},
"policyRule": {
"if": {
"anyOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"exists": "false",
"field": "[concat('tags[', parameters('coreTagName1'), ']')]"
}
]
},
"then": {
"effect": "deny"
}
}
},
"id": "/subscriptions/#########/providers/Microsoft.Authorization/policyDefinitions/########",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "#######"
}
But I can still create a resource group and not specify any tags at all. I feel like I am missing something fundamental in my approach but can't get my head round it yet.
As Jagrati mentioned, please allow some time for the policy to run a compliance scan before checking the compliance results. (Typical wait time is 30 minutes, but it depends heavily on the scope and the number of resources.)
I can't figure out a way to assign multiple accepted variables on a single tag.
Say we have an "Environment" tag.
I want the only accepted variables to be "Production, Testing, Pending".
However, I've only been able to assign one variable per tag.
I've tried using pre-built policies and building around them, as I'm fairly new to policies.
I have a tag "Environment".
I've created the tag Environment on the subscription, so it appears in the dropdown menu.
I've tried to create multiple variables in the variable section; however, I can only create one.
I can get it working with one variable, such as Production, but if I assign more than one variable in the text box it just adds it as one value. I've tried separating with ("',;:) and nothing seems to work.
{
"properties": {
"displayName": "Require tag and its value",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Enforces a required tag and its value. Does not apply to resource groups.",
"metadata": {
"category": "Tags"
},
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagValue": {
"type": "String",
"metadata": {
"displayName": "Tag Value",
"description": "Value of the tag, such as 'production'"
}
}
},
"policyRule": {
"if": {
"not": {
"field": "[concat('tags[', parameters('tagName'), ']')]",
"equals": "[parameters('tagValue')]"
}
},
"then": {
"effect": "deny"
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "1e30110a-5ceb-460c-a204-c1c3969c6d62"
}
When inputting the tag and variable:
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagValue": {
"type": "String",
"metadata": {
"displayName": "Tag Value",
"description": "Value of the tag, such as 'production'"
}
}
}
I'd like to know if it's possible to add a secondary tagValue ("tagValue1, 2, 3, etc."):
"tagValue": {
"type": "String",
"metadata": {
"displayName": "Tag Value",
"description": "Value of the tag, such as 'production'"
}
},
"tagValue1": {
"type": "String",
"metadata": {
"displayName": "Tag Value",
"description": "Value of the tag, such as 'Testing'"
}
},
"tagValue2": {
"type": "String",
"metadata": {
"displayName": "Tag Value",
"description": "Value of the tag, such as 'Pending'"
}
}
All other variables for this tag should be rejected.
However, I'm unable to get it working.
I think you need to use the in property. From the examples:
"parameters": {
"allowedLocations": {
"type": "array",
"metadata": {
"description": "The list of allowed locations for resources.",
"displayName": "Allowed locations",
"strongType": "location"
},
"defaultValue": [ "westus2" ],
"allowedValues": [
"eastus2",
"westus2",
"westus"
]
}
}
and then you can reference it:
{
"field": "location",
"in": "[parameters('allowedLocations')]"
}
You can take an example from Azure documentation site: https://learn.microsoft.com/en-us/azure/governance/policy/samples/enforce-tag-on-resource-groups
If you do not need any parameters for the policy:
{
"properties": {
"displayName": "Enforce tag Environment and its value on resource groups",
"description": "Enforces a required tag and its value on resource groups.",
"mode": "All",
"parameters": {
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"anyOf": [
{
"field": "tags[Environment]",
"notEquals": "Production"
},
{
"field": "tags[Environment]",
"notEquals": "Testing"
},
{
"field": "tags[Environment]",
"notEquals": "Pending"
}
]
}
]
},
"then": {
"effect": "deny"
}
}
}
}
With parameters:
{
"properties": {
"displayName": "Enforce tag and its value on resource groups",
"description": "Enforces a required tag and its value on resource groups.",
"mode": "All",
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"description": "Name of the tag, such as costCenter"
}
},
"tagValue1": {
"type": "String",
"metadata": {
"description": "Value of the tag, such as production"
}
},
"tagValue2": {
"type": "String",
"metadata": {
"description": "Value of the tag, such as testing"
}
},
"tagValue3": {
"type": "String",
"metadata": {
"description": "Value of the tag, such as pending"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"anyOf" : [
{
"field": "[concat('tags[',parameters('tagName'), ']')]",
"notEquals": "[parameters('tagValue1')]"
},
{
"field": "[concat('tags[',parameters('tagName'), ']')]",
"notEquals": "[parameters('tagValue2')]"
},
{
"field": "[concat('tags[',parameters('tagName'), ']')]",
"notEquals": "[parameters('tagValue3')]"
}
]
}
]
},
"then": {
"effect": "deny"
}
}
}
}
If you are creating a policy from the Azure portal, you do not need to copy displayName and description inside properties:
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"anyOf": [
{
"field": "tags[Environment]",
"notEquals": "Production"
},
{
"field": "tags[Environment]",
"notEquals": "Testing"
},
{
"field": "tags[Environment]",
"notEquals": "Pending"
}
]
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}
I've gotten this far thanks to your amazing help; however, upon validating new VMs I get the following error, whichever value I type: Pending, Testing or Production
{
"code": "InvalidTemplateDeployment",
"message": "The template deployment failed because of policy violation. Please see details for more information.",
"details": [
{
"code": "RequestDisallowedByPolicy",
"target": "tester123",
"message": "Resource 'tester123' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Enforce tag Environment\",\"id\":\"/subscriptions/f3434458-6c34-41bf-b159-04eff84fb1b8/providers/Microsoft.Authorization/policyAssignments/363b1c045401446eafdd29bf\"},\"policyDefinition\":{\"name\":\"Enforce tag Environment\",\"id\":\"/subscriptions/f3434458-6c34-41bf-b159-04eff84fb1b8/providers/Microsoft.Authorization/policyDefinitions/7be665bc-57a5-451d-b159-6cabcfd1042a\"}}]'.",
"additionalInfo": [
{
"type": "PolicyViolation",
"info": {
"policyDefinitionDisplayName": "Enforce tag Environment",
"evaluationDetails": {
"evaluatedExpressions": [
{
"result": "True",
"expressionKind": "Field",
"expression": "type",
"path": "type",
"expressionValue": "Microsoft.Compute/virtualMachines",
"targetValue": "Microsoft.Compute/virtualMachines",
"operator": "Equals"
},
{
"result": "True",
"expressionKind": "Field",
"expression": "tags[Environment]",
"path": "tags[Environment]",
"expressionValue": "Testing",
"targetValue": "Production",
"operator": "NotEquals"
}
]
},
"policyDefinitionId": "/subscriptions/f3434458-6c34-41bf-b159-04eff84fb1b8/providers/Microsoft.Authorization/policyDefinitions/7be665bc-57a5-451d-b159-6cabcfd1042a",
"policyDefinitionName": "7be665bc-57a5-451d-b159-6cabcfd1042a",
"policyDefinitionEffect": "deny",
"policyAssignmentId": "/subscriptions/f3434458-6c34-41bf-b159-04eff84fb1b8/providers/Microsoft.Authorization/policyAssignments/363b1c045401446eafdd29bf",
"policyAssignmentName": "363b1c045401446eafdd29bf",
"policyAssignmentDisplayName": "Enforce tag Environment",
"policyAssignmentScope": "/subscriptions/f3434458-6c34-41bf-b159-04eff84fb1b8",
"policyAssignmentParameters": {}
}
}
]
}
]
}
It would appear to me, at least, that I fail because of the wrong targetValue. However, I'd suppose that any of the 3 options defined in the policy definition would do?
At least I figured out how to only target this to our VMs, or at least I think I did.
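Added example, not code from any post in this thread and not Microsoft's policy engine: a small Python model of the Azure Policy condition operators used in the templates above (allOf, anyOf, not, exists, equals, notEquals, in, notIn), plus the one mode rule that matters here, so the logic of each posted rule can be checked offline against a constructed request body. The sample requests, tag names and helper function names are constructed for illustration; parameters are assumed to be already substituted into the rule. It demonstrates three things the thread ran into: the allOf of exists:false in the first question (and the allOf of not/exists in the first answer) denies only when every listed tag is missing, while anyOf denies when any one is missing; the anyOf of notEquals in the Environment-tag answer is true for every tag value, which is exactly what the RequestDisallowedByPolicy output just above shows for "Testing", and notIn against the allowed list is the correct form; and a definition in mode Indexed is never evaluated for resource groups, so a resource-group rule with mode Indexed (as in two of the questions above) has no effect at all.

```python
# Added example: a mini evaluator for the Azure Policy rule shapes seen in
# this thread. Not Microsoft code. Simplifications: field aliases are limited
# to 'type', 'location' and 'tags[name]'; parameters are already substituted;
# of mode 'Indexed' only the resource-group rule is modelled.

RESOURCE_GROUP = "Microsoft.Resources/subscriptions/resourceGroups"
VM = "Microsoft.Compute/virtualMachines"


def field_value(request, field):
    """Resolve a field alias against a constructed request body.
    An absent tag resolves to None, which is what 'exists' tests."""
    if field.startswith("tags[") and field.endswith("]"):
        return request.get("tags", {}).get(field[5:-1])
    return request.get(field)


def evaluate(condition, request):
    """Evaluate one policy condition (logical or field) to True/False."""
    if "allOf" in condition:
        return all(evaluate(c, request) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, request) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], request)
    value = field_value(request, condition["field"])
    if "exists" in condition:
        want_present = str(condition["exists"]).lower() == "true"
        return (value is not None) == want_present
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    if "in" in condition:
        return value in condition["in"]
    if "notIn" in condition:
        return value not in condition["notIn"]
    raise ValueError(f"unsupported condition: {condition}")


def is_denied(policy, request):
    """True when the rule matches and the effect is deny. A definition in
    mode 'Indexed' is never evaluated for resource groups, which is why the
    resource-group policies above that used 'Indexed' silently did nothing."""
    if policy["mode"].lower() == "indexed" and request["type"] == RESOURCE_GROUP:
        return False
    if not evaluate(policy["policyRule"]["if"], request):
        return False
    return policy["policyRule"]["then"]["effect"].lower() == "deny"


def require_tags(tag_names, combinator, mode="Indexed"):
    """Build a 'tags must exist' rule; combinator is 'allOf' or 'anyOf'."""
    checks = [{"field": f"tags[{t}]", "exists": "false"} for t in tag_names]
    return {"mode": mode, "policyRule": {"if": {combinator: checks},
                                         "then": {"effect": "deny"}}}


def restrict_rg_tag(condition, mode="All"):
    """Build a resource-group rule: deny when the tag condition matches."""
    match = {"allOf": [{"field": "type", "equals": RESOURCE_GROUP}, condition]}
    return {"mode": mode, "policyRule": {"if": match, "then": {"effect": "deny"}}}


# Constructed sample requests (not real deployments).
VM_ONE_TAG = {"type": VM, "tags": {"costCenter": "1234"}}
RG_TESTING = {"type": RESOURCE_GROUP, "tags": {"Environment": "Testing"}}
RG_BOGUS = {"type": RESOURCE_GROUP, "tags": {"Environment": "Sandbox"}}
REQUIRED = ["costCenter", "owner", "environment"]
ALLOWED_ENV = ["Production", "Testing", "Pending"]

# allOf of exists:false denies only when *every* tag is missing; anyOf is the fix.
ALLOF_EXISTS = require_tags(REQUIRED, "allOf")
ANYOF_EXISTS = require_tags(REQUIRED, "anyOf")

# anyOf of notEquals: no value equals all three at once, so it matches everything.
ANYOF_NOTEQUALS = restrict_rg_tag({"anyOf": [
    {"field": "tags[Environment]", "notEquals": v} for v in ALLOWED_ENV]})
# notIn against the allowed list; a missing tag (None) is denied too.
NOTIN_ALLOWED = restrict_rg_tag({"field": "tags[Environment]", "notIn": ALLOWED_ENV})
# Same rule with mode Indexed: resource groups are never evaluated.
NOTIN_INDEXED = restrict_rg_tag({"field": "tags[Environment]", "notIn": ALLOWED_ENV},
                                mode="Indexed")


def demo():
    """Return the verdict of each rule on the sample requests."""
    return {
        "allOf exists:false, VM with one of three tags": is_denied(ALLOF_EXISTS, VM_ONE_TAG),
        "anyOf exists:false, VM with one of three tags": is_denied(ANYOF_EXISTS, VM_ONE_TAG),
        "anyOf notEquals, RG Environment=Testing": is_denied(ANYOF_NOTEQUALS, RG_TESTING),
        "notIn allowed list, RG Environment=Testing": is_denied(NOTIN_ALLOWED, RG_TESTING),
        "notIn allowed list, RG Environment=Sandbox": is_denied(NOTIN_ALLOWED, RG_BOGUS),
        "notIn but mode Indexed, RG Environment=Sandbox": is_denied(NOTIN_INDEXED, RG_BOGUS),
    }


if __name__ == "__main__":
    for case, denied in demo().items():
        print(f"{'DENY ' if denied else 'allow'}  {case}")
```

The model is deliberately tiny, but it makes the two logic mistakes on this page visible before a definition is ever assigned: a "require all of these tags" rule must deny on anyOf of the missing-tag checks, and an "only these values" rule must use notIn (or an allOf of notEquals), never anyOf of notEquals. When a resource-group rule appears to do nothing, check the mode before waiting for a compliance scan.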
There is a solution for restricting the values in basics called "allowedValues":
https://learn.microsoft.com/pl-pl/azure/governance/policy/concepts/definition-structure
https://learn.microsoft.com/pl-pl/azure/governance/policy/concepts/definition-structure#parameter-properties
"parameters": {
"allowedLocations": {
"type": "array",
"metadata": {
"description": "The list of allowed locations for resources.",
"displayName": "Allowed locations",
"strongType": "location"
},
"defaultValue": [ "westus2" ],
"allowedValues": [
"eastus2",
"westus2",
"westus"
]
}
}