I am trying to create a policy to assign multiple tags. While assigning this policy, the validation fails if no tags, or tags other than those defined in the policy, are assigned. However, it doesn't validate the allOf condition in the template, which means that if I assign any one tag, it validates and creates the resource. Ideally it should check for all eight tags mentioned. I am not clear, with this policy template, how to add and enforce additional tags within the single ARM template. Below is the template:
"mode": "Indexed",
"policyRule": {
"if": {
"allOf": [
{
"field": "[concat('tags[', parameters('tagName1'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName2'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName3'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName4'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName5'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName6'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName7'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName8'), ']')]",
"exists": "false"
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {
"tagName1": {
"type": "String",
"metadata": {
"displayName": "Tag name1",
"description": "Name of the tag to enforce"
}
},
"tagName2": {
"type": "String",
"metadata": {
"displayName": "Tag name2",
"description": "Name of the tag to enforce"
}
},
"tagName3": {
"type": "String",
"metadata": {
"displayName": "Tag name3",
"description": "Name of the tag to enforce"
}
},
"tagName4": {
"type": "String",
"metadata": {
"displayName": "Tag name4",
"description": "Name of the tag to enforce"
}
},
"tagName5": {
"type": "String",
"metadata": {
"displayName": "Tag name5",
"description": "Name of the tag to enforce"
}
},
"tagName6": {
"type": "String",
"metadata": {
"displayName": "Tag name6",
"description": "Name of the tag to enforce"
}
},
"tagName7": {
"type": "String",
"metadata": {
"displayName": "Tag name7",
"description": "Name of the tag to enforce"
}
},
"tagName8": {
"type": "String",
"metadata": {
"displayName": "Tag name8",
"description": "Name of the tag to enforce"
}
}
}
}
Regards,
Sajith
A custom policy definition allows customers to define their own rules on resources in your Azure subscriptions. It is a part of the Azure Governance and management toolbox native to Azure.
If you are not clear, from the policy template, about how to add and enforce additional tags within the single ARM template, it's actually pretty straightforward. You need to add the additional tags as rules and parameters.
The ARM template given below will help you to achieve your desired result.
{
"mode": "all",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"not": {
"field": "[concat('tags[',parameters('tagName1'), ']')]",
"exists": "true"
}
},
{
"not": {
"field": "[concat('tags[',parameters('tagName2'), ']')]",
"exists": "true"
}
},
{
"not": {
"field": "[concat('tags[',parameters('tagName3'), ']')]",
"exists": "true"
}
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {
"tagName1": {
"type": "String",
"metadata": {
"displayName": "Tag name1",
"description": "Name of the tag to enforce"
}
},
"tagName2": {
"type": "String",
"metadata": {
"displayName": "Tag name2",
"description": "Name of the tag to enforce"
}
},
"tagName3": {
"type": "String",
"metadata": {
"displayName": "Tag name3",
"description": "Name of the tag to enforce"
}
}
...
...
The next time someone deploys a resource group without the required tags in the subscription this policy is assigned to, the deployment will fail.
I would suggest reading the "Azure Policy pattern: tags" Microsoft document and the "Require Many Tags on Resource Groups via Azure Policy" document for more information.
Requirement - I need to restrict all users from creating any resource in particular locations. So I have created a custom policy by combining two built-in policies, "Allowed locations" and "Not allowed resource types".
Issue - I am unable to create most of the resources, but I am able to create a few of them, like Resource Group, Function Apps, App Service and SQL Database, which is unexpected.
Below is the policy I have created -
{
"properties": {
"displayName": "NotAllowedResourcesinRestrictedLocation",
"policyType": "Custom",
"mode": "Indexed",
"metadata": {
"version": "1.0.0",
"updatedBy": null,
"updatedOn": null
},
"parameters": {
"listOfResourceTypesNotAllowed": {
"type": "Array",
"metadata": {
"displayName": "Not allowed resource types",
"description": "The list of resource types that cannot be deployed.",
"strongType": "resourceTypes"
}
},
"listOfAllowedLocations": {
"type": "Array",
"metadata": {
"displayName": "Allowed locations",
"description": "The list of locations that can be specified when deploying resources.",
"strongType": "location"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"in": "[parameters('listOfResourceTypesNotAllowed')]"
},
{
"field": "location",
"notIn": "[parameters('listOfAllowedLocations')]"
},
{
"field": "location",
"notEquals": "global"
},
{
"field": "type",
"notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
},
{
"value": "[field('type')]",
"exists": true
}
]
},
"then": {
"effect": "deny"
}
}
}
}
Could someone please guide me on this?
Can anyone help me with creating a policy definition to inherit multiple or all tags from a subscription? I see the built-in policy that allows for a single tag to be inherited but I'm not sure how to modify that policy definition to include multiple tags.
Here is what the built-in definition looks like:
{
"mode": "Indexed",
"policyRule": {
"if": {
"allOf": [
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
},
{
"value": "[subscription().tags[parameters('tagName')]]",
"notEquals": ""
}
]
},
"then": {
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"operations": [
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName'), ']')]",
"value": "[subscription().tags[parameters('tagName')]]"
}
]
}
}
},
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
}
}
}
There is no easy way to inherit multiple tags with policy. You need to add them one by one, like below:
"policyRule": {
"if": {
"anyOf": [
{
"exists": "false",
"field": "tags['tag1']"
},
{
"exists": "false",
"field": "tags['tag2']"
},
{
"exists": "false",
"field": "tags['tag3']"
}
]
},
"then": {
"details": {
"operations": [
{
"field": "tags['tag1']",
"operation": "add",
"value": "[subscription().tags['tag1']]"
},
{
"field": "tags['tag2']",
"operation": "add",
"value": "[subscription().tags['tag2']]"
},
{
"field": "tags['tag3']",
"operation": "add",
"value": "[subscription().tags['tag3']]"
}
],
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/*****"
]
},
"effect": "modify"
}
}
I've figured it out. See the code below:
"properties": {
"displayName": "Add multiple tags to resource if missing",
"policyType": "Custom",
"mode": "Indexed",
"description": "Adds multiple tags with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed.",
"parameters": {
"tagName1": {
"type": "String",
"metadata": {
"displayName": "First Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName2": {
"type": "String",
"metadata": {
"displayName": "Second Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName3": {
"type": "String",
"metadata": {
"displayName": "Third Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName4": {
"type": "String",
"metadata": {
"displayName": "Forth Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName5": {
"type": "String",
"metadata": {
"displayName": "Fifth Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName6": {
"type": "String",
"metadata": {
"displayName": "Sixth Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName7": {
"type": "String",
"metadata": {
"displayName": "Seventh Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName8": {
"type": "String",
"metadata": {
"displayName": "Eighth Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName9": {
"type": "String",
"metadata": {
"displayName": "Ninth Tag Name",
"description": "Name of the tag, such as 'environment'"
}
}
},
"policyRule": {
"if": {
"anyOf": [
{
"field": "[concat('tags[', parameters('tagName1'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName2'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName3'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName4'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName5'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName6'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName7'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName8'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName9'), ']')]",
"exists": "false"
}
]
},
"then": {
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"operations": [
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName1'), ']')]",
"value": "[resourceGroup().tags[parameters('tagName1')]]"
},
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName2'), ']')]",
"value": "[resourceGroup().tags[parameters('tagName2')]]"
},
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName3'), ']')]",
"value": "[resourceGroup().tags[parameters('tagName3')]]"
},
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName4'), ']')]",
"value": "[resourceGroup().tags[parameters('tagName4')]]"
},
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName5'), ']')]",
"value": "[resourceGroup().tags[parameters('tagName5')]]"
},
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName6'), ']')]",
"value": "[resourceGroup().tags[parameters('tagName6')]]"
},
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName7'), ']')]",
"value": "[resourceGroup().tags[parameters('tagName7')]]"
},
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName8'), ']')]",
"value": "[resourceGroup().tags[parameters('tagName8')]]"
},
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName9'), ']')]",
"value": "[resourceGroup().tags[parameters('tagName9')]]"
}
]
}
}
}
}
}
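The answer above hand-writes nine parameters, nine anyOf conditions and nine modify operations, and the earlier reply notes that there is no built-in way to inherit several tags at once. As an added example (written for this page; it is not code from the poster, from the built-in definition, or from Microsoft), here is a Python generator that emits the same shape of definition for any number of tags, and also lets the value be copied from the subscription instead of the resource group. The names build_inherit_tags_policy, tag_field and ORDINALS are introduced here; the only identifier taken from the page is the Contributor role id quoted in the built-in definition earlier in this thread.

```python
import json

# Added example, not code from any post on this page: build the
# "inherit tags from the parent" policy definition for N tag names, instead of
# hand-writing one anyOf condition and one modify operation per tag.
# The role id is the Contributor role used by the built-in definition quoted
# above; the modify effect needs it to write tags during remediation.
CONTRIBUTOR_ROLE = ("/providers/Microsoft.Authorization/roleDefinitions/"
                    "b24988ac-6180-42a0-ab88-20f7382dd24c")
ORDINALS = ["First", "Second", "Third", "Fourth", "Fifth",
            "Sixth", "Seventh", "Eighth", "Ninth", "Tenth"]


def tag_field(param_name):
    """Field expression addressing tags[<name>] where <name> is a parameter."""
    return "[concat('tags[', parameters('%s'), ']')]" % param_name


def build_inherit_tags_policy(tag_count, source="resourceGroup"):
    """Return the 'properties' object of a custom policy definition with
    parameters tagName1..tagNameN.  source selects whose tag value is copied
    onto the resource: the resource group or the subscription."""
    if source not in ("resourceGroup", "subscription"):
        raise ValueError("source must be 'resourceGroup' or 'subscription'")
    if not 1 <= tag_count <= len(ORDINALS):
        raise ValueError("tag_count must be between 1 and %d" % len(ORDINALS))

    parameters, conditions, operations = {}, [], []
    for i in range(1, tag_count + 1):
        p = "tagName%d" % i
        parameters[p] = {
            "type": "String",
            "metadata": {
                "displayName": "%s Tag Name" % ORDINALS[i - 1],
                "description": "Name of the tag, such as 'environment'",
            },
        }
        # Fire when this tag is missing on the resource ...
        conditions.append({"field": tag_field(p), "exists": "false"})
        # ... and copy the parent's value for the same tag name.
        operations.append({
            "operation": "add",
            "field": tag_field(p),
            "value": "[%s().tags[parameters('%s')]]" % (source, p),
        })

    return {
        "displayName": "Add multiple tags to resource if missing",
        "policyType": "Custom",
        "mode": "Indexed",
        "description": ("Adds %d tags with their values from the parent %s when a "
                        "resource missing any of them is created or updated."
                        % (tag_count, source)),
        "parameters": parameters,
        "policyRule": {
            # anyOf: one missing tag is enough to trigger the modify effect.
            "if": {"anyOf": conditions},
            "then": {
                "effect": "modify",
                "details": {
                    "roleDefinitionIds": [CONTRIBUTOR_ROLE],
                    "operations": operations,
                },
            },
        },
    }


if __name__ == "__main__":
    # Print a three-tag definition ready to paste into the portal's JSON editor.
    print(json.dumps({"properties": build_inherit_tags_policy(3)}, indent=2))
```

Generating the definition also makes it easier to review: the only thing that varies between the conditions and operations is the parameter name, so a reviewer checks the pattern once instead of reading nine near-identical copies for a stray allOf or a mismatched tagName index.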
My resource groups have an environment tag where only specific values are allowed: "dev,test,prod". I want to enforce that with an Azure Policy that will deny the creation of any resource group that doesn't have one of these "dev,test,prod" values in its environment tag. My policy code is as below:
{
"properties": {
"displayName": "Allowed tag values for Resource Groups",
"description": "This policy enables you to restrict the tag values for Resource Groups.",
"policyType": "Custom",
"mode": "Indexed",
"metadata": {
"version": "1.0.0",
"category": "Tags"
},
"parameters": {
"allowedTagValues": {
"type": "array",
"metadata": {
"description": "The list of tag values that can be specified when deploying resource groups",
"displayName": "Allowed tag values"
},
"defaultValue": [
"dev","test","prod"
]
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "tags[environment]",
"notIn": "[parameters('allowedTagValues')]"
}
]
},
"then": {
"effect": "deny"
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx",
"name": "xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx"
}
This doesn't have any effect at all. I have tried this as well:
{
"not": {
"field": "tags[environment]",
"in": "[parameters('allowedTagValues')]"
}
}
This doesn't work either.
Any suggestions?
You need to pass the tag values "dev", "test", "prod" as allowed values for the parameter listofallowedtagValues, as shown below.
Based on your requirement we have created the below policy definition. We have tested this in our local environment, where it is working fine.
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"not": {
"field": "[concat('tags[', parameters('tagName'), ']')]",
"in": "[parameters('listofallowedtagValues')]"
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the audit policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
},
"defaultValue": "environment"
},
"listofallowedtagValues": {
"type": "Array",
"metadata": {
"displayName": "Tag Values",
"description": "Value of the tag, such as 'production'"
},
"allowedValues": [
"dev",
"test",
"prod"
]
}
}
}
Note: As you can see from the below image, the custom policy has been assigned to the subscription.
Here are some sample outputs for reference:
In the below example, we passed the environment tag a value different from the three values defined in the listofallowedtagValues parameter, and the resource group deployment failed since it didn't meet the policy requirement.
In the below example, we passed the environment tag value as test, and the resource group deployment succeeded as it met the policy requirements.
I am trying to set up an Azure Policy to enforce multiple tags on a Resource Group upon creation. However, the policy is behaving in a weird manner such that the RG group will get created even when only one of the tags (tagName1) is added. I'm not exactly sure what is going wrong because as per my understanding allOf behaves as an AND operator and the RG group should only get created if all the tags have been added.
I need some guidance on how I can debug this. Thanks
My Policy:
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "[concat('tags[', parameters('tagName1'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName2'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName3'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName4'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName5'), ']')]",
"exists": "false"
},
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {
"tagName1": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName2": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName3": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName4": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName5": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
}
}
}
The current condition will deny the create/update request only if all tags (1-5) are missing.
Use anyOf instead of allOf.
I can't figure out a way to assign multiple accepted variables on a single tag.
Say we have an "Environment" tag.
I want the only accepted variables to be "Production, Testing, Pending".
However, I've only been able to assign one variable per tag.
I've tried using pre-built policies and building around them, as I'm fairly new to policies.
I have a tag "Environment".
I've created the tag Environment on the subscription, so it appears in the dropdown menu.
I've tried to create multiple variables in the variable section; however, I can only create one.
I can get it working with one variable, such as Production, but if I assign more than one variable in the text box it just adds them as one value. I've tried separating with (" ' , ; :) and nothing seems to work.
{
"properties": {
"displayName": "Require tag and its value",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Enforces a required tag and its value. Does not apply to resource groups.",
"metadata": {
"category": "Tags"
},
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagValue": {
"type": "String",
"metadata": {
"displayName": "Tag Value",
"description": "Value of the tag, such as 'production'"
}
}
},
"policyRule": {
"if": {
"not": {
"field": "[concat('tags[', parameters('tagName'), ']')]",
"equals": "[parameters('tagValue')]"
}
},
"then": {
"effect": "deny"
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "1e30110a-5ceb-460c-a204-c1c3969c6d62"
}
When inputting the tag and variable:
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
"tagValue": {
"type": "String",
"metadata": {
"displayName": "Tag Value",
"description": "Value of the tag, such as 'production'"
}
I'd like to know if it's possible to add a secondary tagValue ("tagValue1", "tagValue2", "tagValue3", etc.):
"tagValue": {
"type": "String",
"metadata": {
"displayName": "Tag Value",
"description": "Value of the tag, such as 'production'"
}
"tagValue1": {
"type": "String",
"metadata": {
"displayName": "Tag Value",
"description": "Value of the tag, such as 'Testing'"
}
"tagValue2": {
"type": "String",
"metadata": {
"displayName": "Tag Value",
"description": "Value of the tag, such as 'Pending'"
}
All other variables for this tag should be rejected.
However, I'm unable to get it working.
I think you need to use the "in" property. From the examples:
"parameters": {
"allowedLocations": {
"type": "array",
"metadata": {
"description": "The list of allowed locations for resources.",
"displayName": "Allowed locations",
"strongType": "location"
},
"defaultValue": [ "westus2" ],
"allowedValues": [
"eastus2",
"westus2",
"westus"
]
}
}
and then you can reference it:
{
"field": "location",
"in": "[parameters('allowedLocations')]"
}
You can take an example from Azure documentation site: https://learn.microsoft.com/en-us/azure/governance/policy/samples/enforce-tag-on-resource-groups
If you do not need any parameters for the policy:
{
"properties": {
"displayName": "Enforce tag Environment and its value on resource groups",
"description": "Enforces a required tag and its value on resource groups.",
"mode": "All",
"parameters": {
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"anyOf": [
{
"field": "tags[Environment]",
"notEquals": "Production"
},
{
"field": "tags[Environment]",
"notEquals": "Testing"
},
{
"field": "tags[Environment]",
"notEquals": "Pending"
}
]
}
]
},
"then": {
"effect": "deny"
}
}
}
}
With parameters:
{
"properties": {
"displayName": "Enforce tag and its value on resource groups",
"description": "Enforces a required tag and its value on resource groups.",
"mode": "All",
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"description": "Name of the tag, such as costCenter"
}
},
"tagValue1": {
"type": "String",
"metadata": {
"description": "Value of the tag, such as production"
}
},
"tagValue2": {
"type": "String",
"metadata": {
"description": "Value of the tag, such as testing"
}
},
"tagValue3": {
"type": "String",
"metadata": {
"description": "Value of the tag, such as pending"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"anyOf" : [
{
"field": "[concat('tags[',parameters('tagName'), ']')]",
"notEquals": "[parameters('tagValue1')]"
},
{
"field": "[concat('tags[',parameters('tagName'), ']')]",
"notEquals": "[parameters('tagValue2')]"
},
{
"field": "[concat('tags[',parameters('tagName'), ']')]",
"notEquals": "[parameters('tagValue3')]"
}
]
}
]
},
"then": {
"effect": "deny"
}
}
}
}
If you are creating a policy from the Azure Portal, you do not need to copy displayName and description inside properties:
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"anyOf": [
{
"field": "tags[Environment]",
"notEquals": "Production"
},
{
"field": "tags[Environment]",
"notEquals": "Testing"
},
{
"field": "tags[Environment]",
"notEquals": "Pending"
}
]
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}
I've gotten this far thanks to your amazing help; however, upon validating new VMs I get the following error, whichever value I type: Pending, Testing or Production.
{
"code": "InvalidTemplateDeployment",
"message": "The template deployment failed because of policy violation. Please see details for more information.",
"details": [
{
"code": "RequestDisallowedByPolicy",
"target": "tester123",
"message": "Resource 'tester123' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Enforce tag Environment\",\"id\":\"/subscriptions/f3434458-6c34-41bf-b159-04eff84fb1b8/providers/Microsoft.Authorization/policyAssignments/363b1c045401446eafdd29bf\"},\"policyDefinition\":{\"name\":\"Enforce tag Environment\",\"id\":\"/subscriptions/f3434458-6c34-41bf-b159-04eff84fb1b8/providers/Microsoft.Authorization/policyDefinitions/7be665bc-57a5-451d-b159-6cabcfd1042a\"}}]'.",
"additionalInfo": [
{
"type": "PolicyViolation",
"info": {
"policyDefinitionDisplayName": "Enforce tag Environment",
"evaluationDetails": {
"evaluatedExpressions": [
{
"result": "True",
"expressionKind": "Field",
"expression": "type",
"path": "type",
"expressionValue": "Microsoft.Compute/virtualMachines",
"targetValue": "Microsoft.Compute/virtualMachines",
"operator": "Equals"
},
{
"result": "True",
"expressionKind": "Field",
"expression": "tags[Environment]",
"path": "tags[Environment]",
"expressionValue": "Testing",
"targetValue": "Production",
"operator": "NotEquals"
}
]
},
"policyDefinitionId": "/subscriptions/f3434458-6c34-41bf-b159-04eff84fb1b8/providers/Microsoft.Authorization/policyDefinitions/7be665bc-57a5-451d-b159-6cabcfd1042a",
"policyDefinitionName": "7be665bc-57a5-451d-b159-6cabcfd1042a",
"policyDefinitionEffect": "deny",
"policyAssignmentId": "/subscriptions/f3434458-6c34-41bf-b159-04eff84fb1b8/providers/Microsoft.Authorization/policyAssignments/363b1c045401446eafdd29bf",
"policyAssignmentName": "363b1c045401446eafdd29bf",
"policyAssignmentDisplayName": "Enforce tag Environment",
"policyAssignmentScope": "/subscriptions/f3434458-6c34-41bf-b159-04eff84fb1b8",
"policyAssignmentParameters": {}
}
}
]
}
]
}
It would appear to me, at least, that I fail because of the wrong targetValue. However, I'd suppose that any of the 3 options defined in the policy definition would do?
At least I figured out how to target this only at our VMs, or at least I think I did.
There is a solution for restricting the values in basics called "allowedValues":
https://learn.microsoft.com/pl-pl/azure/governance/policy/concepts/definition-structure
https://learn.microsoft.com/pl-pl/azure/governance/policy/concepts/definition-structure#parameter-properties
"parameters": {
"allowedLocations": {
"type": "array",
"metadata": {
"description": "The list of allowed locations for resources.",
"displayName": "Allowed locations",
"strongType": "location"
},
"defaultValue": [ "westus2" ],
"allowedValues": [
"eastus2",
"westus2",
"westus"
]
}
}