AZURE POLICY MANY TAGS ON RESOURCE GROUPS

Posted on May 17, 2019

Azure Policy can be used to enforce rules and effects on resources in Azure subscriptions. It is a part of the Azure Governance and management toolbox native to Azure.

In this blog post, I want to dig into Requiring Tags on Resource Groups via Azure Policy. There is a sample policy ARM Template to accomplish this here:

https://docs.microsoft.com/en-us/azure/governance/policy/samples/enforce-tag-on-resource-groups . What is not clear with the this policy template is how to add an enforce additional tags within the single ARM Template. This is important as you don’t want to have multiple templates to enforce multiple tags.

Well its actually pretty straight forward. You need to add the additional tags as Rules and Parameters. Here is the full example Policy ARM Template here:

{}{
“mode”: “all”,
“policyRule”: {
“if”: {
“allOf”: [
{
“field”: “type”,
“equals”: “Microsoft.Resources/subscriptions/resourceGroups”
},
{
“not”: {
“field”: “[concat(‘tags[‘,parameters(‘Project’), ‘]’)]”,
“exists”: “true”
}
},
{
“not”: {
“field”: “[concat(‘tags[‘,parameters(‘Functional Area’), ‘]’)]”,
“exists”: “true”
}
},
{
“not”: {
“field”: “[concat(‘tags[‘,parameters(‘Environment’), ‘]’)]”,
“exists”: “true”
}
},
{
“not”: {
“field”: “[concat(‘tags[‘,parameters(‘AppOwner’), ‘]’)]”,
“exists”: “true”
}
}
]
},
“then”: {
“effect”: “deny”
}
},
“parameters”: {
“BillTo”: {
“type”: “String”,
“metadata”: {
“description”: “Provides a project to attribute the bill for the resources too. Tag value: Project Cost Center. Example: nkcode@nkcode.xyz”
}
},
“Functional Area”: {
“type”: “String”,
“metadata”: {
“description”: “Provides information on department or team is responsible for administering/supporting the application. Tag value: Team name/email. Example: web”
}
},
“Environment”: {
“type”: “String”,
“metadata”: {
“description”: “Provides information on what the resource group is used for (useful for maintenance, policy enforcement, chargeback, etc.) Tag value: Dev, QA, Stage, Test, Prod. Example: Prod”
}
},
“AppOwner”: {
“type”: “String”,
“metadata”: {
“description”: “The Business app owner to contact. Tag value: Business App owners’ email. Example: nkadmin@nkcode.xyz”
}
}
}
}