Require Many Tags on Resource Groups via Azure Policy

Azure Policy can be used to enforce rules and effects on resources in your Azure subscriptions. It is a part of the Azure Governance and management toolbox native to Azure. I actually wrote a blog post all about Azure Policy here as a part of my native cloud management in azure blog series.

In this blog post I want to dig into Requiring Tags on Resource Groups via Azure Policy. There is a sample policy ARM Template to accomplish this here:

https://docs.microsoft.com/en-us/azure/governance/policy/samples/enforce-tag-on-resource-groups . What is not clear with the this policy template is how to add an enforce additional tags within the single ARM Template. This is important as you don’t want to have multiple templates to enforce multiple tags.

Well its actually pretty straight forward. You need to add the additional tags as Rules and Parameters. For example:

{
"not": {
"field": "[concat('tags[',parameters('Environment'), ']')]",
"exists": "true"
}
},

and

"Environment": {
"type": "String",
"metadata": {
"description": "Provides information on what the resource group is used for (useful for maintenance, policy enforcement, chargeback, etc.) Tag value: Dev, QA, Stage, Test, Prod. Example: Prod"
}
},

Be sure you add a parameter for every rule. Also in the example I gave I removed the “equals”: “[parameters(‘tagValue’)]” from the rules because I did not want to populate the tag value. I simply needed to require the tag and leave the value open for the person creating the resource to fill in. Here is the full example Policy ARM Template here:

{
  "mode": "all",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "not": {
            "field": "[concat('tags[',parameters('BillTo'), ']')]",
            "exists": "true"
          }
        },
        {
            "not": {
              "field": "[concat('tags[',parameters('Functional Area'), ']')]",
              "exists": "true"
            }
          },
          {
            "not": {
              "field": "[concat('tags[',parameters('Environment'), ']')]",
              "exists": "true"
            }
          },
          {
            "not": {
              "field": "[concat('tags[',parameters('AppOwner'), ']')]",
              "exists": "true"
            }
          }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "BillTo": {
      "type": "String",
      "metadata": {
        "description": "Provides a charge code or cost center to attribute the bill for the resources too. Tag value: Cost Center. Example: team@domain.com"
      }
    },
    "Functional Area": {
        "type": "String",
        "metadata": {
          "description": "Provides information on department or team is responsible for administering/supporting the application. Tag value: Team name/email. Example: 1506548"
        }
      },
      "Environment": {
        "type": "String",
        "metadata": {
          "description": "Provides information on what the resource group is used for (useful for maintenance, policy enforcement, chargeback, etc.) Tag value: Dev, QA, Stage, Test, Prod. Example: Prod"
        }
      },
      "AppOwner": {
        "type": "String",
        "metadata": {
          "description": "The Business app owner to contact. Tag value: Business App owners’ email. Example: name@domain.com"
        }
      }
  }
}

After you create the Policy definition using the ARM template it will look like this:

When you assign the policy you will need to complete the parameters:

The next time someone deploys a resource group without the required tags in the subscription this policy is assigned to it will fail.

Thanks for reading!

Print Friendly, PDF & Email

Leave a Reply