Tag: require tag on resources

Posted on by 1 Comment

Azure policy require specific tags on resources

Azure policies can help you control your azure management especially when it comes to best practices. A nice to have policy for your setup would be to require tags on specific resources in order to organize better your infrastructure.

Tag resources, resource groups, and subscriptions for logical organization – Azure Resource Manager | Microsoft Learn

First you will need to create your policy. By searching for Policy on Azure you should select Definitions and then Add policy definition.

In this scenario we will examine how we can request for specific tags on resource creation. The policy uses anyOf keyword which means that if any of the tags are not set then the effect will be deny. The tags that I request are: created-by, Team, Application, TBD. All those tags should be set before creating the resource. The tag should be spelled correctly and policy will not work for different deviations of the worlds. For example createdBy is different from created-by. 

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "field": "[concat('tags[', parameters('tag_createdBy'), ']')]",
          "exists": "false"
        },
        {
          "field": "[concat('tags[', parameters('tag_team'), ']')]",
          "exists": "false"
        },
        {
          "field": "[concat('tags[', parameters('tag_tbd'), ']')]",
          "exists": "false"
        },
        {
          "field": "[concat('tags[', parameters('tag_application'), ']')]",
          "exists": "false"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "tag_createdBy": {
      "type": "String",
      "metadata": {
        "displayName": "created-by",
        "description": "example: Gerasimos Alexiou"
      }
    },
    "tag_team": {
      "type": "String",
      "metadata": {
        "displayName": "Team",
        "description": "example: DevOps"
      }
    },
    "tag_tbd": {
      "type": "String",
      "metadata": {
        "displayName": "TBD",
        "description": "example: (to be deleted) true or false"
      }
    },
    "tag_application": {
      "type": "String",
      "metadata": {
        "displayName": "Application",
        "description": "example: Grafana,Teamcity"
      }
    }
  }
}

After the creation of the policy you will need to assign it on a specific location/resource-group/subscription. In the parameters dialog you will need to provide the evaluation parameters. For the sake of simplicity I provided the same name for policy parameters and azure parameters. In the end Azure will request from the user the specific parameters, created-by, Team, TBD, Application.

We can test the behavior by creating a new resource with missing tags.

When TBD tag is missing, the validation will fail and the deployment cannot start until the tags are created.

After providing all the tags

The validation will pass and the deployment will be successful.