Hello community 🙋♂️!
I’m configuring an Azure Policy to check presence of a tag on new and old ressources.
Checking the presence only was quite easy:
policy_rule = <<RULE
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "[concat('tags[', parameters('TagName'), ']')]",
"exists": "false"
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
RULE
With following parameters:
parameters = <<PARAMETERS
{
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"effect": {
"type": "String",
"defaultValue": "Audit",
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"metadata": {
"displayName": "Effect",
"description": "The effect determines what happens when the policy rule is evaluated to match"
}
}
}
PARAMETERS
But now I want that the policy rule also checks the case of the tagName parameters.
Ex: guess expected tagName is RigorousMakeMeHappy. Then, I want that ressources be configured with RigorousMakeMeHappy but not with rigorousmakemehappy or rigorousMakeMeHappy or RIGOROUSMAKEMEHAPPY etc.
And I struggled two days w/o success.
I tried, among others things, the following:
policy_rule = <<RULE
{
"if": {
"anyOf": [
{
"field": "tags",
"match": "[parameters('tagName')]"
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
RULE
I tried to achieve with following documentations:
- https://learn.microsoft.com/en-us/azure/governance/policy/samples/pattern-fields
- Multiple Name Pattern and Parameter definition
- https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure
Thanks for your precious help !
EDIT: @SiddheshDesai
I should be more specific, I want ONLY the Key matching case sensitive my pattern:
With this code:
policy_rule = <<RULE
{
"if": {
"allOf": [
{
"not": {
"field": "[concat('tags[', parameters('tagName'), ']')]",
"match": "[parameters('tagName')]"
}
},
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
It’s not working:
Create VM with Tag RigorousMakeMeHappy and value qsdsqfsdf
And result is:
Validation not OK because we are trying to match the value of the KV pair
If I change the tag in this way:
Create VM with Tag RigorousMakeMeHappy and value RigorousMakeMeHappy
Result is:
Validation OK because we are matching the value of the KV pair
2
Answers
RigorousMakesMeHappywhateveryouaddtomatchingpattern@SiddheshDesai: I've found the answer (or one of... but honestly I think it's the only one 😄) and, again, thanks for your time!
Here is the code:
Then, if you
tagNameis RigorousMakesMeHappy and whatever the tagValue is you will be compliant or not with:I tried below Azure Policy definition to audit the Resources in the Azure subscription if the tag name RigorousMakeMeHappy is not present it will be marked as a non-compliant resource with case sensitivity:-
Policy definition:-
Output:-
animalrg, girraferg, siliconrg098 and valleyrg resource group does not contain
RigorousMakeMeHappy so its marked as non-compliant, Refer below:-
animalrg tag:-
girraferg tag:-
valleyrg tag:-
siliconrg098 tag:-
Where as siliconrg resource group contains RigorousMakeMeHappy thus its marked as compliant, Refer below:-