A current challenge in a Subscription Vending environment is that we rely on Tags on Subscriptions for certain data to be fed back into other systems, for instance for CMDB entries or cost calculation.
What we are trying to do is to enforce a Policy which prevents Tags with a certain prefix from being deleted, or altered for that matter.
With the Policy Effect ‘DenyAction’, I would assume that the following Policy would prevent Tags from being deleted, while still being able to create them:
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Resources/tags"
    },
    "then": {
      "effect": "DenyAction",
      "details": {
        "actionNames": [
          "delete"
        ],
        "cascadeBehaviors": {
          "resourceGroup": "deny"
        }
      }
    }
  },
  "parameters": {}
}
Unfortunately, this does not provide us with the expected outcome.
And if we try to look for a certain value it contains (I also tried ‘match’, or specifying an Array of predefined Tags that contain those prefixes with ‘in’ or ‘like’ etc.):
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/tags"
        },
        {
          "field": "tags",
          "contains": "prefix"
        }
      ]
    },
    "then": {
      "effect": "DenyAction",
      "details": {
        "actionNames": [
          "delete"
        ],
        "cascadeBehaviors": {
          "resourceGroup": "deny"
        }
      }
    }
  },
  "parameters": {}
}
It doesn’t work as expected. I cannot find any limitations in the MS Docs which refer to the resourceType ‘Tags’ not being able to work together with the ‘DenyAction’. I’ve also tried to specify ‘field: "name"’ for Tags, as that is what it refers to in the Portal as well, but no luck.
Have any of you worked with similar use cases and found a solution for this? It would be greatly appreciated!
2 Answers
As it turns out, this is not possible for this specific action within Azure Policy. Microsoft has also explained that a 'notAction' in a Custom RBAC role for tag deletion is not possible either. This is a limitation of the platform.
Next step:
I will focus on configuring an auto-remediation pipeline which sets the Tags on subscriptions on a specific interval (say 2, 4 or 6 times a day) to ensure the tags are always there. This does not prevent tampering or deletion of the Tags, but eventually still satisfies the requirement.
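The reconciliation step of such a pipeline, as an added example that is not code from the thread: it computes which prefixed tags are missing or altered on a subscription and builds the Merge request for the `Microsoft.Resources/tags/default` resource, so that only governed tags are re-applied and unrelated tags are left untouched. The `cmdb-` prefix, the desired values and the `send` callable are assumptions for illustration.

```python
"""Re-apply governed subscription tags (added example, not from the original thread)."""
from typing import Callable, Optional

TAGS_API_VERSION = "2021-04-01"  # api-version of the Tags resource provider


def tag_drift(desired: dict[str, str], actual: dict[str, str], prefix: str) -> dict[str, str]:
    """Return the prefixed tags that are absent or carry a different value.

    Azure tag names are case-insensitive, so keys are compared lowercased.
    Tags outside `prefix` are not governed and are never touched.
    """
    actual_ci = {k.lower(): v for k, v in actual.items()}
    drift: dict[str, str] = {}
    for name, value in desired.items():
        if not name.lower().startswith(prefix.lower()):
            continue
        if actual_ci.get(name.lower()) != value:
            drift[name] = value
    return drift


def merge_body(tags: dict[str, str]) -> dict:
    """Body for PATCH {scope}/providers/Microsoft.Resources/tags/default.

    'Merge' adds new tags and updates the values of existing ones; it does
    not remove tags that are not listed, so unrelated tags survive the run.
    """
    return {"operation": "Merge", "properties": {"tags": tags}}


def tags_url(subscription_id: str) -> str:
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            f"/providers/Microsoft.Resources/tags/default?api-version={TAGS_API_VERSION}")


def reconcile(subscription_id: str, desired: dict[str, str], actual: dict[str, str],
              prefix: str, send: Callable[[str, str, dict], None]) -> Optional[dict]:
    """Send one Merge request if drift was found; return the body sent, else None."""
    drift = tag_drift(desired, actual, prefix)
    if not drift:
        return None  # nothing to remediate on this interval
    body = merge_body(drift)
    send("PATCH", tags_url(subscription_id), body)
    return body


if __name__ == "__main__":
    # Constructed sample: one governed tag deleted, one altered, one foreign tag present.
    desired = {"cmdb-owner": "team-platform", "cmdb-costcenter": "CC-1234"}
    actual = {"CMDB-Owner": "someone-else", "environment": "prod"}
    sent = []
    print(reconcile("00000000-0000-0000-0000-000000000000", desired, actual, "cmdb-",
                    lambda m, u, b: sent.append((m, u, b))))
```

Wire `send` to an authenticated HTTP client (for example the Azure SDK's `ARMPipelineClient` or `requests` with a bearer token) to perform the PATCH; the function itself stays testable offline.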
AFAIK, restricting the delete action on resources based on tags is not possible.

Alternatively, you can restrict resource deletion by using RBAC and List Azure deny assignments. You can create a custom role to block only the delete action on resources at the subscription level. With the below condition, you can perform all operations except delete operations. For more information, refer to Create or update Azure custom roles.

The policy will only work if you specify the resources, such as "Microsoft.Storage/storageAccounts", and you also need to specify the tag name as below. After assigning the policy, it denies the delete action on the storage account.

Policy Compliance

Reference:
DenyAction Effect in Azure Policy
Azure Policy definitions denyAction effect