
Azure Policy weird behaviour while creating resource group without tag #22070

Closed
qureshiaquib opened this issue Jan 10, 2019 · 10 comments

@qureshiaquib

qureshiaquib commented Jan 10, 2019

I've applied an Azure Policy which forces the user to assign a tag while creating a Resource Group.
When I create a new VM and fill in all the fields, I create a new Resource Group in the same wizard and then click the Review and create button. This time the Azure Policy is triggered properly and blocks me, as the newly created RG is not created with a tag.
But when I go to resource group policy and click on Add to create a new RG, and that time I don't fill in Tags, the policy still doesn't get triggered. I'm a little surprised why this policy is working the first time but not the second time.
PowerShell works fine, but there are some issues with the Azure Portal.

```json
{
  "if": {
    "allOf": [
      {
        "field": "tags",
        "exists": "false"
      },
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```


@Karishma-Tiwari-MSFT
Member

@aquibqureshi26 Thanks for your question. Please provide us with the link to the documentation you are referring to so we can better assist.

@qureshiaquib
Author

Hey Karishma, this is related to Azure Policy for resource groups.

Using this policy, it gets triggered properly when I'm using PowerShell, but there is some flaw in the Azure portal.

@Karishma-Tiwari-MSFT
Member

@aquibqureshi26 I have updated the issue with the document link. Please confirm this is the doc you have been following.
We are currently investigating and will update you shortly.

@qureshiaquib
Author

Yes. You can replicate the issue in your lab as well.

@pilor
Contributor

pilor commented Jan 10, 2019

Your policy is checking to see if the "tags" property exists. This property can exist even if no tags are being set on the resource (i.e. "tags": {}). Policy doesn't have a good mechanism right now for this scenario where you don't care about WHAT tag is present, just that there is any tag present. The more typical scenario is checking if a specific tag exists.

However, in the next month or two you will be able to use syntax similar to { "value": "[length(field('tags'))]", "equals": 0 } which will allow you to accomplish your goal.

@DCtheGeek
Contributor

Thanks @pilor!

@aquibqureshi26 Please let us know if that didn't answer your question. A request such as this is typically better suited for a support case. If you have feedback or questions about the docs, please feel free to open another issue here. If you have suggestions, please check out the Governance UserVoice. Thanks!

@MicrosoftDocs/azure-cxp-triage #please-close

@qureshiaquib
Author

@pilor thanks for sharing it.

I've tried to create a policy which checks specific tags, but it is not working. Can you please take a quick look?

```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      {
        "anyOf": [
          {
            "field": "tags.Env",
            "exists": false
          },
          {
            "field": "tags.use",
            "exists": false
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```

https://stackoverflow.com/questions/54137098/azure-policy-deny-if-one-of-the-tag-not-present-in-the-resource-group-name

@pilor
Contributor

pilor commented Jan 10, 2019

I'll take a look and respond on Stack Overflow.

@qureshiaquib
Author

Hi Chris,
Thanks for providing me a workaround; it is working. Is it possible to compare both tag names and values in Azure Policy? I've tried with the Not method and there are some issues.

```json
{
  "mode": "all",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "not": {
            "allOf": [
              {
                "field": "tags.Env",
                "equals": "Prod"
              },
              {
                "field": "tags.OS",
                "equals": "windows"
              }
            ]
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
```

@mo-badreldin

If someone is still searching for a solution on how to block creation of resource groups without tags, the policy rule below worked for me. I tested it using the portal.

The conditions in the anyOf explained:
The first condition blocks resource groups being created while creating another resource.
The second condition blocks directly creating resource groups without a tag.

```json
{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "anyOf": [
            {
              "field": "tags",
              "exists": "false"
            },
            {
              "value": "[length(field('tags'))]",
              "equals": 0
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
```
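As an added illustration (not code from this thread, from Azure, or from any of its contributors), the Python script below models just the subset of the policy rule language used in this thread (field/exists, field/equals, value with `[length(field('tags'))]`, allOf, anyOf and not) and evaluates three rules against constructed resource-group payloads: the original exists-only rule, the length-aware rule above, and a not/allOf rule for the name-and-value question raised earlier. The evaluator, its missing-field semantics and the sample payloads are assumptions made for the demonstration; it is not Azure's policy engine. It shows the point pilor makes: a payload carrying an empty `"tags": {}` passes an `"exists": "false"` check and is caught only by the length check.

```python
"""Toy evaluator for the policy-rule subset used in this thread.
Assumption: a missing field fails 'equals' and satisfies 'exists: false';
an empty object has length 0. Constructed for illustration only."""
import re

RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"

# Rule 1: the original rule, denies only when the "tags" property is absent.
EXISTS_ONLY = {
    "if": {"allOf": [
        {"field": "tags", "exists": "false"},
        {"field": "type", "equals": RG_TYPE},
    ]},
    "then": {"effect": "deny"},
}

# Rule 2: the later rule, also denies an empty tag collection.
LENGTH_AWARE = {
    "if": {"allOf": [
        {"field": "type", "equals": RG_TYPE},
        {"anyOf": [
            {"field": "tags", "exists": "false"},
            {"value": "[length(field('tags'))]", "equals": 0},
        ]},
    ]},
    "then": {"effect": "deny"},
}

# Rule 3: name-and-value check; "not" takes one condition, so the two
# comparisons are combined with an allOf inside it.
REQUIRE_PROD_WINDOWS = {
    "if": {"allOf": [
        {"field": "type", "equals": RG_TYPE},
        {"not": {"allOf": [
            {"field": "tags.Env", "equals": "Prod"},
            {"field": "tags.OS", "equals": "windows"},
        ]}},
    ]},
    "then": {"effect": "deny"},
}

# Constructed resource-group payloads (assumed request shapes).
RG_NO_TAGS_KEY = {"type": RG_TYPE, "location": "westeurope"}
RG_EMPTY_TAGS = {"type": RG_TYPE, "location": "westeurope", "tags": {}}
RG_TAGGED = {"type": RG_TYPE, "location": "westeurope",
             "tags": {"Env": "Prod", "OS": "windows"}}


def _field(resource, path):
    """Resolve a dotted field path such as 'tags.Env'; returns (present, value)."""
    node = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def _value(resource, expr):
    """Support only the [length(field('x'))] template seen in the thread."""
    m = re.fullmatch(r"\[length\(field\('([^']+)'\)\)\]", expr)
    if not m:
        raise ValueError(f"unsupported value expression: {expr}")
    present, val = _field(resource, m.group(1))
    return len(val) if present and val is not None else 0


def evaluate(condition, resource):
    """True when the condition matches the resource payload."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    if "field" in condition:
        present, val = _field(resource, condition["field"])
        if "exists" in condition:
            want = str(condition["exists"]).lower() == "true"
            return present == want
        if "equals" in condition:
            return present and val == condition["equals"]
    if "value" in condition and "equals" in condition:
        return _value(resource, condition["value"]) == condition["equals"]
    raise ValueError(f"unsupported condition: {condition}")


def is_denied(policy_rule, resource):
    """True when a deny-effect rule's 'if' block matches the payload."""
    deny = policy_rule["then"]["effect"].lower() == "deny"
    return bool(deny and evaluate(policy_rule["if"], resource))


if __name__ == "__main__":
    for name, rule in [("exists-only", EXISTS_ONLY), ("length-aware", LENGTH_AWARE)]:
        for label, rg in [("no tags key", RG_NO_TAGS_KEY), ("empty tags", RG_EMPTY_TAGS),
                          ("tagged", RG_TAGGED)]:
            print(f"{name:12} {label:12} denied={is_denied(rule, rg)}")
```

Running it prints the per-rule verdicts: the exists-only rule lets the empty-tags payload through, while the length-aware rule denies both the missing and the empty case and allows the tagged group. The same evaluator shows the not/allOf form denying a group that carries Env=Prod but no OS tag.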
