Azure Policy weird behaviour while creating resource group without tag #22070
Comments
@aquibqureshi26 Thanks for your question. Please provide us with the link to the documentation you are referring to so we can better assist.
Hey Karishma, this is related to Azure Policy for resource group. Using this policy, it gets triggered properly when I'm using PowerShell, but there is some flaw in the Azure portal.
@aquibqureshi26 I have updated the issue with the document link. Please confirm this is the doc you have been following.
Yes. You can replicate the issue in your lab as well.
Your policy is checking to see if the "tags" property exists. This property can exist even if tags are not being set on the resource. (i.e. "tags": {}). Policy doesn't have a good mechanism right now for this scenario where you don't care about WHAT tag is present, just that there is any tag present. The more typical scenario is checking if a specific tag exists. However, in the next month or two you will be able to use syntax similar to { "value": "[length(field('tags'))]", "equals": 0 } which will allow you to accomplish your goal.
Thanks @pilor! @aquibqureshi26 Please let us know if that didn't answer your question. A request such as this is typically better suited for a support case. If you have feedback or questions about the docs, please feel free to open another issue here. If you have suggestions, please check out the Governance UserVoice. Thanks! @MicrosoftDocs/azure-cxp-triage #please-close
@pilor Thanks for sharing it. I've tried to create a policy which checks specific tags but it is not working. Can you please take a quick look? {
I'll take a look and respond on Stack Overflow.
Hi Chris, {
If someone is still searching for a solution for how to block creation of resource groups without tags, this policy rule below worked for me. I tested it using the portal. The conditions in the anyOf explained: "policyRule": {
I've applied an Azure policy which forces the user to assign a tag while creating a Resource Group.
When I create a new VM and fill in all the fields, I create a new Resource Group in the same wizard and then click the Review and create button. This time the Azure policy is triggered properly and blocks me, as the newly created RG is not created with a tag.
But when I go to resource group policy and click on Add to create a new RG, I don't fill in Tags, and even then the policy doesn't get triggered. I'm a little surprised why this policy works the first time but not the second time.
PowerShell works fine, but there are some issues with the Azure Portal.
{
  "if": {
    "allOf": [
      {
        "field": "tags",
        "exists": "false"
      },
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
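The gap explained in the comments (a `"tags": {}` property exists even though no tag is set) can be reproduced with a small model. This is an added example, not code from the issue or from Azure: `matches` is a simplified, hypothetical evaluator that covers only the operators seen in this thread, the request bodies are constructed, and `STRICT_IF` is an assumed rule built on the `length(field('tags'))` syntax quoted in the comments.

```python
# Simplified model of how the policy "if" blocks in this thread evaluate.
# Added example: not Azure's engine; supports only the operators used here.
RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"

# Rule from the issue: deny when the "tags" property does not exist.
ORIGINAL_IF = {"allOf": [
    {"field": "tags", "exists": "false"},
    {"field": "type", "equals": RG_TYPE},
]}
# Assumed stricter rule: also deny when "tags" exists but holds no entries.
STRICT_IF = {"allOf": [
    {"field": "type", "equals": RG_TYPE},
    {"anyOf": [
        {"field": "tags", "exists": "false"},
        {"value": "[length(field('tags'))]", "equals": 0},
    ]},
]}

def matches(cond, resource):
    """Return True when the condition tree matches the request body."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "value" in cond:
        if cond["value"] != "[length(field('tags'))]":
            raise ValueError("only the expression from the thread is modelled")
        # Assumption of this model: a missing "tags" property counts as length 0.
        return len(resource.get("tags", {})) == cond["equals"]
    present = cond["field"] in resource
    if "exists" in cond:
        return present == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return present and str(resource[cond["field"]]).lower() == cond["equals"].lower()
    raise ValueError("unsupported condition")

def effect(policy_if, resource):
    return "deny" if matches(policy_if, resource) else "allow"

# Constructed request bodies (not captured traffic).
SAMPLES = {
    "no tags property": {"type": RG_TYPE, "location": "westeurope"},
    "empty tags object": {"type": RG_TYPE, "location": "westeurope", "tags": {}},
    "one tag": {"type": RG_TYPE, "location": "westeurope", "tags": {"owner": "team-a"}},
}

def compare():
    """Map each sample to (effect under ORIGINAL_IF, effect under STRICT_IF)."""
    return {n: (effect(ORIGINAL_IF, b), effect(STRICT_IF, b)) for n, b in SAMPLES.items()}
```

Calling `compare()` shows the empty-object request passing the original rule while the stricter rule denies it; the tagged request is allowed by both.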