I want to deny changes on resources with the tag "source":"terraform" in the Azure UI, because these resources will be managed with Terraform and should not be changed in the UI.
Question: Is a policy the right way to do that?
Question: Why is my current policy not working?

```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "field": "tags['source']",
          "exists": "true"
        },
        {
          "field": "tags['source']",
          "equals": "terraform"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
```

I added this policy to my subscription "test-subscription-123" and after that I changed a resource with the tag "source":"terraform" in that subscription in the Azure UI and it was still possible. But I want my policy to deny that.
Question: Will my policy (when it's finally working) deny Terraform from changing my resources too? If yes, I need to adapt my policy, I guess.
Thanks in advance!
Here is the updated policy to deny changes on resources if the tag matches "source":"terraform"; it will deny all changes on the resource.
The policy is preventing changes when attempting to modify the VM size. Output:
The policy denies the creation of an address space in the virtual network when attempting to create one.
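
The following is an added example, not part of the original question or answer and not Azure's own evaluation engine: a small Python model of the `anyOf` / `exists` / `equals` logic in the rule from the question, run against constructed resource payloads. It shows that the `exists` branch makes the rule match every resource carrying a `source` tag, whatever its value, and that the condition reads only the resource's tags, so nothing in it separates a portal edit from a Terraform apply. The helper names (`matches`, `effect_for`) and the sample resources are assumptions made for illustration.

```python
import re

# Policy rule copied from the question.
POLICY_RULE = {
    "if": {"anyOf": [
        {"field": "tags['source']", "exists": "true"},
        {"field": "tags['source']", "equals": "terraform"},
    ]},
    "then": {"effect": "deny"},
}

_TAG_FIELD = re.compile(r"^tags\['(.+)'\]$")


def _field_value(resource, field):
    """Resolve a field reference; only tags['name'] is modelled here."""
    m = _TAG_FIELD.match(field)
    if not m:
        raise ValueError(f"unsupported field: {field}")
    return resource.get("tags", {}).get(m.group(1))


def matches(cond, resource):
    """Evaluate the subset of condition syntax that the rule uses."""
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    value = _field_value(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        # Azure Policy's equals compares strings case-insensitively.
        return value is not None and value.lower() == str(cond["equals"]).lower()
    raise ValueError(f"unsupported condition: {cond}")


def effect_for(resource, rule=POLICY_RULE):
    """Return the rule's effect if the 'if' block matches, else None."""
    return rule["then"]["effect"] if matches(rule["if"], resource) else None


# Constructed sample payloads (not real resources).
SAMPLES = {
    "tagged terraform": {"type": "Microsoft.Compute/virtualMachines", "tags": {"source": "terraform"}},
    "tagged manual": {"type": "Microsoft.Network/virtualNetworks", "tags": {"source": "manual"}},
    "untagged": {"type": "Microsoft.Storage/storageAccounts", "tags": {}},
}

if __name__ == "__main__":
    for name, res in SAMPLES.items():
        print(f"{name}: {effect_for(res)}")
```
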