I am trying to create an Azure Policy, where resources have tags that should be within an list of allowed values. If the tag is not specified, it should be inherited from the resource group.
I tried with this, but it returns the following error when I try to assign: "Creating policy assignment 'Ensure and Validate Tag Inheritance with Allowed Values - provisionType' in 'X' failed. The policy definition 'Y' rule is invalid. The 'field' property cannot be empty."
The Policy Definition looks like this:
{
"mode": "Indexed",
"policyRule": {
"if": {
"anyOf": [
{
"allOf": [
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
},
{
"field": "[resourceGroup().tags[parameters('tagName')]]",
"notEquals": ""
}
]
},
{
"allOf": [
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "true"
},
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"notIn": "[parameters('listofallowedtagValues')]"
}
]
}
]
},
"then": {
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f"
],
"operations": [
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName'), ']')]",
"value": "[resourceGroup().tags[parameters('tagName')]]"
}
]
}
}
},
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "The name of the tag, such as 'environment'."
}
},
"listofallowedtagValues": {
"type": "Array",
"metadata": {
"displayName": "Allowed Tag Values",
"description": "The list of allowed values for the tag."
}
}
}
}
Any ideas on how I can solve this?
Thanks!
Here is the updated policy, it checks if the specified tag does not exist, and if so, the policy then modifies the resource to
inheritthe tag from theresource group.After applying the policy, the resources have been remediated to inherit the tag from the resource group.