Designing Tagging Strategy for Microsoft Azure - Part 2 - Enforcing Tags at the Resource level

@20aman    Oct 04, 2021

This blog is a part of the Designing Tagging Strategy for Microsoft Azure series. You can find the Index of this series here: Designing Tagging Strategy for Microsoft Azure.

In the last post, we looked at the importance of tagging in Azure and various tagging strategies. You can view that post here: Designing Tagging Strategy for Microsoft Azure - Part 1 - Basics. In this post, we are looking at policies and various nuances in implementing the first strategy i.e. enforcing tags at the resource level.

Requiring Tags on a resource

You can require a tag on a resource by using the below Azure policy. This is an extension of the in-built policy that requires one tag. This extends it to two tags and shows you how you can add even more tags using just one policy.

"policyRule": {
  "if": {
    "anyOf": [
      {
        "field": "tags['ApplicationOwner']",
        "exists": "false"
      },
      {
        "field": "tags['DepartmentName']",
        "exists": "false"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

The above policy requires two tags:

  1. ApplicationOwner - Person responsible for the resource
  2. DepartmentName - Name of the department to which the resource belongs

Requiring a Tag and also enforcing a format

Let's assume that you require the ApplicationOwner tag. But you also want to ensure that the users deploying the resource are supplying an email id as its value. E.g. if the domain is HarvestingClouds.com then the email id will look something like xxxx@harvestingclouds.com, where "xxxx" could be anything. In the policy you match this by using the "*" wildcard character, so the match is against "*@harvestingclouds.com". The policy will look something like below:

"policyRule": {
  "if": {
    "not": {
      "allOf": [
        {
          "field": "tags['ApplicationOwner']",
          "exists": "true"
        },
        {
          "field": "tags['ApplicationOwner']",
          "like": "*@harvestingclouds.com"
        }
      ]
    }
  },
  "then": {
    "effect": "deny"
  }
}
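To see how the anyOf/allOf/not, exists and like conditions in the two rules above combine on real tag values, here is a small evaluator for just that subset of the policy language. It is written for this post as an illustration, not Azure's own engine and not from the linked samples repository; it assumes tag names compare case-insensitively and that like compares case-insensitively with at most one "*" wildcard.

```python
import re

def _tag_value(resource, field):
    """Resolve a field of the form tags['Name'] against a resource dict.
    Azure tag names are case-insensitive, so the lookup folds case."""
    m = re.fullmatch(r"tags\['([^']+)'\]", field)
    if not m:
        raise ValueError(f"unsupported field: {field}")
    tags = {k.lower(): v for k, v in (resource.get("tags") or {}).items()}
    return tags.get(m.group(1).lower())  # None when the tag is absent

def _like(value, pattern):
    """Azure Policy 'like': at most one '*' wildcard; compared case-insensitively (assumed)."""
    if pattern.count("*") > 1:
        raise ValueError("'like' allows at most one * wildcard")
    v, p = value.lower(), pattern.lower()
    if "*" not in p:
        return v == p
    head, _, tail = p.partition("*")
    return len(v) >= len(head) + len(tail) and v.startswith(head) and v.endswith(tail)

def evaluate(condition, resource):
    """Recursively evaluate an 'if' block; True means the condition matched."""
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = _tag_value(resource, condition["field"])
    if "exists" in condition:
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    if "like" in condition:
        return value is not None and _like(value, condition["like"])
    raise ValueError(f"unsupported condition: {condition}")

def effect_for(policy_rule, resource):
    """Return the 'then' effect when the rule matches, else None (compliant)."""
    return policy_rule["then"]["effect"] if evaluate(policy_rule["if"], resource) else None

# The two policyRule blocks from this post, transcribed as Python dicts.
REQUIRE_TWO_TAGS = {
    "if": {"anyOf": [{"field": "tags['ApplicationOwner']", "exists": "false"},
                     {"field": "tags['DepartmentName']", "exists": "false"}]},
    "then": {"effect": "deny"}}
OWNER_MUST_BE_EMAIL = {
    "if": {"not": {"allOf": [{"field": "tags['ApplicationOwner']", "exists": "true"},
                             {"field": "tags['ApplicationOwner']", "like": "*@harvestingclouds.com"}]}},
    "then": {"effect": "deny"}}
```

Feeding a constructed resource such as {"tags": {"ApplicationOwner": "Alice Smith"}} to effect_for with OWNER_MUST_BE_EMAIL returns "deny", while a value ending in "@harvestingclouds.com" returns None (compliant); note that a trailing-domain pattern like this does not match "alice@harvestingclouds.com.evil.example", which is why the wildcard goes at the front rather than on both sides.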

Complete Policy Samples on GitHub

You can find the complete policy samples on GitHub in my policy samples repository here: AzurePolicySamples - Tagging/.
