Designing Tagging Strategy for Microsoft Azure - Part 7 - Enforcing tagging standards with Azure Policies

@20aman    Oct 20, 2021

This blog is a part of the Designing Tagging Strategy for Microsoft Azure series. You can find the Index of this series here: Designing Tagging Strategy for Microsoft Azure.

Enforce the tagging standards

As discussed in the previous blogs, if you have standards you want to enforce for tagging, you can do that directly within Azure Policy as well. For example, the ApplicationOwner tag (the owner of the application related to the deployed resource) should be an email id. You can enforce this easily via an Azure policy.

You can also enforce naming conventions, or restrict a tag to a fixed set of allowed values.

Sample 1 - Set of Allowed Values

You can specify allowed values for a tag. If the value provided is not in the list of allowed values, resource creation can be denied through Azure Policy. For example, the policy sample below restricts the value of the Environment tag to the allowed values listed below. Note that the policy does not enforce the tag itself; it enforces that, if the tag is specified, its value can only be one of the following:

  • dev
  • test
  • prod

Policy sample:

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "not": {
        "field": "tags['Environment']",
        "in": [
          "dev",
          "test",
          "prod"
        ]
      }
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

Sample 2 - Allowing only an Email Id

You can also use wildcards and patterns within Azure Policy to enforce naming standards within tags. For example, if you want the ApplicationOwner tag to be only an email id, you can do that with a "like" comparison against a pattern such as "*@domain.com".

The sample below not only enforces the presence of the ApplicationOwner tag, but also requires it to have the format "xxxx@harvestingclouds.com", where xxxx can be anything, as denoted by the "*" wildcard character in the policy below.

Policy sample:

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "not": {
        "allOf": [
          {
            "field": "tags['ApplicationOwner']",
            "exists": "true"
          },
          {
            "field": "tags['ApplicationOwner']",
            "like": "*@harvestingclouds.com"
          }
        ]
      }
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
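To see how the "not"/"in" rule of Sample 1 and the "allOf" of "exists" plus "like" in Sample 2 decide between allow and deny, here is a small local evaluator for that subset of the policy condition language, run against constructed resource tag sets. This is an added example, not code from the post or its GitHub repository, and it only models the rules shown here: it assumes a single "*" wildcard in "like", case-sensitive comparison, and that a missing tag satisfies no value comparison; it is not the Azure Policy engine.

```python
# Toy evaluator for the two policy rules above (constructed copies, not the service).
ENVIRONMENT_RULE = {  # Sample 1: Environment must be one of the allowed values
    "if": {"not": {"field": "tags['Environment']", "in": ["dev", "test", "prod"]}},
    "then": {"effect": "deny"},
}
OWNER_RULE = {  # Sample 2: ApplicationOwner must exist and end with the domain
    "if": {"not": {"allOf": [
        {"field": "tags['ApplicationOwner']", "exists": "true"},
        {"field": "tags['ApplicationOwner']", "like": "*@harvestingclouds.com"},
    ]}},
    "then": {"effect": "deny"},
}

def lookup(field, resource):
    """Resolve a field such as tags['Environment'] against a resource dict; None if absent."""
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    return resource.get(field)

def like(value, pattern):
    """'like' with a single * wildcard (assumption: case-sensitive in this toy)."""
    head, star, tail = pattern.partition("*")
    if not star:
        return value == pattern
    return (len(value) >= len(head) + len(tail)
            and value.startswith(head) and value.endswith(tail))

def evaluate(cond, resource):
    """Return True when the condition tree matches the resource."""
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    value = lookup(cond["field"], resource)
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if value is None:  # assumption: a missing tag satisfies no value comparison
        return False
    if "in" in cond:
        return value in cond["in"]
    if "like" in cond:
        return like(value, cond["like"])
    raise ValueError(f"unsupported condition: {cond}")

def effect(rule, resource):
    """'deny' when the if-block matches, otherwise 'allow' (the rule does not fire)."""
    return rule["then"]["effect"] if evaluate(rule["if"], resource) else "allow"
```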

Complete Policy Samples on GitHub

You can find the complete policy samples on GitHub in my policy samples repository: AzurePolicySamples - Tagging.
