I've created an Azure Policy; I wanted to deny resource group creation if the user doesn't specify a tag with key "Env" or "use".
But when I create the resource group with the Env tag it blocks me; it only allows me when I add both tags, Env and use.
As per my understanding, "anyOf" in Azure Policy is used as "OR", but my code isn't behaving the same way.
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      {
        "anyof": [
          {
            "field": "tags.Env",
            "exists": false
          },
          {
            "field": "tags.use",
            "exists": false
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
Based on Chris's suggestion, I've worked on the tag names and values, but it is giving me an error in the policy and it is not taking the "NOT".
{
  "mode": "all",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "not": {
            {
              "field": "tags.Env",
              "equals": "Prod"
            },
            {
              "field": "tags.OS",
              "equals": "windows"
            }
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
Right now, like you mentioned, the policy is evaluating if "tags.Env doesn't exist OR tags.use doesn't exist". If either tag does not exist you will be denied.
What you want is to deny if "tags.Env doesn't exist AND tags.use doesn't exist". That would imply that they are both missing which is what you are trying to prevent.
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      {
        "field": "tags.Env",
        "exists": false
      },
      {
        "field": "tags.use",
        "exists": false
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
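To make the anyOf-versus-allOf difference concrete, here is a small evaluator for the handful of operators these rules use, run against the question's rule and the corrected rule above. It is an added illustration written for this page, not Microsoft's engine and not code from either poster; the resource shape (a dict with "type" and "tags") and the sample resource groups are constructed.

```python
# Minimal re-implementation of the Azure Policy operators used on this page
# (allOf, anyOf, not, field "equals"/"exists"); constructed for illustration,
# not Microsoft's evaluation engine. Keywords are matched case-insensitively,
# so the lowercase "anyof" from the question is handled too.

def field_value(resource, field):
    # Only "type" and "tags.<name>" are needed here (constructed resource shape).
    if field == "type":
        return resource.get("type")
    if field.startswith("tags."):
        return resource.get("tags", {}).get(field[len("tags."):])
    raise ValueError(f"unsupported field: {field}")

def evaluate(condition, resource):
    cond = {k.lower(): v for k, v in condition.items()}
    if "allof" in cond:
        return all(evaluate(c, resource) for c in cond["allof"])
    if "anyof" in cond:
        return any(evaluate(c, resource) for c in cond["anyof"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    value = field_value(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == bool(cond["exists"])
    return value == cond["equals"]

def is_denied(policy_rule, resource):
    # The resource is blocked when the "if" block matches and the effect is deny.
    return evaluate(policy_rule["if"], resource) and policy_rule["then"]["effect"].lower() == "deny"

RG = "Microsoft.Resources/subscriptions/resourceGroups"

def missing(tag):
    return {"field": f"tags.{tag}", "exists": False}

# Rule from the question: deny when EITHER tag is missing (anyOf).
ORIGINAL = {"if": {"allOf": [{"field": "type", "equals": RG},
                             {"anyof": [missing("Env"), missing("use")]}]},
            "then": {"effect": "deny"}}
# Rule from the answer: deny only when BOTH tags are missing (flat allOf).
CORRECTED = {"if": {"allOf": [{"field": "type", "equals": RG},
                              missing("Env"), missing("use")]},
             "then": {"effect": "deny"}}

def decisions(policy_rule):
    # Constructed sample resource groups; returns {name: denied?}.
    samples = {"no tags": {"type": RG, "tags": {}},
               "Env only": {"type": RG, "tags": {"Env": "Prod"}},
               "both": {"type": RG, "tags": {"Env": "Prod", "use": "web"}}}
    return {name: is_denied(policy_rule, rg) for name, rg in samples.items()}
```

Running `decisions(ORIGINAL)` shows "Env only" denied, which is the behaviour the question reports, while `decisions(CORRECTED)` denies only the untagged group.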