
Azure Policy check for an empty value


I need an Azure Policy for tagging. I want a user to be required to define a tag when a Resource Group is created. The Policy should also check that the tag value is not empty.

I have tried the following:

{
  "properties": {
    "displayName": "Require a tag Billto and a value that is not empty",
    "policyType": "Custom",
    "mode": "All",
    "description": "Enforces a required tag and its value on resource groups.",
    "metadata": {
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'Billto'"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value",
          "description": "Value of the tag, such as 'Costcenter'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          },
          {
            "value": "[concat('tags[', parameters('tagValue'), ']')]",
            "equals": ""
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

Can someone help me and give me the right code? Thanks, Thomas


Solution

  • This policy definition will deny resource groups which have an empty value for the given tag, or are missing the tag altogether:

    {
      "properties": {
        "mode": "All",
        "parameters": {
          "tagName": {
            "type": "String",
            "metadata": {
              "displayName": "Tag Name",
              "description": "Name of the tag, such as 'Billto'"
            }
          }
        },
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Resources/subscriptions/resourceGroups"
              },
              {
                "anyOf": [
                  {
                    "field": "[concat('tags[', parameters('tagName'), ']')]",
                    "exists": false
                  },
                  {
                    "field": "[concat('tags[', parameters('tagName'), ']')]",
                    "equals": ""
                  }
                ]
              }
            ]
          },
          "then": {
            "effect": "deny"
          }
        }
      }
    }
    

    Breaking it down:

    1. parameters('tagName') resolves to the value of the parameter tagName. For the rest of this example, we'll use Billto as the tag name.
    2. "field": "[concat('tags[', parameters('tagName'), ']')]" resolves to "field": "tags[Billto]"
    3. "field": "tags[Billto]" will get the value of the Billto tag.
    4. If the resource doesn't have a Billto tag, the Billto tag won't have a value, so "exists": false will be true and the policy will deny. If the Billto tag's value is empty, then "equals": "" will be true, and the policy will deny.
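To see why the question's rule never fires while the answer's rule does, here is a small offline evaluator for just the rule syntax both definitions use. This is an added example, not code from the question, the answer, or Microsoft: it models the documented Azure Policy semantics (allOf/anyOf, field and value conditions, exists/equals, tags[...] aliases, [concat(..., parameters('x'), ...)] expressions) as an assumption for reasoning about a rule, and the resource-group payloads it runs against are constructed sample data.

```python
"""Offline evaluator for the subset of Azure Policy rule syntax used on this page.

Added example, not part of the original post. The evaluation semantics are an
assumption modelled on the documented behaviour; this is not the Azure Policy
engine, so use it to reason about a rule, not to certify one.
"""
import re

# Matches either a single-quoted literal or a parameters('name') reference.
TOKEN_RE = re.compile(r"'([^']*)'|parameters\('([^']+)'\)")


def resolve(expr, params):
    """Resolve "[concat('tags[', parameters('tagName'), ']')]" to "tags[Billto]".
    Only concat() of literals and parameters() is supported; non-template strings pass through."""
    if not (expr.startswith("[") and expr.endswith("]")):
        return expr
    m = re.fullmatch(r"\[concat\((.*)\)\]", expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr}")
    return "".join(params[param] if param else literal
                   for literal, param in TOKEN_RE.findall(m.group(1)))


def field_value(field, resource):
    """Return (exists, value) for the 'type' field or a tags[Name] alias.
    Azure tag names are case-insensitive, so the lookup is too."""
    if field == "type":
        return True, resource.get("type")
    m = re.fullmatch(r"tags\[(.+)\]", field)
    if not m:
        raise ValueError(f"unsupported field: {field}")
    wanted = m.group(1).lower()
    for name, value in (resource.get("tags") or {}).items():
        if name.lower() == wanted:
            return True, value
    return False, None


def evaluate(node, resource, params):
    """Evaluate one logical operator or condition node to True/False."""
    if "allOf" in node:
        return all(evaluate(c, resource, params) for c in node["allOf"])
    if "anyOf" in node:
        return any(evaluate(c, resource, params) for c in node["anyOf"])
    if "not" in node:
        return not evaluate(node["not"], resource, params)
    if "field" in node:
        exists, value = field_value(resolve(node["field"], params), resource)
    else:  # "value" compares a resolved template string, which always exists
        exists, value = True, resolve(node["value"], params)
    if "exists" in node:  # accepted as a bool or as the string "true"/"false"
        return exists == (str(node["exists"]).lower() == "true")
    if "equals" in node:  # case-insensitive string compare; a missing field matches nothing
        return exists and value is not None and str(value).lower() == str(node["equals"]).lower()
    raise ValueError(f"unsupported condition: {node}")


def effect_for(policy_rule, resource, params):
    """Return the effect (e.g. "deny") when the rule's 'if' matches, else None (allowed)."""
    return policy_rule["then"]["effect"] if evaluate(policy_rule["if"], resource, params) else None


RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
TAG_FIELD = "[concat('tags[', parameters('tagName'), ']')]"

# The policyRule from the question: allOf over "missing" AND "empty".
QUESTION_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": RG_TYPE},
        {"field": TAG_FIELD, "exists": "false"},
        {"value": "[concat('tags[', parameters('tagValue'), ']')]", "equals": ""},
    ]},
    "then": {"effect": "deny"},
}

# The policyRule from the answer: anyOf over "missing" OR "empty".
ANSWER_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": RG_TYPE},
        {"anyOf": [
            {"field": TAG_FIELD, "exists": False},
            {"field": TAG_FIELD, "equals": ""},
        ]},
    ]},
    "then": {"effect": "deny"},
}

PARAMS = {"tagName": "Billto", "tagValue": "Costcenter"}

# Constructed resource-group payloads for illustration, not real data.
RESOURCE_GROUPS = {
    "no_tag": {"type": RG_TYPE, "tags": {}},
    "empty_tag": {"type": RG_TYPE, "tags": {"Billto": ""}},
    "lowercase_ok": {"type": RG_TYPE, "tags": {"billto": "CC-1234"}},
    "whitespace_only": {"type": RG_TYPE, "tags": {"Billto": "   "}},
    "not_an_rg": {"type": "Microsoft.Storage/storageAccounts", "tags": {}},
}


def run(rule):
    """Map each sample resource name to the effect the rule produces for it."""
    return {name: effect_for(rule, rg, PARAMS) for name, rg in RESOURCE_GROUPS.items()}


if __name__ == "__main__":
    for label, rule in (("question", QUESTION_RULE), ("answer", ANSWER_RULE)):
        print(label, run(rule))
```

Running it shows the question's rule returning no effect for every sample: a tag cannot be both missing ("exists": "false") and equal to "" at the same time, and the third condition compares the literal string tags[Costcenter] to "", which is never true. The answer's rule denies no_tag and empty_tag and allows the others. Two things a practitioner should note from the samples: the tag-name match is case-insensitive (billto satisfies Billto), and a whitespace-only value passes "equals": "" because the comparison is an exact string match, so a value of spaces is not caught by this definition.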