
Azure Custom Tag Policy, Exclude resource type


I created an Azure custom policy that discovers objects in my subscription that are not compliant because they are missing custom tags.

I get too many errors from this policy because it also discovers the OMS agent, extensions, etc.

Here the json:

    {
      "mode": "All",
      "policyRule": {
        "if": {
          "anyOf": [
            {
              "field": "tags['TAG1']",
              "exists": false
            },
            {
              "field": "tags['TAG2']",
              "exists": false
            }
          ]
        },
        "then": {
          "effect": "audit"
        }
      },
      "parameters": {}
    }

It searches all resources and audits them if they do not have those tags.

Is it possible to specify exclusions for specific resource types? For example Microsoft.Compute/virtualMachines/extensions, etc.

Thanks


Solution

  • This way you can list, with the "notEquals" operator, all the resource types for which you do not want to check for tags.

    {
      "if": {
        "allOf": [
          {
            "field": "type",
            "notEquals": "Microsoft.Security/assessments"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.Compute/VirtualMachines"
          },
          {
            "anyOf": [
              {
                "field": "tags['TAG1']",
                "exists": false
              },
              {
                "field": "tags['TAG2']",
                "exists": false
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    }
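To make the answer's allOf/anyOf composition concrete, here is an added example (not code from the question or the answer, and not the Azure Policy engine itself) that builds the rule in the answer's shape for an arbitrary list of excluded types and evaluates it against a few constructed resource documents with a simplified re-implementation of the policy condition semantics (allOf, anyOf, not, exists, equals/notEquals, in/notIn; string comparisons case-insensitive). The resource names, the tag values, and the addition of Microsoft.Compute/virtualMachines/extensions to the exclusion list are assumptions made for the demonstration; `build_rule` produces only the `policyRule` part of a definition, as the answer does.

```python
import json

# Tags the question requires on every resource.
REQUIRED_TAGS = ["TAG1", "TAG2"]


def build_rule(excluded_types):
    """Build a policyRule in the answer's shape: one 'notEquals' clause per
    excluded resource type ANDed with the tag-existence check from the
    question. With an empty list it is equivalent to the question's rule."""
    conditions = [{"field": "type", "notEquals": t} for t in excluded_types]
    conditions.append({"anyOf": [{"field": f"tags['{t}']", "exists": False}
                                 for t in REQUIRED_TAGS]})
    return {"if": {"allOf": conditions}, "then": {"effect": "audit"}}


def _field_value(resource, field):
    """Resolve a policy 'field' alias against a resource document (simplified:
    top-level keys such as 'type', and tags['name'] with case-insensitive tag names)."""
    if field.startswith("tags['") and field.endswith("']"):
        wanted = field[len("tags['"):-len("']")].lower()
        for key, value in (resource.get("tags") or {}).items():
            if key.lower() == wanted:
                return value
        return None
    return resource.get(field)


def _same(a, b):
    """Case-insensitive string equality, as Azure Policy uses for 'equals'."""
    return isinstance(a, str) and isinstance(b, str) and a.lower() == b.lower()


def evaluate(condition, resource):
    """Return True when the condition matches the resource (simplified evaluator)."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = _field_value(resource, condition["field"])
    if "exists" in condition:  # accepts true/false or "true"/"false"
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    if "equals" in condition:
        return _same(value, condition["equals"])
    if "notEquals" in condition:
        return not _same(value, condition["notEquals"])
    if "in" in condition:
        return any(_same(value, v) for v in condition["in"])
    if "notIn" in condition:
        return not any(_same(value, v) for v in condition["notIn"])
    raise ValueError(f"unsupported condition: {json.dumps(condition)}")


def non_compliant(policy_rule, resources):
    """Names of resources whose 'if' block matches, i.e. that would be audited."""
    return [r["name"] for r in resources if evaluate(policy_rule["if"], r)]


# Constructed sample resources (not real subscription data).
SAMPLE_RESOURCES = [
    {"name": "vm-prod-01", "type": "Microsoft.Compute/virtualMachines", "tags": {}},
    {"name": "vm-prod-01/OmsAgentForLinux",
     "type": "Microsoft.Compute/virtualMachines/extensions", "tags": {}},
    {"name": "stprodlogs", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"TAG1": "finance"}},                      # TAG2 missing
    {"name": "kv-prod", "type": "Microsoft.KeyVault/vaults",
     "tags": {"tag1": "finance", "TAG2": "owner@example.com"}},  # both present
]

QUESTION_RULE = build_rule([])                 # the question's rule: no exclusions
ANSWER_RULE = build_rule([                     # the answer's rule, plus the
    "Microsoft.Security/assessments",          # extension type the question
    "Microsoft.Compute/VirtualMachines",       # asked about (assumed)
    "Microsoft.Compute/virtualMachines/extensions",
])

if __name__ == "__main__":
    print("no exclusions  :", non_compliant(QUESTION_RULE, SAMPLE_RESOURCES))
    print("with exclusions:", non_compliant(ANSWER_RULE, SAMPLE_RESOURCES))
```

The VM is excluded even though the answer spells its type `VirtualMachines`, because type comparisons are case-insensitive; the extension is only excluded once its own type is added, since `notEquals` matches whole type strings, not prefixes. Every type on the exclusion list is a resource kind the tag check silently stops covering, so the list deserves the same review as the policy itself.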