I want to create an Azure Policy for storage accounts. During the creation of a storage account, it will count the number of storage accounts in the subscription which have a specific tag (like env:dev). If this count exceeds 10, it should deny the creation of that storage account.
How can I count the number of storage accounts which have a certain tag inside an Azure Policy declaration?
That is not something you can do using Azure Policy.
Even though the approach seems valid, the count operator is meant to be used with [*] aliases - see the official documentation. One could think of scanning Microsoft.Subscription aliases, but when running the command az provider show --namespace Microsoft.Subscription --expand "resourceTypes/aliases" --query "resourceTypes[].aliases[].name", the output you get is so far not extensive:
[
"Microsoft.Subscription/SubscriptionDefinitions/subscriptionId",
"Microsoft.Subscription/SubscriptionDefinitions/subscriptionDisplayName",
"Microsoft.Subscription/SubscriptionDefinitions/offerType",
"Microsoft.Subscription/SubscriptionDefinitions/etag",
"Microsoft.Subscription/aliases/subscriptionId"
]
Also, the way the policy engine works wouldn't allow you to count the number of instances meeting a particular rule: each ARM component is scanned individually and compared to the rules defined in the policy. You cannot see "all Storage Accounts in a given scope" - each one is scanned without the whole picture being seen at any point. That is why I started by looking at whether the Subscription object had something like a Resources[*] alias.
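As an added illustration (not part of the question or the answer above, and not Azure's own engine code): a small Python simulation of the evaluation model the answer describes. It shows the two points at once. First, count works over a [*] alias that addresses an array inside the resource being evaluated (here the storage account's own IP firewall rules), so a limit on that array is expressible. Second, the evaluator receives exactly one resource per evaluation, so a rule cannot see how many other storage accounts carry a tag; eleven env:dev accounts each get evaluated alone and each is allowed. The alias-to-JSON-path table, the sample storage account payloads and the policy rule are constructed for this example, and the evaluator supports only the operators the rule uses (allOf, anyOf, field, count with equals/greater/less).

```python
# Sample output, copied from the answer above, of
#   az provider show --namespace Microsoft.Subscription --expand "resourceTypes/aliases" \
#       --query "resourceTypes[].aliases[].name"
SUBSCRIPTION_ALIASES = [
    "Microsoft.Subscription/SubscriptionDefinitions/subscriptionId",
    "Microsoft.Subscription/SubscriptionDefinitions/subscriptionDisplayName",
    "Microsoft.Subscription/SubscriptionDefinitions/offerType",
    "Microsoft.Subscription/SubscriptionDefinitions/etag",
    "Microsoft.Subscription/aliases/subscriptionId",
]


def array_aliases(aliases):
    """Only aliases ending in [*] address an array and can therefore be used with count."""
    return [a for a in aliases if a.endswith("[*]")]


# Hypothetical alias-to-JSON-path table for the single [*] alias used below.
# The real engine resolves aliases from provider metadata; this is a stand-in.
ALIAS_PATHS = {
    "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]": ("properties", "networkAcls", "ipRules"),
}


def resolve_field(resource, field):
    """Look up a policy `field` in ONE resource's JSON, the only input the engine ever gets."""
    if field == "type":
        return resource.get("type")
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    path = ALIAS_PATHS.get(field)
    if path is None:
        raise KeyError(f"unknown field or alias: {field}")
    node = resource
    for key in path:
        node = node.get(key)
        if node is None:
            return None
    return node


def _compare(value, cond):
    if "equals" in cond:
        return value == cond["equals"]
    if "greater" in cond:
        return value is not None and value > cond["greater"]
    if "less" in cond:
        return value is not None and value < cond["less"]
    raise ValueError(f"unsupported comparison in {cond}")


def evaluate_condition(cond, resource):
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "count" in cond:
        # count only sees array members inside *this* resource; a missing array counts as 0
        members = resolve_field(resource, cond["count"]["field"])
        n = len(members) if isinstance(members, list) else 0
        return _compare(n, cond)
    if "field" in cond:
        return _compare(resolve_field(resource, cond["field"]), cond)
    raise ValueError(f"unsupported condition {cond}")


def evaluate(rule, resource):
    """One resource in, one effect out, mirroring the per-resource scan the answer describes."""
    return rule["then"]["effect"] if evaluate_condition(rule["if"], resource) else "allow"


def evaluate_each(rule, resources):
    """Each resource is judged on its own; no evaluation can see the others."""
    return [evaluate(rule, r) for r in resources]


# Constructed rule: deny a dev storage account with more than 10 IP firewall rules.
# This IS expressible, because ipRules is an array inside the storage account itself.
RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "tags['env']", "equals": "dev"},
            {"count": {"field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]"}, "greater": 10},
        ]
    },
    "then": {"effect": "deny"},
}


def make_storage_account(name, env, ip_rule_count):
    """Constructed ARM-style payload for a storage account (sample data, not a real resource)."""
    return {
        "name": name,
        "type": "Microsoft.Storage/storageAccounts",
        "tags": {"env": env},
        "properties": {
            "networkAcls": {"ipRules": [{"value": f"203.0.113.{i}"} for i in range(ip_rule_count)]}
        },
    }


if __name__ == "__main__":
    print("array aliases on Microsoft.Subscription:", array_aliases(SUBSCRIPTION_ALIASES))
    print(evaluate(RULE, make_storage_account("dev11rules", "dev", 11)))
    # Eleven env:dev storage accounts with no IP rules: every one is allowed,
    # because nothing in the rule (or the engine) can see the other ten.
    fleet = [make_storage_account(f"dev{i}", "dev", 0) for i in range(11)]
    print(evaluate_each(RULE, fleet))
```

The per-resource limit on ipRules denies as expected, while the fleet of eleven tagged accounts is evaluated one payload at a time and every evaluation returns allow; the subscription-wide total the question asks for never exists as an input the rule can reference.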