Tags: azure, azure-devops, policy, azure-policy

Create an Azure policy that controls a resource group's name and tags


I'm stuck on an Azure policy. As the title says, I want to deny the creation of a resource group if its name starts with "DEMO" and not all of these tags (ApplicationName, ManagedBy, Classification) are present.

{
    "mode": "All",
    "parameters": {},
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Resources/subscriptions/resourceGroups"
                },
                {
                    "value": "[resourceGroup().name]",
                    "like": "DEMO*"
                },
                {
                    "anyOf": [
                        {
                            "field": "tags['ApplicationName']",
                            "exists": false
                        },
                        {
                            "field": "tags['ManagedBy']",
                            "exists": false
                        },
                        {
                            "field": "tags['Classification']",
                            "exists": false
                        }
                    ]
                }
            ]
        },
        "then": {
            "effect": "deny"
        }
    }
}

Can someone tell me if something looks wrong?

With this code, I can actually create my RG even if it starts with DEMO (for example DEMO62) and one or more tags are missing. But in the policy dashboard it displays that it doesn't match the criteria, so it seems to work, but only after the creation .. so .. too late.

Thanks everybody

I also tried this format:

"field": "tags",
"containsKey": "ApplicationName"

But same result.


Solution

  • I tried to reproduce the same in my environment to block Azure resource group creation if the required tags aren't present.

    If I try to create any resource group whose name starts with DEMO without the required tags, it won't allow me to create the resource group.


    Policy:

    {
        "mode": "All",
        "policyRule": {
            "if": {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
                    },
                    {
                        "field": "name",
                        "like": "DEMO*"
                    },
                    {
                        "not": {
                            "field": "tags['ApplicationName']",
                            "equals": "testapp"
                        }
                    }
                ]
            },
            "then": {
                "effect": "deny"
            }
        },
        "parameters": {}
    }
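The answer above changes the name check from `"value": "[resourceGroup().name]"` to `"field": "name"`, but its tag condition only tests that ApplicationName equals "testapp". The following is an added example, not code from the question or the answer: it carries the same `field: name` fix over to the question's actual requirement (deny when any of ApplicationName, ManagedBy or Classification is missing, using the question's own `anyOf` / `exists: false` pattern) and pairs it with a small evaluator that applies the rule to constructed resource-group requests so the boolean logic can be checked offline. The evaluator models only the conditions used here (allOf, anyOf, not, equals, like, exists) and is not Azure's policy engine; it assumes `equals`/`like` and tag-name lookups are case-insensitive, and it cannot show why the `[resourceGroup().name]` expression did not evaluate as the asker expected. The sample requests are constructed, not real Azure payloads.

```python
"""Added example (not from the question or the answer): a deny rule that
blocks DEMO* resource groups missing any required tag, with a toy evaluator.
Modelled conditions: allOf / anyOf / not, equals / like / exists.
Case-insensitive string and tag-key matching is an assumption of this model."""
import re
from typing import Any, Dict, Optional

RESOURCE_GROUP_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
REQUIRED_TAGS = ("ApplicationName", "ManagedBy", "Classification")

# The fix relative to the question's rule: "field": "name" refers to the name of
# the resource being evaluated; "value": "[resourceGroup().name]" does not.
POLICY_RULE: Dict[str, Any] = {
    "if": {
        "allOf": [
            {"field": "type", "equals": RESOURCE_GROUP_TYPE},
            {"field": "name", "like": "DEMO*"},
            # Deny if ANY required tag is absent (same anyOf/exists shape as the question).
            {"anyOf": [{"field": f"tags['{tag}']", "exists": False} for tag in REQUIRED_TAGS]},
        ]
    },
    "then": {"effect": "deny"},
}


def get_field(resource: Dict[str, Any], field: str) -> Optional[Any]:
    """Resolve a policy field alias against the request payload.
    tags['X'] is looked up case-insensitively (assumption of this model)."""
    match = re.fullmatch(r"tags\['([^']+)'\]", field)
    if match:
        wanted = match.group(1).lower()
        for key, value in (resource.get("tags") or {}).items():
            if key.lower() == wanted:
                return value
        return None
    return resource.get(field)


def like(value: Any, pattern: str) -> bool:
    """Policy 'like': a single '*' wildcard, compared case-insensitively (assumed)."""
    if not isinstance(value, str):
        return False
    head, star, tail = pattern.lower().partition("*")
    text = value.lower()
    if not star:
        return text == head
    return (len(text) >= len(head) + len(tail)
            and text.startswith(head) and text.endswith(tail))


def evaluate(condition: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Recursively evaluate a policy 'if' block against one request payload."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = get_field(resource, condition["field"])
    if "equals" in condition:
        return isinstance(value, str) and value.lower() == condition["equals"].lower()
    if "like" in condition:
        return like(value, condition["like"])
    if "exists" in condition:
        # Accept both the bool form used in the question and the "true"/"false" string form.
        should_exist = str(condition["exists"]).lower() == "true"
        return (value is not None) == should_exist
    raise ValueError(f"unsupported condition: {condition}")


def is_denied(resource: Dict[str, Any], rule: Dict[str, Any] = POLICY_RULE) -> bool:
    """True when the rule matches the request and its effect is deny."""
    return rule["then"]["effect"] == "deny" and evaluate(rule["if"], resource)


# Constructed sample requests (not real Azure payloads).
SAMPLES: Dict[str, Dict[str, Any]] = {
    "DEMO62 missing Classification": {
        "type": RESOURCE_GROUP_TYPE, "name": "DEMO62",
        "tags": {"ApplicationName": "payroll", "ManagedBy": "platform-team"}},
    "DEMO62 fully tagged": {
        "type": RESOURCE_GROUP_TYPE, "name": "DEMO62",
        "tags": {"ApplicationName": "payroll", "ManagedBy": "platform-team",
                 "Classification": "internal"}},
    "DEMO mixed-case tag keys": {
        "type": RESOURCE_GROUP_TYPE, "name": "DEMO-api",
        "tags": {"applicationname": "api", "managedby": "team", "classification": "public"}},
    "demo-lower no tags": {"type": RESOURCE_GROUP_TYPE, "name": "demo-test", "tags": {}},
    "PROD-01 no tags": {"type": RESOURCE_GROUP_TYPE, "name": "PROD-01"},
    "storage account named DEMO": {
        "type": "Microsoft.Storage/storageAccounts", "name": "DEMOstore", "tags": {}},
}


def summary() -> Dict[str, bool]:
    """Map each sample name to whether the rule denies it."""
    return {name: is_denied(rg) for name, rg in SAMPLES.items()}


if __name__ == "__main__":
    for name, denied in summary().items():
        print(f"{'DENY ' if denied else 'allow'}  {name}")
```

The `POLICY_RULE` dict can be dropped into a definition's `policyRule` as-is; the surrounding `mode` and `parameters` keys are the same as in the answer. The last two samples show the scoping that the `type` and `like` conditions provide: a PROD group with no tags and a storage account named DEMO are both outside the rule.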