I want to deny changes on resources with the tag "source":"terraform" in the Azure UI, because these resources will be managed with Terraform and should not be changed in the UI.
Question: Is a policy the right way to do that?
Question: Why is my current policy not working?
{
  "mode": "All",
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "field": "tags['source']",
          "exists": "true"
        },
        {
          "field": "tags['source']",
          "equals": "terraform"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
I added this policy to my subscription "test-subscription-123", and after that I changed a resource with the tag "source":"terraform" in that subscription in the Azure UI and it was still possible. But I want my policy to deny that.
Thanks in advance!
azure policy deny changes on resources with source:terraform tag
Here is the updated policy to deny changes on resources if the tag matches "source":"terraform"; it will deny all changes on the resource.
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "tags['source']",
          "exists": "true"
        },
        {
          "field": "tags['source']",
          "equals": "terraform"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
The policy is preventing changes when attempting to modify the VM size.
Output:
The policy denies the creation of an address space in the virtual network when attempting to create one.
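The difference between the question's `anyOf` and the answer's `allOf`, as an added example that is not part of the original posts: a small Python evaluator for only the conditions used on this page, run over constructed resources. The function names and sample resources are assumptions, and it models just the `if` block, not Azure's own evaluation engine.

```python
# Added example: minimal evaluator for the Azure Policy conditions used on
# this page (allOf, anyOf, and exists/equals on a tags['name'] field).
import re

def field_value(resource, field):
    # Only the tags['name'] field form from the page is supported here.
    m = re.fullmatch(r"tags\['(.+)'\]", field)
    if not m:
        raise ValueError(f"unsupported field: {field}")
    return resource.get("tags", {}).get(m.group(1))

def matches(cond, resource):
    if "allOf" in cond:   # every nested condition must hold
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:   # one nested condition is enough
        return any(matches(c, resource) for c in cond["anyOf"])
    value = field_value(resource, cond["field"])
    if "exists" in cond:
        want = str(cond["exists"]).lower() == "true"  # page uses the string "true"
        return (value is not None) == want
    if "equals" in cond:
        # Azure Policy compares strings with "equals" case-insensitively.
        return value is not None and value.lower() == str(cond["equals"]).lower()
    raise ValueError(f"unsupported condition: {cond}")

CONDITIONS = [
    {"field": "tags['source']", "exists": "true"},
    {"field": "tags['source']", "equals": "terraform"},
]
QUESTION_IF = {"anyOf": CONDITIONS}  # rule from the question
ANSWER_IF = {"allOf": CONDITIONS}    # rule from the answer

# Constructed sample resources (hypothetical names).
SAMPLES = {
    "vm-terraform": {"tags": {"source": "terraform"}},
    "vm-manual": {"tags": {"source": "manual"}},
    "vm-untagged": {"tags": {}},
}

def denied(if_block):
    # Names of the sample resources the rule would match (and so deny).
    return sorted(n for n, r in SAMPLES.items() if matches(if_block, r))

if __name__ == "__main__":
    print("anyOf denies:", denied(QUESTION_IF))
    print("allOf denies:", denied(ANSWER_IF))
```

Both rules match a resource tagged "source":"terraform"; the `anyOf` form additionally matches any resource that carries a `source` tag with another value.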