
I'm tasked with applying an Azure Policy that adds or replaces tags and their values on some resource groups. One of the tags, environment, is supposed to have a value equal to a part of the name of the resource group: if the resource group is called myResourceGroup-prod the environment tag needs to be "prod" or if the resource group is called deploy-dev-us the tag value needs to be "dev".

I've been able to develop the policy to the point where (I think) all the scopes are set correctly, as well as the parameter definition. Where I'm failing is the remediation task: Azure seems unable to remediate the environment tag because the parameter holds multiple values (it's an array). Here is what I have:

    "parameters": {
        "Application_Owner": {
            "type": "String",
            "metadata": {
                "displayName": "Application Owner Tag",
                "description": "Application Owner Tag"
            },
            "defaultValue": "somemail@somecompany.com"
        },
        "Security Profile": {
            "type": "String",
            "metadata": {
                "displayName": "Security Profile",
                "description": "Security Profile"
            },
            "defaultValue": "Super Secure"
        },
        "Some ID": {
            "type": "String",
            "metadata": {
                "displayName": "Some ID",
                "description": "Some ID description"
            },
            "defaultValue": "randomID"
        },
        "Service Owner": {
            "type": "String",
            "metadata": {
                "displayName": "Service Owner",
                "description": "Service Owner"
            },
            "defaultValue": "somemail@somecompany.com"
        },
        "Project": {
            "type": "String",
            "metadata": {
                "displayName": "Project",
                "description": "Project name"
            },
            "defaultValue": "Project"
        },
        "Security OWNER": {
            "type": "String",
            "metadata": {
                "displayName": "Security OWNER",
                "description": "Security OWNER"
            },
            "defaultValue": "yetanotheremail@company.com"
        },
        "ENVIRONMENT": {
            "type": "Array",
            "metadata": {
                "displayName": "ENVIRONMENT",
                "description": "Development ENVIRONMENT: A, B, C, D, E or F"
            },
            "defaultValue": [
                "A",
                "B",
                "C",
                "D",
                "E",
                "F"
            ]
        }
    },
    "policyRule": {
        "if": {
            "anyOf": [
                {
                    "allOf": [
                        {
                            "anyOf": [
                                {
                                    "field": "tags['Security Profile']",
                                    "notEquals": "[parameters('Security Profile')]"
                                },
                                {
                                    "field": "tags['Application_Owner']",
                                    "notEquals": "[parameters('Application_Owner')]"
                                },
                                {
                                    "field": "tags['Some ID]",
                                    "notEquals": "[parameters('Some ID')]"
                                },
                                {
                                    "field": "tags['Service Owner']",
                                    "notEquals": "[parameters('Service Owner')]"
                                },
                                {
                                    "field": "tags['Service Owner']",
                                    "notEquals": "[parameters('Service Owner')]"
                                },
                                {
                                    "field": "tags['Security OWNER']",
                                    "notEquals": "[parameters('Security OWNER')]"
                                },
                                {
                                    "field": "tags['ENVIRONMENT']",
                                    "notIn": "[parameters('ENVIRONMENT')]"
                                }
                            ]
                        },
                        {
                            "field": "type",
                            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
                        },
                        {
                            "field": "name",
                            "Like": "resourceGroupType-*"
                        }
                    ]
                },
                {
                    "allOf": [
                        {
                            "field": "type",
                            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
                        },
                        {
                            "field": "name",
                            "Like": "resourceGroupType2-*"
                        },
                        {
                            "anyOf": [
                                {
                                    "field": "tags['Security Profile']",
                                    "notEquals": "[parameters('Security Profile')]"
                                },
                                {
                                    "field": "tags['Application_Owner']",
                                    "notEquals": "[parameters('Application_Owner')]"
                                },
                                {
                                    "field": "tags['Some ID]",
                                    "notEquals": "[parameters('Some ID')]"
                                },
                                {
                                    "field": "tags['Service Owner']",
                                    "notEquals": "[parameters('Service Owner')]"
                                },
                                {
                                    "field": "tags['Service Owner']",
                                    "notEquals": "[parameters('Service Owner')]"
                                },
                                {
                                    "field": "tags['Security OWNER']",
                                    "notEquals": "[parameters('Security OWNER')]"
                                },
                                {
                                    "field": "tags['ENVIRONMENT']",
                                    "notIn": "[parameters('ENVIRONMENT')]"
                                }
                            ]
                        }
                    ]
                }
            ]
        },
        "then": {
            "effect": "modify",
            "details": {
                "roleDefinitionIds": [
                    "/providers/microsoft.authorization/roleDefinitions/someroledefinitionID"
                ],
                "operations": [
                    {
                        "operation": "addOrReplace",
                        "field": "tags['Security Profile ']",
                        "value": "[parameters('Security Profile')]"
                    },
                    {
                        "operation": "addOrReplace",
                        "field": "tags['Application_Owner']",
                        "value": "[parameters('Application_Owner')]"
                    },
                    {
                        "operation": "addOrReplace",
                        "field": "tags['Some ID']",
                        "value": "[parameters('Some ID')]"
                    },
                    {
                        "operation": "addOrReplace",
                        "field": "tags['Service Owner']",
                        "value": "[parameters('Service Owner')]"
                    },
                    {
                        "operation": "addOrReplace",
                        "field": "tags['Project']",
                        "value": "[parameters('Project')]"
                    },
                    {
                        "operation": "addOrReplace",
                        "field": "tags['Security OWNER']",
                        "value": "[parameters('Security OWNER')]"
                    },
                    {
                        "operation": "addOrReplace",
                        "field": "tags['ENVIRONMENT']",
                        "value": "[parameters('ENVIRONMENT')]"
                    }
                ]
            }
        }
    }
}

This policy checks tag compliance only on the desired resource groups (a similar policy successfully denies creation of groups without those tags). What I now need is to extend this code so that it modifies the non-compliant tags with the desired environment value, depending on the resource group name. Any help would be greatly appreciated.

Thank you in advance.

  • I found a not-so-elegant workaround for this: the policy that runs the remediation task does not check for environment, but a second policy that denies resource group creation requires an environment tag. With this setup we only need to specify an environment tag and the rest of the tags are filled in automatically. Not exactly what I wanted, but it works. – Rodrigo Almeida Mar 22 '22 at 12:10
