azure arm policy to deny resource group without tags

瘦欲@ submitted on 2019-12-11 16:58:05

Question


I want to write an Azure ARM Policy to deny the creation of Resource Groups if they don't have Tags. This is my current policy rule:

{
  "$schema": "http://schema.management.azure.com/schemas/2015-10-01-preview/policyDefinition.json",
  "if": {
    "allOf": [
      {
        "field": "tags",
        "exists": false
      },
      {
        "field": "type",
        "like": "resourceGroup*"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
} 

This doesn't prevent the creation of RGs without tags.

If I change the policy rule to:

{
  "$schema": "http://schema.management.azure.com/schemas/2015-10-01-preview/policyDefinition.json",
  "if": {
        "field": "tags",
        "exists": false
      },
  "then": {
    "effect": "deny"
  }
} 

Then ALL resources (including RGs) are denied if they don't have tags.

So I conclude it's part of the "field type is like resourcegroup*" condition, but I cannot find the correct syntax to make it work the way I want.

Is this possible, and what is the correct syntax?

(The reason I don't care if other resource types are created without tags is that we have an Azure Automation runbook that grabs the tags for an RG and then applies those to the child resources - which is also why I want to make sure people create the parent RG with tags in the first place).


Answer 1:


Give this policy definition a try:

    "if": {
      "allOf": [
        {
          "field": "tags",
          "exists": "false"
        },
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }

Note: I had to wait a few minutes for it to work consistently.
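As an added example (not part of the question or the answer above), the following Python script is a simplified model of Azure Policy condition evaluation, enough to show why the asker's `like: resourceGroup*` condition never matches a resource group (the full type is `Microsoft.Resources/subscriptions/resourceGroups`, and `like` matches the whole value against a single-wildcard pattern) while the answer's `equals` condition does. The sample resources are constructed, and the evaluator only supports the `allOf`, `exists`, `equals` and `like` operators used on this page.

```python
import fnmatch

# Constructed sample resources (not from the page). The full ARM type of a
# resource group is Microsoft.Resources/subscriptions/resourceGroups.
RESOURCES = [
    {"name": "rg-untagged", "type": "Microsoft.Resources/subscriptions/resourceGroups"},
    {"name": "rg-tagged", "type": "Microsoft.Resources/subscriptions/resourceGroups",
     "tags": {"owner": "team-a"}},
    {"name": "vm-untagged", "type": "Microsoft.Compute/virtualMachines"},
]

def condition_matches(cond, resource):
    """Simplified model of one Azure Policy condition on a top-level field."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    value = resource.get(cond["field"])
    if "exists" in cond:
        # Azure Policy accepts the boolean or the string "true"/"false".
        want = str(cond["exists"]).lower() == "true"
        return (value is not None) == want
    if "equals" in cond:
        return str(value).lower() == str(cond["equals"]).lower()
    if "like" in cond:
        # `like` is a case-insensitive match of the WHOLE value against a
        # pattern with one `*` wildcard; it is not a substring search.
        return fnmatch.fnmatchcase(str(value).lower(), cond["like"].lower())
    raise ValueError(f"unsupported condition: {cond}")

def denied_names(rule, resources):
    """Return the names of resources the rule's deny effect would block."""
    if rule["then"]["effect"].lower() != "deny":
        return []
    return [r["name"] for r in resources if condition_matches(rule["if"], r)]

ORIGINAL_RULE = {  # the asker's first rule: never matches a resource group
    "if": {"allOf": [{"field": "tags", "exists": False},
                     {"field": "type", "like": "resourceGroup*"}]},
    "then": {"effect": "deny"},
}
FIXED_RULE = {  # the answer's rule: denies only untagged resource groups
    "if": {"allOf": [{"field": "tags", "exists": "false"},
                     {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"}]},
    "then": {"effect": "deny"},
}

if __name__ == "__main__":
    print("original rule denies:", denied_names(ORIGINAL_RULE, RESOURCES))  # []
    print("fixed rule denies:", denied_names(FIXED_RULE, RESOURCES))        # ['rg-untagged']
```

Because `like` must match the entire type string, a wildcard pattern that would match resource groups has to cover the full prefix, e.g. `Microsoft.Resources/*`; the plain `equals` from the answer is the more precise choice.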



Source: https://stackoverflow.com/questions/48216764/azure-arm-policy-to-deny-resource-group-without-tags
