Can anyone help me with creating a policy definition to inherit multiple or all tags from a subscription? I see the built-in policy that allows for a single tag to be inherited but I'm not sure how to modify that policy definition to include multiple tags.
Here is what the built-in definition looks like:
{
"mode": "Indexed",
"policyRule": {
"if": {
"allOf": [
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
},
{
"value": "[subscription().tags[parameters('tagName')]]",
"notEquals": ""
}
]
},
"then": {
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"operations": [
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName'), ']')]",
"value": "[subscription().tags[parameters('tagName')]]"
}
]
}
}
},
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
}
}
}
CodePudding user response:
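There is no easy way to inherit multiple tags with a single policy; you need to add them one by one, as below. Note that this version drops the built-in definition's check that the subscription tag value is not empty (`"notEquals": ""`). The role listed in `roleDefinitionIds` is granted to the assignment's managed identity for remediation, so prefer the narrowest role that can write tags; Tag Contributor may be sufficient instead of Contributor, but verify this in your environment.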
"policyRule": {
"if": {
"anyOf": [
{
"exists": "false",
"field": "tags['tag1']"
},
{
"exists": "false",
"field": "tags['tag2']"
},
{
"exists": "false",
"field": "tags['tag3']"
}
]
},
"then": {
"details": {
"operations": [
{
"field": "tags['tag1']",
"operation": "add",
"value": "[subscription().tags['tag1']]"
},
{
"field": "tags['tag2']",
"operation": "add",
"value": "[subscription().tags['tag2']]"
},
{
"field": "tags['tag3']",
"operation": "add",
"value": "[subscription().tags['tag3']]"
}
],
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/*****"
]
},
"effect": "modify"
}
}
CodePudding user response:
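I've figured it out. See the code below. Note that it copies the tag values from the parent resource group (`resourceGroup().tags[...]`), not from the subscription; to inherit from the subscription, use `subscription().tags[...]` as in the built-in definition above.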
"properties": {
"displayName": "Add multiple tags to resource if missing",
"policyType": "Custom",
"mode": "Indexed",
"description": "Adds multiple tags, each with its value from the parent resource group, when any resource missing one of these tags is created or updated. Existing resources can be remediated by triggering a remediation task. If a tag exists with a different value it will not be changed.",
"parameters": {
"tagName1": {
"type": "String",
"metadata": {
"displayName": "First Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName2": {
"type": "String",
"metadata": {
"displayName": "Second Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName3": {
"type": "String",
"metadata": {
"displayName": "Third Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName4": {
"type": "String",
"metadata": {
"displayName": "Fourth Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName5": {
"type": "String",
"metadata": {
"displayName": "Fifth Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName6": {
"type": "String",
"metadata": {
"displayName": "Sixth Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName7": {
"type": "String",
"metadata": {
"displayName": "Seventh Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName8": {
"type": "String",
"metadata": {
"displayName": "Eighth Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagName9": {
"type": "String",
"metadata": {
"displayName": "Ninth Tag Name",
"description": "Name of the tag, such as 'environment'"
}
}
},
"policyRule": {
"if": {
"anyOf": [
{
"field": "[concat('tags[', parameters('tagName1'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName2'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName3'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName4'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName5'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName6'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName7'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName8'), ']')]",
"exists": "false"
},
{
"field": "[concat('tags[', parameters('tagName9'), ']')]",
"exists": "false"
}
]
},
"then": {
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"operations": [
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName1'), ']')]",
"value": "[resourceGroup().tags[parameters('tagName1')]]"
},
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName2'), ']')]",
"value": "[resourceGroup().tags[parameters('tagName2')]]"
},
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName3'), ']')]",
"value": "[resourceGroup().tags[parameters('tagName3')]]"
},
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName4'), ']')]",
"value": "[resourceGroup().tags[parameters('tagName4')]]"
},
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName5'), ']')]",
"value": "[resourceGroup().tags[parameters('tagName5')]]"
},
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName6'), ']')]",
"value": "[resourceGroup().tags[parameters('tagName6')]]"
},
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName7'), ']')]",
"value": "[resourceGroup().tags[parameters('tagName7')]]"
},
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName8'), ']')]",
"value": "[resourceGroup().tags[parameters('tagName8')]]"
},
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName9'), ']')]",
"value": "[resourceGroup().tags[parameters('tagName9')]]"
}
]
}
}
}
}
}