1
votes

I've applied Azure policy which forces the user to assign a tag while creating a Resource Group.

When I create a new VM and fill in all the fields, I create a new Resource Group in the same wizard and then click the Review + Create button. This time the Azure Policy is triggered properly and blocks me, as the newly created RG is not created with a tag.

But when I go to resource group policy and click Add to create a new RG, and that time I don't fill in Tags, the policy doesn't get triggered either. I'm a little surprised why the policy works the first time but not the second time.

{
  "if": {
    "allOf": [
      {
        "field": "tags",
        "exists": "false"
      },
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
2
Last time I checked, policies didn't work on the RG level at all? - 4c74356b41
On my side, the policy sometimes works, sometimes doesn't, so strange. - Joy Wang-MSFT
@joy when you go to the resource group blade and create a new RG, does it sometimes block you because of the policy? Because in my case, when I go to the RG blade and create an RG without a tag, it is successfully created. When I create a new VM with a new RG, the policy blocks the VM deployment as the new RG is without a tag. - aquib.qureshi
In the RG blade, specify the RG name, then don't click Next: Tags, just click Review + Create; the policy works. If I click Next: Tags first, then click Review + Create, the policy will not work. - Joy Wang-MSFT
I have also tried a built-in policy, Enforce tag and its value on resource groups; it also sometimes works, sometimes doesn't. It seems like a bug. - Joy Wang-MSFT

2 Answers

2
votes

The discrepancy you are experiencing is caused by differences in the JSON representation of the resource group.

Depending on what you click in the portal, the resource group JSON may not have a tags property, e.g.:

{
    "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/foo",
    "name": "foo",
    "location": "eastus",
    "properties": {
        "provisioningState": "Succeeded"
    }
}

Other times it may be created with an empty tags property, e.g.:

{
    "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/foo",
    "name": "foo",
    "location": "eastus",
    "properties": {
        "provisioningState": "Succeeded"
    },
    "tags": {}
}

The "exists": "false" condition in your policy rule will only trigger if the "tags" property is either missing or null, so a resource group with "tags": {} will bypass your policy even though it doesn't have any tags.
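
To make the bypass concrete, here is an added example (not code from the question, the answer or Azure) that evaluates the question's rule against the two resource-group shapes above with a tiny evaluator supporting only allOf, equals and exists. It also evaluates an assumed alternative rule that checks a specific tag key through the tags['environment'] alias; the sample payloads, the "type" property and the tag name environment are constructed for the demo.

```python
"""Minimal evaluator for the 'if' block of an Azure Policy rule (allOf / equals / exists only)."""

# Constructed sample payloads mirroring the two shapes shown in the answer.
RG_WITHOUT_TAGS = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/foo",
    "name": "foo",
    "location": "eastus",
    "type": "Microsoft.Resources/subscriptions/resourceGroups",  # added so 'field: type' resolves
    "properties": {"provisioningState": "Succeeded"},
}
RG_EMPTY_TAGS = dict(RG_WITHOUT_TAGS, tags={})                    # the bypassing shape
RG_TAGGED = dict(RG_WITHOUT_TAGS, tags={"environment": "dev"})    # a properly tagged RG

POLICY_FROM_QUESTION = {
    "if": {"allOf": [
        {"field": "tags", "exists": "false"},
        {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
    ]},
    "then": {"effect": "deny"},
}
# Assumed alternative: require one named tag via the tags['<name>'] alias.
POLICY_NAMED_TAG = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
        {"field": "tags['environment']", "exists": "false"},
    ]},
    "then": {"effect": "deny"},
}

def resolve_field(resource, field):
    """Resolve a field alias: 'tags' -> resource['tags']; "tags['k']" -> resource['tags']['k']."""
    if field.startswith("tags['") and field.endswith("']"):
        return (resource.get("tags") or {}).get(field[6:-2])
    return resource.get(field)

def evaluate(condition, resource):
    """Return True when the condition matches the resource (string compare is exact here)."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    value = resolve_field(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "exists" in condition:
        # 'exists: false' matches only when the property is missing or null;
        # an empty object {} still exists, which is exactly the bypass the answer describes.
        return (value is not None) == (condition["exists"].lower() == "true")
    raise ValueError(f"unsupported condition: {condition}")

def effect(policy, resource):
    """Return the policy's effect when its 'if' block matches, otherwise 'allow'."""
    return policy["then"]["effect"] if evaluate(policy["if"], resource) else "allow"

if __name__ == "__main__":
    for label, rg in [("no tags", RG_WITHOUT_TAGS), ("tags {}", RG_EMPTY_TAGS), ("tagged", RG_TAGGED)]:
        print(f"{label:8} question rule: {effect(POLICY_FROM_QUESTION, rg):5} named-tag rule: {effect(POLICY_NAMED_TAG, rg)}")
```

The question's rule denies the first payload but allows the `"tags": {}` one, while the named-tag rule denies both untagged shapes and allows only the RG that carries the tag.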

0
votes

It seems I figured it out: it is not related to Azure Policy, and your policy should work fine; it may be a bug in the blade for creating the resource group in the portal.

I tried to create a resource group via PowerShell several times, and the policy works fine.


My test policy: (screenshot)

If it is necessary, you could open an issue on GitHub.