We recently created an Azure policy that enforces a certain set of Tags to be present on all resources. This policy blocks deployments that don't contain the required tags in the deployment. However, certain taggable resources, such as Vnets, don't have an option to add Tags during deployment unless you use an ARM template. It looks like Terraform also attempts to deploy the Vnet as a separate step before adding tags, which causes Terraform-deployed Vnets to fail even if the proper tags are provided. With Terraform, if a ARM template is provided, it will bypass this issue.
How can I get Terraform deploy resources such as Vnets without using an ARM template and without having to ditch the azure policy? Ideally, I'd like to be able to exclude Terraform-initiated resource deployments from the Azure Policy, but I can't find a way to differentiate Terraform deployments from normal Azure Web Portal deployments in Azure policy.
Some other Ideas:
- Use Terraform to create a temporary Tag on the Resource Group Specifying 'Exempt these resources'. Remove this tag once the Terraform script is done. Reference this tag in the Azure Policy and make deployments exempt if the Tag exists. This solution is OK but I'd prefer a more elegant one
- Use Terraform to add the Resource Group as an exemption to the Policy while executing, then revert after
- Update the policy to not require Tags on resources that do not support Tagging on initial deployment without ARM templates
Is there a more elegant solution other than the options mentioned above?