0 votes

I am looking to configure a policy to audit resource groups that contain resources, checking whether they have a particular tag or not. If the resource group does not have any resources, then there is no need to audit it. My requirement is only to perform the tag audit if the resource group contains resources. Is this a possible scenario for creating a policy?


3 Answers

0 votes

For some reason, I am unable to see the comments section, so I selected "Answer your question" and am posting this comment: the issue is not yet resolved. I need to audit only the resource groups which have resources, not the empty resource groups.

0 votes

Assuming it is fair to say that your requirement is to audit the resources and not the resource groups, you can achieve this by using the built-in policy definition "Require a tag on resources" and setting its effect to "audit" instead of "deny".

EDIT:

Considering your clarification, you can perform the reverse check - meaning a check on resources, inspecting their resource groups:

    {
        "mode": "Indexed",
        "parameters": {
            "tagName": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Name",
                    "description": "Name of the tag, such as 'environment'"
                }
            }
        },
        "policyRule": {
            "if": {
                "allOf": [
                    {
                        "field": "type",
                        "notEquals": "Microsoft.Resources/subscriptions/resourceGroups"
                    },
                    {
                        "not": {
                            "value": "[resourceGroup().tags[parameters('tagName')]]",
                            "notEquals": ""
                        }
                    }
                ]
            },
            "then": {
                "effect": "audit"
            }
        }
    }

Here we are checking that we are not looking at a resource group directly. Then, we check if the parent resource group does not have the specified tag (notExists).

/MMT
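Added example, not part of the answer above: a local simulation of the "reverse check" policy, written to show why evaluating resources rather than resource groups gives exactly what the question asks for. Azure Policy evaluates each resource against the rule, so a resource group with no resources never produces a finding; rolling the per-resource results up by resource group leaves only groups that both contain resources and lack the tag. The inventory, the resource names and the `environment` tag are constructed sample data, and the lookup of a missing tag as an empty string is an assumption that mirrors how the built-in "Inherit a tag from the resource group" policies compare `[resourceGroup().tags[parameters('tagName')]]` against `""`.

```python
# Added example (not code from the original answer): simulate the reverse-check
# policy locally and roll per-resource results up to their resource groups.
from dataclasses import dataclass, field
from typing import Dict, List

RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"


@dataclass
class ResourceGroup:
    name: str
    tags: Dict[str, str] = field(default_factory=dict)


@dataclass
class Resource:
    name: str
    type: str
    resource_group: str


def rg_tag_value(rg: ResourceGroup, tag_name: str) -> str:
    """Stand-in for [resourceGroup().tags[parameters('tagName')]].

    Assumption: a missing tag reads as "", matching the comparison against ""
    used by the built-in 'Inherit a tag from the resource group' policies.
    """
    return rg.tags.get(tag_name, "")


def policy_rule_matches(resource: Resource, rg: ResourceGroup, tag_name: str) -> bool:
    """Mirror of the policyRule 'if' block: allOf[type != RG, not(tag != "")]."""
    if resource.type == RG_TYPE:
        return False  # type guard: never evaluate the resource group itself
    return not (rg_tag_value(rg, tag_name) != "")


def evaluate(rgs: List[ResourceGroup], resources: List[Resource],
             tag_name: str) -> Dict[str, List[str]]:
    """Evaluate every resource, then group non-compliant ones by resource group.

    Empty resource groups cannot appear in the result: nothing is evaluated
    for them, which is the behaviour the question asks for.
    """
    rg_by_name = {rg.name: rg for rg in rgs}
    findings: Dict[str, List[str]] = {}
    for res in resources:
        rg = rg_by_name[res.resource_group]
        if policy_rule_matches(res, rg, tag_name):
            findings.setdefault(rg.name, []).append(res.name)
    return findings


def noncompliant_resource_groups(rgs: List[ResourceGroup], resources: List[Resource],
                                 tag_name: str) -> List[str]:
    """Resource groups that contain resources and lack the tag, sorted by name."""
    return sorted(evaluate(rgs, resources, tag_name))


# Constructed sample inventory (hypothetical names, not real Azure data).
SAMPLE_RGS = [
    ResourceGroup("rg-empty-untagged"),                       # no resources: never audited
    ResourceGroup("rg-app-untagged"),                         # resources, no tag: audited
    ResourceGroup("rg-app-tagged", {"environment": "prod"}),  # resources, tagged: compliant
    ResourceGroup("rg-empty-tagged", {"environment": "dev"}), # no resources: never audited
]
SAMPLE_RESOURCES = [
    Resource("vm-web-1", "Microsoft.Compute/virtualMachines", "rg-app-untagged"),
    Resource("vnet-web", "Microsoft.Network/virtualNetworks", "rg-app-untagged"),
    Resource("st-logs", "Microsoft.Storage/storageAccounts", "rg-app-tagged"),
    # What a mode "All" assignment would feed the rule for the group itself;
    # the type guard in policy_rule_matches drops it.
    Resource("rg-app-untagged", RG_TYPE, "rg-app-untagged"),
]

if __name__ == "__main__":
    for rg_name, bad in evaluate(SAMPLE_RGS, SAMPLE_RESOURCES, "environment").items():
        print(f"{rg_name}: {len(bad)} resource(s) whose group lacks 'environment': {bad}")
```

Against a real assignment, the same roll-up can be applied to the per-resource compliance records (for example the output of `az policy state list`), grouping non-compliant records by resource group; a resource group that shows up there necessarily contains at least one resource.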

0 votes

I think the understanding is wrong. The policy which you posted will review all the resource groups. But my requirement is just to audit the resource group only if it has resources. I don't want to audit the empty resource groups (the ones which don't have any resources in them). Hope that clears up my requirement.