
Azure Custom Tag Policy, Exclude resource type

I wrote an Azure custom policy that discovers objects on my subscription that are not compliant, i.e. missing custom tags.

I get too many errors from this policy because it also discovers the OMS agent, extensions, etc.

Here is the JSON:

```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "field": "tags['TAG1']",
          "exists": false
        },
        {
          "field": "tags['TAG2']",
          "exists": false
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  },
  "parameters": {}
}
```

It searches all resources and audits them if they do not have those tags.

Is it possible to specify exclusions for specific resource types? For example Microsoft.Compute/virtualMachines/extensions etc...

Thanks

This way you can list, with the "notEquals" operator, all the resource types for which you do not want to check for tags.

```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "notEquals": "Microsoft.Security/assessments"
      },
      {
        "field": "type",
        "notEquals": "Microsoft.Compute/VirtualMachines"
      },
      {
        "anyOf": [
          {
            "field": "tags['TAG1']",
            "exists": false
          },
          {
            "field": "tags['TAG2']",
            "exists": false
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "audit"
  }
}
```

Thanks, it works. I'm trying to add other exclusions for type as below, but I get an error:

```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "not": {
            "field": "type",
            "equals": "Microsoft.Security/assessments"
          },
          {
            "field": "type",
            "equals": "Microsoft.Compute/VirtualMachines"
          }
        },
        {
          "anyOf": [
            {
              "field": "tags['TAG1']",
              "exists": false
            },
            {
              "field": "tags['TAG2']",
              "exists": false
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  },
  "parameters": {}
}
```

Is it possible to exclude more objects in the same policy?
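A way to check how a rule behaves before deploying it, as an added example that is not part of this thread: a small Python evaluator for the subset of the Azure Policy condition language used here (allOf, anyOf, not, and field conditions with equals, notEquals, in, notIn and exists). The rule it evaluates is constructed for the example and shows the single-condition form that `not` requires, wrapping one `in` condition (a real Azure Policy operator) that lists every excluded type at once; the sample resources are constructed as well, and comparisons on `type` are done case-insensitively, as Azure Policy does.

```python
import json

# Constructed rule (not from the thread): all excluded types sit in ONE
# "in" condition under a single "not", so "not" holds exactly one condition.
EXCLUSION_RULE = {
    "if": {
        "allOf": [
            {
                "not": {
                    "field": "type",
                    "in": [
                        "Microsoft.Security/assessments",
                        "Microsoft.Compute/virtualMachines/extensions",
                    ],
                }
            },
            {
                "anyOf": [
                    {"field": "tags['TAG1']", "exists": False},
                    {"field": "tags['TAG2']", "exists": False},
                ]
            },
        ]
    },
    "then": {"effect": "audit"},
}

# Constructed sample resources (not real ARM resources).
RESOURCES = [
    {"name": "vm1/OmsAgent", "type": "Microsoft.Compute/virtualMachines/extensions", "tags": {}},
    {"name": "stor1", "type": "Microsoft.Storage/storageAccounts", "tags": {"TAG1": "x"}},
    {"name": "stor2", "type": "Microsoft.Storage/storageAccounts", "tags": {"TAG1": "x", "TAG2": "y"}},
    {"name": "assess1", "type": "microsoft.security/assessments", "tags": {}},
]

# Constructed, deliberately malformed fragment in the shape of the failing
# attempt above: a second object placed inside the "not" object's braces.
BROKEN_SNIPPET = (
    '{"not": {"field": "type", "equals": "A", {"field": "type", "equals": "B"}}}'
)


def resolve_field(resource, field):
    """Return (exists, value) for 'type', 'name', 'location' or tags['KEY']."""
    if field.startswith("tags['") and field.endswith("']"):
        key = field[len("tags['"):-2]
        # Azure tag names are case-insensitive, so match keys that way.
        for k, v in (resource.get("tags") or {}).items():
            if k.lower() == key.lower():
                return True, v
        return False, None
    if field in resource:
        return True, resource[field]
    return False, None


def evaluate(condition, resource):
    """Evaluate one condition (logical or field) against a resource."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)

    exists, value = resolve_field(resource, condition["field"])
    if "exists" in condition:
        # Azure accepts both the boolean and the string "true"/"false".
        return exists == (str(condition["exists"]).lower() == "true")
    norm = str(value).lower() if exists else None
    if "equals" in condition:
        return norm == condition["equals"].lower()
    if "notEquals" in condition:
        return norm != condition["notEquals"].lower()
    if "in" in condition:
        return norm in [v.lower() for v in condition["in"]]
    if "notIn" in condition:
        return norm not in [v.lower() for v in condition["notIn"]]
    raise ValueError(f"unsupported condition: {condition}")


def non_compliant(rule, resources):
    """Names of resources the 'if' block matches, i.e. the ones that get audited."""
    return [r["name"] for r in resources if evaluate(rule["if"], r)]


def is_valid_json(text):
    """True when the text parses as JSON; the failing attempt does not."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


if __name__ == "__main__":
    print("broken snippet parses:", is_valid_json(BROKEN_SNIPPET))
    print("audited:", non_compliant(EXCLUSION_RULE, RESOURCES))
```

With the constructed resources, only stor1 (a storage account missing TAG2) is reported; the extension and the assessment are skipped regardless of their tags, and the malformed fragment fails to parse, which matches the error seen when the nested "not" block was attempted.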

Using "mode": "indexed" instead of "mode": "All" will only match resources that support location and tags.

Source: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#resource-manager-modes
