
How to check if any required tags are blank Azure Policy

I am trying to create an Azure policy that audits VMs. The conditions I want to satisfy are that the VM has all of the tags specified by the parameter and that all of those corresponding tags contain a value. I have the first condition working with the policy below. However, determining whether they are blank or not is a bit more challenging, as it looks like you cannot use current() in the field key.

{
  "parameters": {
    "requiredTags": {
      "type": "Array",
      "metadata": {
        "displayName": "Required Tags",
        "description": "The list of tags that should exist on the virtual machine"
      }
    }
  },
  "policyRule": {
    "if": {
      "allof": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/VirtualMachines"
        },
        {
          "count": {
            "value": "[parameters('requiredTags')]",
            "where": {
              "field": "tags",
              "containsKey": "[current()]"
            }
          },
          "notEquals": "[length(parameters('requiredTags'))]"
        },
        {
          "count": {
            "value": "[parameters('requiredTags')]",
            "where": {
              "field": "[concat('tags[', current(), ']')]",
              "notEquals": ""
            }
          },
          "notEquals": "[length(parameters('requiredTags'))]"
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  }
}

This was very tricky, to say the least, and it seems like no such policy exists out there. Nevertheless, I believe that the 2 options below will do the trick - at least it did so when I tested it.

Option 1:

  {
    "not": {
      "value": "[contains(string(field('tags')), '\"\"')]",
      "equals": true
    }
  }

Option 2:

  {
    "value": "[indexOf(string(field('tags')), '\"\"')]",
    "greaterOrEquals": 0
  }

Description:
Option 1:
Use contains to check whether an object contains a key or a string contains a substring.
The container contains nested parameters.
string converts the specified value to a string. In this case, the specified value is the field = tags, which are objects, not an array. Example of 2 tags, "tagnumber1" with the value "value1" and "tagnumber2" with an empty value:
"{\"tagnumber1\":\"value1\",\"tagnumber2\":\"\"}"
Note that the empty value is \"\" - this is our itemToFind.

Option 2:
Use the indexOf to return the first position of a value within a string.
The stringToSearch contains nested parameters.
The stringToFind is empty.
string converts the specified value to a string. In this case, the specified value is the field = tags, which are objects, not an array.
Example of 2 tags, "tagnumber1" with the value "value1" and "tagnumber2" with an empty value:
"{\"tagnumber1\":\"value1\",\"tagnumber2\":\"\"}"
Note that the empty value is \"\".
Therefore, we must search for that \"\" as this represents the empty value in the object. The index is zero-based. If the item is not found, -1 is returned. An integer represents the first index of the item, so by looking at "greaterOrEquals": 0 it will only return if the item is found - meaning a tag value is empty.
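
How the string search from Option 2 behaves on a few tag sets, as an added Python model that is not part of the original answer and is not Azure's implementation. It assumes string(field('tags')) yields the compact JSON form shown in the answer's example; the tag names and values below are constructed.

```python
import json

REQUIRED = ["owner", "costcenter"]  # constructed stand-in for requiredTags

def serialized(tags):
    # Assumption: compact JSON, matching the example string in the answer.
    return json.dumps(tags, separators=(",", ":"))

def option2_flags(tags):
    # Model of Option 2: indexOf(string(field('tags')), '""') >= 0
    return serialized(tags).find('""') >= 0

def missing_required(tags, required=REQUIRED):
    # Model of the question's count/containsKey condition.
    return [name for name in required if name not in tags]

def blank_required(tags, required=REQUIRED):
    # Exact per-tag check the string search is standing in for.
    return [name for name in required if tags.get(name) == ""]

def audited(tags, required=REQUIRED):
    # A VM is flagged when a required tag is missing or the search hits.
    return bool(missing_required(tags, required)) or option2_flags(tags)

# Constructed tag sets, one per behaviour worth knowing about.
SAMPLES = {
    "compliant":      {"owner": "alice", "costcenter": "42"},
    "missing_tag":    {"owner": "alice"},
    "blank_required": {"owner": "alice", "costcenter": ""},
    # Search covers every tag, so a blank optional tag is flagged too.
    "blank_optional": {"owner": "alice", "costcenter": "42", "note": ""},
    # An escaped quote followed by the closing quote also yields "".
    "quote_suffix":   {"owner": "alice", "costcenter": 'team "a"'},
    # A whitespace-only value is not empty, so the search misses it.
    "whitespace":     {"owner": " ", "costcenter": "42"},
}

if __name__ == "__main__":
    for label, tags in SAMPLES.items():
        print(f"{label:15} audited={audited(tags)!s:5} "
              f"search_hit={option2_flags(tags)!s:5} "
              f"blank_required={blank_required(tags)}")
```

The last three samples are the cases to check against real resources before relying on the audit results: the search is scoped to the whole tags object rather than to the required tags.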
