Azure Policy: Append multiple tags


Howdy, here is an example of the custom Azure Policy that is based on Append policy action that automatically adds additional fields to the requested resource during creation or update. A common example is adding tags on resources such as costCenter or specifying allowed IPs for a storage resource. This policy appends specified tags and values on resources, so you can easily group them in order to get their consumption and costs, for example. Although the policy has default tags name and values, you can provide your own during the policy assignment.

TIP: Different versions of json files for PowerShell and deploying policy with Portal are available in my Github repo

This sample is for deploying policy with Azure Portal:

{
    "mode": "Indexed",
    "parameters": {
        "tagName1": {
            "type": "String",
            "metadata": {
                "displayName": "Tag Name1",
                "description": "Name of the tag, such as 'environment'"
            },
            "defaultValue": "environment"
        },
        "tagValue1": {
            "type": "String",
            "metadata": {
                "displayName": "Tag Name1 Value",
                "description": "Value of the tag, such as 'production'"
            },
            "defaultValue": "production"
        },
        "tagName2": {
            "type": "String",
            "metadata": {
                "displayName": "Tag Name2",
                "description": "Name of the tag, such as 'service'"
            },
            "defaultValue": "service"
        },
        "tagValue2": {
            "type": "String",
            "metadata": {
                "displayName": "TagName2 Value",
                "description": "Value of the tag, such as 'webapps'"
            },
            "defaultValue": "webapps"
        },
        "tagName3": {
            "type": "String",
            "metadata": {
                "displayName": "Tag Name3",
                "description": "Name of the tag, such as 'project'"
            },
            "defaultValue": "project"
        },
        "tagValue3": {
            "type": "String",
            "metadata": {
                "displayName": "Tag Name3 Value",
                "description": "Value of the tag, such as 'POC'"
            },
            "defaultValue": "POC"
        }
    },
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "[concat('tags[', parameters('tagName1'), ']')]",
                    "exists": "false"
                },
                {
                    "field": "[concat('tags[', parameters('tagName2'), ']')]",
                    "exists": "false"
                },
                {
                    "field": "[concat('tags[', parameters('tagName3'), ']')]",
                    "exists": "false"
                }
            ]
        },
        "then": {
            "effect": "append",
            "details": [
                {
                    "field": "[concat('tags[', parameters('tagName1'), ']')]",
                    "value": "[parameters('tagValue1')]"
                },
                {
                    "field": "[concat('tags[', parameters('tagName2'), ']')]",
                    "value": "[parameters('tagValue2')]"
                },
                {
                    "field": "[concat('tags[', parameters('tagName3'), ']')]",
                    "value": "[parameters('tagValue3')]"
                }
            ]
        }
    }
}

To assign the policy by using PowerShell:

# Create the Policy Definition (Subscription scope)
$policyrules = "https://raw.githubusercontent.com/rlevchenko/stuff/master/Azure/Policy/PS/appendtags-rules.json"
$policyparams = "https://raw.githubusercontent.com/rlevchenko/stuff/master/Azure/Policy/PS/appendtags-parameters.json"
$definition = New-AzPolicyDefinition -Name 'Append Multiple Tags' -Policy $policyrules  -Parameter $policyparams -Mode Indexed

# Set the scope to a resource group; may also be a resource, subscription, or management group
$scope = Get-AzResourceGroup -Name 'mvphero'

# Create the Policy Assignment
New-AzPolicyAssignment -Name 'Apply multiple tags' -DisplayName 'Apply tags and their default values' -Scope $scope.ResourceId -PolicyDefinition $definition

And this is how it looks from Azure Portal during the policy assignment:

The tags added by policy on NSG resource:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s