Azure Policy: Append multiple tags

Howdy, here is an example of the custom Azure Policy that is based on Append policy action that automatically adds additional fields to the requested resource during creation or update. A common example is adding tags on resources such as costCenter or specifying allowed IPs for a storage resource. This policy appends specified tags and values on resources, so you can easily group them in order to get their consumption and costs, for example. Although the policy has default tags name and values, you can provide your own during the policy assignment.

TIP: Different versions of json files for PowerShell and deploying policy with Portal are available in my Github repo

This sample is for deploying policy with Azure Portal:

{
    "mode": "Indexed",
    "parameters": {
        "tagName1": {
            "type": "String",
            "metadata": {
                "displayName": "Tag Name1",
                "description": "Name of the tag, such as 'environment'"
            },
            "defaultValue": "environment"
        },
        "tagValue1": {
            "type": "String",
            "metadata": {
                "displayName": "Tag Name1 Value",
                "description": "Value of the tag, such as 'production'"
            },
            "defaultValue": "production"
        },
        "tagName2": {
            "type": "String",
            "metadata": {
                "displayName": "Tag Name2",
                "description": "Name of the tag, such as 'service'"
            },
            "defaultValue": "service"
        },
        "tagValue2": {
            "type": "String",
            "metadata": {
                "displayName": "TagName2 Value",
                "description": "Value of the tag, such as 'webapps'"
            },
            "defaultValue": "webapps"
        },
        "tagName3": {
            "type": "String",
            "metadata": {
                "displayName": "Tag Name3",
                "description": "Name of the tag, such as 'project'"
            },
            "defaultValue": "project"
        },
        "tagValue3": {
            "type": "String",
            "metadata": {
                "displayName": "Tag Name3 Value",
                "description": "Value of the tag, such as 'POC'"
            },
            "defaultValue": "POC"
        }
    },
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "[concat('tags[', parameters('tagName1'), ']')]",
                    "exists": "false"
                },
                {
                    "field": "[concat('tags[', parameters('tagName2'), ']')]",
                    "exists": "false"
                },
                {
                    "field": "[concat('tags[', parameters('tagName3'), ']')]",
                    "exists": "false"
                }
            ]
        },
        "then": {
            "effect": "append",
            "details": [
                {
                    "field": "[concat('tags[', parameters('tagName1'), ']')]",
                    "value": "[parameters('tagValue1')]"
                },
                {
                    "field": "[concat('tags[', parameters('tagName2'), ']')]",
                    "value": "[parameters('tagValue2')]"
                },
                {
                    "field": "[concat('tags[', parameters('tagName3'), ']')]",
                    "value": "[parameters('tagValue3')]"
                }
            ]
        }
    }
}

To assign the policy by using PowerShell:

# Create the Policy Definition (Subscription scope)
$policyrules = "https://raw.githubusercontent.com/rlevchenko/stuff/master/Azure/Policy/PS/appendtags-rules.json"
$policyparams = "https://raw.githubusercontent.com/rlevchenko/stuff/master/Azure/Policy/PS/appendtags-parameters.json"
$definition = New-AzPolicyDefinition -Name 'Append Multiple Tags' -Policy $policyrules  -Parameter $policyparams -Mode Indexed

# Set the scope to a resource group; may also be a resource, subscription, or management group
$scope = Get-AzResourceGroup -Name 'mvphero'

# Create the Policy Assignment
New-AzPolicyAssignment -Name 'Apply multiple tags' -DisplayName 'Apply tags and their default values' -Scope $scope.ResourceId -PolicyDefinition $definition

And this is how it looks from Azure Portal during the policy assignment:

The tags added by policy on NSG resource:

Azure Security Center: How to Protect Your Datacenter with Next Generation Security Free Webinar by Altaro

Security is a major concern for IT admins and if you’re responsible for important workloads hosted in Azure, you need to know your security is as tight as possible. In this free webinar, presented by Thomas Maurer, Senior Cloud Advocate on the Microsoft Azure Engineering Team, and Microsoft MVP Andy Syrewicze, you will learn how to use Azure Security Center to ensure your cloud environment is fully protected.

The webinar covers:

  • Azure Security Center introductions
  • Deployment and first steps
  • Best practices
  • Integration with other tools
  • And more!

Being an Altaro-hosted webinar, expect this webinar to be packed full of actionable information presented via live demos so you can see the theory put into practice before your eyes. Also, Altaro put a heavy emphasis on interactivity, encouraging questions from attendees and using engaging polls to get instant feedback on the session. To ensure as many people as possible have this opportunity, Altaro present the webinar live twice so pick the best time for you and don’t be afraid to ask as many questions as you like!

There are certain topics in the IT administration world which are optional, but security is not one of them. Ensuring your security knowledge if ahead of the curve is an absolute necessity and becoming increasingly important as we are all becoming exposed to more and more online threats every day. If you are responsible for important workloads hosted in Azure, this webinar is a must.

Webinar:        Azure Security Center:

How to Protect Your Datacenter with Next Generation Security

Date:               Tuesday, 30th July

Time:              Webinar presented live twice on the day. Choose your preferred time:

  • 2pm CEST / 5am PDT / 8am EDT
  • 7pm CEST / 10am PDT / 1pm EDT

Save your seat