Describe the bug
- Assign a custom policy definition for Azure Policy that requires a tag for resource groups.

  ```powershell
  # Look up the built-in definition by its display name.
  $policyDefinition = Get-AzPolicyDefinition -BuiltIn `
      | Where-Object {$_.Properties.DisplayName -eq 'Require a tag on resource groups'}
  $policyParameterObject = @{ 'tagName' = 'CreationDate' }
  $nonComplianceMessages = @( @{Message="CreationDate tag is required for resource groups."} )
  # $REQUIRE_RESOURCE_GROUPS_CREATIONDATE_TAG and $azContext are not defined in this
  # snippet; they are assumed to be set earlier in the script.
  $policyAssignmentParameters = @{
      Name                 = $REQUIRE_RESOURCE_GROUPS_CREATIONDATE_TAG
      Scope                = "/subscriptions/$($azContext.Subscription.Id)"
      PolicyDefinition     = $policyDefinition
      PolicyParameter      = $policyParameterObject
      NonComplianceMessage = $nonComplianceMessages
  }
  # Dot-source the helper script (not shown) that defines Set-PolicyAssignment.
  . "$(Join-Path -Path $PSScriptRoot -ChildPath 'Set-PolicyAssignment.ps1')"
  Set-PolicyAssignment @policyAssignmentParameters
  ```
- Create a resource group with the required tags.

  ```bash
  az group create \
    --name "${RESOURCE_GROUP_NAME}" \
    --location "${RESOURCE_GROUP_LOCATION}" \
    --tags CreationDate=$(date --universal '+%Y-%m-%dT%H-%M-%S.%NZ')
  ```
Related command
`az group create --tags KEY=VALUE`
Errors
```text
(RequestDisallowedByPolicy) Resource 'contoso-rg' was disallowed by policy. Reasons: 'CreationDate tag is required for resource groups.'. See error details for policy resource IDs.
Code: RequestDisallowedByPolicy
Message: Resource 'contoso-rg' was disallowed by policy. Reasons: 'CreationDate tag is required for resource groups.'. See error details for policy resource IDs.
Target: contoso-rg
Additional Information:Type: PolicyViolation
Info: {
    "evaluationDetails": {
        "evaluatedExpressions": [
            {
                "result": "True",
                "expressionKind": "Field",
                "expression": "type",
                "path": "type",
                "expressionValue": "Microsoft.Resources/subscriptions/resourcegroups",
                "targetValue": "Microsoft.Resources/subscriptions/resourceGroups",
                "operator": "Equals"
            },
            {
                "result": "True",
                "expressionKind": "Field",
                "expression": "tags[CreationDate]",
                "path": "tags[CreationDate]",
                "targetValue": "false",
                "operator": "Exists"
            }
        ],
        "reason": "CreationDate tag is required for resource groups."
    },
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000000",
    "policyDefinitionName": "00000000-0000-0000-0000-000000000000",
    "policyDefinitionDisplayName": "Require a tag on resource groups",
    "policyDefinitionEffect": "deny",
    "policyAssignmentId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/RequireResourceGroupsCreationDateTag",
    "policyAssignmentName": "RequireResourceGroupsCreationDateTag",
    "policyAssignmentScope": "/subscriptions/00000000-0000-0000-0000-000000000000",
    "policyAssignmentParameters": {
        "tagName": "CreationDate"
    },
    "policyExemptionIds": []
}
```
Issue script & Debug output
```text
(RequestDisallowedByPolicy) Resource 'contoso-rg' was disallowed by policy. Reasons: 'CreationDate tag is required for resource groups.'. See error details for policy resource IDs.
Code: RequestDisallowedByPolicy
Message: Resource 'contoso-rg' was disallowed by policy. Reasons: 'CreationDate tag is required for resource groups.'. See error details for policy resource IDs.
Target: contoso-rg
Additional Information:Type: PolicyViolation
Info: {
    "evaluationDetails": {
        "evaluatedExpressions": [
            {
                "result": "True",
                "expressionKind": "Field",
                "expression": "type",
                "path": "type",
                "expressionValue": "Microsoft.Resources/subscriptions/resourcegroups",
                "targetValue": "Microsoft.Resources/subscriptions/resourceGroups",
                "operator": "Equals"
            },
            {
                "result": "True",
                "expressionKind": "Field",
                "expression": "tags[CreationDate]",
                "path": "tags[CreationDate]",
                "targetValue": "false",
                "operator": "Exists"
            }
        ],
        "reason": "CreationDate tag is required for resource groups."
    },
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000000",
    "policyDefinitionName": "00000000-0000-0000-0000-000000000000",
    "policyDefinitionDisplayName": "Require a tag on resource groups",
    "policyDefinitionEffect": "deny",
    "policyAssignmentId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/RequireResourceGroupsCreationDateTag",
    "policyAssignmentName": "RequireResourceGroupsCreationDateTag",
    "policyAssignmentScope": "/subscriptions/00000000-0000-0000-0000-000000000000",
    "policyAssignmentParameters": {
        "tagName": "CreationDate"
    },
    "policyExemptionIds": []
}
```
Expected behavior
The `az group create` command with the required tags should succeed without being restricted by the "Require a tag on resource groups" policy.
Environment Summary
```json
{
  "azure-cli": "2.53.0",
  "azure-cli-core": "2.53.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "resource-graph": "2.1.0"
  }
}
```
Additional context
No response
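Reading the `PolicyViolation` payload in this report, as an added example (not part of the original issue and not Azure CLI code): this Python function walks `evaluatedExpressions` and reports which fields the policy engine saw as absent from the request it evaluated. The function name `explain_violation` and the trimmed sample payload are constructed here for illustration.

```python
import json

# Constructed sample: the "Info" object of a PolicyViolation, trimmed to the
# fields used below and modelled on the error shown in this issue.
SAMPLE_INFO = json.loads("""
{
  "evaluationDetails": {
    "evaluatedExpressions": [
      {"result": "True", "expressionKind": "Field", "expression": "type",
       "path": "type",
       "expressionValue": "Microsoft.Resources/subscriptions/resourcegroups",
       "targetValue": "Microsoft.Resources/subscriptions/resourceGroups",
       "operator": "Equals"},
      {"result": "True", "expressionKind": "Field",
       "expression": "tags[CreationDate]", "path": "tags[CreationDate]",
       "targetValue": "false", "operator": "Exists"}
    ]
  },
  "policyDefinitionEffect": "deny",
  "policyAssignmentName": "RequireResourceGroupsCreationDateTag"
}
""")


def explain_violation(info):
    """Return (findings, missing_fields) for one PolicyViolation Info object."""
    findings, missing = [], []
    details = info.get("evaluationDetails", {})
    for expr in details.get("evaluatedExpressions", []):
        matched = str(expr.get("result", "")).lower() == "true"
        op = expr.get("operator", "")
        target = str(expr.get("targetValue", ""))
        field = expr.get("path") or expr.get("expression", "?")
        if op == "Exists":
            # An "exists: false" condition that evaluated to True means the
            # field was absent from the payload the policy engine evaluated.
            present = matched == (target.lower() == "true")
            if not present:
                missing.append(field)
            state = "present" if present else "ABSENT"
            findings.append(f"{field}: {state} in evaluated request")
        else:
            # expressionValue can be missing, as on the Exists entry above.
            seen = expr.get("expressionValue", "<none>")
            findings.append(f"{field}: {seen!r} {op} {target!r} -> {matched}")
    return findings, missing
```

For the payload in this issue the function returns `tags[CreationDate]` as missing, so the comparison to make next is against the request body that `az group create --debug` logs.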