
I've applied an Azure policy which forces the user to assign a tag while creating a Resource Group.

When I create a new VM and fill in all the fields, I create a new Resource Group in the same wizard and then click the Review and Create button. This time the Azure policy is triggered properly and blocks me, as the newly created RG is not created with a tag.

But when I go to the Resource Groups blade and click Add to create a new RG, and I don't fill in Tags, the policy still doesn't get triggered. I'm a little surprised why this policy works the first time but not the second time.

{
  "if": {
    "allOf": [
      {
        "field": "tags",
        "exists": "false"
      },
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
4c74356b41
aquib.qureshi
  • Last time I checked, policies didn't work on the RG level at all? – 4c74356b41 Jan 10 '19 at 05:52
  • On my side, the policy sometimes works, sometimes not, so strange. – Joy Wang Jan 10 '19 at 06:48
  • @joy when you go to Resource Groups and create a new RG, does it sometimes block you because of the policy? Because in my case, when I go to the RG blade and create an RG without a tag, it is successfully created. When I create a new VM with a new RG, the policy blocks the VM deployment as the new RG is without a tag. – aquib.qureshi Jan 10 '19 at 07:08
  • In the RG blade, specify the RG name, then don't click `Next:Tags`, just click `Review + Create`; the policy works. If I click `Next:Tags` first, then click `Review + Create`, the policy will not work. – Joy Wang Jan 10 '19 at 07:13
  • I have also tried a built-in policy, `Enforce tag and its value on resource groups`; it also sometimes works, sometimes not. It seems like a bug. – Joy Wang Jan 10 '19 at 07:15
  • @joy, I tried creating the RG without clicking Next:Tags but the policy still isn't working. There is some bug in this policy or in Resource Groups. – aquib.qureshi Jan 10 '19 at 08:09

2 Answers

2

The discrepancy you are experiencing is caused by differences in the JSON representation of the resource group.

Depending on what you click in the portal, the resource group JSON may not have a tags property, e.g.:

{
    "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/foo",
    "name": "foo",
    "location": "eastus",
    "properties": {
        "provisioningState": "Succeeded"
    }
}

Other times it may be created with an empty tags property, e.g.:

{
    "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/foo",
    "name": "foo",
    "location": "eastus",
    "properties": {
        "provisioningState": "Succeeded"
    },
    "tags": {}
}

The "exists": "false" condition in your policy rule will only trigger if the "tags" property is either missing or null, so a resource group with "tags": {} will bypass your policy even though it doesn't have any tags.

sapphiremirage
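To make the difference between "no tags property" and "empty tags property" concrete, here is a small added example (not part of this answer, and not Microsoft's policy engine) that models the subset of the Azure Policy rule language used on this page: `allOf`, `field` with `equals` and `exists`, and the field paths `type`, `tags` and `tags['<name>']`. It evaluates the question's original rule against the two resource group shapes shown above, and then a per-tag rule of the kind the built-in "Require a tag on resource groups" definition uses, which checks `tags['<name>']` rather than the `tags` container. The sample payloads, the `type` property on them (needed for the rule's `type` condition) and the tag name `env` are constructed for the example.

```python
"""Toy evaluator for the Azure Policy rule subset discussed on this page.

Added example: this is NOT Microsoft's policy engine. It models only 'allOf',
'anyOf', 'not', and 'field' conditions using 'equals'/'exists' on the field
paths 'type', 'tags' and "tags['<name>']".
"""
import re

# Constructed sample payloads mirroring the two resource group shapes in the
# answer. The 'type' property is added so the rule's 'type' condition can match.
RG_WITHOUT_TAGS_PROPERTY = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/foo",
    "name": "foo",
    "location": "eastus",
    "type": "Microsoft.Resources/subscriptions/resourceGroups",
    "properties": {"provisioningState": "Succeeded"},
}
RG_WITH_EMPTY_TAGS = {**RG_WITHOUT_TAGS_PROPERTY, "tags": {}}
RG_WITH_TAG = {**RG_WITHOUT_TAGS_PROPERTY, "tags": {"env": "prod"}}

# The rule from the question: checks whether the 'tags' container exists.
ORIGINAL_RULE = {
    "if": {
        "allOf": [
            {"field": "tags", "exists": "false"},
            {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
        ]
    },
    "then": {"effect": "deny"},
}

# Per-tag rule: checks a specific tag key instead of the container. The tag
# name 'env' is a constructed example, not a value from the page.
PER_TAG_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
            {"field": "tags['env']", "exists": "false"},
        ]
    },
    "then": {"effect": "deny"},
}

_TAG_PATH = re.compile(r"^tags\['([^']+)'\]$")
_MISSING = object()  # sentinel: the property is absent from the payload


def resolve_field(resource, field):
    """Return the value at a field path, or _MISSING when the path is absent."""
    m = _TAG_PATH.match(field)
    if m:
        tags = resource.get("tags")
        if not isinstance(tags, dict):
            return _MISSING
        return tags.get(m.group(1), _MISSING)
    return resource.get(field, _MISSING)


def evaluate_condition(resource, cond):
    """Evaluate one condition object against a resource payload."""
    if "allOf" in cond:
        return all(evaluate_condition(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(resource, cond["not"])
    value = resolve_field(resource, cond["field"])
    if "exists" in cond:
        # 'exists' is false only when the property is missing or null;
        # an empty object {} still counts as present.
        present = value is not _MISSING and value is not None
        want_present = str(cond["exists"]).lower() == "true"
        return present == want_present
    if "equals" in cond:
        return value is not _MISSING and value == cond["equals"]
    raise ValueError(f"unsupported condition: {cond}")


def effect(resource, rule):
    """Return the rule's effect name when its 'if' block matches, else 'allow'."""
    if evaluate_condition(resource, rule["if"]):
        return rule["then"]["effect"]
    return "allow"


if __name__ == "__main__":
    for name, rg in [("no tags property", RG_WITHOUT_TAGS_PROPERTY),
                     ("empty tags {}", RG_WITH_EMPTY_TAGS),
                     ("tags {'env': 'prod'}", RG_WITH_TAG)]:
        print(f"{name:22} original rule -> {effect(rg, ORIGINAL_RULE):5} "
              f"per-tag rule -> {effect(rg, PER_TAG_RULE)}")
```

Running it shows the gap the answer describes: the original rule denies the payload with no `tags` property but allows the one with `tags: {}`, while the per-tag rule denies both and only allows the group that actually carries the required tag. If you need several tags, one `allOf` block with one `tags['<name>']` condition per required key, wrapped in `anyOf`, expresses "deny if any of them is missing".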
0

It seems I've figured it out: it is not related to the Azure policy, your policy should work fine; it may be a bug in the blade for creating the resource group in the portal.

I tried to create a resource group via PowerShell several times, and the policy works fine.

[screenshot: PowerShell resource group creation blocked by the policy]

My test policy:

[screenshot: test policy definition]

If it is necessary, you could open an issue on GitHub.

Joy Wang
  • Thanks Joy, I will keep this thread open so that others can have a look at it. – aquib.qureshi Jan 10 '19 at 10:38
  • Joy, if this is a bug, is it possible to build a policy which checks a predefined set of tags, and while creating an RG, if the user has not specified any of the tags present in the policy, the policy will block it? – aquib.qureshi Jan 10 '19 at 14:36
  • @aquib.rocks Maybe you can, but if it is a bug with the portal, whatever policy you create, I think it will not work fine. – Joy Wang Jan 11 '19 at 02:20
  • The bug is that even if we do not specify the tag, the property still exists as blank, hence our policy is not blocking the RG deployment. I've worked on the policy and specified the tag name, and now Azure Policy is blocking me and only allowing the tag name which I've specified. I wanted values as well, hence I've worked on it, but it is failing. Can you please have a look at the below forum query: https://stackoverflow.com/questions/54137098/azure-policy-deny-if-one-of-the-tag-not-present-in-the-resource-group-name – aquib.qureshi Jan 11 '19 at 13:12