Azure / azure-cli

Azure Command-Line Interface
MIT License

Require a tag policy does not validate tags against az group create command parameter. #27562

Open sheeeng opened 11 months ago

sheeeng commented 11 months ago

Describe the bug

$policyDefinition = Get-AzPolicyDefinition -BuiltIn `
    | Where-Object {$_.Properties.DisplayName -eq 'Require a tag on resource groups'}

$policyParameterObject = @{ 'tagName' = 'CreationDate' }
$nonComplianceMessages = @( @{Message="CreationDate tag is required for resource groups."} )

$policyAssignmentParameters = @{
    Name = $REQUIRE_RESOURCE_GROUPS_CREATIONDATE_TAG
    Scope = "/subscriptions/$($azContext.Subscription.Id)"
    PolicyDefinition = $policyDefinition
    PolicyParameter = $policyParameterObject
    NonComplianceMessage = $nonComplianceMessages
}

. "$(Join-Path -Path $PSScriptRoot -ChildPath 'Set-PolicyAssignment.ps1')"
Set-PolicyAssignment @policyAssignmentParameters

az group create \
    --name "${RESOURCE_GROUP_NAME}" \
    --location "${RESOURCE_GROUP_LOCATION}" \
    --tags CreationDate=$(date --universal '+%Y-%m-%dT%H-%M-%S.%NZ')

Related command

az group create --tags KEY=VALUE

Errors

(RequestDisallowedByPolicy) Resource 'contoso-rg' was disallowed by policy. Reasons: 'CreationDate tag is required for resource groups.'. See error details for policy resource IDs.
Code: RequestDisallowedByPolicy
Message: Resource 'contoso-rg' was disallowed by policy. Reasons: 'CreationDate tag is required for resource groups.'. See error details for policy resource IDs.
Target: contoso-rg
Additional Information:Type: PolicyViolation
Info: {
    "evaluationDetails": {
        "evaluatedExpressions": [
            {
                "result": "True",
                "expressionKind": "Field",
                "expression": "type",
                "path": "type",
                "expressionValue": "Microsoft.Resources/subscriptions/resourcegroups",
                "targetValue": "Microsoft.Resources/subscriptions/resourceGroups",
                "operator": "Equals"
            },
            {
                "result": "True",
                "expressionKind": "Field",
                "expression": "tags[CreationDate]",
                "path": "tags[CreationDate]",
                "targetValue": "false",
                "operator": "Exists"
            }
        ],
        "reason": "CreationDate tag is required for resource groups."
    },
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000000",
    "policyDefinitionName": "00000000-0000-0000-0000-000000000000",
    "policyDefinitionDisplayName": "Require a tag on resource groups",
    "policyDefinitionEffect": "deny",
    "policyAssignmentId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/RequireResourceGroupsCreationDateTag",
    "policyAssignmentName": "RequireResourceGroupsCreationDateTag",
    "policyAssignmentScope": "/subscriptions/00000000-0000-0000-0000-000000000000",
    "policyAssignmentParameters": {
        "tagName": "CreationDate"
    },
    "policyExemptionIds": []
}

Issue script & Debug output


Expected behavior

The az group create command with the required tags should succeed without being blocked by the "Require a tag on resource groups" policy.

Environment Summary

{
  "azure-cli": "2.53.0",
  "azure-cli-core": "2.53.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "resource-graph": "2.1.0"
  }
}

Additional context

No response
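As an added triage example (not code from azure-cli or from the issue author): a parser for the `Info: {...}` JSON that the CLI prints on a RequestDisallowedByPolicy error, reporting which policy condition denied the request. The sample error text is a constructed, trimmed copy of the output shown above.

```python
"""Constructed triage helper (not azure-cli code): decode the `Info: {...}` JSON
from a RequestDisallowedByPolicy error and report which condition denied it."""
import json
import re

# Constructed sample, trimmed from the error text in the issue above.
SAMPLE_ERROR = """Code: RequestDisallowedByPolicy
Info: {
  "evaluationDetails": {
    "evaluatedExpressions": [
      {"result": "True", "expressionKind": "Field", "expression": "type", "path": "type",
       "expressionValue": "Microsoft.Resources/subscriptions/resourcegroups",
       "targetValue": "Microsoft.Resources/subscriptions/resourceGroups", "operator": "Equals"},
      {"result": "True", "expressionKind": "Field", "expression": "tags[CreationDate]",
       "path": "tags[CreationDate]", "targetValue": "false", "operator": "Exists"}
    ],
    "reason": "CreationDate tag is required for resource groups."
  },
  "policyDefinitionEffect": "deny",
  "policyAssignmentName": "RequireResourceGroupsCreationDateTag",
  "policyAssignmentParameters": {"tagName": "CreationDate"}
}
"""

def parse_policy_info(error_text: str) -> dict:
    """Return the decoded JSON object that follows 'Info:' in the CLI error."""
    match = re.search(r"Info:\s*(\{.*\})", error_text, re.DOTALL)
    if not match:
        raise ValueError("no 'Info:' JSON block found in error text")
    return json.loads(match.group(1))

def missing_tags(info: dict) -> list:
    """Tag keys whose Exists check matched against 'false', i.e. tags the request
    did not carry. With effect 'deny', every result=True expression caused the refusal."""
    keys = []
    for expr in info["evaluationDetails"]["evaluatedExpressions"]:
        if expr.get("operator") == "Exists" and expr.get("targetValue") == "false" \
                and expr.get("result") == "True":
            m = re.fullmatch(r"tags\[(.+)\]", expr.get("path", ""))
            if m:
                keys.append(m.group(1))
    return keys

def summarize(error_text: str) -> dict:
    """Triage view: effect, assignment, the tag the policy requires, and what was missing."""
    info = parse_policy_info(error_text)
    return {"effect": info.get("policyDefinitionEffect"),
            "assignment": info.get("policyAssignmentName"),
            "required_tag": info.get("policyAssignmentParameters", {}).get("tagName"),
            "missing_tags": missing_tags(info)}
```

Run against the full error above, the summary shows the request reached Azure without a `CreationDate` tag in its body, which is the fact to verify on the CLI side (for example with `--debug`) before blaming the policy.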

yonzhan commented 11 months ago

Thank you for opening this issue, we will look into it.