Closed lassehastrup closed 1 year ago
Thanks for the feedback - and for including the correlation ID in the issue.
Unfortunately, the scenario as you described (adding a deny assignment to tags) will not work currently, due to the way tags are designed. The good news is - work is already underway to make this possible in the future.
In the meantime, we will change Stacks so it doesn't try to create deny assignments for tags. That should allow the stack to complete end-to-end.
Let us know if you have any further questions on this. (I'll close this issue once that change is successfully deployed.)
The fix has been successfully deployed to all regions.
Overview
When deploying a deploymentStack using Powershell with a bicep file containing the Microsoft.Resources/tags resource and with the DenySettingMode set to 'DenyDelete' the deployment will fail:
Expected behavior
I would expect the tags to receive the specified lock on the resource. The reason we use this is that we have 'default' tags specified on our LandingZones but we would still like our customers to add their own resources.
Repro Environment
Host OS: macOS 13.1 22C65 arm64
Powershell Version: 7.3.3
The bicep code where we get the existing tags:
@description('Get existing subscription tags and output them. Used to merge tags from blueprint with existing tags')
resource existingTags 'Microsoft.Resources/tags@2021-04-01' existing = {
  name: 'default'
}
Subscription Tags:
"subscriptionTags": {
  "value": {
    "Environment": "Dev"
  }
},
Union on tags:
resource res_tags 'Microsoft.Resources/tags@2021-04-01' = {
  name: 'default'
  properties: {
    tags: union(existingTags, subscriptionTags)
  }
}
Powershell script to deploy:
Error received: