In today’s cloud-driven world, maintaining governance and control over your resources is paramount. One of the simplest yet most effective ways to ensure proper management, organization, and billing of cloud resources is through consistent tagging. Azure Policy provides a powerful mechanism to enforce and validate tags across your Azure environment. In this blog, we’ll guide you through the process of creating and assigning policies to enforce and validate tags, and we’ll explore how to create exemptions when needed.

Enforcing and Validating Tags: Why It Matters

Tagging resources in Azure is more than just a best practice—it’s a critical component of cloud governance. Tags help you organize your resources, manage costs, and apply policies effectively. By enforcing tag requirements and validating tag values, you can ensure that your resources are consistently labeled and compliant with organizational standards.

Step 1: Defining Policies for Tag Enforcement and Validation

To start, we need to define two custom Azure Policies:

Require Tags on Resources: This policy ensures that specific tags are present on all resources. If any of the required tags are missing, resource creation is denied. This policy checks for the existence of specific tags, such as workloadName, createdBy, env, isSandbox, and workloadId. If any of these tags are missing, the resource creation process is blocked.

{
  "properties": {
    "displayName": "Require tags on resources",
    "policyType": "Custom",
    "mode": "Indexed",
    "metadata": {
      "version": "1.0.1",
      "createdBy": "<your-email>",
      "createdOn": "2024-05-03T22:39:03.0165939Z",
      "updatedBy": "<your-email>",
      "updatedOn": "2024-05-03T23:44:39.4335464Z"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "field": "tags[workloadName]",
            "exists": "false"
          },
          {
            "field": "tags[createdBy]",
            "exists": "false"
          },
          {
            "field": "tags[env]",
            "exists": "false"
          },
          {
            "field": "tags[isSandbox]",
            "exists": "false"
          },
          {
            "allOf": [
              {
                "field": "tags[isSandbox]",
                "equals": "0"
              },
              {
                "field": "tags[workloadId]",
                "exists": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

Validate Tags on Resources: This policy ensures that the tags applied to resources have valid values. For example, the env tag should only have values like dev, test, or prod. This policy ensures that only valid values are assigned to specific tags, helping you maintain consistency across your resources.

{
  "properties": {
    "displayName": "Validate tags on resources",
    "policyType": "Custom",
    "mode": "Indexed",
    "metadata": {
      "version": "1.0.1",
      "createdBy": "<your-email>",
      "createdOn": "2024-05-03T22:42:30.2835993Z",
      "updatedBy": "<your-email>",
      "updatedOn": "2024-05-03T23:32:17.8707776Z"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "field": "tags[env]",
            "notIn": [
              "dev",
              "test",
              "prod"
            ]
          },
          {
            "field": "tags[isSandbox]",
            "notIn": [
              "0",
              "1"
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

Step 2: Assigning Policies with Scope Definition

Once you’ve defined the policies, the next step is to assign them to specific scopes. The scope can be at the subscription, resource group, or individual resource level. Here’s how to do it:

1. Open the Azure Policy service in the Azure portal.
2. Go to Assignments and click Assign Policy.
3. Choose the subscription or resource group where the policy will be enforced.
4. Under Policy Definition, select the custom policy you defined earlier.
5. Define the scope by selecting the subscription or resource group.
6. Click Assign.

Assigning policies at the appropriate scope ensures that only resources within that scope must comply with the defined tags.

Step 3: Creating Policy Exemptions

In some cases, certain resources may need to be exempt from specific policies. Azure Policy allows you to create exemptions directly from the policy assignments.

Why Do We Need Exemptions?

Exemptions are useful when certain resources, such as those in experimental or short-term projects, need to bypass tag validation without affecting overall governance.

Steps to Create an Exemption:

1. Go to the Azure Policy service in the Azure portal.
2. Navigate to Policy Assignments.
3. Select the policy assignment for which you want to create an exemption.
4. Click on the Create Exemption button.
5. Define the scope where the exemption applies (e.g., specific resource group or resource).
6. Add a description and justification for the exemption.
7. Click Create.

Real-World Example: Exempting a Short-Term Project

Suppose you have a resource group dedicated to a short-term project that doesn’t adhere to the standard tagging conventions used in production. You can create an exemption for this resource group, allowing the project to proceed without disrupting overall policy compliance.

Conclusion

Azure Policy is a vital tool for enforcing and validating tags across your Azure environment, ensuring that resources are well-organized and compliant with your governance standards. By defining custom policies, assigning them to the appropriate scopes, and creating exemptions when necessary, you can maintain control while allowing the flexibility needed for special cases.