Description
Describe the bug
- Assign a custom policy definition for Azure Policy that requires a tag for resource group.

```powershell
$policyDefinition = Get-AzPolicyDefinition -BuiltIn `
    | Where-Object {$_.Properties.DisplayName -eq 'Require a tag on resource groups'}
$policyParameterObject = @{ 'tagName' = 'CreationDate' }
$nonComplianceMessages = @( @{Message="CreationDate tag is required for resource groups."} )
$policyAssignmentParameters = @{
    Name = $REQUIRE_RESOURCE_GROUPS_CREATIONDATE_TAG   # assignment name; set elsewhere in the reporter's script (not shown)
    Scope = "/subscriptions/$($azContext.Subscription.Id)"   # $azContext is set elsewhere in the reporter's script (not shown)
    PolicyDefinition = $policyDefinition
    PolicyParameter = $policyParameterObject
    NonComplianceMessage = $nonComplianceMessages
}
# Reporter's own wrapper script around the assignment cmdlet (not shown)
. "$(Join-Path -Path $PSScriptRoot -ChildPath 'Set-PolicyAssignment.ps1')"
Set-PolicyAssignment @policyAssignmentParameters
```

- Create a resource group with the required tags.

```bash
az group create \
    --name "${RESOURCE_GROUP_NAME}" \
    --location "${RESOURCE_GROUP_LOCATION}" \
    --tags CreationDate=$(date --universal '+%Y-%m-%dT%H-%M-%S.%NZ')
```

Related command

```
az group create --tags KEY=VALUE
```
Errors

```text
(RequestDisallowedByPolicy) Resource 'contoso-rg' was disallowed by policy. Reasons: 'CreationDate tag is required for resource groups.'. See error details for policy resource IDs.
Code: RequestDisallowedByPolicy
Message: Resource 'contoso-rg' was disallowed by policy. Reasons: 'CreationDate tag is required for resource groups.'. See error details for policy resource IDs.
Target: contoso-rg
Additional Information:
Type: PolicyViolation
Info: {
  "evaluationDetails": {
    "evaluatedExpressions": [
      {
        "result": "True",
        "expressionKind": "Field",
        "expression": "type",
        "path": "type",
        "expressionValue": "Microsoft.Resources/subscriptions/resourcegroups",
        "targetValue": "Microsoft.Resources/subscriptions/resourceGroups",
        "operator": "Equals"
      },
      {
        "result": "True",
        "expressionKind": "Field",
        "expression": "tags[CreationDate]",
        "path": "tags[CreationDate]",
        "targetValue": "false",
        "operator": "Exists"
      }
    ],
    "reason": "CreationDate tag is required for resource groups."
  },
  "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000000",
  "policyDefinitionName": "00000000-0000-0000-0000-000000000000",
  "policyDefinitionDisplayName": "Require a tag on resource groups",
  "policyDefinitionEffect": "deny",
  "policyAssignmentId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/RequireResourceGroupsCreationDateTag",
  "policyAssignmentName": "RequireResourceGroupsCreationDateTag",
  "policyAssignmentScope": "/subscriptions/00000000-0000-0000-0000-000000000000",
  "policyAssignmentParameters": {
    "tagName": "CreationDate"
  },
  "policyExemptionIds": []
}
```
Expected behavior

`az group create` with the required tags should succeed without being restricted by the 'Require a tag on resource groups' policy.
Environment Summary

```json
{
  "azure-cli": "2.53.0",
  "azure-cli-core": "2.53.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "resource-graph": "2.1.0"
  }
}
```

Additional context

No response
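Two things a reader triaging this report may want that the post does not include: a way to pull the deciding conditions out of a RequestDisallowedByPolicy error, and a local pre-flight replica of the 'Require a tag on resource groups' rule that mirrors the two evaluatedExpressions shown above (resource-group type AND required tag absent, effect deny). This is an added example, not code from the issue or from the Azure CLI project; the error JSON is constructed from the one above with the IDs dropped, and the exact-match tag-key comparison and the `key[=value]` tokenising of `--tags` are this example's assumptions.

```python
import json

RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"

# Constructed from the error in the issue above (definition/assignment IDs omitted).
SAMPLE_ERROR_INFO = json.loads("""{
  "evaluationDetails": {
    "evaluatedExpressions": [
      {"result": "True", "expressionKind": "Field", "expression": "type", "path": "type",
       "expressionValue": "Microsoft.Resources/subscriptions/resourcegroups",
       "targetValue": "Microsoft.Resources/subscriptions/resourceGroups", "operator": "Equals"},
      {"result": "True", "expressionKind": "Field", "expression": "tags[CreationDate]",
       "path": "tags[CreationDate]", "targetValue": "false", "operator": "Exists"}
    ],
    "reason": "CreationDate tag is required for resource groups."
  },
  "policyDefinitionEffect": "deny",
  "policyAssignmentParameters": {"tagName": "CreationDate"}
}""")


def required_tag_from_error(info: dict) -> str:
    """Tag name the assignment demands, read from the error's assignment parameters."""
    return info["policyAssignmentParameters"]["tagName"]


def matched_expressions(info: dict) -> list:
    """Conditions that evaluated True, i.e. the ones that produced the deny: (path, operator, target)."""
    exprs = info["evaluationDetails"]["evaluatedExpressions"]
    return [(e["path"], e["operator"], e["targetValue"]) for e in exprs if e["result"] == "True"]


def parse_tags_arg(tokens: list) -> dict:
    """Assumed model of az's --tags parsing: space-separated key[=value] tokens, split at the first '='."""
    return {tok.partition("=")[0]: tok.partition("=")[2] for tok in tokens}


def would_be_denied(request_body: dict, tag_name: str) -> bool:
    """Local replica of the rule: deny when the body is a resource group and tag_name is absent.
    Type compares case-insensitively (the error shows 'resourcegroups' matching 'resourceGroups');
    the tag key is an exact match here, which is an assumption of this example."""
    if request_body.get("type", "").lower() != RG_TYPE.lower():
        return False  # rule does not apply to other resource types
    return tag_name not in (request_body.get("tags") or {})


def preflight(tag_tokens: list, tag_name: str) -> bool:
    """True if `az group create --tags <tokens>` would be blocked by this assignment."""
    body = {"type": RG_TYPE, "tags": parse_tags_arg(tag_tokens)}
    return would_be_denied(body, tag_name)
```

Run `preflight(["CreationDate=<value>"], required_tag_from_error(info))` against the Info block of a real error to see whether the tag you intend to send satisfies the rule as the error describes it; if it does and the request is still denied, the body ARM evaluated differs from what you passed, which is the thing to capture with `--debug`.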