ARM templates and validation of mandatory tag values against AAD

I want to create policies, using an ARM template, for newly created resources that have automatically pre-populated or validated tags such as CreatedBy or BusinessOwner, whose values will be the names of the users who created the resource or who are responsible for the budget allocated to it.

I would like the policy to specify that if a resource is created and a tag value is set, that value is validated against AAD users. It would be best if an ARM built-in function existed for this and the template looked something like this:

    CreatedBy
    {
      "mode": "All",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "tags['CreatedBy']",
              "exists": "false"
            }
          ]
        },
        "then": {
          "effect": "append",
          "details": [
            {
              "field": "tags['CreatedBy']",
              "value": "[GetAADUsername()]"
            }
          ]
        }
      },
      "parameters": {}
    }

According to the list of functions currently supported for ARM templates, this is not possible; see https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions.

But I want to ask whether anyone has solved this and has a solution for defining policies for these basic tags, so that their values are not just ad hoc strings but values verified against real objects in AAD.

Thank you.



Solution 1:[1]

Currently, it's not possible to add CreatedBy or UpdatedBy tags based on the Azure AD UPN using Azure Policy.

As an alternative, you can use Azure Event Hubs and Azure Functions to create the tags, in order to manage the subscription resources based on who created or modified them.

You can follow this Azure Community Blog by Anthony Watherston on how to tag resources with a creator tag, or you can refer to this GitHub repo created by Tom Hollander on how to add tags like createdBy, ModifiedBy, createdDate and ModifiedDate.
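The core of the Event Hubs + Azure Functions approach is a function that reads Activity Log records, picks out the successful ARM write operations, takes the caller from the token claims recorded by ARM, and computes the tag set to write. The example below, added here and not the code from the linked blog or repo, shows that decision logic with constructed sample records. It assumes the Activity Log is streamed to an Event Hub through a diagnostic setting (message body `{"records": [...]}`, caller under `identity.claims`), and it leaves the actual ARM tag write to the caller. Because the identity comes from the authenticated token rather than from a string typed into a tag, this covers the CreatedBy/ModifiedBy part of the question; a BusinessOwner tag would still need a separate directory lookup.

```python
"""Derive CreatedBy/ModifiedBy tag updates from Azure Activity Log records.

Added example for the Event Hub + Function approach; not the code of the
linked blog or repo. Assumes the diagnostic-setting export format:
{"records": [...]} with the caller in record["identity"]["claims"].
"""
import json

# Claim carrying the UPN of a signed-in user; absent for service principals.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
# Operation emitted by the tagging Function itself; skipped to avoid a loop.
TAG_WRITE_OP = "MICROSOFT.RESOURCES/TAGS/WRITE"


def caller_identity(record):
    """Return the authenticated principal behind the operation, or None."""
    claims = record.get("identity", {}).get("claims", {})
    if claims.get(UPN_CLAIM):
        return claims[UPN_CLAIM]
    if claims.get("appid"):  # automation: record the app id instead of a UPN
        return "appid:" + claims["appid"]
    return record.get("caller")  # legacy schema: caller at top level


def is_taggable_write(record):
    """Only completed, successful ARM writes (not our own tag writes) count."""
    op = record.get("operationName", "").upper()
    return (record.get("category") == "Administrative"
            and record.get("resultType") == "Success"
            and op.endswith("/WRITE")
            and op != TAG_WRITE_OP)


def plan_tag_update(record, existing_tags):
    """Full tag set to write for this record, or None to do nothing.

    CreatedBy/CreatedDate are set once and never overwritten; ModifiedBy and
    ModifiedDate follow the latest write. Unrelated tags are preserved.
    """
    if not is_taggable_write(record):
        return None
    who = caller_identity(record)
    if who is None:
        return None
    tags = dict(existing_tags)
    tags.setdefault("CreatedBy", who)
    tags.setdefault("CreatedDate", record["time"])
    tags["ModifiedBy"] = who
    tags["ModifiedDate"] = record["time"]
    return tags


def process_event_hub_message(body, lookup_tags):
    """Map resourceId -> tags to write for one Event Hub message body.

    lookup_tags(resource_id) returns the resource's current tags; in a real
    Function it would GET the resource through the ARM API just before writing.
    """
    plans = {}
    for rec in json.loads(body).get("records", []):
        tags = plan_tag_update(rec, lookup_tags(rec["resourceId"]))
        if tags is not None:
            plans[rec["resourceId"]] = tags
    return plans


# Constructed sample data (hypothetical subscription, resources and app ids).
SUB = "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-DEMO"
STORAGE = SUB + "/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/STEXAMPLE"
VM = SUB + "/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/VM01"
KV = SUB + "/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KV01"
ALICE = {UPN_CLAIM: "alice@contoso.com", "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46"}
PIPELINE_SP = {"appid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}  # deployment pipeline
FUNC_SP = {"appid": "11111111-2222-3333-4444-555555555555"}      # the tagging Function


def make_record(resource_id, op, result, claims, time="2023-05-01T10:00:00Z"):
    return {"time": time, "resourceId": resource_id, "operationName": op,
            "category": "Administrative", "resultType": result,
            "identity": {"authorization": {}, "claims": claims}}


SAMPLE_BODY = json.dumps({"records": [
    make_record(STORAGE, "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "Start", ALICE),
    make_record(STORAGE, "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "Success", ALICE),
    make_record(VM, "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "Success", ALICE),
    make_record(STORAGE, TAG_WRITE_OP, "Success", FUNC_SP),          # our own tag write
    make_record(KV, "MICROSOFT.KEYVAULT/VAULTS/WRITE", "Failure", ALICE),
    make_record(KV, "MICROSOFT.KEYVAULT/VAULTS/WRITE", "Success", PIPELINE_SP),
]})
EXISTING_TAGS = {VM: {"CreatedBy": "bob@contoso.com",
                      "CreatedDate": "2023-01-01T00:00:00Z", "env": "prod"}}

if __name__ == "__main__":
    plans = process_event_hub_message(SAMPLE_BODY, lambda r: EXISTING_TAGS.get(r, {}))
    for rid, tags in plans.items():
        print(rid.rsplit("/", 1)[-1], tags)
```

In the Function, each planned entry is written with a tag merge (for example `ResourceManagementClient(...).tags.begin_update_at_scope(resource_id, {"operation": "Merge", "properties": {"tags": tags}})` from azure-mgmt-resource), so tags added by someone else between the read and the write are not clobbered. Give the Function's managed identity only the built-in Tag Contributor role, not Contributor: it needs `Microsoft.Resources/tags/write` and nothing else. Note that the Activity Log emits both a `Start` and a `Success` record for one deployment and that the Function's own tag write shows up again as an event, which is why the filter above keys on `resultType` and excludes `MICROSOFT.RESOURCES/TAGS/WRITE`.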

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 AnsumanBal-MT