'How do you restrict an azure resource from being deployed within a resource group with a tag applied to a resource group?
I've configured the policy as follows. It is not functioning and I am asking for some help. How do you configure this azure policy rule to deny a storage account from being created in a resource group based on the tag value?
"policyRule": {
"if": {
"allOf": [
{
"anyOf": [
{
"field": "type",
"equals": "Microsoft.resources/subscriptions/resourcegroups"
},
{
"field": "type",
"equals": "Microsoft.storage/storageaccounts"
}
]
},
{
"field": "tags.RestrictStorage",
"equals": "true"
}
]
},
"then": {
"effect": "deny"
}
}
Solution 1:[1]
allofis an equivalent of the logical operatorANDwhileanyOfis an equivalent ofORoperator .
Since you want to restrict the creating of storage account under certain resource group based on the tags added it will look something like this :
"policyRule":
{
"if":
{
"allOf":
[
{
"allOf":
[
{
"field":"type",
"equals":"Microsoft.storage/storageaccounts"
},
{
"field":"type",
"type":"Microsoft.resources/subscriptions/resourcegroups"
}
]
},
{
"field": "tags.RestrictStorage",
"equals": "true"
}
]
},
"then":
{
"effect": "deny"
}
}
Refer:
Details of the policy definition structure - Azure Policy | Microsoft Docs
Tutorial: Create a custom policy definition - Azure Policy | Microsoft Docs
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | MohitGanorkar-MT |