Create an Azure Policy definition to "Allow Only Certain Tag Values in Azure Resources Group Tags". Follow the steps below to create one in your Azure environment.
Step 1: Log in to the Azure Portal and open Policy from the Azure global search
Step 2: In the left section, under Authoring, select Definitions
Step 3: On the Definitions page, click on + policy definition to create a policy definition for "Allow only Certain Tag Values in Azure Resources Group Tags"
Step 4: Now fill in the policy definition details
- Definition Location: Select target scope
- Name: "Allow only Defined Tag Values in Azure Resources Group Tags"
- Description: "Allow only Certain Tag Values in Azure Resources Group Tags - Scope/TagName"
- Category: leave default
- Policy Rule: Copy and paste the "Allow only Defined Tag Values in Azure Resources Group Tags" policy JSON code below, then click 'Save' to save the changes.
Note: Each resource or resource group can have a maximum of 15 tags. The tag name is limited to 512 characters, and the tag value is limited to 256 characters.
JSON Policy Rule:
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "not": {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "in": "[parameters('listofallowedtagValues')]"
          }
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the audit policy"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Deny"
    },
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Name",
        "description": "Name of the tag, such as 'DataType'"
      },
      "defaultValue": "DataType"
    },
    "listofallowedtagValues": {
      "type": "Array",
      "metadata": {
        "displayName": "Tag Values",
        "description": "Value of the tag, such as 'Internal', 'Restricted', 'Confidential', 'N/A'"
      },
      "allowedValues": [
        "N/A",
        "Internal",
        "Restricted",
        "Confidential",
        "Critical"
      ]
    }
  }
}
Step 5: Once the definition is created, assign it to the target scope: click on 'Assign' >> select your target scope (tenant/subscription/resource) and set Policy enforcement to Enabled.
Step 6: Next, for Parameters >> select your Tag Values and then click on 'Review and Create'.
That's it! The policy is now applied at the selected scope and will restrict values that are not allowed.
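Before assigning with the Deny effect, it helps to know which existing resource groups the rule would flag. The following is an added example, not part of the original page: it mirrors the rule's `not { field in allowed }` branch in Python over a constructed list of resource groups. It assumes that the `in` condition compares case-insensitively and that a resource group without the tag counts as non-compliant; the function names and sample data are hypothetical.

```python
import json

# Values from the page's policy parameters (tagName default and allowedValues).
TAG_NAME = "DataType"
ALLOWED = ["N/A", "Internal", "Restricted", "Confidential", "Critical"]

# Constructed sample: resource groups reduced to their `name` and `tags` fields.
SAMPLE_GROUPS = json.loads("""
[
  {"name": "rg-app-prod", "tags": {"DataType": "Confidential"}},
  {"name": "rg-app-dev",  "tags": {"datatype": "internal"}},
  {"name": "rg-sandbox",  "tags": {"DataType": "Public"}},
  {"name": "rg-legacy",   "tags": {"Owner": "ops"}},
  {"name": "rg-untagged", "tags": null}
]
""")

def tag_value(group, tag_name):
    """Return the tag's value, or None when the resource group lacks the tag."""
    for name, value in (group.get("tags") or {}).items():
        if name.lower() == tag_name.lower():  # tag names are case-insensitive
            return value
    return None

def evaluate(group, tag_name=TAG_NAME, allowed=ALLOWED):
    """Mirror the rule's `not { field in allowed }` branch for one resource group.

    Returns None when compliant, else the reason the effect would fire.
    The `type` condition is taken as true: the input holds only resource groups.
    """
    value = tag_value(group, tag_name)
    if value is None:
        # Assumption: a missing tag is never "in" the list, so `not` is true.
        return "tag missing"
    # Assumption: the `in` condition compares strings case-insensitively.
    if value.lower() not in {v.lower() for v in allowed}:
        return f"value {value!r} not allowed"
    return None

def non_compliant(groups):
    """List (name, reason) for every group the policy would flag."""
    checked = ((g["name"], evaluate(g)) for g in groups)
    return [(name, reason) for name, reason in checked if reason]

if __name__ == "__main__":
    for name, reason in non_compliant(SAMPLE_GROUPS):
        print(f"{name}: {reason}")
```

Assigning the policy with the Audit effect first gives the same picture from Azure itself before switching to Deny.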