Azure Policy: Inheriting a Tag and Its Value from Subscription to Resource Groups

Bombbe 1,616 Reputation points
2024-01-05T12:37:51.27+00:00

Is it possible to create an Azure policy that can automatically inherit a tag and its value (no matter what the value is) from the subscription to the resource group? The tag is always the same, for instance, Application, but the value can change depending on the application name. I want to put this policy as high as possible in our management group so that it can automatically inherit the Application tag and its value to all the different subscriptions through a single policy (tag and value would always be on the subscription level). I don't want to specify something like "Inherit Application tag with Value Application1" because it would drive us to use many more policies. We have an application per subscription, and this solution would work for us.


1 answer

  1. SwathiDhanwada-MSFT 18,466 Reputation points
    2024-01-11T16:20:33.1766667+00:00

    @Bombbe Here is a policy definition where the subscription tag value will be inherited to resource groups based on the tag name.

    {
    	"properties": {
    		"displayName": "Inherit a tag from the subscription to Resource Group",
    		"policyType": "Custom",
    		"mode": "All",
    		"description": "Adds or replaces the specified tag and value from the containing subscription when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task.",
    		"parameters": {
    			"tagName": {
    				"type": "String",
    				"metadata": {
    					"displayName": "Tag Name",
    					"description": "Name of the tag, such as 'environment'"
    				}
    			}
    		},
    		"policyRule": {
    			"if": {
    				"allOf": [
    					{
    						"field": "[concat('tags[', parameters('tagName'), ']')]",
    						"notEquals": "[subscription().tags[parameters('tagName')]]"
    					},
    					{
    						"value": "[subscription().tags[parameters('tagName')]]",
    						"notEquals": ""
    					}
    				]
    			},
    			"then": {
    				"effect": "modify",
    				"details": {
    					"roleDefinitionIds": [
    						"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
    					],
    					"operations": [
    						{
    							"operation": "addOrReplace",
    							"field": "[concat('tags[', parameters('tagName'), ']')]",
    							"value": "[subscription().tags[parameters('tagName')]]"
    						}
    					]
    				}
    			}
    		}
    	},
    	"id": "/providers/Microsoft.Authorization/policyDefinitions/100c504b-a675-4441-8c44-96e485d14559",
    	"type": "Microsoft.Authorization/policyDefinitions",
    	"name": "100c504b-a675-4441-8c44-96e485d14559"
    }
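
Added example, not part of the answer above and not Microsoft's code: a Python review of the posted definition for two things worth checking before a `modify` policy is assigned at management-group scope. These are the role handed to the remediation identity (the posted ID is the built-in Contributor role) and whether the rule is limited to resource groups. The function names are hypothetical, and the use of the Tag Contributor role ID rests on the assumption that it is sufficient for tag writes; confirm that with a remediation task on a test subscription.

```python
import copy

# Built-in Azure role definition GUIDs. CONTRIBUTOR is the ID in the posted policy.
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
TAG_CONTRIBUTOR = "4a9ae827-6dc8-4573-8ac7-8239d42aa03f"  # assumed sufficient for tag writes
ROLE_PREFIX = "/providers/Microsoft.Authorization/roleDefinitions/"
RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"

# Constructed input: the posted definition reduced to the fields the review reads.
TAG = "[subscription().tags[parameters('tagName')]]"
FIELD = "[concat('tags[', parameters('tagName'), ']')]"
POSTED = {"properties": {"mode": "All", "policyRule": {
    "if": {"allOf": [{"field": FIELD, "notEquals": TAG}, {"value": TAG, "notEquals": ""}]},
    "then": {"effect": "modify", "details": {
        "roleDefinitionIds": ["/providers/microsoft.authorization/roleDefinitions/" + CONTRIBUTOR],
        "operations": [{"operation": "addOrReplace", "field": FIELD, "value": TAG}]}}}}}

def type_conditions(node):
    """Collect every {"field": "type", ...} condition nested under allOf/anyOf/not."""
    if isinstance(node, list):
        return [c for n in node for c in type_conditions(n)]
    if not isinstance(node, dict):
        return []
    if str(node.get("field", "")).lower() == "type":
        return [node]
    return [c for k in ("allOf", "anyOf", "not") for c in type_conditions(node.get(k))]

def review(defn):
    """Return findings for a modify-effect tag policy definition."""
    props, findings = defn["properties"], []
    rule = props["policyRule"]
    for rid in rule["then"].get("details", {}).get("roleDefinitionIds", []):
        if rid.rsplit("/", 1)[-1].lower() == CONTRIBUTOR:
            findings.append("broad-role")  # remediation identity can change more than tags
    if props.get("mode") == "All" and not type_conditions(rule["if"]):
        findings.append("no-type-filter")  # evaluated against every type, not only RGs
    return findings

def harden(defn):
    """Return a copy scoped to resource groups that remediates as Tag Contributor."""
    out = copy.deepcopy(defn)
    rule = out["properties"]["policyRule"]
    rule["if"] = {"allOf": [{"field": "type", "equals": RG_TYPE}, rule["if"]]}
    rule["then"]["details"]["roleDefinitionIds"] = [ROLE_PREFIX + TAG_CONTRIBUTOR]
    return out

if __name__ == "__main__":
    print(review(POSTED))          # findings for the definition as posted
    print(review(harden(POSTED)))  # findings after scoping and role change
```

The role matters most at management-group scope, because the assignment's managed identity receives the listed role on everything beneath the assignment.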