Using resourcegroup.name() in tag value when RG is created but it stays blank

  • Question

  • I am using the syntax in a tag value 

    "value": "[first(split(resourceGroup().name, '-'))]"

    to capture a certain part of the resource group name in a tag value but when RG is created it is blank.

    I can then run a remediation task and it populates properly.

    Why does it not populate when RG is created?

    Tuesday, May 5, 2020 4:58 PM

Answers

  • Hi jtp64,

    Below policy creates RGs by automatically adding the company tag value (with first section of RG name) as expected.

    {
      "mode": "All",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Resources/subscriptions/resourceGroups"
            },
            {
              "value": "[resourceGroup().managedby]",
              "notContains": "providers/Microsoft."
            }
          ]
        },
        "then": {
          "effect": "modify",
          "details": {
            "roleDefinitionIds": [
              "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "operations": [
              {
                "operation": "addOrReplace",
                "field": "[concat('tags[', parameters('tag_company'), ']')]",
                "value": "[first(split(field('name'), '-'))]"
              }
            ]
          }
        }
      },
      "parameters": {
        "tag_company": {
          "type": "String",
          "metadata": {
            "displayName": "tag_company",
            "description": "tag name is company"
          },
          "defaultValue": "company"
        }
      }
    }


    But this might not accomplish your complete requirement to also have a tag check in policyRule.if; without it, the compliance on all RGs shows green because they are all just RGs.

    AFAIK currently it might not be possible to do one policy for both greenfield and brownfield, so this might be a situation where you use both (the above provided policy, which works with greenfield, and the policy that you have provided, which works with brownfield) and put them in an initiative so you can see full compliance and still use remediation tasks.
    • Marked as answer by jtp64 Friday, June 5, 2020 1:46 PM
    Wednesday, May 20, 2020 2:08 PM
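As an added example (not code from the thread or from Azure Policy itself), the Python below models offline the rule the accepted answer and the poster's policy express: the expected company tag is [first(split(<rg name>, '-'))], resource groups with a managedBy pointing at providers/Microsoft. are excluded, and a missing or blank tag is non-compliant and gets an addOrReplace operation. The sample resource groups and the subscription id in them are constructed values.

```python
# Added example, not code from the thread. It models the policy logic offline so an
# operator can preview which resource groups a remediation task would touch.
# SAMPLE_RGS (and the subscription id inside it) are constructed values.
RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"


def expected_company(rg_name: str) -> str:
    """Mirror of [first(split(name, '-'))]: a name with no hyphen yields itself."""
    return rg_name.split("-")[0]


def get_tag(tags, key):
    """Tag names are case-insensitive in Azure, so match the key ignoring case."""
    for k, v in (tags or {}).items():
        if k.lower() == key.lower():
            return v
    return None


def evaluate(rg: dict, tag_name: str = "company") -> dict:
    """Apply the policyRule.if checks and return the modify operation if needed.
    Azure Policy string conditions compare case-insensitively; mirrored here."""
    result = {"name": rg["name"], "applicable": True, "compliant": True, "operation": None}
    # Only resource groups not managed by a provider (e.g. AKS node RGs) are in scope.
    managed_by = (rg.get("managedBy") or "").lower()
    if rg.get("type", RG_TYPE) != RG_TYPE or "providers/microsoft." in managed_by:
        result["applicable"] = False
        return result
    want = expected_company(rg["name"])
    have = get_tag(rg.get("tags"), tag_name)
    if have is not None and have.lower() == want.lower():
        return result
    # A missing tag and a blank value both land here, as the question observed.
    result["compliant"] = False
    result["operation"] = {"operation": "addOrReplace", "field": f"tags[{tag_name}]", "value": want}
    return result


SAMPLE_RGS = [  # constructed sample inventory
    {"name": "mp-app1-pr-rg", "tags": {}},                 # tag never written
    {"name": "mp-app1-pr-rg", "tags": {"company": ""}},    # created with a blank value
    {"name": "mp-app2-dv-rg", "tags": {"Company": "MP"}},  # differs only by case
    {"name": "MC_mp-app1-pr-rg_aks_eastus", "tags": {},    # provider-managed RG
     "managedBy": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                  "mp-app1-pr-rg/providers/Microsoft.ContainerService/managedClusters/aks1"},
    {"name": "nohyphen", "tags": {"company": "nohyphen"}},  # no '-' in the name
]


def report(rgs=SAMPLE_RGS):
    """Evaluate every sample RG; remediation would apply each returned operation."""
    return [evaluate(rg) for rg in rgs]
```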

All replies

  • Hi jtp64,

    If possible, can you please share your complete policy and/or your use case scenario so that it would help to diagnose the issue better or it would help to try reproducing the issue in my environment?

    Based on the given information I believe it's either related to the policy's mode (where maybe it's required to change mode from indexed to all) or it's related to the non-compliant resource state due to the timestamp of the last evaluation for the current policy assignment, etc.
    Wednesday, May 6, 2020 11:19 AM
  • Here is the code for the Policy.

    The resource group name has "-" between each section and the policy is supposed to get the first section, which is the company name of the RG, when created. It stays blank but creates the tag name company when the RG is created. I can then immediately modify the tag, add a new tag to the same RG and it populates. For some reason the resourcegroup.name() cannot capture the RG name when the RG is actually created, only afterwards.

    For example, I create an RG called "mp-app1-pr-rg"; the company tag value should be "mp" but is blank when the RG is created. After the Policy runs it will show non-compliant if the company tag value is blank or not equal to "mp", and I can run a remediation task and it works properly. Only when the RG is created does it not capture it.

    {
      "mode": "All",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "[concat('tags[',parameters('tag_company'), ']')]",
              "NotEquals": "[first(split(resourceGroup().name, '-'))]"
            },
            {
              "anyOf": [
                {
                  "field": "[concat('tags[',parameters('tag_company'), ']')]",
                  "exists": "false"
                },
                {
                  "field": "[concat('tags[',parameters('tag_company'), ']')]",
                  "exists": "true"
                }
              ]
            },
            {
              "field": "type",
              "equals": "Microsoft.Resources/subscriptions/resourceGroups"
            },
            {
              "value": "[resourceGroup().managedby]",
              "notContains": "providers/Microsoft."
            }
          ]
        },
        "then": {
          "effect": "modify",
          "details": {
            "roleDefinitionIds": [
              "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "operations": [
              {
                "operation": "addOrReplace",
                "field": "[concat('tags[', parameters('tag_company'), ']')]",
                "value": "[first(split(resourceGroup().name, '-'))]"
              }
            ]
          }
        }
      },
      "parameters": {
        "tag_company": {
          "type": "String",
          "metadata": {
            "displayName": "tag_company",
            "description": "tag name is company"
          },
          "defaultValue": "company"
        }
      }
    }


    • Edited by jtp64 Wednesday, May 6, 2020 12:22 PM
    Wednesday, May 6, 2020 12:19 PM
  • I placed the code in this section. Does that make sense?
    Wednesday, May 13, 2020 12:37 PM
  • Hi jtp64,

    Sorry for the delayed response. I am checking internally with the product team regarding your requirement and the issue that you are currently facing. I shall hopefully update you with some insights and findings in couple of working days.
    Saturday, May 16, 2020 12:24 PM
  • Yes, using the name instead of Resourcegroup().name works.

    Thanks

    Friday, June 5, 2020 1:47 PM