Skip to content

Improve Tags/deny-resource-without-tag: add empty-value check, excludedResourceTypes param, and description#538

Merged
neiichango merged 2 commits into
Azure:mainfrom
hendersonandrade:improve-deny-resource-without-tag
Jul 16, 2026
Merged

Improve Tags/deny-resource-without-tag: add empty-value check, excludedResourceTypes param, and description#538
neiichango merged 2 commits into
Azure:mainfrom
hendersonandrade:improve-deny-resource-without-tag

Conversation

@hendersonandrade

Copy link
Copy Markdown
Contributor

Summary

Improves the existing Tags/deny-resource-without-tag policy definition. This is an in-place update (same policy name GUID 12dc4dea-6097-4a18-b24e-a9a3e00dd456), not a new policy, so existing assignments continue to work.

What changed

  • Description: replaced the placeholder "need to add description" with a meaningful description of the policy behavior.
  • Empty-value detection: the rule now triggers when the tag exists but is empty (equals ""), in addition to the previous "tag does not exist" check. Previously a resource with an empty tag value passed compliance.
  • New excludedResourceTypes parameter (Array, strongType: ResourceType, default []): allows excluding resource types that don't support tags, without editing the policy. More flexible than hardcoding exclusions.
  • Fixed allofallOf casing in the policy rule.
  • Version bumped 1.0.01.1.0 (added functionality, backward compatible — the new parameter defaults to an empty array).

Backward compatibility

  • Same policy GUID → updates the existing definition rather than creating a new one.
  • The new excludedResourceTypes parameter has a default value ([]), so existing assignments are unaffected.
  • The effect default remains Audit.

Validation

Validated with the repository's own script:

@hendersonandrade

Copy link
Copy Markdown
Contributor Author

@microsoft-github-policy-service agree

@Joshua-Donovan Joshua-Donovan self-assigned this Jun 17, 2026
Comment thread policyDefinitions/Tags/deny-resource-without-tag/azurepolicy.json Outdated

@hendersonandrade hendersonandrade left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fix implemented as suggested

@Joshua-Donovan Joshua-Donovan left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ready to merge

@neiichango

Copy link
Copy Markdown
Collaborator

Reviewed to confirm correct policy design.
merging it

@neiichango neiichango merged commit c4d64fa into Azure:main Jul 16, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants