I have an Azure Policy that applies a resource tag "env:prod" to any resource group that has a "prod" part of its name.
This seems to be working just fine: when I create new resource groups, the tag is applied, and when I remove the tag (modify the resource group) the policy applies it back.
The issue I am having is that these resource groups show non-compliance with the same policy.
Looking at the reason why these resource groups are not compliant, it seems the policy is comparing the resource group name to the tag name.
I don't understand why the policy is making this evaluation for compliance.
Even when I create a remediation task from within the policy compliance details, the task does pick up the impacted resource groups, completes successfully, and states (2 out of 2) remediated, and I confirmed the remediation task took action by reviewing the resource groups' Activity Logs. But the fact of the matter is that these two resource groups always had the required tags, which were applied by the policy itself when they were created.
If you may help me understand:
- Why is the policy making such an evaluation (comparing the resource group name to the tag value)?
- How can I fix it?
Additional notes:
- The resource groups were created a week or so ago.
- Their compliance as described here has not changed since.
Thanks ahead.
Policy definition:
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "field": "name",
          "contains": "prod"
        }
      ]
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "operations": [
          {
            "operation": "addOrReplace",
            "field": "[concat('tags[','env',']')]",
            "value": "prod"
          }
        ]
      }
    }
  },
  "parameters": {}
}
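Added example, not part of the original post and not Azure's compliance engine: a small offline evaluator for the rule quoted above. It reads the same policy JSON, applies the `if` block (type equals, name contains, case-insensitive as Azure Policy string conditions are) to constructed sample resource groups, resolves the `[concat('tags[','env',']')]` field to the tag key, and reports whether the `addOrReplace` operation would actually change anything. The sample resource groups and the simplified semantics are assumptions made for the illustration.

```python
import json
import re

# The policy rule from the post (roleDefinitionIds omitted; not needed for evaluation).
POLICY_JSON = """{"mode": "All", "policyRule": {"if": {"allOf": [
 {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
 {"field": "name", "contains": "prod"}]},
 "then": {"effect": "modify", "details": {"operations": [
 {"operation": "addOrReplace", "field": "[concat('tags[','env',']')]", "value": "prod"}]}}}}"""

# Constructed sample resource groups (not real subscriptions or names).
RESOURCE_GROUPS = [
    {"type": "Microsoft.Resources/subscriptions/resourceGroups", "name": "rg-prod-web", "tags": {"env": "prod"}},
    {"type": "Microsoft.Resources/subscriptions/resourceGroups", "name": "rg-prod-db", "tags": {}},
    {"type": "Microsoft.Resources/subscriptions/resourceGroups", "name": "rg-dev-web", "tags": {}},
]

def tag_key(field):
    """Resolve a tags[...] field, including the [concat('tags[','env',']')] template form, to the tag key."""
    joined = "".join(re.findall(r"'([^']*)'", field)) if field.startswith("[concat(") else field
    match = re.fullmatch(r"tags\[(.+)\]", joined)
    if not match:
        raise ValueError(f"unsupported field expression: {field}")
    return match.group(1).strip("'")

def condition_holds(cond, rg):
    """Evaluate one string condition; Azure Policy compares strings case-insensitively."""
    value = str(rg.get(cond["field"], "")).lower()
    if "equals" in cond:
        return value == cond["equals"].lower()
    if "contains" in cond:
        return cond["contains"].lower() in value
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, rg):
    """Return (in_scope, would_change): does the rule select this RG, and would modify alter its tags?"""
    rule = policy["policyRule"]
    conditions = rule["if"].get("allOf", [rule["if"]])
    if not all(condition_holds(c, rg) for c in conditions):
        return (False, False)
    would_change = False
    for op in rule["then"]["details"]["operations"]:
        key = tag_key(op["field"])
        if op["operation"] == "addOrReplace" and rg.get("tags", {}).get(key) != op["value"]:
            would_change = True  # tag missing or carrying a different value: modify has work to do
    return (True, would_change)

def report(policy_json=POLICY_JSON, groups=RESOURCE_GROUPS):
    policy = json.loads(policy_json)
    return {rg["name"]: evaluate(policy, rg) for rg in groups}

if __name__ == "__main__":
    for name, (in_scope, would_change) in report().items():
        print(f"{name}: in scope={in_scope}, modify would change tags={would_change}")
```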