The policy definition for this kind of check is quite simple and looks something like this:
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "anyOf": [
          {
            "field": "tags.department",
            "exists": "false"
          },
          {
            "field": "tags.approved",
            "exists": "false"
          },
          {
            "field": "tags.owner",
            "exists": "false"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "audit"
  }
}
The above policy only looks at virtual machines and raises a non-compliance finding if any of the tags department, approved, or owner is missing. Pretty neat! One thing to keep in mind when using this system is when evaluation is actually triggered. See this link for more information.
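To make the allOf/anyOf/exists logic concrete, here is a small evaluator that applies the rule above to a handful of sample resources and produces the kind of report the audit effect would surface. This is an added example, not Azure's policy engine and not code from the original post; it implements only the condition forms this rule uses (allOf, anyOf, field equals, field exists), and the resource records are constructed for the demonstration.

```python
"""Toy evaluator for the tag-audit policy rule shown above.

Added example: it is NOT the Azure Policy engine. It supports only the
condition forms the rule uses (allOf, anyOf, field equals, field exists),
so the reader can see exactly which resources the rule would flag. Azure
has many more operators and alias rules; this is an illustration only.
"""

# The policy rule from the post, as a Python literal.
POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"anyOf": [
                {"field": "tags.department", "exists": "false"},
                {"field": "tags.approved", "exists": "false"},
                {"field": "tags.owner", "exists": "false"},
            ]},
        ]
    },
    "then": {"effect": "audit"},
}

# Constructed sample resources, shaped like the aliases the rule references
# ("type", "tags.department", ...). Names and tag values are made up.
SAMPLE_RESOURCES = [
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"department": "web", "approved": "yes", "owner": "alice"}},
    {"name": "vm-db-01", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"department": "data", "owner": "bob"}},      # "approved" missing
    {"name": "vm-test-01", "type": "Microsoft.Compute/virtualMachines",
     "tags": {}},                                          # all three missing
    {"name": "stor01", "type": "Microsoft.Storage/storageAccounts",
     "tags": {}},                                          # not a VM: out of scope
]


def get_field(resource, field):
    """Resolve a dotted field such as 'tags.owner'. Returns (found, value)."""
    current = resource
    for part in field.split("."):
        if not isinstance(current, dict) or part not in current:
            return False, None
        current = current[part]
    return True, current


def evaluate(condition, resource):
    """True if the condition matches the resource (i.e. the 'if' block fires)."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    found, value = get_field(resource, condition["field"])
    if "equals" in condition:
        # Azure Policy string comparison is case-insensitive.
        expected = condition["equals"]
        if isinstance(value, str) and isinstance(expected, str):
            return found and value.lower() == expected.lower()
        return found and value == expected
    if "exists" in condition:
        # Azure accepts the string "false"/"true" as well as a boolean here.
        want = str(condition["exists"]).lower() == "true"
        return found == want
    raise ValueError(f"unsupported condition: {condition}")


def required_tags(condition):
    """Collect the tag names the rule checks with exists=false."""
    if "allOf" in condition or "anyOf" in condition:
        subs = condition.get("allOf", condition.get("anyOf"))
        return [t for c in subs for t in required_tags(c)]
    field = condition.get("field", "")
    if str(condition.get("exists", "")).lower() == "false" and field.startswith("tags."):
        return [field.split(".", 1)[1]]
    return []


def non_compliant(policy_rule, resources):
    """Names of resources the rule flags. With effect 'audit' these are
    reported as non-compliant but never blocked or modified."""
    return [r["name"] for r in resources if evaluate(policy_rule["if"], r)]


def audit_report(policy_rule, resources):
    """Map each flagged resource to the required tags it lacks."""
    tags = required_tags(policy_rule["if"])
    report = {}
    for r in resources:
        if evaluate(policy_rule["if"], r):
            report[r["name"]] = [t for t in tags if not get_field(r, "tags." + t)[0]]
    return report


if __name__ == "__main__":
    effect = POLICY_RULE["then"]["effect"]
    for name, missing in audit_report(POLICY_RULE, SAMPLE_RESOURCES).items():
        print(f"{effect}: {name} is missing tags {missing}")
```

Running it flags vm-db-01 (no approved tag) and vm-test-01 (no tags at all), while the storage account is skipped because the first allOf branch restricts the rule to virtual machines. Since the effect is audit rather than deny, none of these resources would be prevented from existing; the rule only makes the gap visible in compliance data.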