Azure Policy management group deployment template (inherit tags from subscription)
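{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  // Management-group deployment: creates one custom "modify" policy definition at the
  // management group this template is deployed to, then assigns it to every management
  // group named in targetMGs. The policy copies two tags from a resource's subscription
  // onto resources that are missing them.
  //
  // ARM evaluates every "[...]" string at deployment time. Expressions that Azure Policy
  // must evaluate instead (subscription(), policy parameters()) are written as "[[...]"
  // so ARM passes them through unevaluated. With a single "[" ARM would try to resolve
  // subscription().tags itself, which ARM does not provide at management-group scope;
  // the policy engine, not ARM, has to evaluate these.
  "parameters": {
    "targetMGs": {
      "type": "array",
      "metadata": {
        "description": "Names (not display names) of the management groups that receive the policy assignment."
      }
    },
    "tagName1": {
      "type": "string",
      "defaultValue": "owner",
      "metadata": {
        "description": "First tag to inherit from the subscription."
      }
    },
    "tagName2": {
      "type": "string",
      "defaultValue": "environment",
      "metadata": {
        "description": "Second tag to inherit from the subscription."
      }
    }
  },
  "variables": {
    "policyDefinitionName": "inherit-tag-from-sub",
    // Policy assignment names are limited to 24 characters at management group scope;
    // the original "inherit tags from subscription" (30 characters) exceeds that.
    "policyAssignmentName": "inherit-tags-from-sub",
    // Built-in "Tag Contributor" role. The modify effect below only writes tags, so this is
    // the least-privilege built-in role for the remediation identity. The original used
    // Contributor (b24988ac-6180-42a0-ab88-20f7382dd24c), which grants write on every
    // resource type in scope. Verify a remediation task succeeds with this role before
    // relying on it in production.
    "tagContributorRoleId": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "[variables('policyDefinitionName')]",
      "apiVersion": "2020-09-01",
      "properties": {
        "policyType": "Custom",
        "mode": "Indexed",
        "displayName": "Inherit two tags from the subscription if missing",
        "description": "Adds the two configured tags, with the values set on the subscription, to resources that are missing them.",
        // The tag names are policy parameters so the rule can reference them with policy
        // parameters(); their defaults are filled in by ARM from the template parameters.
        "parameters": {
          "tagName1": {
            "type": "String",
            "metadata": {
              "displayName": "First tag name",
              "description": "Name of the first tag to inherit from the subscription."
            },
            "defaultValue": "[parameters('tagName1')]"
          },
          "tagName2": {
            "type": "String",
            "metadata": {
              "displayName": "Second tag name",
              "description": "Name of the second tag to inherit from the subscription."
            },
            "defaultValue": "[parameters('tagName2')]"
          }
        },
        "policyRule": {
          "if": {
            // NOTE(review): allOf only matches when BOTH tags are missing on the resource
            // AND BOTH are set (non-empty) on the subscription. A resource that lacks only
            // one of the two tags is left untouched. Kept as authored; if per-tag
            // inheritance is wanted, assign a single-tag definition once per tag instead.
            "allOf": [
              {
                "field": "[[concat('tags[', parameters('tagName1'), ']')]",
                "exists": "false"
              },
              {
                "value": "[[subscription().tags[parameters('tagName1')]]",
                "notEquals": ""
              },
              {
                "field": "[[concat('tags[', parameters('tagName2'), ']')]",
                "exists": "false"
              },
              {
                "value": "[[subscription().tags[parameters('tagName2')]]",
                "notEquals": ""
              }
            ]
          },
          "then": {
            "effect": "modify",
            "details": {
              // Roles the assignment's managed identity must hold at the target scope for
              // remediation of existing resources. Resolved by ARM at deployment time.
              "roleDefinitionIds": [
                "[variables('tagContributorRoleId')]"
              ],
              "operations": [
                {
                  "operation": "add",
                  "field": "[[concat('tags[', parameters('tagName1'), ']')]",
                  "value": "[[subscription().tags[parameters('tagName1')]]"
                },
                {
                  "operation": "add",
                  "field": "[[concat('tags[', parameters('tagName2'), ']')]",
                  "value": "[[subscription().tags[parameters('tagName2')]]"
                }
              ]
            }
          }
        }
      }
    },
    {
      // No-op nested deployment. Its full reference exposes a "scope" property that names
      // the management group this template is deployed to, which the assignment below needs
      // to build the policy definition ID. The original extracts the MG name with
      // split(scope, '/')[2]; that index is kept unchanged here.
      "name": "getManagementGroupName",
      "type": "Microsoft.Resources/deployments",
      // Same API version as the reference() call below so the returned shape matches.
      "apiVersion": "2020-10-01",
      "location": "[deployment().location]",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": []
        }
      }
    },
    {
      // One nested deployment per target management group, each creating the assignment
      // at that group's scope.
      "scope": "[concat('Microsoft.Management/managementGroups/', parameters('targetMGs')[copyIndex()])]",
      "name": "[concat('deploy-assignment-to-', parameters('targetMGs')[copyIndex()])]",
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-10-01",
      "location": "[deployment().location]",
      "dependsOn": [
        "[variables('policyDefinitionName')]",
        "getManagementGroupName"
      ],
      "copy": {
        "count": "[length(parameters('targetMGs'))]",
        "name": "assignment-loop"
      },
      "properties": {
        // "outer" makes parameters(), variables() and reference() inside the inner
        // template resolve against this (outer) template.
        "expressionEvaluationOptions": {
          "scope": "outer"
        },
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.Authorization/policyAssignments",
              "apiVersion": "2020-09-01",
              "name": "[variables('policyAssignmentName')]",
              // A modify-effect assignment needs a managed identity (and therefore a
              // location) so remediation tasks can write the tags onto existing resources.
              // The original had neither. This template does NOT create the role assignment
              // for that identity: grant it variables('tagContributorRoleId') at each target
              // management group (as the portal does automatically), or remediation will
              // fail with authorization errors. Presumably not needed for the in-request
              // modification of newly created/updated resources — verify.
              "location": "[deployment().location]",
              "identity": {
                "type": "SystemAssigned"
              },
              "properties": {
                "displayName": "Inherit tags from subscription",
                "description": "Adds the configured tags from the subscription to resources that are missing them.",
                "policyDefinitionId": "[extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', split(reference('getManagementGroupName', '2020-10-01', 'Full').scope, '/')[2]), 'Microsoft.Authorization/policyDefinitions', variables('policyDefinitionName'))]",
                "parameters": {
                  "tagName1": {
                    "value": "[parameters('tagName1')]"
                  },
                  "tagName2": {
                    "value": "[parameters('tagName2')]"
                  }
                }
              }
            }
          ]
        }
      }
    }
  ]
}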