@smereczynski
Created January 24, 2019 16:48
Policy definition that denies deployments where a resource group (RG) or storage account (SA) does not have tag values for the defined tag keys.
{
  "if": {
    "allOf": [
      {
        "anyOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          }
        ]
      },
      {
        "anyOf": [
          {
            "field": "tags.env",
            "exists": false
          },
          {
            "field": "tags.bu",
            "exists": false
          },
          {
            "field": "tags.costcenter",
            "exists": false
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
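An added example (not part of the gist): a simplified local model of the rule's `allOf`/`anyOf`/`equals`/`exists` logic, run over constructed resources to show which ones the rule denies and which slip through with a blank tag value. The helper names, the sample resources, and the treatment of a blank value as "present" are assumptions of this model, not Azure's policy engine.

```python
# Simplified local model of the rule (added example, not Azure's policy engine).
RG = "Microsoft.Resources/subscriptions/resourceGroups"
SA = "Microsoft.Storage/storageAccounts"
REQUIRED = ("env", "bu", "costcenter")

# The "if" block from the gist as a Python dict.
RULE_IF = {"allOf": [
    {"anyOf": [{"field": "type", "equals": t} for t in (RG, SA)]},
    {"anyOf": [{"field": "tags." + k, "exists": False} for k in REQUIRED]},
]}

def lookup(resource, field):
    """Return (present, value) for 'type' or 'tags.<name>'; tag names compared case-insensitively."""
    if field.startswith("tags."):
        tags = {k.lower(): v for k, v in (resource.get("tags") or {}).items()}
        name = field[len("tags."):].lower()
        return name in tags, tags.get(name)
    return field in resource, resource.get(field)

def matches(cond, resource):
    """Evaluate only the conditions this rule uses: allOf, anyOf, equals, exists."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    present, value = lookup(resource, cond["field"])
    if "exists" in cond:
        return present == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return present and str(value).lower() == str(cond["equals"]).lower()
    raise ValueError("condition not modelled: %r" % cond)

def denied(resource):
    return matches(RULE_IF, resource)

def blank_required_tags(resource):
    """Required keys that are present but blank; a presence-only 'exists' test misses these."""
    hits = [(k, lookup(resource, "tags." + k)) for k in REQUIRED]
    return [k for k, (present, value) in hits if present and not str(value or "").strip()]

# Constructed sample resources (assumed shapes, not real Azure output).
SAMPLES = {
    "rg-ok": {"type": RG, "tags": {"env": "prod", "bu": "fin", "costcenter": "1001"}},
    "sa-missing": {"type": SA, "tags": {"env": "prod", "bu": "fin"}},
    "sa-blank": {"type": SA, "tags": {"env": "", "bu": "fin", "costcenter": "1001"}},
    "vm-untagged": {"type": "Microsoft.Compute/virtualMachines"},
}
if __name__ == "__main__":
    print({name: denied(res) for name, res in SAMPLES.items()})
```

In this model `sa-blank` is allowed because the rule tests only that each key exists, so `blank_required_tags` is the kind of follow-up audit that would surface it.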