
@yohanb
Created March 4, 2020 20:59
Pulumi policy as code for Azure resource tagging.
import { ResourceValidationPolicy, ResourceValidationArgs } from "@pulumi/policy";
/**
 * Tag keys that every taggable Azure resource must declare.
 * The policy's violation message is built from this list, so the two stay in sync.
 */
const requiredTags = [
  "owner",
  "environment",
];
/**
 * Reports whether a resource is in scope for the tagging policy.
 *
 * The match is on the bare prefix "azure" with no trailing colon, so any
 * type token that begins with those letters is treated as in scope, not
 * only tokens of the form `azure:...`.
 * NOTE(review): the exclusions in isAzureResourceTagFriendly are written
 * with the `azure:` prefix; confirm which providers are meant to be covered.
 *
 * @param args - Validation arguments for the resource being checked.
 * @returns `true` when the resource type token starts with "azure".
 */
const isAzureResource = (args: ResourceValidationArgs): boolean => {
  const providerPrefix = "azure";
  return args.type.startsWith(providerPrefix);
};
/**
 * Reports whether a resource type is expected to carry tags.
 *
 * Types matching one of the prefixes below are exempt from the tagging
 * policy. The list is subject to change: types that cannot be tagged and
 * are not listed here still fall through to the tag check.
 * Each entry is a prefix match, so it exempts every type token that starts
 * with it; keep entries as specific as possible so the exemption does not
 * widen beyond what was intended.
 *
 * @param args - Validation arguments for the resource being checked.
 * @returns `false` for exempt types, `true` otherwise.
 */
const isAzureResourceTagFriendly = (args: ResourceValidationArgs): boolean => {
  const untaggableTypePrefixes = [
    "azure:network/subnet",
    "azure:compute/extension",
  ];
  const isExempt = untaggableTypePrefixes.some(prefix => args.type.startsWith(prefix));
  return !isExempt;
};
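/**
 * Reports whether the resource declares every tag key in `requiredTags`.
 *
 * Fix: the earlier version returned `false` from inside a `forEach`
 * callback. That only ends the callback, so the function always returned
 * `true` once a `tags` property existed, and a resource with an incomplete
 * tag set passed the mandatory policy without a violation.
 *
 * @param args - Validation arguments for the resource being checked.
 * @returns `true` only when `tags` is set and holds every required key.
 */
const hasRequiredTags = (args: ResourceValidationArgs): boolean => {
  const tags = args.props.tags;
  if (!tags) {
    return false;
  }
  // Only key presence is checked: a required tag with an empty value still passes.
  // hasOwnProperty is taken from Object.prototype so a `tags` value that lacks
  // or shadows the method cannot break or bypass the check.
  return requiredTags.every(tag => Object.prototype.hasOwnProperty.call(tags, tag));
};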
/**
 * Resource validation policy that requires the tags in `requiredTags` on
 * Azure resources that accept tags.
 *
 * The enforcement level is "mandatory". A violation is reported only for
 * resources that are in scope (isAzureResource), not exempt
 * (isAzureResourceTagFriendly), and missing required tags (hasRequiredTags).
 */
const tagPolicy: ResourceValidationPolicy = {
  name: "mandatory-tags",
  description: "Tags must be set on resources.",
  enforcementLevel: "mandatory",
  validateResource: (args, reportViolation) => {
    // Guard clauses run in the same order as the original && chain.
    if (!isAzureResource(args)) {
      return;
    }
    if (!isAzureResourceTagFriendly(args)) {
      return;
    }
    if (hasRequiredTags(args)) {
      return;
    }
    const message = `Set the following required tags: '${requiredTags.join(',')}'.`;
    reportViolation(message);
  }
};
export default tagPolicy;