Azure Custom Policies

This guide shows how to create custom Azure policies to ensure your Azure resources comply with your organization’s standards and requirements. Specifically, you will create a policy that adds a “CreatedOnDate” tag to all resources with the current UTC date and time.

This policy will create a new tag for all resources with the UTC date as a value. This is useful for automation tasks and other activities that need to know when a resource was created, as this information is not easily obtained through traditional routes such as the activity log.

Prerequisites

Before you begin, make sure you have:

  • Access to an Azure subscription
  • Basic knowledge of Azure Policy
  • Permissions to create and assign policies in Azure

Step-by-Step Instructions

1. Create the Policy Definition

In Azure Policy, create a new policy definition. The definition location can be either a management group or a subscription. Give the definition a useful name; it can be descriptive and contain spaces, for example: Add a CreatedOnDate tag to all resources. In the description, add some useful text explaining what the policy does. Choose to categorize the new policy with a new custom name or use an existing one.

  1. In Azure Policy, create a new policy definition.
  2. Choose a descriptive name for the policy, such as “Add CreatedOnDate Tag to All Resources”.
  3. Add a detailed description explaining the purpose of the policy.
  4. Categorize the policy with a new custom name or use an existing one.
  5. Copy and paste the following JSON code into the policy rule:
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "anyOf": [
            {
              "field": "type",
              "equals": "Microsoft.Resources/subscriptions/resourceGroups"
            },
            {
              "field": "tags['CreatedOnDate']",
              "exists": "false"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "append",
      "details": [
        {
          "field": "tags['CreatedOnDate']",
          "value": "[utcNow()]"
        }
      ]
    }
  },
  "parameters": {}
}

2. Assign the Policy Definition

The policy can be assigned to take effect at any level you choose under the scope where you created the policy definition above. So if you chose to create the policy definition at a subscription level, you can only assign the policy to resources within that subscription. Good practice for this type of design is to use Azure management groups high enough up the chain so you can choose your targets more easily.

If enforcement mode is disabled, the policy effect isn’t enforced (i.e. deny policy won’t deny resources). Compliance assessment results are still available. There are no parameters for this policy. There is no remediation for this policy: it uses the current timestamp, so any remediated resource would be stamped with the current date and not the correct date. If you wish, enter a non-compliance message that will appear in the error message. Review and create the assignment.

  1. Assign the policy definition at the desired scope level (e.g., subscription, resource group).
  2. If you created the policy definition at the subscription level, assign the policy to resources within that subscription.
  3. Disable enforcement mode if you do not want the policy effect enforced (e.g., deny policy won’t deny resources). Compliance assessment results will still be available.
  4. Enter a non-compliance message if needed.
  5. Review and create the assignment.

This custom Azure policy ensures that all newly created resources without a “CreatedOnDate” tag will automatically have this tag added. The tag will contain the current UTC date and time at the moment of creation.

  • Policy Mode: Set to “Indexed,” meaning it only applies during the creation or modification of resources.
  • Condition: Checks if the resource type is “resourceGroups” or if the “CreatedOnDate” tag does not exist.
  • Effect: Appends the “CreatedOnDate” tag with the current UTC date and time ([utcNow()]).
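
An added example, not part of the original page: since the policy is not remediated, resources that predate the assignment carry no tag, and a tag value can be edited after creation, so automation that consumes CreatedOnDate should sort resources into buckets rather than trust every value. The inventory is constructed sample data shaped like `az resource list -o json` output, and the timestamp shape (ISO 8601 UTC with a fractional part of any length) is an assumption about what `utcNow()` writes.

```python
import json
import re
from datetime import datetime, timedelta, timezone

TAG = "CreatedOnDate"
# Assumed shape of the tag value: ISO 8601 UTC, optional fraction of any length.
STAMP = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")

# Constructed sample inventory (not real resources).
SAMPLE = json.loads("""[
 {"name": "vm-app01", "type": "Microsoft.Compute/virtualMachines",
  "tags": {"CreatedOnDate": "2025-02-10T08:15:30.1234567Z"}},
 {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts", "tags": null},
 {"name": "kv-old", "type": "Microsoft.KeyVault/vaults",
  "tags": {"CreatedOnDate": "2024-11-01T00:00:00Z", "env": "dev"}},
 {"name": "nic-manual", "type": "Microsoft.Network/networkInterfaces",
  "tags": {"CreatedOnDate": "last tuesday"}}
]""")

def parse_created(value):
    """Return an aware UTC datetime, or None if the value is not a UTC stamp."""
    m = STAMP.match(value or "")
    if not m:
        return None
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))  # keep at most 6 digits
    try:
        base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    except ValueError:  # well-formed digits but an impossible date
        return None
    return base.replace(microsecond=micros, tzinfo=timezone.utc)

def audit(resources, now, max_age_days):
    """Sort resource names into untagged, invalid, stale and ok buckets."""
    report = {"untagged": [], "invalid": [], "stale": [], "ok": []}
    for res in resources:
        tags = res.get("tags") or {}  # tags may be null or absent
        if TAG not in tags:
            report["untagged"].append(res["name"])  # e.g. predates the assignment
            continue
        created = parse_created(tags[TAG])
        if created is None or created > now:
            report["invalid"].append(res["name"])  # unparseable or future-dated
        elif now - created > timedelta(days=max_age_days):
            report["stale"].append(res["name"])
        else:
            report["ok"].append(res["name"])
    return report

if __name__ == "__main__":
    fixed_now = datetime(2025, 2, 19, tzinfo=timezone.utc)
    print(json.dumps(audit(SAMPLE, fixed_now, max_age_days=30), indent=2))
```

The untagged and invalid buckets are the ones to review by hand, since their creation date has to come from another source.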

Resources

azure/policy/CreatedOnDate.json

Azure Policy Documentation

Azure Policy Samples


Last modified February 19, 2025: Update azure-point-to-site-vpn.md (a9c807a)