azure-policy icon indicating copy to clipboard operation
azure-policy copied to clipboard
verified publisher icon Azure

Is there any way to prevent everyone to delete or modify a specific tag added to resources but just add it?

Open sonalikaroy opened this issue 6 years ago • 8 comments

Is there any way to prevent every to delete or modify a specific tag added to resources?

sonalikaroy avatar May 08 '19 17:05 sonalikaroy

Is there any way to prevent everyone to delete or modify a specific tag added to resources but just add it?

sonalikaroy avatar May 08 '19 17:05 sonalikaroy

Can you provide a more specific example of what you'd like to accomplish?

You can do this with two policies: use a deny policy to prevent changing the tag value, and an append policy to always add the tag.

camillemarie avatar May 18 '19 00:05 camillemarie

Closing this issue per changes to the support model for this repo. See the Getting Support section in the readme for details and Azure Policy support information.

mentat9 avatar Jul 15 '19 17:07 mentat9

still like to follow up on this. I have a createDate Tag which I want to prevent users from deleting or modifying this tag. How is it possible with Policies? There are no deny action effects available.

Using a deny policy as @camillemarie stated above, prevents user from creating the resource, not from modifying that tag afterwards.

m-soltani avatar Mar 31 '23 19:03 m-soltani

Did we find an answer to this? I am trying the same thing, and can't find a solution.

elderrollins avatar Nov 13 '23 23:11 elderrollins

There is no way to do this, as of now - and the fact that the issue has been closed shows that the team probably do not consider to add this in their planned tasks for development.

m-soltani avatar Nov 14 '23 16:11 m-soltani

Hi @m-soltani, I may need to understand your use case further, but wanted to share the modify effect that released after you first created this issue:

  • Modify effect: enables you to add, update, or remove properties or tags on a subscription or resource during creation or update. We have several samples available in Azure Policy's built in definition library

nehakulkarni123 avatar Nov 14 '23 19:11 nehakulkarni123

@nehakulkarni123: The modified effect as described allow you to add, update, remove specific tags. We want to forbid updating the tag values, categorically. Let's say the resource has a creationDate tag with some datatime assigned as the value of the tag. I want to have a policy enforcement in place in which it disallows users to go ahead and edit the value, basically change the datetime value.

That is not possible, right?

m-soltani avatar Nov 16 '23 13:11 m-soltani