资源‘myresource’被策略禁止。策略:‘要求资源具有标签’。原因:‘该资源没有标签。’但资源组具有应被继承的标签。
Resource 'myresource' was disallowed by policy. Policy: 'Require a tag on resources'. Reason: 'The resource has no tags.' but the resource group has tags that should have been inherited.
ID: policy/azure-policy-tag-inheritance-missing
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| Azure Policy | active | — | — | — |
| Azure Resource Manager | active | — | — | — |
| Azure CLI 2.50.0+ | active | — | — | — |
根因分析
Azure 策略的‘要求资源具有标签’策略不会自动从资源组继承标签;必须使用单独的‘从资源组继承标签’策略或手动标记来显式配置继承。
English
Azure Policy's 'Require a tag on resources' policy does not automatically inherit tags from the resource group; inheritance must be explicitly configured using a separate 'Inherit a tag from the resource group' policy or by manual tagging.
官方文档
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#tags解决方案
-
创建并分配一个 Azure 策略计划,该计划包括‘要求资源具有标签’和‘如果缺少标签则从资源组继承标签’(内置策略 ID:/providers/Microsoft.Authorization/policyDefinitions/...)。使用 Azure 门户或 CLI:`az policy assignment create --policy-set-definition <initiative-id> --assign-identity`。
-
使用 `az resource tag --tags <key>=<value> --ids <resource-id>` 或通过 Azure 门户手动标记资源组中的每个资源。确保所有资源至少具有所需的标签。
-
如果资源是模板部署,请在 ARM 模板或 Bicep 文件的资源级别添加标签。例如,在 ARM 中:`"tags": { "Environment": "[parameters('environmentTag')]" }`。
无效尝试
常见但无效的做法:
-
90% 失败
Azure does not automatically propagate resource group tags to resources. Without an explicit inheritance policy, resources remain untagged.
-
70% 失败
The policy is designed to enforce tagging; modifying it to allow empty tags defeats its purpose and may violate compliance requirements.
-
50% 失败
This only works if you explicitly tag each resource. If you miss any resource, the policy will still fail for that resource.