Conflict policy config_error ai_generated true

Resource 'myresource' was disallowed by policy. Policy: 'Require a tag on resources'. Reason: 'The resource has no tags.'

ID: policy/azure-policy-tagging-enforcement-failure

Also available as: JSON · Markdown · 中文
80%Fix Rate
88%Confidence
1Evidence
2023-11-01First Seen

Version Compatibility

VersionStatusIntroducedDeprecatedNotes
Azure CLI 2.57.0 active
Azure Policy 1.0.0 active

Root Cause

Azure Policy initiative requires specific tags on all resources; missing tags cause deployment denial.

generic

中文

Azure 策略计划要求所有资源具有特定标签;缺少标签导致部署被拒绝。

Official Documentation

https://learn.microsoft.com/en-us/azure/governance/policy/overview

Workarounds

  1. 90% success Add required tags in the deployment template. For ARM templates, add 'tags': { 'Environment': 'Production' } in the resource definition. 
    Add required tags in the deployment template. For ARM templates, add 'tags': { 'Environment': 'Production' } in the resource definition.
  2. 85% success Use Azure CLI to deploy with tags: 'az deployment group create --resource-group myRG --template-file template.json --parameters tags={Environment:Production}' 
    Use Azure CLI to deploy with tags: 'az deployment group create --resource-group myRG --template-file template.json --parameters tags={Environment:Production}'
  3. 70% success Request policy exemption for the resource group from Azure Policy team via: 'az policy exemption create --name myExemption --policy-assignment <assignment-id> --scope /subscriptions/<sub-id>/resourceGroups/<rg>' 
    Request policy exemption for the resource group from Azure Policy team via: 'az policy exemption create --name myExemption --policy-assignment <assignment-id> --scope /subscriptions/<sub-id>/resourceGroups/<rg>'

中文步骤

  1. Add required tags in the deployment template. For ARM templates, add 'tags': { 'Environment': 'Production' } in the resource definition.
  2. Use Azure CLI to deploy with tags: 'az deployment group create --resource-group myRG --template-file template.json --parameters tags={Environment:Production}'
  3. Request policy exemption for the resource group from Azure Policy team via: 'az policy exemption create --name myExemption --policy-assignment <assignment-id> --scope /subscriptions/<sub-id>/resourceGroups/<rg>'

Dead Ends

Common approaches that don't work:

  1. Redeploy the resource without any changes, hoping the policy is temporary. 100% fail

    Azure Policy is persistent and evaluated on every deployment; the same error will occur.

  2. Remove the resource group and recreate it. 99% fail

    The policy is applied at subscription or management group level, not resource group. Deleting the group doesn't remove the policy requirement.

  3. Add tags after deployment via Azure Portal. 90% fail

    The policy blocks the deployment itself; the resource is never created to add tags later.