Sentinel policy to correct tag value

jhabikal21 · April 29, 2021, 10:39am

“tags”: {

                "Data Classification": "Data Level 1",

                "environment":         "staging",

            },

allStorageAccounts = filter tfplan.resource_changes as _, resource_changes {
resource_changes.mode is “managed” and
resource_changes.type is “azurerm_storage_account” and
(resource_changes.change.actions contains “create” or
resource_changes.change.actions is [“update”])
}

only_allow_defined_tags = rule {
all allStorageAccounts as _, tags {
keys(tags.change.after.tags) contains “Data Classification”
}
}

only_allow_defined_tags_values = rule when only_allow_defined_tags is true {
all allStorageAccounts as _, tags {
values(tags.change.after.tags[“Data Classification”]) contains “Data Level 1” or
values(tags.change.after.tags) contains “Data Level 2” or
values(tags.change.after.tags) contains “Data Level 3” or
values(tags.change.after.tags) contains “Data Level 4”
}
}

I need to check the value for the corresponding key of the tag “Data Classification”.
Above code just checks the value match. Can you help?

jhabikal21 · April 29, 2021, 10:44am

@hcrhall Can you help?

jhabikal21 · April 29, 2021, 11:11am

I think I found one of your post with an example which basically addresses my problem too. Sentinel : Checking nested tagging values
Thanks

hcrhall · April 29, 2021, 11:57am

@jhabikal21 you can take a look at the following example which is a little easier to read.