Bug Report - Audit-Tags-Mandatory-Rg / Audit-Tags-Mandatory Deny action

[iam-take]

Describe the bug
It might not be a bug but wanted to post it here to make sure, when assigning the policies

Audit-Tags-Mandatory and/or Audit-Tags-Mandatory-Rg with the effect set to Deny the policy will disallow deployment even when all required tags are set on for example a storage account or a new resource group.
It keeps telling not all required tags are entered.

Steps to reproduce

1.Assign policy with parameters
2.create resource group with the required tags

Screenshots

[Springstone]

@iam-take thanks for raising this issue. We recently pushed an update to fix an issue specifically for resource groups (last week), could you confirm you've updated to the latest version (1.1.0)?
The mode for the RG version was incorrectly set to Indexed, it should be All for your scenario to work as expected. The updated version of the policy addresses this.

[iam-take]

@Springstone I've double checked it and I am using the new policy the actual validation on existing resources is working correctly it seems. However the issue starts when I put it in Deny mode.

[Springstone]

@iam-take ok, I will validate what is going on.

[Springstone]

@iam-take after digging around a bit, it seems that DENY effect will not work for this policy as the policy is looking for the tag field of a resource group that hasn't been provisioned yet - which is why the AUDIT version of the policy works as intended. I've found a reasonable explanation of why here: https://medium.com/@robbiedouglas/why-cant-all-azure-policies-have-a-deny-effect-e2b08d6a9ade

If you want to deny the creation of a resource group that is missing a tag, the only way I can get this working consistently is by explicitly looking for if the tag exists, and even then it will ignore the tag value:

     "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "tags['Environment']",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }

This logic WILL deny RG creation if the tag "Environment" is not present.

Logic that works to DENY on multiple tags:

    "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "anyOf": [
              {
                "field": "tags['owner']",
                "exists": "false"
              },
              {
                "field": "tags['costcenter']",
                "exists": "false"
              },
              {
                "field": "tags['Environment']",
                "exists": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }

This isn't ideal and when I have a chance, I'll investigate further.