Azure Policy - deny changes via user interface


I have a policy that denies changes on resources that have a terraform tag:

    {
      "mode": "All",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "tags['source']",
              "exists": "true"
            },
            {
              "field": "tags['source']",
              "equals": "terraform"
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      },
      "parameters": {}
    }

Currently this policy blocks all changes on Terraform-managed resources, but I want to be able to make changes via Terraform and not in the Azure UI.

Is there a way in Azure Policy to check whether a change was made via the Azure UI?

Venkat V (best answer)

Is there a way in Azure Policy to check whether a change was made via the Azure UI?

No, the policy prevents you from making any changes to the scope, regardless of the method you use, such as UI or tools.

The scope in which you are creating the resource is the same scope the policy is applied to, so resource creation will be blocked if you try to create a resource, regardless of whether you are using the UI or tools.

I assigned the same policy to the resource group. When I attempted to create a VNet with the tag source: terraform, the resource deployment was blocked by the policy both in the UI portal and in Terraform.

[screenshot: deployment blocked in the UI portal]

[screenshot: deployment blocked in Terraform]

To deploy using Terraform without blocking, avoid passing the same tag. Conversely, to enable blocking via the UI, make sure to pass the same tags.


For more details about the type: deny condition in azure policy, refer to Azure Policy effect type: deny.
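The answer's point can be made concrete by running the question's policy rule through a miniature evaluator. The example below is added here and is not part of the question or the accepted answer, and it is not Azure's own policy engine: it implements only the subset of the rule grammar the question uses (allOf/anyOf/not, `field` with exists/equals/notEquals/in/like) and feeds it constructed ARM-style resource bodies. The `client` key on the sample bodies, the `vnet()` helper and the treatment of absent fields for the comparison operators are assumptions of this demo. What it shows is that the rule only ever reads the resource document, so a write from the portal and a write from Terraform carrying the same tags produce the same decision, and the only lever the policy author has is the tag value itself, which is the workaround the answer describes.

```python
import re
from typing import Any, Optional

# The policy definition from the question, reproduced unchanged.
POLICY = {
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "tags['source']", "exists": "true"},
                {"field": "tags['source']", "equals": "terraform"},
            ]
        },
        "then": {"effect": "deny"},
    },
    "parameters": {},
}

MISSING = object()  # sentinel: the referenced field is absent from the resource


def resolve_field(resource: dict, field: str) -> Any:
    """Resolve a policy `field` reference against an ARM-style resource body.

    Handles the tags['name'] alias form and dotted property paths such as
    properties.addressSpace. Returns MISSING when the path does not exist.
    """
    if field.startswith("tags['") and field.endswith("']"):
        return (resource.get("tags") or {}).get(field[6:-2], MISSING)
    node: Any = resource
    for part in field.split("."):
        if not isinstance(node, dict) or part not in node:
            return MISSING
        node = node[part]
    return node


def _truthy(value: Any) -> bool:
    # Azure Policy accepts both the boolean true and the string "true" for exists.
    return value.lower() == "true" if isinstance(value, str) else bool(value)


def _norm(value: Any) -> Any:
    # String comparisons in Azure Policy are case-insensitive.
    return value.lower() if isinstance(value, str) else value


def _like(value: Any, pattern: str) -> bool:
    # `like` uses '*' as the wildcard; translated to a regex here (demo simplification).
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return isinstance(value, str) and re.fullmatch(regex, value, re.IGNORECASE) is not None


def evaluate_condition(cond: dict, resource: dict) -> bool:
    """Evaluate a logical operator (allOf/anyOf/not) or a single field condition."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)

    value = resolve_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not MISSING) == _truthy(cond["exists"])
    # Assumption of this demo: an absent field compares unequal to every value,
    # so equals/in/like do not match it and notEquals does.
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "in" in cond:
        return _norm(value) in [_norm(v) for v in cond["in"]]
    if "like" in cond:
        return _like(value, cond["like"])
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy: dict, resource: dict) -> str:
    """Return the effect the rule yields for this write ("deny" here), else "allow"."""
    rule = policy["policyRule"]
    if evaluate_condition(rule["if"], resource):
        return rule["then"]["effect"].lower()
    return "allow"


def vnet(client: str, tags: Optional[dict]) -> dict:
    """Constructed sample request body. `client` is bookkeeping for this demo only:
    an ARM request body carries no such property and evaluate() never reads it,
    which is exactly why the portal and Terraform are indistinguishable to policy."""
    body = {"client": client, "type": "Microsoft.Network/virtualNetworks",
            "location": "westeurope",
            "properties": {"addressSpace": {"addressPrefixes": ["10.0.0.0/16"]}}}
    if tags is not None:
        body["tags"] = tags
    return body


VNET_FROM_PORTAL = vnet("portal", {"source": "terraform"})
VNET_FROM_TERRAFORM = vnet("terraform", {"source": "terraform"})
VNET_TERRAFORM_UNTAGGED = vnet("terraform", None)   # the answer's workaround
VNET_OTHER_SOURCE = vnet("portal", {"source": "bicep"})

if __name__ == "__main__":
    for name, body in [("portal, tagged", VNET_FROM_PORTAL),
                       ("terraform, tagged", VNET_FROM_TERRAFORM),
                       ("terraform, untagged", VNET_TERRAFORM_UNTAGGED),
                       ("portal, source=bicep", VNET_OTHER_SOURCE)]:
        print(f"{name:<22} -> {evaluate(POLICY, body)}")
```

Run stand-alone it prints one decision per sample write: both tagged VNets are denied whatever `client` says, and the untagged Terraform write is allowed. Because `exists` and `equals` are evaluated only against the resource body, a real deny-effect rule has the same blind spot: to separate channels you need an identity-level control (for example a service principal that is the only identity with write permission on those resources), not a policy condition.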