Azure Policy Tag add tag if missing

Question

I set a new policy for existing resources to add required tag if missing. scenario1: Resource1 have the following tags and value Tag name = Project Value = ProjSSO Tag name = Purpose Value = app login

however if the the policy trigger I received an error. Error: Policies attempted to append some fields which already exist in the request with different values.

Note: If I use addOrReplace then the policy append / update the existing tag name and its value which we don't want to happen, we want the existing value as is. Just add the tag missing

{
  "properties": {
    "displayName": "test-add-required-tag-if missing",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "test-add-required-tag-if missing",
    "metadata": {
      "version": "1.0.1",
      "category": "Tags",
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "notEquals": "Microsoft.Compute/VirtualMachines"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.ClassicCompute/virtualMachines"
          },
          {
            "field": "type",
            "notEquals": "microsoft.compute/virtualmachines/extensions"
          },
          {
            "field": "type",
            "notEquals": "microsoft.network/networkinterfaces"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.Compute/disks"
          },
          {
            "anyOf": [
              {
                "not": {
                  "field": "tags[Project]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Application]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[BU]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Cost Center]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Ticket]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Function]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Purpose]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Platform Owner1]",
                  "exists": "true"
                }
              },
              {
                "not": {
                  "field": "tags[Platform Owner2]",
                  "exists": "true"
                }
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "add",
              "field": "tags['Project']",
              "value": ""
            },
            {
              "operation": "add",
              "field": "tags['Cost Center']",
              "value": ""
            },
            {
              "operation": "add",
              "field": "tags['Application']",
              "value": ""
            },
            {
              "operation": "add",
              "field": "tags['bu']",
              "value": ""
            },
            {
              "operation": "add",
              "field": "tags['Environment']",
              "value": ""
            },
            {
              "operation": "add",
              "field": "tags['Ticket']",
              "value": ""
            },
            {
              "operation": "add",
              "field": "tags['Function']",
              "value": ""
            },
            {
              "operation": "add",
              "field": "tags['Purpose']",
              "value": ""
            },
            {
              "operation": "add",
              "field": "tags['Platform Owner1']",
              "value": ""
            },
            {
              "operation": "add",
              "field": "tags['Platform Owner2']",
              "value": ""
            }
          ]
        }
      }
    }
  }
}

Answer 1

For your requirement, its better to use PowerShell or CLI. Here is a sample PowerShell code on how to update the tag name with previous tag value.

# Get all subscriptions in the Azure account

try {
    "Logging in to Azure..."
    Connect-AzAccount
}
catch {
    Write-Error -Message $_.Exception
    throw $_.Exception
}
$subscriptions = Get-AzSubscription -SubscriptionId "XXXXXXX"

# Loop through each subscription
foreach ($subscription in $subscriptions) {
    # Set the current subscription
    Set-AzContext -SubscriptionId $subscription.SubscriptionId 

    # Get all resource groups for the subscription
    $resourceGroups = Get-AzResourceGroup -ResourceGroupName "XXXXXXX"
    
    $tagName = "Region"
    $newTagName = "Country"
    # Loop through each resource provider
    foreach ($rg in $resourceGroups) {
        $resources = Get-AzResource -ResourceGroupName $rg.ResourceGroupName
        foreach ($r in $resources) {
            $resourceId = Get-AzResource -ResourceId $r.ResourceId
            if ($resourceId.Tags.ContainsKey("Region")) {
                $tagValue = $resourceId.Tags[$tagName]
                $resourceId.Tags.Remove($tagName)
                $resourceId.Tags.Add($newTagName, $tagValue)
                # Update the resource with the new tags
                $resourceId | Set-AzResource -Force
            }
        }
    }
}