RequestDisallowedByPolicy - Enforce Owner Tag #2890

Closed
RIashfaqahmed opened this issue Nov 17, 2022 · 2 comments
Labels
bug Something isn't working

Comments


RIashfaqahmed commented Nov 17, 2022

Remember to label the issue with the appropriate area, and also assign it to yourself if you plan to work on the issue in the near future.

Describe the bug
When creating a Guacamole VM user resource, I am encountering the following error. This is a 403 error while deploying Azure resources for the VM, and it hits the policy deny rule for Enforce Owner Tag.

Resource Id: <<resourceid******************>>
Resource Path: /workspaces/<<workspaceid******************>>/workspace-services/<<serviceid******************>>/user-resources/<<resourceid******************>>
Resource Version: 2
Status: updating_failed
Action: upgrade
Message: <<resourceid******************>>: Error context message =

Error: creating Network Interface: (Name "internal-nic-TRE-ID-ws-6249-svc-d6f6" / Resource Group "rg-TRE-ID-ws-6249"): network.InterfacesClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="RequestDisallowedByPolicy" Message="Resource 'internal-nic-TRE-ID-ws-6249-svc-d6f6' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Enforce Owner Tag\",\"id\":\"/providers/Microsoft.Management/managementGroups/*******/providers/Microsoft.Authorization/policyAssignments/AssignEnforceTagging\"},\"policyDefinition\":{\"name\":\"EnforceTagging\",\"id\":\"/providers/Microsoft.Management/managementGroups/*******/providers/Microsoft.Authorization/policyDefinitions/EnforceTagging\"}}]'." Target="internal-nic-TRE-ID-ws-6249-svc-d6f6" AdditionalInfo=[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"tags['owner']","expressionKind":"Field","operator":"Exists","path":"tags['owner']","result":"True","targetValue":"false"}]},"policyAssignmentDisplayName":"Enforce Owner Tag","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/*******/providers/Microsoft.Authorization/policyAssignments/AssignEnforceTagging","policyAssignmentName":"AssignEnforceTagging","policyAssignmentParameters":{},"policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/*******","policyDefinitionDisplayName":"EnforceTagging","policyDefinitionEffect":"deny","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/*******/providers/Microsoft.Authorization/policyDefinitions/EnforceTagging","policyDefinitionName":"EnforceTagging"},"type":"PolicyViolation"}]

  with azurerm_network_interface.internal,
  on windowsvm.tf line 1, in resource "azurerm_network_interface" "internal":
   1: resource "azurerm_network_interface" "internal" {

error running command /cnab/app/terraform /usr/bin/terraform apply -auto-approve -input=false -var image=Server 2019 Data Science VM -var image_gallery_id= -var parent_service_id=<<serviceid******************>> -var shared_storage_access=true -var shared_storage_name=<shared_st_name> -var tre_id=TRE-ID -var tre_resource_id=<<resourceid******************>> -var vm_size=2 CPU | 8GB RAM -var workspace_id=<<workspaceid******************>>: exit status 1
Error: error running command /cnab/app/terraform /usr/bin/terraform apply -auto-approve -input=false -var image=Server 2019 Data Science VM -var image_gallery_id= -var parent_service_id=<<serviceid******************>> -var shared_storage_access=true -var shared_storage_name=<shared_st_name> -var tre_id=TRE-ID -var tre_resource_id=<<resourceid******************>> -var vm_size=2 CPU | 8GB RAM -var workspace_id=<<workspaceid******************>>: exit status 1
Error: mixin execution failed: exit status 1
Error: 1 error occurred:
  * container exit code: 1, message: <nil>

az login --identity -u <az_id> && az acr login --name az_repo && porter upgrade "<<resourceid******************>>" --reference az_repo.azurecr.io/tre-service-guacamole-windowsvm:v0.5.2 --param arm_use_msi="true" --param id="<<resourceid******************>>" --param os_image="Server 2019 Data Science VM" --param parent_service_id="<<serviceid******************>>" --param shared_storage_access="True" --param tfstate_container_name="tfstate" --param tfstate_resource_group_name="<rg_name>" --param tfstate_storage_account_name="<st_name>" --param tre_id="TRE-ID" --param vm_size="2 CPU | 8GB RAM" --param workspace_id="<<workspaceid******************>>" --allow-docker-host-access --force --cred ./vmss_porter/arm_auth_local_debugging.json --cred ./vmss_porter/aad_auth.json

Steps to reproduce
This error occurred after I followed the instructions in #2877 (comment) to execute cloud-init manually from the Nexus Linux VM.

@RIashfaqahmed RIashfaqahmed added the bug Something isn't working label Nov 17, 2022

marrobi commented Nov 17, 2022

@RIashfaqahmed it looks like you have a corporate Azure policy that insists on all resources having an "owner" tag.

These tags will need adding to the Terraform templates that you are deploying; tags are usually defined in locals.tf.

Also worth noting: customers often add Azure policies that apply tags. That's another route you could take.

We could also look at adding the ability to add custom tags to the project.
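The fix described in the comment above, as an added illustration (this is not code from the AzureTRE repository, and the variable and local names var.owner, local.user_resource_tags, var.location, var.resource_group_name, var.subnet_id and var.parent_service_id are assumed): a shared tag map in locals.tf that carries the "owner" key the policy evaluates, applied to the network interface that was denied in the report.

```hcl
# Added example, not the project's own code. Variable and local names are assumed.

# locals.tf: a single tag map shared by every resource in the template. The
# policy in the error evaluates tags['owner'] with operator Exists and denies
# creation when the key is absent, so the map must always contain "owner".
variable "owner" {
  type        = string
  description = "Value for the required 'owner' tag (assumed input variable)."

  # The policy only checks that the tag exists; reject an empty value so the
  # tag still identifies an accountable owner rather than merely satisfying Exists.
  validation {
    condition     = length(trimspace(var.owner)) > 0
    error_message = "owner must be a non-empty string."
  }
}

locals {
  user_resource_tags = {
    tre_id           = var.tre_id
    tre_workspace_id = var.workspace_id
    owner            = var.owner
  }
}

# windowsvm.tf: the resource that failed with RequestDisallowedByPolicy,
# now carrying the shared tag map. Other resources in the template should
# reference the same local so none of them trips the deny rule.
resource "azurerm_network_interface" "internal" {
  name                = "internal-nic-${var.tre_id}-ws-${var.workspace_id}-svc-${var.parent_service_id}"
  location            = var.location
  resource_group_name = var.resource_group_name

  ip_configuration {
    name                          = "primary"
    subnet_id                     = var.subnet_id
    private_ip_address_allocation = "Dynamic"
  }

  tags = local.user_resource_tags
}
```

If the tenant takes the other route mentioned above, a Modify-effect policy that stamps tags on resources at creation time, the tag is added server-side and Terraform will report drift on the next plan unless the template either sets the same key itself or lists it under lifecycle ignore_changes. Before rolling out either approach, run terraform plan against the policy-bound subscription: the deny is only raised at apply time, so a clean plan does not prove the policy is satisfied.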


marrobi commented Nov 22, 2022

@RIashfaqahmed did you manage to work around this? We have issue #417 to track this, so unless you need further assistance I will close this issue.
