Improve Tags/deny-resource-without-tag: add empty-value check, excludedResourceTypes param, and description

[hendersonandrade]

Summary

Improves the existing Tags/deny-resource-without-tag policy definition. This is an in-place update (same policy name GUID 12dc4dea-6097-4a18-b24e-a9a3e00dd456), not a new policy, so existing assignments continue to work.

What changed

• Description: replaced the placeholder "need to add description" with a meaningful description of the policy behavior.
• Empty-value detection: the rule now triggers when the tag exists but is empty (equals ""), in addition to the previous "tag does not exist" check. Previously a resource with an empty tag value passed compliance.
• New excludedResourceTypes parameter (Array, strongType: ResourceType, default []): allows excluding resource types that don't support tags, without editing the policy. More flexible than hardcoding exclusions.
• Fixed allof → allOf casing in the policy rule.
• Version bumped 1.0.0 → 1.1.0 (added functionality, backward compatible — the new parameter defaults to an empty array).

Backward compatibility

• Same policy GUID → updates the existing definition rather than creating a new one.
• The new excludedResourceTypes parameter has a default value ([]), so existing assignments are unaffected.
• The effect default remains Audit.

Validation

Validated with the repository's own script:

[hendersonandrade]

@microsoft-github-policy-service agree