Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

Missing policyAssignments definitionVersion attribute #1769

Open sshockley opened 2 months ago

sshockley commented 2 months ago

Describe the bug

Policy assignments generated from Enterprise-Scale templates are created successfully, but are missing the required definitionVersion attribute.

Steps to reproduce

Create a policy assignment from the Enterprise Scale repo, e.g.:

# Pick one of the ALZ policy assignment templates and deploy it at management-group scope.
NAME="DENY-VMUnmanagedDiskPolicyAssignment"
file="eslzArm/managementGroupTemplates/policyAssignments/${NAME}.json"
# REGION (deployment metadata location) and MGID (target management group id) are set beforehand.
az deployment mg create \
        --name "alz-${NAME}" \
        --location "${REGION}" \
        --management-group-id "${MGID}" \
        --template-file "${file}"

Edit the policy assignment in the Azure portal UI. Note that Version (preview) is marked as required.

Note that this is in US Gov GCC High, not sure if that matters here.

Related PR: Azure/azure-rest-api-specs#29383

Not sure if they're upstream to you and you can just sync the changes via script. Thanks.

sshockley commented 2 months ago

Semi-related, it looks like the USGovernment policy versions are different? I kind of expected that, but I didn't expect USGovernment to have a higher version.

Commercial policy (8.2.0): https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json

USGovernment policy (9.1.0): https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Kubernetes/IngressHttpsOnly.json

Springstone commented 1 month ago

@sshockley Thanks for submitting this issue. We are aware of the changes as a result of the implementation of Policy Versioning. Currently there is no impact for deployed instances of ALZ, as with the release of Policy Versioning, the product group backfilled all assignments to pin to the current major version. However, new deployments may be impacted if a new major version of an existing policy is published. We're currently planning how/when we will implement this given the significant engineering effort and other priorities.

For your second issue, this is possible as resource providers are not the same in all clouds, and as such the US Gov policy may be ahead in version.

Stay tuned for versioning support in ALZ.
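The thread describes two things a practitioner may want to do before ALZ ships versioning support: find assignment templates that carry no definitionVersion (the condition the issue reports), and pin them to the major version of the definition as published in the target cloud (what the backfill described above did for already-deployed assignments, with the US Gov version differing from commercial). The script below is an added example, not code from this issue or from the Enterprise-Scale repo. It assumes that Microsoft.Authorization/policyAssignments accepts a definitionVersion property of the form "MAJOR.*.*" (major pinned, minor and patch floating) on api-version 2024-04-01; the template, definition id and version table are constructed placeholders shaped like an ALZ assignment template, not values copied from the repo or from the built-in policy catalogue.

```python
"""Find and pin policy assignments missing definitionVersion.

Added example, not ALZ project code. Assumptions (not confirmed by the thread):
- policyAssignments exposes `definitionVersion` on api-version 2024-04-01,
  taking a pin such as "8.*.*" (major fixed, minor/patch floating);
- the template, definition id and version numbers below are constructed
  placeholders, not the repo's or the built-in catalogue's real values.
"""
import copy
import json
import re

ASSIGNMENT_TYPE = "Microsoft.Authorization/policyAssignments"
# Assumption: earliest api-version on which definitionVersion is accepted.
VERSIONED_API = "2024-04-01"
# Placeholder id; the real built-in definition id is deliberately not used.
PLACEHOLDER_DEFINITION_ID = (
    "/providers/Microsoft.Authorization/policyDefinitions/"
    "00000000-0000-0000-0000-000000000000"
)
_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

# Constructed sample: the shape the issue reports, an assignment with no
# definitionVersion on a pre-versioning apiVersion.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/"
               "managementGroupDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": ASSIGNMENT_TYPE,
            "apiVersion": "2022-06-01",
            "name": "Deny-VM-Unmanaged-Disk",
            "properties": {
                "displayName": "Deny VMs that do not use managed disks",
                "policyDefinitionId": PLACEHOLDER_DEFINITION_ID,
            },
        }
    ],
}

# Constructed table: the same definition can carry a different version per
# cloud, as the thread shows for IngressHttpsOnly (8.2.0 commercial, 9.1.0 US Gov).
DEFINITION_VERSIONS = {
    "AzureCloud": {PLACEHOLDER_DEFINITION_ID: "8.2.0"},
    "AzureUSGovernment": {PLACEHOLDER_DEFINITION_ID: "9.1.0"},
}


def major_pin(definition_version: str) -> str:
    """'8.2.0' -> '8.*.*': follow minor/patch updates, never a new major."""
    m = _SEMVER.match(definition_version)
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {definition_version!r}")
    return f"{m.group(1)}.*.*"


def unpinned_assignments(template: dict) -> list[str]:
    """Names of policyAssignments resources that carry no definitionVersion."""
    return [
        r["name"]
        for r in template.get("resources", [])
        if r.get("type") == ASSIGNMENT_TYPE
        and "definitionVersion" not in r.get("properties", {})
    ]


def pin_template(template: dict, cloud: str) -> dict:
    """Return a copy with every unpinned assignment pinned to the major version
    of its definition as published in `cloud`. Unknown definitions raise rather
    than being guessed; apiVersion is raised so the property is accepted."""
    versions = DEFINITION_VERSIONS[cloud]
    out = copy.deepcopy(template)
    for r in out.get("resources", []):
        if r.get("type") != ASSIGNMENT_TYPE:
            continue
        props = r.setdefault("properties", {})
        if "definitionVersion" in props:
            continue  # already pinned: keep the operator's explicit choice
        def_id = props.get("policyDefinitionId", "")
        if def_id not in versions:
            raise KeyError(f"no published version known for {def_id} in {cloud}")
        props["definitionVersion"] = major_pin(versions[def_id])
        # ISO dates compare correctly as strings; older api-versions predate
        # the property.
        if r.get("apiVersion", "0000-00-00") < VERSIONED_API:
            r["apiVersion"] = VERSIONED_API
    return out


if __name__ == "__main__":
    print("unpinned before:", unpinned_assignments(SAMPLE_TEMPLATE))
    for cloud in DEFINITION_VERSIONS:
        pinned = pin_template(SAMPLE_TEMPLATE, cloud)
        print(cloud, json.dumps(pinned["resources"][0]["properties"], indent=2))
```

Pinning per cloud matters because a template shared between commercial and US Gov would otherwise carry a pin that is wrong for one of them; the script refuses to guess when it has no published version for a definition, which is the safer failure for a deny policy than silently assigning whatever major is current.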