Azure / azure-powershell

Microsoft Azure PowerShell

Set-AzPolicyAssignment Command Loses Description and Display Name #25362

Open DFRZ7 opened 6 days ago

DFRZ7 commented 6 days ago

Description

While testing the Set-AzPolicyAssignment command with the latest version, we noticed the following behavior:

Policy Enforcement Mode and Non-Compliant Messages: These properties are maintained correctly when running the command.

Description and Display Name: These properties are lost when executing the command directly.

Issue script & Debug output

# Connect to Azure
# Note: Policy assignment is set to DoNotEnforce, for testing.

Get-AzPolicyAssignment -Id "/subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyAssignments/<PolicyAssignmentId>"

# Set the subscription context
Set-AzContext -SubscriptionId "<SubscriptionId>"

# Assign a policy with the Set-AzPolicyAssignment command
Set-AzPolicyAssignment -Id "/subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyAssignments/<PolicyAssignmentId>" -EnforcementMode Default

Environment data

Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Microsoft Windows 10.0.22635
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

Get-InstalledModule -Name Az -AllVersions

Version              Name                                Repository           Description
-------              ----                                ----------           -----------
12.0.0               Az                                  PSGallery            Microsoft Azure PowerShell - Cmdlets to manage resources in Azure. This module is compatib…

Get-InstalledModule -Name Az.Resources -AllVersions

Version              Name                                Repository           Description
-------              ----                                ----------           -----------
7.1.0                Az.Resources                        PS

Error output

Example Output Before Changing Enforcement Mode:

Metadata                     : @{parameterScopes=; createdBy=<CreatedById>; createdOn=5/27/2024 7:36:55 PM; updatedBy=<UpdatedById>; updatedOn=6/24/2024 6:17:53 PM}
NonComplianceMessage         : 
NotScope                     : 
Parameter                    : @{profileName=}
Description                  : This is a test
DisplayName                  : DiagOpenAI
EnforcementMode              : DoNotEnforce
Id                           : /subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyAssignments/<PolicyAssignmentId>
IdentityPrincipalId          : 
IdentityTenantId             : 
IdentityType                 : 
IdentityUserAssignedIdentity : Microsoft.Azure.PowerShell.Cmdlets.Policy.Models.IdentityUserAssignedIdentities
Location                     : 
Name                         : <PolicyAssignmentName>
Override                     : {}
PolicyDefinitionId           : /subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyDefinitions/<PolicyDefinitionId>
ResourceSelector             : {}
SystemDataCreatedAt          : 5/27/2024 7:36:55 PM
SystemDataCreatedByType      : User
SystemDataLastModifiedAt     : 6/24/2024 6:17:53 PM
SystemDataLastModifiedByType : User
Type                         : Microsoft.Authorization/policyAssignments

Example Output After Changing Enforcement Mode:

Metadata                     : @{createdBy=<CreatedById>; createdOn=5/27/2024 7:36:55 PM; updatedBy=<UpdatedById>; updatedOn=6/24/2024 6:43:50 PM}
NonComplianceMessage         : 
NotScope                     : 
Parameter                    : @{profileName=}
Description                  : 
DisplayName                  : 
EnforcementMode              : Default
Id                           : /subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyAssignments/<PolicyAssignmentId>
IdentityPrincipalId          : 
IdentityTenantId             : 
IdentityType                 : 
IdentityUserAssignedIdentity : Microsoft.Azure.PowerShell.Cmdlets.Policy.Models.IdentityUserAssignedIdentities
Location                     : 
Name                         : <PolicyAssignmentName>
Override                     : 
PolicyDefinitionId           : /subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyDefinitions/<PolicyDefinitionId>
ResourceSelector             : 
SystemDataCreatedAt          : 5/27/2024 7:36:55 PM
SystemDataCreatedByType      : User
SystemDataLastModifiedAt     : 6/24/2024 6:43:50 PM
SystemDataLastModifiedByType : User
Type                         : Microsoft.Authorization/policyAssignments

Example of workaround:

Piping the output of Get to the Set:

Get-AzPolicyAssignment -Id "/subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyAssignments/<PolicyAssignmentId>" | Set-AzPolicyAssignment

Nonetheless, documentation does not state this, so it could be somewhat confusing.
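
A check for the behavior reported above, as an added example that is not part of the original issue or of the Az module: it compares a snapshot of the assignment taken before an update with one taken after it and reports text properties that were cleared or changed unintentionally. The function name `Get-ClearedAssignmentProperty` and its parameters are hypothetical, and the sample objects are constructed from the before/after output shown in the issue.

```powershell
# Added example: flag properties an update cleared or changed without being asked to.
function Get-ClearedAssignmentProperty {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object] $Before,
        [Parameter(Mandatory)] [object] $After,
        # Properties the update was meant to change; excluded from the check.
        [string[]] $Expected = @(),
        # Server-maintained fields that change on every write.
        [string[]] $Ignore = @('Metadata', 'SystemDataLastModifiedAt', 'SystemDataLastModifiedByType')
    )
    foreach ($prop in $Before.PSObject.Properties) {
        if ($prop.Name -in $Expected -or $prop.Name -in $Ignore) { continue }
        $old = $prop.Value
        # Only non-empty text values are checked; nested objects are out of scope here.
        if ($old -isnot [string] -or [string]::IsNullOrWhiteSpace($old)) { continue }
        $newProp = $After.PSObject.Properties[$prop.Name]
        $new = if ($newProp) { [string]$newProp.Value } else { '' }
        if ($new -ne $old) {
            $status = if ([string]::IsNullOrWhiteSpace($new)) { 'Cleared' } else { 'Changed' }
            [pscustomobject]@{ Property = $prop.Name; Status = $status; Before = $old; After = $new }
        }
    }
}

# Constructed samples mirroring the before/after output in the issue.
$before = [pscustomobject]@{
    Description     = 'This is a test'
    DisplayName     = 'DiagOpenAI'
    EnforcementMode = 'DoNotEnforce'
    Name            = '<PolicyAssignmentName>'
}
$after = [pscustomobject]@{
    Description     = $null
    DisplayName     = $null
    EnforcementMode = 'Default'
    Name            = '<PolicyAssignmentName>'
}

# EnforcementMode was changed on purpose, so it is listed as expected.
Get-ClearedAssignmentProperty -Before $before -After $after -Expected 'EnforcementMode'

# Against a live subscription, take $before and $after from
# Get-AzPolicyAssignment -Id <id> immediately before and after the Set-AzPolicyAssignment call.
```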

isra-fel commented 4 days ago

@mentat9 Hi Chris, making sure you know this. Thanks

mentat9 commented 4 days ago

This will be fixed in the next Az.Policy release.

isra-fel commented 3 days ago

cc @VeryEarly

DFRZ7 commented 3 days ago

Thank you @mentat9