Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License

Error: invalidlocationupdate The existing assignment location cannot be changed from "uksouth" to "." #246

Closed rowbot-99 closed 1 year ago

rowbot-99 commented 1 year ago

Hi, updating policy assignments with a null identity type seems to produce the error above; all other assignments with system-assigned or user-assigned identities don't have this error. Any idea what could be causing this issue?

anwather commented 1 year ago

Can you provide clear repro steps and I can take a look?

rowbot-99 commented 1 year ago

Hey, yeah, so I had Enterprise Scale deploy the policies, and now I'm trying to manage the policies using this tool going forward. I pulled down the existing policies using export-azurepolicyresources and moved the folders inside the definitions folder. I ran the build pipeline, which produced deploy.json, and now I get this error during the deploy stage.

anwather commented 1 year ago

OK, it could be the managed identities for those policies; they may be deployed in a different region to what you have specified in your global-settings.json.

Can you check the managed identity location for one of the deployed policies and see if it matches what you have specified?

Another way to fix it may be to rename the assignment files in the definition folder and run the deploy, which will remove all the assignments. Then name them back to json files and redeploy them.


anwather commented 1 year ago

Also post your global settings file so I can take a look.

rowbot-99 commented 1 year ago

Actually, the pipeline fails when it starts processing the policies that don't use identities (identity: none); the ones that have identity: system assigned are fine. I just checked one of the identities used and the location is uksouth.

This is my global settings file

{
    "pacOwnerId": "11111111-2222-3333-4444-555555555555",
    "pacEnvironments": [
        {
            "pacSelector": "epac-dev",
            "cloud": "AzureCloud",
            "tenantId": "id",
            "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/lz"
        }
    ],
    "managedIdentityLocations": {
        "*": "uksouth"
    },
    "globalNotScopes": {
        "*": [
            "/resourceGroupPatterns/excluded-rg*"
        ],
        "tenant": [
            "/providers/Microsoft.Management/managementGroups/EPAC-Dev"
        ]
    }
}

An example of a failing assignment is Deny-Public-IP.

Thanks

anwather commented 1 year ago

Ah, I think I know what is happening. Can you post the assignment file for that Deny-Public-IP assignment? It is probably putting in a null entry for identity, which needs to be removed from the file....


rowbot-99 commented 1 year ago

This is it from my policy-plan.json:

"/providers/Microsoft.Management/managementGroups/lz-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP": {
  "metadata": {
    "pacOwnerId": "11111111-2222-3333-4444-555555555555"
  },
  "id": "/providers/Microsoft.Management/managementGroups/lz-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP",
  "notScopes": [],
  "parameters": {
    "listOfResourceTypesNotAllowed": [
      "Microsoft.Network/publicIPAddresses"
    ]
  },
  "identity": {
    "type": "None"
  },
  "enforcementMode": "DoNotEnforce",
  "displayName": "Deny the creation of public IP",
  "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
  "description": "This policy denies creation of Public IPs under the assigned scope.",
  "scope": "/providers/Microsoft.Management/managementGroups/lz-identity",
  "name": "Deny-Public-IP",
  "identityRequired": false,
  "nonComplianceMessages": [
    {
      "message": "Public IPs should not be created under this scope."
    }
  ]
},

Thanks

anwather commented 1 year ago

Can you check the assignment files which have been extracted from the environment and remove any managedIdentityLocations keys in those files? Also any roles sections in the metadata keys?

rowbot-99 commented 1 year ago

The original assignment I extracted from my environment for Deny-Public-IP doesn't have either of those properties: no metadata or managedIdentityLocations in the file.


anwather commented 1 year ago

OK, weird. Can you download the latest version of the module and try again?


rowbot-99 commented 1 year ago

Yes, I actually did that yesterday; same error. This time I had other issues during the build, but I got those fixed. The main error is still there.

Breakdown below.

My "not-allowed-resource-types-policy.jsonc" inside the policyAssignments folder looks like this:

{
  "children": [
    {
      "nodeName": "/child-0",
      "parameters": {
        "listOfResourceTypesNotAllowed": [
          "Microsoft.ClassicCompute/capabilities",
          "Microsoft.ClassicCompute/checkDomainNameAvailability",
          "Microsoft.ClassicCompute/domainNames",
          "Microsoft.ClassicCompute/domainNames/capabilities",
          "Microsoft.ClassicCompute/domainNames/internalLoadBalancers",
          "Microsoft.ClassicCompute/domainNames/serviceCertificates",
          "Microsoft.ClassicCompute/domainNames/slots",
          "Microsoft.ClassicCompute/domainNames/slots/roles",
          "Microsoft.ClassicCompute/domainNames/slots/roles/metricDefinitions",
          "Microsoft.ClassicCompute/domainNames/slots/roles/metrics",
          "Microsoft.ClassicCompute/moveSubscriptionResources",
          "Microsoft.ClassicCompute/operatingSystemFamilies",
          "Microsoft.ClassicCompute/operatingSystems",
          "Microsoft.ClassicCompute/operations",
          "Microsoft.ClassicCompute/operationStatuses",
          "Microsoft.ClassicCompute/quotas",
          "Microsoft.ClassicCompute/resourceTypes",
          "Microsoft.ClassicCompute/validateSubscriptionMoveAvailability",
          "Microsoft.ClassicCompute/virtualMachines",
          "Microsoft.ClassicCompute/virtualMachines/diagnosticSettings",
          "Microsoft.ClassicCompute/virtualMachines/metricDefinitions",
          "Microsoft.ClassicCompute/virtualMachines/metrics",
          "Microsoft.ClassicInfrastructureMigrate/classicInfrastructureResources",
          "Microsoft.ClassicNetwork/capabilities",
          "Microsoft.ClassicNetwork/expressRouteCrossConnections",
          "Microsoft.ClassicNetwork/expressRouteCrossConnections/peerings",
          "Microsoft.ClassicNetwork/gatewaySupportedDevices",
          "Microsoft.ClassicNetwork/networkSecurityGroups",
          "Microsoft.ClassicNetwork/operations",
          "Microsoft.ClassicNetwork/quotas",
          "Microsoft.ClassicNetwork/reservedIps",
          "Microsoft.ClassicNetwork/virtualNetworks",
          "Microsoft.ClassicNetwork/virtualNetworks/remoteVirtualNetworkPeeringProxies",
          "Microsoft.ClassicNetwork/virtualNetworks/virtualNetworkPeerings",
          "Microsoft.ClassicStorage/capabilities",
          "Microsoft.ClassicStorage/checkStorageAccountAvailability",
          "Microsoft.ClassicStorage/disks",
          "Microsoft.ClassicStorage/images",
          "Microsoft.ClassicStorage/operations",
          "Microsoft.ClassicStorage/osImages",
          "Microsoft.ClassicStorage/osPlatformImages",
          "Microsoft.ClassicStorage/publicImages",
          "Microsoft.ClassicStorage/quotas",
          "Microsoft.ClassicStorage/storageAccounts",
          "Microsoft.ClassicStorage/storageAccounts/blobServices",
          "Microsoft.ClassicStorage/storageAccounts/fileServices",
          "Microsoft.ClassicStorage/storageAccounts/metricDefinitions",
          "Microsoft.ClassicStorage/storageAccounts/metrics",
          "Microsoft.ClassicStorage/storageAccounts/queueServices",
          "Microsoft.ClassicStorage/storageAccounts/services",
          "Microsoft.ClassicStorage/storageAccounts/services/diagnosticSettings",
          "Microsoft.ClassicStorage/storageAccounts/services/metricDefinitions",
          "Microsoft.ClassicStorage/storageAccounts/services/metrics",
          "Microsoft.ClassicStorage/storageAccounts/tableServices",
          "Microsoft.ClassicStorage/storageAccounts/vmImages",
          "Microsoft.ClassicStorage/vmImages",
          "Microsoft.ClassicSubscription/operations"
        ],
        "effect": "Deny"
      },
      "nonComplianceMessages": [
        {
          "message": "Classic resources must not be deployed."
        }
      ],
      "assignment": {
        "name": "Deny-Classic-Resources",
        "displayName": "Deny the deployment of classic resources",
        "description": "Denies deployment of classic resource types under the assigned scope."
      },
      "scope": {
        "epac-dev": [
          "/providers/Microsoft.Management/managementGroups/lz"
        ]
      }
    },
    {
      "nodeName": "/child-1",
      "parameters": {
        "listOfResourceTypesNotAllowed": [
          "Microsoft.Network/publicIPAddresses"
        ],
        "effect": "Deny"
      },
      "enforcementMode": "DoNotEnforce",
      "nonComplianceMessages": [
        {
          "message": "Public IPs should not be created under this scope."
        }
      ],
      "assignment": {
        "name": "Deny-Public-IP",
        "displayName": "Deny the creation of public IP",
        "description": "This policy denies creation of Public IPs under the assigned scope."
      },
      "scope": {
        "epac-dev": [
          "/providers/Microsoft.Management/managementGroups/lz-identity"
        ]
      }
    }
  ],
  "nodeName": "/root",
  "definitionEntry": {
    "policyId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
    "displayName": "Not allowed resource types"
  }
}

my policy-plan.json file for the Deny-PublicIP looks like this:

"/providers/Microsoft.Management/managementGroups/lz/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP": {
          "parameters": {
            "effect": {
              "allowedValues": [
                "Audit",
                "Deny",
                "Disabled"
              ],
              "defaultValue": "Deny",
              "metadata": {
                "description": "Enable or disable the execution of the policy",
                "displayName": "Effect"
              },
              "type": "String"
            }
          },
          "displayName": "[Deprecated] Deny the creation of public IP",
          "metadata": {
            "source": "https://github.com/Azure/Enterprise-Scale/",
            "version": "1.0.0-deprecated",
            "deprecated": true,
            "category": "Network",
            "pacOwnerId": "11111111-2222-3333-4444-555555555555",
            "alzCloudEnvironments": [
              "AzureCloud",
              "AzureChinaCloud",
              "AzureUSGovernment"
            ]
          },
          "scopeId": "/providers/Microsoft.Management/managementGroups/lz",
          "policyRule": {
            "if": {
              "field": "type",
              "equals": "Microsoft.Network/publicIPAddresses"
            },
            "then": {
              "effect": "[parameters('effect')]"
            }
          },
          "description": "[Deprecated] This policy denies creation of Public IPs under the assigned scope.",
          "name": "Deny-PublicIP",
          "id": "/providers/Microsoft.Management/managementGroups/lz/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP",
          "mode": "Indexed"
        },

Lastly, here is the error when I run deploy.yaml:

Write-Error: /home/runner/.local/share/powershell/Modules/EnterprisePolicyAsCode/7.2.3/functions/Deploy-PolicyPlan.ps1:292
Line |
 292 |  … splayName = Set-AzPolicyAssignmentRestMethod -assignment $_ -currentD …
     |                ~~~~~~~~~~~~~
     | Assignment error 400 -- {"error":{"code":"InvalidLocationUpdate","message":"The policy assignment 'Deny-Public-IP' request is invalid. The existing assignment's location cannot be changed from 'uksouth' to ''."}}

Error: Error: The process '/usr/bin/pwsh' failed with exit code 1

anwather commented 1 year ago

Let me try and take another look at this one tomorrow for you.


anwather commented 1 year ago

I was finally able to replicate this by deploying ALZ again, then extracting the deployed policies.

I would recommend deleting the assignment in the portal and letting EPAC recreate it. The policy assignments deployed by ALZ seem to have a location property on them, while policy assignments deployed by EPAC do not. This causes the policy API to throw an error when deploying. This property is only required for policies which have a managed identity assigned to them; however, all of the policies deployed by ALZ have it for some reason. Since this is going to be a specific edge case, I would recommend just deleting them and recreating them.

rowbot-99 commented 1 year ago

Ok, I could do that. Maybe worth adding this to the documentation; surely I won't be the only one trying to do something similar.

Thanks for your help.

rowbot-99 commented 1 year ago

I have been playing around with this and was thinking the following could be added to resolve this issue, what do you think?

if ($assignmentObj.identityRequired -eq $true) {
    # Identity present: location comes from managedIdentityLocations
    $assignment.location = $assignmentObj.managedIdentityLocation
} elseif ($assignmentObj.identityRequired -eq $false) {
    # No identity: keep whatever location the existing assignment already has,
    # so the API does not reject the update with InvalidLocationUpdate
    if (Get-AzPolicyAssignment -Name $assignmentObj.name -Scope $assignmentObj.scope -ErrorAction SilentlyContinue) {
        $assignment.location = (Get-AzPolicyAssignment -Name $assignmentObj.name -Scope $assignmentObj.scope).Location
    } else {
        Write-Information "The Azure platform does not contain the requested assignment ('$($assignmentObj.name)')"
    }
}

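
As an added example (not EPAC's own code and not posted by anyone in this thread), the following PowerShell pre-flight function resolves the location to send for each plan entry along the lines anwather and rowbot-99 describe above: identity-backed assignments take the managedIdentityLocations value, and identity-less assignments that already exist in Azure with a location (as the ALZ-deployed ones do) keep that location rather than sending an empty one. The plan entries, the `Deploy-Example` assignment and the table of existing assignments are constructed sample data; `Resolve-AssignmentLocation` is a hypothetical name.

```powershell
# Added example: resolve the assignment location before calling the policy API.
# Constructed inputs stand in for policy-plan.json entries and for the assignments
# that already exist in Azure (normally read with Get-AzPolicyAssignment).
function Resolve-AssignmentLocation {
    param(
        [Parameter(Mandatory)] [hashtable] $PlanEntry,   # one assignment entry from the plan
        [AllowNull()] [hashtable] $Existing              # live assignment, or $null if absent
    )

    $location = $null
    $note     = 'no location required'

    if ($PlanEntry.identityRequired) {
        # Managed identity present: EPAC sets the location from managedIdentityLocations
        $location = $PlanEntry.managedIdentityLocation
        $note     = 'location from managedIdentityLocations'
    }
    elseif ($null -ne $Existing -and -not [string]::IsNullOrEmpty($Existing.location)) {
        # No identity, but the existing assignment already carries a location (the ALZ case).
        # The API refuses to change it, so carry it over instead of sending ''.
        $location = $Existing.location
        $note     = "kept existing location '$location' to avoid InvalidLocationUpdate"
    }

    [pscustomobject]@{
        Name     = $PlanEntry.name
        Scope    = $PlanEntry.scope
        Location = $location
        Note     = $note
    }
}

# Constructed sample plan: the identity-less Deny-Public-IP from this thread, plus a
# hypothetical identity-backed assignment named Deploy-Example.
$plan = @(
    @{ name = 'Deny-Public-IP'; scope = '/providers/Microsoft.Management/managementGroups/lz-identity'
       identityRequired = $false },
    @{ name = 'Deploy-Example'; scope = '/providers/Microsoft.Management/managementGroups/lz'
       identityRequired = $true; managedIdentityLocation = 'uksouth' }
)

# Constructed view of what already exists in Azure: Deny-Public-IP was deployed by ALZ
# with a location even though it has no identity; Deploy-Example does not exist yet.
$existing = @{
    'Deny-Public-IP' = @{ location = 'uksouth'; identity = @{ type = 'None' } }
}

$results = foreach ($entry in $plan) {
    Resolve-AssignmentLocation -PlanEntry $entry -Existing $existing[$entry.name]
}
$results | Format-Table -AutoSize
```

Deny-Public-IP resolves to `uksouth` with the "kept existing location" note, Deploy-Example to `uksouth` from managedIdentityLocations; a new identity-less assignment would resolve to no location at all.
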
techlake commented 1 year ago

This used to work way back in the pre-OSS days and more importantly pre-User-Assigned-Identity. I'll investigate fixing this. The underlying API cannot change the location of the identity.

anwather commented 1 year ago

@techlake, let's discuss tomorrow. This is a really weird edge case: no identities are involved, which makes it different.

soupercomputer commented 1 year ago

+1 on this, I get the same issue. It seems to be a buggy API issue where it is storing a location against a policy that doesn't need one. I've seen similar issues to this on other Azure APIs when deploying with Bicep: the API throws an error if you seem to be trying to change a value it shouldn't care about. Seems like an interim robust way to handle it would simply be to alter the code so that updates pass in location even if it's not needed. I will use this fix myself for now, but then if the API gets fixed it will fail again.

anwather commented 1 year ago

@soupercomputer just curious as to how you deployed the policies causing issues? Were they part of Azure Landing Zones deployments? The current fix is to delete the policy from Azure and let EPAC deploy the assignment until we have a workaround.

soupercomputer commented 1 year ago

Yep, I was just evaluating the approach, so I built an LZ using the ESLZ Accelerator; it's picking up those standard policies with the erroneous location codes. There also seems to be an issue deleting the assignments: a) they don't all show up in the Policy assignments on the portal, though they do in Graph queries, and b) obviously they can't all be deleted in the portal as they don't show up, but it seems they can't be deleted by Remove-AzPolicyAssignment either. It comes back without error but the assignment persists. So a code workaround is the only way.

techlake commented 1 year ago

Elevating to needs to be fixed

techlake commented 1 year ago

I might have a fix. If so, would you mind testing it?

Q: are you using the sync-repo method or the PowerShell market version?