Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License

Exemptions can't get them to work #339

Closed DrCefas closed 1 year ago

DrCefas commented 1 year ago

Hello,

In our test environment we are currently busy replacing our current policy solution with epac :) and almost everything runs fine; the "almost" is that I can't get the exemptions to work.

I created an exemption file (all-exemptions.json) that according to the documentation is correct (I hope :)), and the plan deployment also sees that exemptions file, but the policy exemption count stays at 0 and in Azure no policy exemptions are added. Help, what goes wrong, or what am I doing wrong?

all-exemptions.json content

```json
{
  "exemptions": [
    {
      "name": "Exempting DDOS Landingzone",
      "displayName": "o-LandingZones - Virtual networks should not be protected by Azure DDoS Network Protection",
      "description": "o-LandingZones - Virtual networks should not be protected by Azure DDoS Network Protection",
      "exemptionCategory": "Waiver",
      "expiresOn": null,
      "status": "active",
      "expiresInDays": "n/a",
      "scope": "/providers/Microsoft.Management/managementGroups/alz-landingzones",
      "policyAssignmentId": "/providers/microsoft.management/managementgroups/alz-landingzones/providers/microsoft.authorization/policyassignments/enable-ddos-vnet",
      "policyDefinitionReferenceIds": null,
      "metadata": {}
    },
    {
      "name": "Exempting DDOS Connectivity",
      "displayName": "o-Connectivity - Virtual networks should not be protected by Azure DDoS Network Protection",
      "description": "o-Connectivity - Virtual networks should not be protected by Azure DDoS Network Protection",
      "exemptionCategory": "Waiver",
      "expiresOn": null,
      "status": "active",
      "expiresInDays": "n/a",
      "scope": "/providers/Microsoft.Management/managementGroups/alz-Connectivity",
      "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/alz-Connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET",
      "policyDefinitionReferenceIds": null,
      "metadata": {}
    },
    {
      "name": "Exempting IaaS-Antimalware Sandbox",
      "displayName": "o-Sandbox - Don't deploy default Microsoft IaaS-Antimalware extension for Windows Server.",
      "description": "o-Sandbox - Don't deploy default Microsoft IaaS-Antimalware extension for Windows Server.",
      "exemptionCategory": "Waiver",
      "expiresOn": null,
      "status": "active",
      "expiresInDays": "n/a",
      "scope": "/providers/Microsoft.Management/managementGroups/alz-Sandbox",
      "policyAssignmentId": "/providers/microsoft.management/managementgroups/alz-o/providers/microsoft.authorization/policyassignments/win-antimalware",
      "policyDefinitionReferenceIds": null,
      "metadata": {}
    }
  ]
}
```

And the pipeline output of the plan deployment

```
Processing Policy Exemption files in folder 'Definitions/policyExemptions/tenant1'
===================================================================================================
Number of Policy Exemption files = 1
Processing file '/home/vsts/work/1/s/Definitions/policyExemptions/tenant1/all-exemptions.json'

===================================================================================================
Summary
===================================================================================================
Policy counts:
    132 unchanged
    0 changes
Policy Set counts:
    12 unchanged
    0 changes
Policy Assignment counts:
    54 unchanged
    0 changes
Policy Exemption counts:
    0 unchanged
    0 changes
Role Assignment counts:
    0 changes
---------------------------------------------------------------------------------------------------
Output plan(s)
    Skipping Policy deployment stage/step - no changes
    Skipping Role Assignment stage/step - no changes
---------------------------------------------------------------------------------------------------

Finishing: Run Build
```
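An added pre-flight lint for an exemption file of the shape posted above (example code, not part of EPAC and not from the original post): it parses the JSON, checks that the fields the file depends on are present, flags entries whose assignment sits in a different management group than the exemption scope for review (the IDs in the post mix upper and lower case, so the comparison is case-insensitive), and reports entries whose `expiresOn` has already passed. The sample input and the set of checked fields are assumptions modelled on the file above, not EPAC's schema.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample modelled on the posted all-exemptions.json (not the
# repository's own file). The second entry mirrors the post's third exemption,
# whose assignment lives in MG 'alz-o' while the scope is MG 'alz-Sandbox',
# and is given a past expiresOn to exercise that check as well.
SAMPLE = """{
  "exemptions": [
    {"name": "Exempting DDOS Landingzone", "exemptionCategory": "Waiver",
     "expiresOn": null,
     "scope": "/providers/Microsoft.Management/managementGroups/alz-landingzones",
     "policyAssignmentId": "/providers/microsoft.management/managementgroups/alz-landingzones/providers/microsoft.authorization/policyassignments/enable-ddos-vnet"},
    {"name": "Exempting IaaS-Antimalware Sandbox", "exemptionCategory": "Waiver",
     "expiresOn": "2020-01-01T00:00:00Z",
     "scope": "/providers/Microsoft.Management/managementGroups/alz-Sandbox",
     "policyAssignmentId": "/providers/microsoft.management/managementgroups/alz-o/providers/microsoft.authorization/policyassignments/win-antimalware"}
  ]
}"""

# Management-group segment of a resource ID; Azure IDs are case-insensitive.
MG_RE = re.compile(r"/providers/microsoft\.management/managementgroups/([^/]+)", re.IGNORECASE)
# Fields assumed required for an exemption to be deployable (assumption).
REQUIRED = ("name", "exemptionCategory", "scope", "policyAssignmentId")

def lint_exemptions(text, now=None):
    """Return a list of (exemption name, finding) tuples; empty means clean."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for ex in json.loads(text).get("exemptions", []):
        name = ex.get("name", "<unnamed>")
        for key in REQUIRED:
            if not ex.get(key):
                findings.append((name, f"missing required field '{key}'"))
        if ex.get("exemptionCategory") not in ("Waiver", "Mitigated"):
            findings.append((name, "exemptionCategory must be Waiver or Mitigated"))
        scope_mg = MG_RE.search(ex.get("scope", ""))
        assign_mg = MG_RE.search(ex.get("policyAssignmentId", ""))
        # An exemption scope must sit at or under the assignment scope; MG
        # ancestry is not visible in the IDs, so a mismatch is flagged for review.
        if scope_mg and assign_mg and scope_mg.group(1).lower() != assign_mg.group(1).lower():
            findings.append((name, f"assignment is in MG '{assign_mg.group(1)}' but scope is MG "
                                   f"'{scope_mg.group(1)}': confirm the former is an ancestor"))
        expires = ex.get("expiresOn")
        if expires and datetime.fromisoformat(expires.replace("Z", "+00:00")) <= now:
            findings.append((name, f"expiresOn {expires} is already in the past"))
    return findings
```

Run it against the real file before the plan stage; a clean file that still yields zero exemption counts points at the tooling rather than the file, as it did in this thread.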
techlake commented 1 year ago

This might be a regression. Would you be able to host a debugging session? You can send me an email at dot@microsoft.com

anwather commented 1 year ago

Can confirm I'm seeing this as well using JSON exemptions

anwather commented 1 year ago

Fixed in 8.0.1