Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License

Exemptions can't get them to work - Even after merge #342 #343

Closed DrCefas closed 1 year ago

DrCefas commented 1 year ago

Hi,

After the merge of #342 I did some extensive testing and it seems to run a lot better; some strange warnings about exemptions being duplicated etc. are gone :) but unfortunately the error reported in #341 is still there in Deploy Policies. I already tried it with a JSON and a CSV exemptions file, but both files still give the same error:

===================================================================================================
Create new Exemptions (2)
---------------------------------------------------------------------------------------------------
Exempting DDOS Landingzone
Write-Error: /home/vsts/.local/share/powershell/Modules/EnterprisePolicyAsCode/8.1.0/functions/Deploy-PolicyPlan.ps1:318
Line |
 318 |  …      $null = Set-AzPolicyExemptionRestMethod -ExemptionObj $exemption
     |                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Policy Exemption error 404 --
     | {"error":{"code":"MissingSubscription","message":"The request did not
     | have a subscription or a valid tenant level resource provider."}}

##[error]PowerShell exited with code '1'.
Finishing: Deploy Policies

techlake commented 1 year ago

This is likely something in the payload:

DrCefas commented 1 year ago

Hi,

Here is the information that was requested (I hope that this is the correct information), and we scope them on management groups.

  • Can you send me the Exemption for the exemption with the displayName "Exempting DDOS Landingzone" (redact subscription ids).
      {
          "name": "ExemptingDDOSLandingzone",
          "displayName": "Exempting DDOS Landingzone",
          "description": "o-LandingZones - Virtual networks should not be protected by Azure DDoS Network Protection",
          "exemptionCategory": "Waiver",
          "expiresOn": null,
          "status": "active",
          "expiresInDays": "n/a",
          "scope": "/providers/Microsoft.Management/managementGroups/alz-Landingzones",
          "policyAssignmentId": "/providers/Microsoft.Management/managementgroups/alz-Landingzones/providers/Microsoft.Authorization/policyAssignments/enable-ddos-vnet",
          "policyDefinitionReferenceIds": null,
          "metadata": {}
      },
  • Even better send me the plan section with the two new exemptions (again with subscription id redacted)

And to get a clean test I even created two brand new exemptions, which gave the same error

{
  "exemptions": [
      {
          "name": "Allow Kubernetes clusters",
          "displayName": "Allow Kubernetes clusters container privilege escalation",
          "description": "Allow Kubernetes clusters should not allow container privilege escalation",
          "exemptionCategory": "Waiver",
          "expiresOn": null,
          "status": "active",
          "expiresInDays": "n/a",
          "scope": "/providers/Microsoft.Management/managementGroups/alz-Landingzones",
          "policyAssignmentId": "/providers/microsoft.management/managementgroups/alz-landingzones/providers/microsoft.authorization/policyassignments/deny-priv-esc-aks",
          "policyDefinitionReferenceIds": null,
          "metadata": {}
      },
      {
          "name": "Azure Defender SQL",
          "displayName": "Disable Azure Defender SQL",
          "description": "Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances",
          "exemptionCategory": "Waiver",
          "expiresOn": null,
          "status": "active",
          "expiresInDays": "n/a",
          "scope": "/providers/Microsoft.Management/managementGroups/alz-Connectivity",
          "policyAssignmentId": "/providers/microsoft.management/managementgroups/alz-oanwb/providers/microsoft.authorization/policyassignments/deploy-mdfc-sqlatp",
          "policyDefinitionReferenceIds": null,
          "metadata": {}
      }
  ]
}

With the plan section of those two new exemptions

2023-09-01T14:13:49.8170851Z ##[section]Starting: Run Build
2023-09-01T14:13:49.8175615Z ==============================================================================
2023-09-01T14:13:49.8175744Z Task         : Azure PowerShell
2023-09-01T14:13:49.8175814Z Description  : Run a PowerShell script within an Azure environment
2023-09-01T14:13:49.8175911Z Version      : 5.226.0
2023-09-01T14:13:49.8175988Z Author       : Microsoft Corporation
2023-09-01T14:13:49.8176060Z Help         : https://aka.ms/azurepowershelltroubleshooting
2023-09-01T14:13:49.8176146Z ==============================================================================
2023-09-01T14:13:50.1172387Z Generating script.
2023-09-01T14:13:50.1376292Z [command]/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command . '/home/vsts/work/_temp/<>.ps1'
2023-09-01T14:13:50.1376779Z File saved!
2023-09-01T14:13:51.3916438Z ##[command]Import-Module -Name /usr/share/az_9.3.0/Az.Accounts/2.12.5/Az.Accounts.psd1 -Global
2023-09-01T14:13:52.0170731Z ##[command]Clear-AzContext -Scope Process
2023-09-01T14:13:52.1509704Z ##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
2023-09-01T14:13:52.5897977Z ##[command]Connect-AzAccount -ServicePrincipal -Tenant <> -Credential System.Management.Automation.PSCredential -Environment AzureCloud @processScope
2023-09-01T14:13:53.9162078Z VERBOSE: Exporting function 'Build-DeploymentPlans'.
2023-09-01T14:13:53.9199219Z VERBOSE: Exporting function 'Build-PolicyDocumentation'.
2023-09-01T14:13:53.9243808Z VERBOSE: Exporting function 'Create-AzRemediationTasks'.
2023-09-01T14:13:53.9292652Z VERBOSE: Exporting function 'Deploy-PolicyPlan'.
2023-09-01T14:13:53.9315265Z VERBOSE: Exporting function 'Deploy-RolesPlan'.
2023-09-01T14:13:53.9376486Z VERBOSE: Exporting function 'Export-AzPolicyResources'.
2023-09-01T14:13:53.9495315Z VERBOSE: Exporting function 'Export-NonComplianceReports'.
2023-09-01T14:13:53.9507570Z VERBOSE: Exporting function 'Get-AzExemptions'.
2023-09-01T14:13:53.9529017Z VERBOSE: Exporting function 'Get-AzMissingTags'.
2023-09-01T14:13:53.9548694Z VERBOSE: Exporting function 'Get-AzPolicyAliasOutputCSV'.
2023-09-01T14:13:53.9573147Z VERBOSE: Exporting function 'Get-AzResourceTags'.
2023-09-01T14:13:53.9590484Z VERBOSE: Exporting function 'Get-AzStorageNetworkConfig'.
2023-09-01T14:13:53.9606376Z VERBOSE: Exporting function 'Get-AzUserRoleAssignments'.
2023-09-01T14:13:53.9630976Z VERBOSE: Exporting function 'New-AzPolicyReaderRole'.
2023-09-01T14:13:53.9640643Z VERBOSE: Exporting function 'New-EPACDefinitionFolder'.
2023-09-01T14:13:53.9654903Z VERBOSE: Exporting function 'New-EPACPolicyAssignmentDefinition'.
2023-09-01T14:13:53.9682965Z VERBOSE: Exporting function 'New-EPACPolicyDefinition'.
2023-09-01T14:13:53.9703530Z VERBOSE: Exporting function 'Sync-ALZPolicies'.
2023-09-01T14:13:53.9723530Z VERBOSE: Exporting function 'Sync-CAFPolicies'.
2023-09-01T14:13:54.0270794Z 
2023-09-01T14:13:54.0271478Z ===================================================================================================
2023-09-01T14:13:54.0273508Z Read global settings from 'Definitions/global-settings.jsonc'.
2023-09-01T14:13:54.0275595Z ===================================================================================================
2023-09-01T14:13:54.0278468Z PowerShell Versions: 7.2.13
2023-09-01T14:13:54.1235931Z PAC Environments: tenant1
2023-09-01T14:13:54.1236333Z Definitions root folder: Definitions
2023-09-01T14:13:54.1236535Z Input folder: ./Output
2023-09-01T14:13:54.1239846Z Output folder: ./Output
2023-09-01T14:13:54.1243672Z 
2023-09-01T14:13:54.1268366Z Environment Selected: tenant1
2023-09-01T14:13:54.1271771Z     cloud      = AzureCloud
2023-09-01T14:13:54.1275202Z     tenant     = <>
2023-09-01T14:13:54.1279167Z     root scope = /providers/Microsoft.Management/managementGroups/alz-O
2023-09-01T14:13:54.1281982Z 
2023-09-01T14:13:54.1977705Z Telemetry is disabled
2023-09-01T14:13:54.1978039Z 
2023-09-01T14:13:54.2117802Z 
2023-09-01T14:13:54.2118447Z ===================================================================================================
2023-09-01T14:13:54.2148217Z Get scope tree for EPAC environment 'tenant1' at root scope /managementGroups/alz-O
2023-09-01T14:13:54.2148681Z ===================================================================================================
2023-09-01T14:13:54.8185436Z Retrieved 30 resource containers
2023-09-01T14:13:54.8193144Z 
2023-09-01T14:13:54.8204228Z Processing 30 resource containers:
2023-09-01T14:13:54.8625556Z     Management groups = 13
2023-09-01T14:13:54.8626329Z     Subscriptions     = 3
2023-09-01T14:13:54.8700020Z     Resource groups   = 14
2023-09-01T14:13:54.9241674Z 
2023-09-01T14:13:54.9247672Z ===================================================================================================
2023-09-01T14:13:54.9254458Z Get Policy Resources for EPAC environment 'tenant1' at root scope /managementGroups/alz-O
2023-09-01T14:13:54.9259579Z ===================================================================================================
2023-09-01T14:13:58.4718345Z Retrieved 2000 Policy definitions, Policy Set definitions, and Policy Assignments
2023-09-01T14:14:05.9377056Z Retrieved 3820 Policy definitions, Policy Set definitions, and Policy Assignments
2023-09-01T14:14:06.6583840Z Processed 1000 Policy definitions, Policy Set definitions, and Policy Assignments
2023-09-01T14:14:07.2370280Z Processed 2000 Policy definitions, Policy Set definitions, and Policy Assignments
2023-09-01T14:14:07.8307009Z Processed 3000 Policy definitions, Policy Set definitions, and Policy Assignments
2023-09-01T14:14:08.4071946Z Processed 3820 Policy definitions, Policy Set definitions, and Policy Assignments
2023-09-01T14:14:08.4089779Z 
2023-09-01T14:14:08.8229546Z Retrieved 1 Policy Exemptions
2023-09-01T14:14:08.8319429Z Processed 1 Policy Exemptions
2023-09-01T14:14:08.8328788Z 
2023-09-01T14:14:08.8335148Z Collecting Role assignments (this may take a while):
2023-09-01T14:14:08.8361579Z     /subscriptions/
2023-09-01T14:14:11.6524483Z     /subscriptions/
2023-09-01T14:14:13.1133113Z     /subscriptions/
2023-09-01T14:14:14.5377514Z     /providers/Microsoft.Management/managementGroups/alz-Production
2023-09-01T14:14:15.5462878Z     /providers/Microsoft.Management/managementGroups/Alz-connectivity
2023-09-01T14:14:16.5007286Z     /providers/Microsoft.Management/managementGroups/alz-Identity
2023-09-01T14:14:22.4507582Z     /providers/Microsoft.Management/managementGroups/alz-Decommissioned
2023-09-01T14:14:23.4053973Z 
2023-09-01T14:14:23.4054770Z ===================================================================================================
2023-09-01T14:14:23.4055538Z Policy Resources found for EPAC environment 'tenant1' at root scope /managementGroups/alz-O
2023-09-01T14:14:23.4055933Z ===================================================================================================
2023-09-01T14:14:23.4065468Z 
2023-09-01T14:14:23.4066436Z Policy counts:
2023-09-01T14:14:23.4067337Z     BuiltIn        = 2984
2023-09-01T14:14:23.4070091Z     Managed (132) by:
2023-09-01T14:14:23.4071030Z         This PaC   = 132
2023-09-01T14:14:23.4071938Z         Other PaC  = 0
2023-09-01T14:14:23.4072877Z         Unknown    = 0
2023-09-01T14:14:23.4082327Z     Inherited      = 0
2023-09-01T14:14:23.4091614Z     Excluded       = 0
2023-09-01T14:14:23.4093602Z 
2023-09-01T14:14:23.4094521Z Policy Set counts:
2023-09-01T14:14:23.4095374Z     BuiltIn        = 106
2023-09-01T14:14:23.4096384Z     Managed (12) by:
2023-09-01T14:14:23.4097300Z         This PaC   = 12
2023-09-01T14:14:23.4098339Z         Other PaC  = 0
2023-09-01T14:14:23.4099226Z         Unknown    = 0
2023-09-01T14:14:23.4100451Z     Inherited      = 0
2023-09-01T14:14:23.4101179Z     Excluded       = 0
2023-09-01T14:14:23.4103198Z 
2023-09-01T14:14:23.4104007Z Policy Assignment counts:
2023-09-01T14:14:23.4104819Z     Managed (74) by:
2023-09-01T14:14:23.4105685Z         This PaC    = 53
2023-09-01T14:14:23.4106686Z         Other PaC   = 3
2023-09-01T14:14:23.4107692Z         Unknown     = 18
2023-09-01T14:14:23.4134950Z     With identity   = 36
2023-09-01T14:14:23.4135249Z     Excluded        = 0
2023-09-01T14:14:23.4136092Z 
2023-09-01T14:14:23.4136882Z Policy Exemptions:
2023-09-01T14:14:23.4137929Z     Managed (0) by:
2023-09-01T14:14:23.4138869Z         This PaC    = 0
2023-09-01T14:14:23.4139869Z         Other PaC   = 0
2023-09-01T14:14:23.4140830Z         Unknown     = 0
2023-09-01T14:14:23.4150281Z         Orphaned    = 0
2023-09-01T14:14:23.4151115Z     Excluded        = 0
2023-09-01T14:14:23.4153099Z 
2023-09-01T14:14:23.4162135Z Role Assignments:
2023-09-01T14:14:23.4163242Z     Total principalIds     = 36
2023-09-01T14:14:23.4164206Z     Total Scopes           = 10
2023-09-01T14:14:23.4165247Z     Total Role Assignments = 92
2023-09-01T14:14:23.4363647Z ===================================================================================================
2023-09-01T14:14:23.4364941Z Processing Policy JSON files in folder 'Definitions/policyDefinitions'
2023-09-01T14:14:23.4365823Z ===================================================================================================
2023-09-01T14:14:29.7872472Z Number of Policy files = 132
2023-09-01T14:14:32.8755886Z Number of unchanged Policies = 132
2023-09-01T14:14:32.8756483Z 
2023-09-01T14:14:32.8902633Z ===================================================================================================
2023-09-01T14:14:32.8903596Z Processing Policy Set JSON files in folder 'Definitions/policySetDefinitions'
2023-09-01T14:14:32.8948358Z ===================================================================================================
2023-09-01T14:14:33.5697019Z Number of Policy Set files = 12
2023-09-01T14:14:35.2505915Z Number of unchanged Policy SetPolicy Sets definition = 12
2023-09-01T14:14:35.2506518Z 
2023-09-01T14:14:35.2636386Z ===================================================================================================
2023-09-01T14:14:35.2637426Z Processing Policy Assignments JSON files in folder 'Definitions/policyAssignments'
2023-09-01T14:14:35.2637940Z ===================================================================================================
2023-09-01T14:14:35.8693388Z Calculating effect parameters for 3116 Policies.
2023-09-01T14:14:42.5098409Z Calculating effect parameters for 118 Policy Sets.
2023-09-01T14:14:55.7307085Z Number of Policy Assignment files = 18
2023-09-01T14:14:57.7695967Z Desired State(unknownOwner,ownedOnly) - no delete 'ASC provisioning default LA agent Linux Arc' at /subscriptions/
2023-09-01T14:14:57.7704835Z Desired State(unknownOwner,ownedOnly) - no delete 'OpenSourceRelationalDatabasesProtectionSecurityCenter' at /subscriptions/
2023-09-01T14:14:57.7715108Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning AKS Security Profile' at /subscriptions/
2023-09-01T14:14:57.7726085Z Desired State(unknownOwner,ownedOnly) - no delete 'OpenSourceRelationalDatabasesProtectionSecurityCenter' at /subscriptions/
2023-09-01T14:14:57.7737004Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning AKS Security Profile' at /subscriptions/
2023-09-01T14:14:57.7748176Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning Azure Policy Addon for Kub' at /subscriptions/
2023-09-01T14:14:57.7758933Z Desired State(otherPaC,ownedOnly) - no delete 'Deny-Public-IP-On-NIC' at /managementGroups/alz-Sandbox
2023-09-01T14:14:57.7781121Z Desired State(unknownOwner,ownedOnly) - no delete 'DataProtectionSecurityCenter' at /subscriptions/
2023-09-01T14:14:57.7781896Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning ARC k8s Enabled' at /subscriptions/
2023-09-01T14:14:57.7792126Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning Policy extension for Arc-e' at /subscriptions/
2023-09-01T14:14:57.7802832Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning Policy extension for Arc-e' at /subscriptions/
2023-09-01T14:14:57.7813684Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning Policy extension for Arc-e' at /subscriptions/
2023-09-01T14:14:57.7824893Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning ARC k8s Enabled' at /subscriptions/
2023-09-01T14:14:57.7835533Z Desired State(unknownOwner,ownedOnly) - no delete 'DataProtectionSecurityCenter' at /subscriptions/
2023-09-01T14:14:57.7847055Z Desired State(unknownOwner,ownedOnly) - no delete 'DataProtectionSecurityCenter' at /subscriptions/
2023-09-01T14:14:57.7857823Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning ARC k8s Enabled' at /subscriptions/
2023-09-01T14:14:57.7909535Z Desired State(unknownOwner,ownedOnly) - no delete 'ASC provisioning default LA agent Windows Arc' at /subscriptions/
2023-09-01T14:14:57.7910614Z Desired State(unknownOwner,ownedOnly) - no delete 'OpenSourceRelationalDatabasesProtectionSecurityCenter' at /subscriptions/
2023-09-01T14:14:57.7913143Z Desired State(unknownOwner,ownedOnly) - no delete 'Defender for Containers provisioning AKS Security Profile' at /subscriptions/
2023-09-01T14:14:57.7913587Z Desired State(otherPaC,ownedOnly) - no delete 'Deny-HybridNetworking' at /managementGroups/alz-Sandbox
2023-09-01T14:14:57.7913943Z Desired State(otherPaC,ownedOnly) - no delete 'Audit-PeDnsZones' at /managementGroups/alz-Sandbox
2023-09-01T14:14:57.7915569Z Number of unchanged Policy Assignments = 53
2023-09-01T14:14:57.7915659Z 
2023-09-01T14:14:57.8083504Z ===================================================================================================
2023-09-01T14:14:57.8084636Z Processing Policy Exemption files in folder 'Definitions/policyExemptions/tenant1'
2023-09-01T14:14:57.8085295Z ===================================================================================================
2023-09-01T14:14:57.8149549Z Number of Policy Exemption files = 1
2023-09-01T14:14:57.8150332Z Processing file '/home/vsts/work/1/s/Definitions/policyExemptions/tenant1/new-exemptions.json'
2023-09-01T14:14:57.8161524Z 
2023-09-01T14:14:57.8262782Z New 'Allow Kubernetes clusters', '/providers/Microsoft.Management/managementGroups/alz-Landingzones'
2023-09-01T14:14:57.8292687Z New 'Azure Defender SQL', '/providers/Microsoft.Management/managementGroups/alz-Connectivity'
2023-09-01T14:14:57.8293864Z 
2023-09-01T14:14:57.8294365Z 
2023-09-01T14:14:57.8316847Z ===================================================================================================
2023-09-01T14:14:57.8317316Z Summary
2023-09-01T14:14:57.8318527Z ===================================================================================================
2023-09-01T14:14:57.8319003Z Policy counts:
2023-09-01T14:14:57.8327741Z     132 unchanged
2023-09-01T14:14:57.8336782Z     0 changes
2023-09-01T14:14:57.8337808Z Policy Set counts:
2023-09-01T14:14:57.8338936Z     12 unchanged
2023-09-01T14:14:57.8339870Z     0 changes
2023-09-01T14:14:57.8341726Z Policy Assignment counts:
2023-09-01T14:14:57.8342085Z     53 unchanged
2023-09-01T14:14:57.8343501Z     0 changes
2023-09-01T14:14:57.8343851Z Policy Exemption counts:
2023-09-01T14:14:57.8344910Z     0 unchanged
2023-09-01T14:14:57.8353739Z     0 orphaned
2023-09-01T14:14:57.8362754Z     0 expired
2023-09-01T14:14:57.8363710Z     2 changes:
2023-09-01T14:14:57.8374144Z         new     = 2
2023-09-01T14:14:57.8384483Z         update  = 0
2023-09-01T14:14:57.8394147Z         replace = 0
2023-09-01T14:14:57.8403880Z         delete  = 0
2023-09-01T14:14:57.8404824Z Role Assignment counts:
2023-09-01T14:14:57.8406223Z     0 changes
2023-09-01T14:14:57.8407801Z ---------------------------------------------------------------------------------------------------
2023-09-01T14:14:57.8408474Z Output plan(s)
2023-09-01T14:14:57.8423997Z     Policy resource deployment required; writing Policy plan file './Output/plans-tenant1/policy-plan.json'
2023-09-01T14:14:57.8513819Z     Skipping Role Assignment stage/step - no changes
2023-09-01T14:14:57.8514534Z ---------------------------------------------------------------------------------------------------
2023-09-01T14:14:57.8515121Z 
2023-09-01T14:14:57.9716553Z ##[section]Finishing: Run Build

And deploy policies log (to be complete)

2023-09-01T14:15:42.7803242Z ##[section]Starting: Deploy Policies
2023-09-01T14:15:42.7808348Z ==============================================================================
2023-09-01T14:15:42.7808498Z Task         : Azure PowerShell
2023-09-01T14:15:42.7808580Z Description  : Run a PowerShell script within an Azure environment
2023-09-01T14:15:42.7808694Z Version      : 5.226.0
2023-09-01T14:15:42.7808783Z Author       : Microsoft Corporation
2023-09-01T14:15:42.7809022Z Help         : https://aka.ms/azurepowershelltroubleshooting
2023-09-01T14:15:42.7809125Z ==============================================================================
2023-09-01T14:15:43.1689601Z Generating script.
2023-09-01T14:15:43.1798137Z [command]/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command . '/home/vsts/work/_temp/a88aa23e-f48b-4778-9489-96343aa70b6a.ps1'
2023-09-01T14:15:43.1798658Z File saved!
2023-09-01T14:15:43.8618290Z ##[command]Import-Module -Name /usr/share/az_9.3.0/Az.Accounts/2.12.5/Az.Accounts.psd1 -Global
2023-09-01T14:15:44.6175996Z ##[command]Clear-AzContext -Scope Process
2023-09-01T14:15:44.7754544Z ##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
2023-09-01T14:15:45.1485088Z ##[command]Connect-AzAccount -ServicePrincipal -Tenant <> -Credential System.Management.Automation.PSCredential -Environment AzureCloud @processScope
2023-09-01T14:15:46.4062357Z VERBOSE: Exporting function 'Build-DeploymentPlans'.
2023-09-01T14:15:46.4108276Z VERBOSE: Exporting function 'Build-PolicyDocumentation'.
2023-09-01T14:15:46.4162175Z VERBOSE: Exporting function 'Create-AzRemediationTasks'.
2023-09-01T14:15:46.4224853Z VERBOSE: Exporting function 'Deploy-PolicyPlan'.
2023-09-01T14:15:46.4255381Z VERBOSE: Exporting function 'Deploy-RolesPlan'.
2023-09-01T14:15:46.4330343Z VERBOSE: Exporting function 'Export-AzPolicyResources'.
2023-09-01T14:15:46.4492309Z VERBOSE: Exporting function 'Export-NonComplianceReports'.
2023-09-01T14:15:46.4506049Z VERBOSE: Exporting function 'Get-AzExemptions'.
2023-09-01T14:15:46.4533080Z VERBOSE: Exporting function 'Get-AzMissingTags'.
2023-09-01T14:15:46.4557315Z VERBOSE: Exporting function 'Get-AzPolicyAliasOutputCSV'.
2023-09-01T14:15:46.4589779Z VERBOSE: Exporting function 'Get-AzResourceTags'.
2023-09-01T14:15:46.4611476Z VERBOSE: Exporting function 'Get-AzStorageNetworkConfig'.
2023-09-01T14:15:46.4634764Z VERBOSE: Exporting function 'Get-AzUserRoleAssignments'.
2023-09-01T14:15:46.4664306Z VERBOSE: Exporting function 'New-AzPolicyReaderRole'.
2023-09-01T14:15:46.4676822Z VERBOSE: Exporting function 'New-EPACDefinitionFolder'.
2023-09-01T14:15:46.4698558Z VERBOSE: Exporting function 'New-EPACPolicyAssignmentDefinition'.
2023-09-01T14:15:46.4764161Z VERBOSE: Exporting function 'New-EPACPolicyDefinition'.
2023-09-01T14:15:46.4796618Z VERBOSE: Exporting function 'Sync-ALZPolicies'.
2023-09-01T14:15:46.4831872Z VERBOSE: Exporting function 'Sync-CAFPolicies'.
2023-09-01T14:15:46.5912949Z 
2023-09-01T14:15:46.5918818Z ===================================================================================================
2023-09-01T14:15:46.5923027Z Read global settings from 'Definitions/global-settings.jsonc'.
2023-09-01T14:15:46.5928562Z ===================================================================================================
2023-09-01T14:15:46.5929020Z PowerShell Versions: 7.2.13
2023-09-01T14:15:46.6978112Z PAC Environments: tenant1
2023-09-01T14:15:46.6978966Z Definitions root folder: Definitions
2023-09-01T14:15:46.6986112Z Input folder: /home/vsts/work/1/policy-plan-tenant1
2023-09-01T14:15:46.6991594Z Output folder: ./Output
2023-09-01T14:15:46.6996951Z 
2023-09-01T14:15:46.7028657Z Environment Selected: tenant1
2023-09-01T14:15:46.7033732Z     cloud      = AzureCloud
2023-09-01T14:15:46.7038461Z     tenant     = <>
2023-09-01T14:15:46.7044044Z     root scope = /providers/Microsoft.Management/managementGroups/alz-O
2023-09-01T14:15:46.7044355Z 
2023-09-01T14:15:46.7606580Z Telemetry is disabled
2023-09-01T14:15:46.7613351Z 
2023-09-01T14:15:46.7719301Z ***************************************************************************************************
2023-09-01T14:15:46.7724801Z Deploy Policy resources from plan in file '/home/vsts/work/1/policy-plan-tenant1/plans-tenant1/policy-plan.json'
2023-09-01T14:15:46.7731333Z Plan created on 2023-09-01 14:14:57Z.
2023-09-01T14:15:46.7734950Z ***************************************************************************************************
2023-09-01T14:15:46.8075014Z 
2023-09-01T14:15:46.8081642Z ===================================================================================================
2023-09-01T14:15:46.8087509Z Create new Exemptions (2)
2023-09-01T14:15:46.8088276Z ---------------------------------------------------------------------------------------------------
2023-09-01T14:15:46.8170794Z Disable Azure Defender SQL
2023-09-01T14:15:47.2310628Z Write-Error: /home/vsts/.local/share/powershell/Modules/EnterprisePolicyAsCode/8.1.0/functions/Deploy-PolicyPlan.ps1:318
2023-09-01T14:15:47.2311091Z Line |
2023-09-01T14:15:47.2311845Z  318 |  …      $null = Set-AzPolicyExemptionRestMethod -ExemptionObj $exemption
2023-09-01T14:15:47.2312396Z      |                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2023-09-01T14:15:47.2312750Z      | Policy Exemption error 404 --
2023-09-01T14:15:47.2313140Z      | {"error":{"code":"MissingSubscription","message":"The request did not
2023-09-01T14:15:47.2313513Z      | have a subscription or a valid tenant level resource provider."}}
2023-09-01T14:15:47.2313768Z 
2023-09-01T14:15:47.3374080Z ##[error]PowerShell exited with code '1'.
2023-09-01T14:15:47.3429634Z ##[section]Finishing: Deploy Policies

techlake commented 1 year ago

I found the problem. Fix will be out shortly. Thank you for all your testing.