Breaking changes
Resource Group behavior for Policy Assignments for notScopes (global and assignment specific):
Field desiredState.includeResourceGroups is deprecated/removed. Resource groups are now always included. If you need the previous behavior, add the pattern "/subscriptions/*/resourceGroups/*" to the "excludedScopes" array.
The pattern form "/resourceGroupPatterns/somergpattern*" is replaced by "/subscriptions/*/resourceGroups/somergpattern*".
Desired state handling for Policy Assignments has been reworked:
desiredState.keepDfcSecurityAssignments, which defaulted to false, is replaced by desiredState.deleteDfcSecurityAssignments, which defaults to true, preserving the semantics.
This behavior is independent of desiredState.strategy; previously it only applied when the strategy was "full". Therefore, EPAC will always delete DfC Security assignments at subscription level.
Assignments created by DfC when enrolling a subscription in a DfC workload protection plan are never deleted.
Desired state handling for Policy Exemptions has been reworked when desiredState.strategy is ownedOnly:
Field desiredState.deleteExpiredExemptions affects only Exemptions not owned by a Policy as Code solution.
Field desiredState.deleteOrphanedExemptions affects only Exemptions not owned by a Policy as Code solution.
Exemptions owned by EPAC are only removed when they are removed from the Definition.
Build-PolicyDocumentation.ps1 skips Policies with effect Manual. Using the switch parameter -IncludeManualPolicies overrides this behavior, reverting to the previous behavior.
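The three desiredState changes above (includeResourceGroups removed, resourceGroupPatterns replaced, keepDfcSecurityAssignments inverted into deleteDfcSecurityAssignments) can be applied mechanically to an existing settings block. The following PowerShell function is an added example, not part of EPAC; it assumes the excludedScopes array sits inside the desiredState object, and the sample input values are constructed for illustration.

```powershell
# Added example (not EPAC code): rewrite a pre-upgrade desiredState block into the new form.
# Assumption: "excludedScopes" lives inside desiredState; sample values below are constructed.
function Convert-DesiredStateSettings {
    param([Parameter(Mandatory)][hashtable]$DesiredState)

    $new = @{}
    foreach ($key in $DesiredState.Keys) { $new[$key] = $DesiredState[$key] }
    $excluded = [System.Collections.Generic.List[string]]::new()
    if ($new.ContainsKey('excludedScopes')) { $excluded.AddRange([string[]]$new['excludedScopes']) }

    # keepDfcSecurityAssignments (default false) -> deleteDfcSecurityAssignments (default true),
    # same semantics with the boolean inverted.
    if ($new.ContainsKey('keepDfcSecurityAssignments')) {
        $new['deleteDfcSecurityAssignments'] = -not [bool]$new['keepDfcSecurityAssignments']
        $new.Remove('keepDfcSecurityAssignments')
    }

    # includeResourceGroups is removed; resource groups are now always included.
    # Reproduce the old "false" behavior with the explicit exclusion pattern.
    if ($new.ContainsKey('includeResourceGroups')) {
        if (-not [bool]$new['includeResourceGroups'] -and $excluded -notcontains '/subscriptions/*/resourceGroups/*') {
            $excluded.Add('/subscriptions/*/resourceGroups/*')
        }
        $new.Remove('includeResourceGroups')
    }

    # "/resourceGroupPatterns/<pattern>" -> "/subscriptions/*/resourceGroups/<pattern>"
    for ($i = 0; $i -lt $excluded.Count; $i++) {
        if ($excluded[$i] -like '/resourceGroupPatterns/*') {
            $excluded[$i] = $excluded[$i] -replace '^/resourceGroupPatterns/', '/subscriptions/*/resourceGroups/'
        }
    }
    $new['excludedScopes'] = $excluded.ToArray()
    return $new
}

# Constructed sample of a pre-upgrade desiredState block
$old = @{
    strategy                   = 'ownedOnly'
    includeResourceGroups      = $false
    keepDfcSecurityAssignments = $true
    excludedScopes             = @('/resourceGroupPatterns/rg-sandbox-*')
}
Convert-DesiredStateSettings -DesiredState $old | ConvertTo-Json -Depth 5
```

Running it on the sample yields deleteDfcSecurityAssignments set to false and excludedScopes containing "/subscriptions/*/resourceGroups/rg-sandbox-*" and "/subscriptions/*/resourceGroups/*"; compare the output against the file you deploy before committing it.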
Enhancements
Support for Microsoft release flow in addition to GitHub flow
China cloud (21v) handling - #468
Cross-tenant (Lighthouse) support - #472
Exemptions can be specified with a policyDefinitionName or policyDefinitionId instead of a policyAssignmentId and policyDefinitionReferenceId. EPAC creates as many Exemptions as needed to cover all Policy Assignments occurrences of the specified Policy - #478
Schema updated to latest draft specification
Script to merge parameters CSV file when new Policies are added - #498
New Guidance on workflow