Closed anderssonpof closed 5 months ago
I have a feeling this is due to the schema property in the parameters in each of those policies... When we pull the changes I don't think we're comparing that property so it comes up as new/replace.
From: Per Andersson. Sent: Tuesday, March 12, 2024 8:05:48 PM. To: Azure/enterprise-azure-policy-as-code. Subject: [Azure/enterprise-azure-policy-as-code] Policy assignment change every build/deploy (Issue #507)
EPAC build has changes every run even though the policy assignments haven't changed. EPAC deploy therefore also deploys these assignments every run.
I would think this is not intentional?
Policy Assignment counts: 6 unchanged 2 changes: new = 2 update = 0 replace = 0 delete = 0
New 'Kubernetes cluster pods and containers should only run with approved user and group IDs' at /subscriptions/
Policy Assignment in question
{
"$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-assignment-schema.json",
"assignment": {
"description": "",
"displayName": "Kubernetes cluster containers should only use allowed images",
"name": "
Running debug on plan, it does find the policy assignment:
{
"id": "/subscriptions/<subid>/resourceGroups/<rgname>/providers/Microsoft.Authorization/policyAssignments/<assignment name>",
"name": "<assignment name>",
"type": "microsoft.authorization/policyassignments",
"tenantId": "<tenantid>",
"kind": "policyassignments",
"location": "global",
"resourceGroup": "<rgname>",
"subscriptionId": "<subid>",
"managedBy": "",
"sku": null,
"plan": null,
"properties": {
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042",
"effectiveDefinitionVersion": null,
"latestDefinitionVersion": null,
"definitionVersion": null,
"parameters": {
"allowedContainerImagesRegex": {
"value": "<regex>"
}
},
"displayName": "Kubernetes cluster containers should only use allowed images",
"description": null,
"metadata": {
"createdOn": "2024-03-11T11:39:57.355Z",
"createdBy": "e4d15b62-4e0f-40f2-a6db-47450a22b78c",
"updatedBy": "e4d15b62-4e0f-40f2-a6db-47450a22b78c",
"updatedOn": "2024-03-11T15:03:15.779Z",
"pacOwnerId": "df73e910-db51-49de-b732-1f868ce785e4"
},
"nonComplianceMessages": null,
"resourceSelectors": null,
"enforcementMode": "Default",
"overrides": null,
"notScopes": [],
"scope": "/subscriptions/<subid>/resourceGroups/<rgname>"
},
"tags": null,
"identity": {
"userAssignedIdentities": null,
"principalId": null,
"tenantId": null,
"type": "None"
},
"zones": null,
"extendedLocation": null
},
Let me know if you need additional information.
I have made the necessary adjustment by removing the schema property from a particular policy assignment. After build -> deploy -> build, the policies are still being identified as new.
This would be fixed with v10.0.0; however, your workaround is to add the following in your global-settings.jsonc file for each epac-environment (see https://azure.github.io/enterprise-azure-policy-as-code/desired-state-strategy/#use-case-3-include-resource-groups):
"desiredState": {
"strategy": "full",
"includeResourceGroups": true
}
To see how this changes in v10.0.0: https://github.com/Azure/enterprise-azure-policy-as-code/issues/506
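A check for the workaround above, added here as an example and not code from the EPAC project: it parses a global-settings.jsonc and flags resource-group-scoped assignments in a plan (such as the one in the debug output, scoped to /subscriptions/<subid>/resourceGroups/<rgname>) whose pacEnvironment does not set includeResourceGroups. The pacEnvironments/pacSelector/deploymentRootScope layout, the sample settings file and the plan entries are constructed assumptions for this example.

```python
import json
import re

# Constructed sample global-settings.jsonc with two hypothetical pacEnvironments.
GLOBAL_SETTINGS_JSONC = """{
  // .jsonc allows comments, so they must be stripped before json.loads
  "pacOwnerId": "<pacOwnerId>",
  "pacEnvironments": [
    { "pacSelector": "dev", "deploymentRootScope": "/subscriptions/<subid>",
      "desiredState": { "strategy": "full", "includeResourceGroups": true } },
    { "pacSelector": "prod", "deploymentRootScope": "/subscriptions/<subid>" } /* no desiredState */
  ]
}"""

# Constructed plan entries; the resource-group scope mirrors the debug output in the issue.
PLANNED_ASSIGNMENTS = [
    {"pacSelector": "dev", "name": "<assignment name>", "scope": "/subscriptions/<subid>/resourceGroups/<rgname>"},
    {"pacSelector": "prod", "name": "<assignment name>", "scope": "/subscriptions/<subid>/resourceGroups/<rgname>"},
    {"pacSelector": "prod", "name": "sub-scoped", "scope": "/subscriptions/<subid>"},
]

# Matches a JSON string literal, a // line comment, or a /* */ block comment.
_JSONC_TOKENS = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
_RG_SCOPE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)


def load_jsonc(text: str) -> dict:
    """Parse .jsonc by dropping comments while leaving string literals (e.g. URLs with //) intact."""
    stripped = _JSONC_TOKENS.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)
    return json.loads(stripped)


def rg_tracking_enabled(env: dict) -> bool:
    """True when the environment's desiredState opts resource groups into desired-state handling."""
    return env.get("desiredState", {}).get("includeResourceGroups") is True


def untracked_rg_assignments(settings: dict, plan: list) -> list:
    """Return (pacSelector, name) for RG-scoped assignments in environments lacking the workaround.

    These are the assignments that, per the issue, keep showing up as 'new' on every build
    until "desiredState": {"strategy": "full", "includeResourceGroups": true} is added.
    """
    envs = {e["pacSelector"]: e for e in settings["pacEnvironments"]}
    flagged = []
    for item in plan:
        env = envs.get(item["pacSelector"])
        if env is None or rg_tracking_enabled(env):
            continue
        if _RG_SCOPE.match(item["scope"]):
            flagged.append((item["pacSelector"], item["name"]))
    return flagged


if __name__ == "__main__":
    for selector, name in untracked_rg_assignments(load_jsonc(GLOBAL_SETTINGS_JSONC), PLANNED_ASSIGNMENTS):
        print(f"{selector}: '{name}' is resource-group scoped but includeResourceGroups is not set")
```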
That solved it, cheers
Fixed in v10.0.0 released on 4/5/2024