Closed arrerezai closed 4 months ago
Bug fix was checked in with v10.1.0. Please verify that it fixes this issue.
Yes, indeed. Issue is solved in 10.1.0.
Hi @techlake, Unfortunately, issue presented itself again in v10.1.5:
Plan:
Deploy Role Assignment:
This is currently a blocker to moving from v10.1.3 onwards. I tried to comment out the additionalRoleAssignments section, run the plan and deploy scripts, and then add it back. The scripts aren't even detecting the additionalRoleAssignments block anymore...
Is this still an issue?
@techlake, just tried with v10.2.1 and must say unfortunately yes, and by the looks of the thumbs up, seems to be the case for others as well.
The current issue is a different bug. I have this fixed and will push shortly.
https://github.com/Azure/enterprise-azure-policy-as-code/issues/609
I can confirm EPAC v10.2.2 has the issue fixed again, thanks!
Describe the bug
In EPAC v9+, the role assignment was always Unknown. This could have been for different reasons, but it still managed to get it right once viewed in the Azure Portal. Starting from EPAC v10, this is no longer the case. The additional role assignment isn't even detected while running the Build-DeploymentPlans and hence, there is no role to later deploy in the Deploy-RolesPlan.
To Reproduce
I went on and ran the same exact policyAssignments, Definitions, and SetDefinitions using the same service connections and to the same exact tenant. V9 created the role assignment, whereas V10 removed it as can be seen by the screenshots.
I am using the following structure:
"additionalRoleAssignments": {
    "epac-prd": [
        {
            "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
            "scope": "/subscriptions/_<subscriptionId>_"
        }
    ]
}
Expected behavior
For the role assignment to show up in the subscription that I am trying to assign it to.
Screenshots
V9:
Here, it gets added correctly:
And is correctly represented under the connectivity subscription in the Azure Portal:
V10:
Here, the Build-DeploymentPlans is already indicating the removal of the role assignment:
And it gets seen as an obsolete role assignment, which in turn gets removed, despite being declared in the ALZ-Corp-Default file the same way as before:
EPAC Version
v10.0.4