Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License

additionalRoleAssignments has issues in EPAC v10+ #571

Closed. arrerezai closed this 4 months ago

arrerezai commented 5 months ago

Describe the bug: In EPAC v9+, the role assignment was always Unknown. This could have been for different reasons, but it still managed to get it right once viewed in the Azure Portal. Starting from EPAC v10, this is no longer the case. The additional role assignment isn't even detected while running the Build-DeploymentPlans and hence, there is no role to later deploy in the Deploy-RolesPlan.

To Reproduce: I went on and ran the same exact policyAssignments, Definitions, and SetDefinitions using the same service connections and to the same exact tenant. V9 created the role assignment, whereas V10 removed it, as can be seen by the screenshots.

I am using the following structure:

```json
"additionalRoleAssignments": {
  "epac-prd": [
    {
      "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
      "scope": "/subscriptions/_<subscriptionId>_"
    }
  ]
}
```

Expected behavior: For the role assignment to show up in the subscription that I am trying to assign it to.

Screenshots:

V9:

Here, it gets added correctly: (screenshot: Deploy-RolesPlan adds the new role assignment correctly)

And is correctly represented under the connectivity subscription in the Azure Portal: (screenshot: viewing the Connectivity subscription in the Azure Portal shows the successful role assignment)

V10:

Here, the Build-DeploymentPlans is already indicating the removal of the role assignment: (screenshot: Build-DeploymentPlans strangely returns the removal of the role)

And it gets seen as an obsolete role assignment, which in turn gets removed, despite being declared in the ALZ-Corp-Default file the same way as before: (screenshot: Deploy-RolesPlan removes the role incorrectly and updates the assignment on Corp, no longer linking it to the subscription living in the Connectivity management group)

EPAC Version: v10.0.4
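A post-deployment check for the situation described in this report, added here as an example and not part of EPAC or of the issue thread: rather than trusting the plan output, read the `additionalRoleAssignments` entries for a given pacSelector out of the assignment file and ask Azure whether each one actually exists on the assignment's managed identity at exactly that scope. It assumes the Az.Resources module is installed and `Connect-AzAccount` has been run; the file path, pacSelector and principal object id in the usage line are hypothetical, and the walk over `children` assumes the EPAC assignment-tree layout.

```powershell
# Added example (not EPAC code). Verifies that every additionalRoleAssignments entry
# for one pacSelector is present on the given principal at the declared scope.
function Test-EpacAdditionalRoleAssignments {
    param(
        [Parameter(Mandatory)] [string] $AssignmentFile,   # e.g. policyAssignments/ALZ-Corp-Default.jsonc
        [Parameter(Mandatory)] [string] $PacSelector,      # e.g. "epac-prd"
        [Parameter(Mandatory)] [string] $PrincipalId       # objectId of the assignment's managed identity
    )

    # EPAC assignment files are usually JSONC; strip full-line // comments before parsing
    # (inline trailing comments are not handled by this simple regex).
    $raw  = Get-Content -Path $AssignmentFile -Raw
    $tree = ($raw -replace '(?m)^\s*//.*$', '') | ConvertFrom-Json

    # additionalRoleAssignments can sit on any node of the assignment tree and is
    # inherited by its children, so collect entries from every node (assumption:
    # EPAC's "children" array layout).
    $entries = [System.Collections.Generic.List[object]]::new()
    function Walk-Node($node) {
        $block = $node.additionalRoleAssignments
        if ($block -and $block.$PacSelector) { $entries.AddRange(@($block.$PacSelector)) }
        foreach ($child in @($node.children)) { if ($child) { Walk-Node $child } }
    }
    Walk-Node $tree

    if ($entries.Count -eq 0) {
        Write-Warning "No additionalRoleAssignments for selector '$PacSelector' in $AssignmentFile"
        return @()
    }

    foreach ($entry in $entries) {
        # The file carries the full roleDefinitionId resource id; Get-AzRoleAssignment wants the GUID.
        $roleGuid = ($entry.roleDefinitionId -split '/')[-1]

        # Get-AzRoleAssignment at a scope also returns assignments inherited from parent
        # scopes, so filter to an exact scope match: an inherited Contributor on the
        # management group does not prove the subscription-level assignment was deployed.
        $existing = Get-AzRoleAssignment -ObjectId $PrincipalId -Scope $entry.scope `
                        -RoleDefinitionId $roleGuid -ErrorAction SilentlyContinue |
                    Where-Object { $_.Scope -eq $entry.scope }

        [pscustomobject]@{
            Scope            = $entry.scope
            RoleDefinitionId = $roleGuid
            Present          = [bool]$existing
        }
    }
}

# Usage (hypothetical values):
# Test-EpacAdditionalRoleAssignments `
#     -AssignmentFile .\Definitions\policyAssignments\ALZ-Corp-Default.jsonc `
#     -PacSelector epac-prd `
#     -PrincipalId 00000000-0000-0000-0000-000000000000 | Format-Table
```

Run it after Deploy-RolesPlan in the pipeline and fail the stage on any row with `Present = False`; that turns the silent "role assignment dropped from the plan" failure mode above into a visible pipeline error, which matters because a DeployIfNotExists or Modify assignment without its role assignment fails remediation rather than the deployment.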

techlake commented 5 months ago

Bug fix was checked in with v10.1.0. Please verify that it fixes this issue.

arrerezai commented 5 months ago

Yes, indeed. Issue is solved in 10.1.0.

arrerezai commented 4 months ago

Hi @techlake, Unfortunately, issue presented itself again in v10.1.5:

Plan: (screenshot)

Deploy Role Assignment: (screenshot)

arrerezai commented 4 months ago

This is currently a blocker to move from v10.1.3 onwards. I tried to comment out the additionalRoleAssignments section, run the plan and deploy scripts, and then add it back. The scripts aren't even detecting the additionalRoleAssignments block anymore...

techlake commented 4 months ago

Is this still an issue?

arrerezai commented 4 months ago

@techlake, I just tried with v10.2.1 and must say, unfortunately, yes; and by the looks of the thumbs up, this seems to be the case for others as well.

techlake commented 4 months ago

The current issue is a different bug. I have this fixed and will push shortly.

https://github.com/Azure/enterprise-azure-policy-as-code/issues/609

arrerezai commented 4 months ago

I can confirm EPAC v10.2.2 has the issue fixed again, thanks!