Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License

v10 - slow exemption performance #580

Closed roddick-mark closed 4 months ago

roddick-mark commented 4 months ago

Describe the bug: In v10, plan performance is slow when you have a large number of exemptions against individual resources. We have around 5k exemptions and it is still processing after 2 hours.

This looks to be due to a call to Get-AzResource -ResourceId $scope -ErrorAction SilentlyContinue for each exemption against a resource ID.

https://github.com/Azure/enterprise-azure-policy-as-code/blob/7092b094e75b14d802f8623bf2fd3def53b77cb5/Scripts/Helpers/Get-AzPolicyExemptions.ps1#L151C25-L151C100

EPAC Version 10.1.2

roddick-mark commented 4 months ago

Could we maybe utilise the deleteOrphanedExemptions switch, so the resource-exists check doesn't happen?

techlake commented 4 months ago

Not currently. I could see a different kind of switch (-DoNotValidateExemptedResources); I'll tag your issue as a Feature Request.

As a cybersecurity guy, I think 5000 exemptions might indicate a different problem (please note that this is pure speculation). If you like we could have a private chat; contact me privately (my LinkedIn link is on my GH profile page).

roddick-mark commented 4 months ago

@techlake Regarding the number of exemptions I agree, we have been trying to resolve this with our customer.

Regarding the resource check, is this something that is actually needed in Get-AzPolicyExemptions? Exemptions are child IDs of their resources, so by default, if the resource no longer exists, the exemption doesn't either.
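The two points above (one Get-AzResource call per exemption is the bottleneck, and an exemption's ID is a child of the exempted resource's ID) are illustrated by the following PowerShell, which is an added example and not code from EPAC or from the Az modules. It derives the scope from each exemption ID and then checks existence in batches with a single Azure Resource Graph query per batch, instead of one ARM call per exemption. It assumes Az.Accounts and Az.ResourceGraph are installed, Connect-AzAccount has been run with read access to the scopes involved, and the function names, the 200-ID batch size and the sample exemption IDs are illustrative choices rather than EPAC settings.

```powershell
# Added example (not EPAC or Az module code): batch the "does the exempted
# resource still exist" check instead of calling Get-AzResource per exemption.
# Assumes Az.Accounts and Az.ResourceGraph are installed and Connect-AzAccount
# has already been run. Function names, the batch size and the sample IDs are
# illustrative assumptions, not EPAC settings.

function Get-ExemptionScope {
    # An exemption is a child resource of the scope it exempts, so the scope is
    # the exemption's resource ID with the trailing
    # /providers/Microsoft.Authorization/policyExemptions/<name> segment removed.
    param([Parameter(Mandatory)][string] $ExemptionId)
    return ($ExemptionId -replace '(?i)/providers/Microsoft\.Authorization/policyExemptions/[^/]+$', '')
}

function Test-IsResourceScope {
    # Only scopes that name an individual resource under a resource provider are
    # checked; management-group, subscription and resource-group scopes are skipped.
    param([Parameter(Mandatory)][string] $Scope)
    return ($Scope -match '(?i)^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/')
}

function Get-MissingExemptedResources {
    # Returns the resource-level exemption scopes that Azure Resource Graph does
    # not report as existing. One ARG query per batch of IDs replaces one ARM
    # call per exemption.
    param(
        [Parameter(Mandatory)][string[]] $ExemptionIds,
        [int] $BatchSize = 200   # illustrative choice; keeps each KQL query short
    )
    $scopes = @($ExemptionIds |
        ForEach-Object { Get-ExemptionScope -ExemptionId $_ } |
        Where-Object { Test-IsResourceScope -Scope $_ } |
        Sort-Object -Unique)

    $missing = [System.Collections.Generic.List[string]]::new()
    for ($i = 0; $i -lt $scopes.Count; $i += $BatchSize) {
        $last  = [Math]::Min($i + $BatchSize, $scopes.Count) - 1
        $batch = @($scopes[$i..$last])
        # Quote each ID for the KQL in~ (case-insensitive) list; escape any
        # embedded single quote as \' per KQL string rules.
        $idList = ($batch | ForEach-Object { "'" + ($_ -replace "'", "\'") + "'" }) -join ', '
        $query  = "resources | where id in~ ($idList) | project id"
        $found  = @(Search-AzGraph -Query $query -UseTenantScope -First 1000 | ForEach-Object { $_.id })
        foreach ($scope in $batch) {
            # -notcontains is case-insensitive in PowerShell, matching in~ above.
            if ($found -notcontains $scope) { $missing.Add($scope) }
        }
    }
    return $missing
}

# Constructed sample input (not real exemptions): two resource-level exemptions
# and one subscription-level exemption, which is filtered out before querying.
$sampleExemptionIds = @(
    '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp001/providers/Microsoft.Authorization/policyExemptions/exempt-tls',
    '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-app-01/providers/Microsoft.Authorization/policyExemptions/exempt-backup',
    '/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyExemptions/exempt-sub-wide'
)

$orphans = Get-MissingExemptedResources -ExemptionIds $sampleExemptionIds
"$($orphans.Count) exemption scope(s) point at resources Resource Graph cannot find"
$orphans
```

With the 200-ID batch size, the 5k exemptions from the report become roughly 25 Resource Graph queries instead of 5k Get-AzResource calls. Resource Graph is eventually consistent, so a resource created or deleted moments ago may be reported the other way; treat a non-empty result as a list to review, not as grounds to delete exemptions automatically.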

techlake commented 4 months ago

Agreed, orthogonal concerns. I'll look into it today or Monday.

techlake commented 4 months ago

Hi Mark, I have a solution, but need a private test. I sent you a message via LinkedIn.

techlake commented 4 months ago

Fixed in v10.2.2