Closed roddick-mark closed 4 months ago
Could we maybe utilise the deleteOrphanedExemptions switch, so the resource-exists check doesn't happen?
Not currently. I could see a different kind of switch (-DoNotValidateExemptedResources); I'll tag your issue as a Feature Request.
As a cybersecurity guy, I think 5000 Exemptions might indicate a different problem (please note that this is pure speculation). If you like we could have a private chat, contact me privately (my LinkedIn link is on my GH profile page).
@techlake Regarding the number of exemptions I agree, we have been trying to resolve this with our customer.
Regarding the resource check, is this something that is actually needed in Get-AzPolicyExemptions? Exemptions are child IDs of their resources, so by default, if the resource no longer exists, the exemption doesn't either.
Agreed, orthogonal concerns. I'll look into it today or Monday.
Hi Mark, I have a solution, but need a private test. I sent you a message via LinkedIn.
Fixed in v10.2.2
Describe the bug
In V10, the plan performance is slow when you have a large number of exemptions against individual resources. We have around 5k exemptions and it is still processing after 2 hours.
This looks to be due to a call to
Get-AzResource -ResourceId $scope -ErrorAction SilentlyContinue
for each exemption against a resource ID:
https://github.com/Azure/enterprise-azure-policy-as-code/blob/7092b094e75b14d802f8623bf2fd3def53b77cb5/Scripts/Helpers/Get-AzPolicyExemptions.ps1#L151C25-L151C100
EPAC Version 10.1.2
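As an added example (not EPAC's code and not the v10.2.2 fix), the script below recovers each exemption's scope from its ID, using the point raised in the thread that exemptions are child resources of their scope, summarises exemptions by scope type so a large count can be reviewed, and checks resource-level scopes against a list of resource IDs the caller fetched once up front (assumed to come from a single listing call rather than one Get-AzResource call per exemption). The function names and the sample IDs are constructed for the example.

```powershell
# Added example (not EPAC code and not the v10.2.2 fix): exemptions are children of
# their scope, so the scope is the exemption ID minus its trailing exemption segment.
function Get-ExemptionScope {
    param([Parameter(Mandatory)][string]$ExemptionId)
    $marker = '/providers/Microsoft.Authorization/policyExemptions/'
    $idx = $ExemptionId.IndexOf($marker, [System.StringComparison]::OrdinalIgnoreCase)
    if ($idx -lt 0) { throw "Not a policy exemption ID: $ExemptionId" }
    return $ExemptionId.Substring(0, $idx)
}

function Get-ScopeType {
    param([Parameter(Mandatory)][string]$Scope)
    switch -Regex ($Scope) {
        '^/providers/Microsoft\.Management/managementGroups/[^/]+$' { return 'managementGroup' }
        '^/subscriptions/[^/]+$'                                    { return 'subscription' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+$'              { return 'resourceGroup' }
        default                                                     { return 'resource' }
    }
}

function Get-ExemptionScopeSummary {
    param(
        [Parameter(Mandatory)][string[]]$ExemptionIds,
        # Resource IDs fetched once up front (e.g. one Get-AzResource listing), so the
        # existence check below is a set lookup instead of one ARM call per exemption.
        [string[]]$KnownResourceIds = @()
    )
    $known = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($r in $KnownResourceIds) { [void]$known.Add($r) }
    $byType  = @{}
    $missing = [System.Collections.Generic.List[string]]::new()
    foreach ($id in $ExemptionIds) {
        $scope = Get-ExemptionScope -ExemptionId $id
        $type  = Get-ScopeType -Scope $scope
        if ($byType.ContainsKey($type)) { $byType[$type]++ } else { $byType[$type] = 1 }
        if ($type -eq 'resource' -and -not $known.Contains($scope)) { $missing.Add($scope) }
    }
    [pscustomobject]@{ CountsByScopeType = $byType; ResourceScopesNotInInventory = $missing }
}

# Constructed sample input (not real Azure data).
$sampleExemptions = @(
    '/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm01/providers/Microsoft.Authorization/policyExemptions/ex-vm01',
    '/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm02/providers/Microsoft.Authorization/policyExemptions/ex-vm02',
    '/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app/providers/Microsoft.Authorization/policyExemptions/ex-rg',
    '/providers/Microsoft.Management/managementGroups/mg-root/providers/Microsoft.Authorization/policyExemptions/ex-mg'
)
$sampleInventory = @('/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm01')
Get-ExemptionScopeSummary -ExemptionIds $sampleExemptions -KnownResourceIds $sampleInventory
```

Against real data, `$KnownResourceIds` would be the `ResourceId` values from one `Get-AzResource` listing of the subscription; the thread's own point that exemptions vanish with their parent resource means the existence check may not be needed at all.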