Policy Exemptions handling - Enhancement request

[arrerezai]

Describe the solution you'd like

• Review and update the schema to reflect EPAC v10+. For instance, policyId and policyName are not correct values as they are called policyDefinitionId and policyDefinitionName
• Ensure all manually created exemptions get removed by running EPAC. Just the way policy assignments are, exemptions should also only be controlled through EPAC. As of v10.2.4, the logic is only adding exemptions, not deleting existing ones that are created in parallel in the Portal (or through something else other than EPAC)
• Remove the unuseful merging of the displayName. Whenever EPAC is run, it merges the subscriptionId and the assignmentId to the displayName that the user has inserted in the code him/herself. This makes the freedom of choice for a meaningful displayName very limited as the max allowed number of characters for the displayName (the exemption name that can be viewed in the Portal) is 128 chars altogether
• Create logic to strip the displayName if it exceeds the max allowed characters (same goes for the description, which has a max allowed number of 512). Having it stripped is better than having the run fail. An alternative is to describe in EPAC documentation that max amount of chars for displayName is 128-length of subscriptionId-length of assignmentId, forcing the folks to use short displayNames

[anwather]

@arrerezai for the exemption are you running with desired state strategy set to full?

[anwather]

For point 2 - desired state strategy set to full - EPAC is not deleting exemptions and I can reproduce - @apybar - I'll create a new issue from this and fix.

[anwather]

@apybar - fixed point 2 in #636

[apybar]

@arrerezai - what still from the list above is persisting? Or am I good to close this issue?

[arrerezai]

@apybar, while #1 and #2 were the most important ones and are solved, #3 and #4 are related to each other and are still to be overseen. Having the displayName merged with subId and assId is still a thing, which I think is totally unnecessary and like earlier mentioned, limits the freedom of having an own (more) meaningful name. Also, there should exist some logic to strip all parameters that exceed the total number of allowed chars imo, but I guess you need to have your say in that?

[apybar]

@arrerezai - I updated the documentation for point #4 and will push that out soon. Point #3 I will discuss internally and respond asap.

[apybar]

As for the merging of "displayName", this applies when using "PolicyDefintionID" and "Policy DisplayName". This is needed to distinguish the difference between the two when creating the exemption. Therefore, this is actually required to operate correctly and create the exemption.

It is recommended to use the Justification box for any description or additional text.