Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License
410 stars 216 forks

Assignment always replaced when using userAssignedIdentity #630

Closed luke-iseger91 closed 3 months ago

luke-iseger91 commented 3 months ago

Describe the bug
When assigning a userAssignedIdentity in the policyAssignment file, EPAC will always replace the current assignment. The reason it gives is Replace(changed userAssignedIdentity), even though nothing about the userAssignedIdentity has been changed.

To Reproduce
Deploy a policy, policySet and policyAssignment. In the Assignment make use of the userAssignedIdentity property as usual:

"userAssignedIdentity": { "epac-dev": "/subscriptions/XXXX-XXXX-XXXX-XXXX/resourceGroups/policy_identities/providers/Microsoft.ManagedIdentity/userAssignedIdentities/guardrail_policy_set_nonprd_stg" }

Build the deploymentPlan and afterwards deploy the Definitions & Assignment. Repeat the steps above and you will notice that EPAC tries to replace the Assignment:

Replace(changed userAssignedIdentity) 'ASGN.01.NON-PRD Foundation set.Staging' at /subscriptions/XXXX...

Expected behavior
No plan changes are detected, as nothing changed.

Screenshots
[screenshot: replace]
In our case, we are deploying 4 sets, each with a userAssignedIdentity. Even when we have no changes, EPAC wants to replace the entire assignment because it detects a change in identity.

EPAC Version 10.2.7

Possible Solution:

In script /Build-AssignmentIdentityChanges.ps1 it seems that the value of $existingUserAssignedIdentity cannot be retrieved properly. On line 30, this line of code: $existingUserAssignedIdentity = ($existingIdentity.userAssignedIdentities | get-member)[-1].Name evaluates to "Values" instead of the resource id of my identity. This causes the if statement elseif ($existingIdentityType -eq "UserAssigned" -and $existingUserAssignedIdentity -ne $definedUserAssignedIdentity) later on in the file to always evaluate to True.

Changing the code on line 30 to this: $existingUserAssignedIdentity = $existingIdentity.userAssignedIdentities.Keys[0] solves the issue for me. Please verify whether this is correct, however 😊
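The following is an added example, not code from EPAC or from this issue's author, that reproduces the comparison described above on a constructed identity object and shows a shape-tolerant way to read the existing user-assigned identity. The function names (Get-UserAssignedIdentityIds, Test-UserAssignedIdentityChanged), the sample resource ids and the GUIDs are all hypothetical; EPAC's real Build-AssignmentIdentityChanges.ps1 uses different variable names and logic.

```powershell
# Added example (not EPAC's own code). Function and variable names are hypothetical.

# Constructed sample of an existing assignment's identity block, with
# userAssignedIdentities returned as a hashtable keyed by resource id.
$existingIdentity = @{
    type                   = "UserAssigned"
    userAssignedIdentities = @{
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/policy_identities/providers/Microsoft.ManagedIdentity/userAssignedIdentities/guardrail_policy_set_nonprd_stg" = @{
            principalId = "11111111-1111-1111-1111-111111111111"   # constructed
            clientId    = "22222222-2222-2222-2222-222222222222"   # constructed
        }
    }
}

# The same id as it would be written in the policyAssignment file (constructed).
$definedUserAssignedIdentity = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/policy_identities/providers/Microsoft.ManagedIdentity/userAssignedIdentities/guardrail_policy_set_nonprd_stg"

# 1. Reproduce the symptom: Get-Member lists the members of the Hashtable *type*
#    (Add, Clear, ..., Keys, SyncRoot, Values), not the hashtable's keys, so the
#    last entry is the "Values" property rather than the identity's resource id.
$buggy = ($existingIdentity.userAssignedIdentities | Get-Member)[-1].Name
Write-Host "Get-Member approach yields: $buggy"

# 2. Read the key names instead. This helper accepts both a hashtable (Keys) and a
#    PSCustomObject (NoteProperty names, which is what ConvertFrom-Json produces
#    without -AsHashtable), so it does not depend on which shape the caller hands in.
function Get-UserAssignedIdentityIds {
    param([Parameter(Mandatory)] $UserAssignedIdentities)
    if ($UserAssignedIdentities -is [System.Collections.IDictionary]) {
        return @($UserAssignedIdentities.Keys)
    }
    return @($UserAssignedIdentities.PSObject.Properties.Name)
}

# 3. Compare case-insensitively: Azure resource ids are not case-sensitive, so a
#    casing difference between what ARM returns and what the file contains must not
#    by itself trigger a Replace of the whole assignment.
function Test-UserAssignedIdentityChanged {
    param(
        [Parameter(Mandatory)] $ExistingIdentity,
        [Parameter(Mandatory)] [string] $DefinedUserAssignedIdentity
    )
    if ($ExistingIdentity.type -ne "UserAssigned") { return $true }
    $existingIds = Get-UserAssignedIdentityIds $ExistingIdentity.userAssignedIdentities
    # An assignment carries exactly one user-assigned identity; anything else is a change.
    if ($existingIds.Count -ne 1) { return $true }
    return -not [string]::Equals(
        $existingIds[0],
        $DefinedUserAssignedIdentity,
        [System.StringComparison]::OrdinalIgnoreCase)
}

$changed = Test-UserAssignedIdentityChanged -ExistingIdentity $existingIdentity `
                                            -DefinedUserAssignedIdentity $definedUserAssignedIdentity
Write-Host "Identity changed: $changed"
```

Run as-is, the first line prints "Values", which is the value the broken comparison was seeing, and the second prints "False", so no Replace would be planned. The helper in step 2 is the part worth keeping: reading keys (or property names) explicitly avoids relying on Get-Member's ordering, which is why the original line returned different things for different object shapes.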

anwather commented 3 months ago

Thanks for the fix @luke-iseger91