**Describe the bug**
When assigning a userAssignedIdentity in the policyAssignment file, EPAC will always replace the current assignment. The reason it gives is `Replace(changed userAssignedIdentity)`, even though nothing about the userAssignedIdentity has been changed.

**To Reproduce**
Deploy a policy, policySet and policyAssignment. In the Assignment make use of the userAssignedIdentity property as usual:

```json
"userAssignedIdentity": {
    "epac-dev": "/subscriptions/XXXX-XXXX-XXXX-XXXX/resourceGroups/policy_identities/providers/Microsoft.ManagedIdentity/userAssignedIdentities/guardrail_policy_set_nonprd_stg"
}
```

Build the deploymentPlan and afterwards deploy the Definitions & Assignment.
Repeat the steps above and you will notice that EPAC tries to replace the Assignment:

```
Replace(changed userAssignedIdentity) 'ASGN.01.NON-PRD Foundation set.Staging' at /subscriptions/XXXX...
```

**Expected behavior**
No plan changes are detected, as nothing changed.

**Screenshots**
In our case, we are deploying 4 sets, each with a userAssignedIdentity. Even when we have no changes, EPAC wants to replace the entire assignment because it detects a change in identity.

**EPAC Version**
10.2.7

**Possible Solution**
In script `/Build-AssignmentIdentityChanges.ps1` it seems that the value of `$existingUserAssignedIdentity` cannot be retrieved properly. On line 30, this line of code:

```powershell
$existingUserAssignedIdentity = ($existingIdentity.userAssignedIdentities | get-member)[-1].Name
```

evaluates to "Values" instead of the resource id of my identity. This causes the if statement

```powershell
elseif ($existingIdentityType -eq "UserAssigned" -and $existingUserAssignedIdentity -ne $definedUserAssignedIdentity)
```

later on in the file to always evaluate to True. Changing the code on line 30 to this:

```powershell
$existingUserAssignedIdentity = $existingIdentity.userAssignedIdentities.Keys[0]
```

solves the issue for me. Please verify if this is correct however 😊
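To make the difference concrete, here is a small added example (not EPAC's own code) that reproduces the `Get-Member` result on a constructed identity object and runs the comparison with the proposed fix. The object shape, the placeholder GUIDs and the function names are assumptions made for the example.

```powershell
# Constructed stand-in for the identity block of an already deployed assignment:
# a hashtable keyed by the identity's resource id, as the report describes.
# (The GUIDs below are placeholders, not real values.)
$resourceId = "/subscriptions/XXXX-XXXX-XXXX-XXXX/resourceGroups/policy_identities/providers/Microsoft.ManagedIdentity/userAssignedIdentities/guardrail_policy_set_nonprd_stg"
$existingIdentity = @{
    type                   = "UserAssigned"
    userAssignedIdentities = @{
        $resourceId = @{
            principalId = "00000000-0000-0000-0000-000000000000"
            clientId    = "00000000-0000-0000-0000-000000000000"
        }
    }
}
# What the assignment file defines for this environment.
$definedUserAssignedIdentity = $resourceId

# Reported line 30. Get-Member describes the members of the Hashtable *type*, sorted
# by member type and then by name, so the last entry is always the "Values" property,
# never one of the keys.
function Get-IdentityViaGetMember($identity) {
    return ($identity.userAssignedIdentities | Get-Member)[-1].Name
}

# The same call on a PSCustomObject (e.g. ConvertFrom-Json without -AsHashtable)
# lists the NoteProperty last, so there it does return the resource id. The
# comparison silently depends on which of the two shapes it is handed.
$asObject = [pscustomobject]@{ userAssignedIdentities = [pscustomobject]@{ $resourceId = @{} } }

# Proposed fix: read the dictionary key. Wrapped in @() so indexing also works on
# hosts where the key collection itself is not indexable.
function Get-IdentityViaKeys($identity) {
    return @($identity.userAssignedIdentities.Keys)[0]
}

# Comparison with the fix applied. Using -notcontains instead of [0] -ne also copes
# with more than one identity on the assignment; -notcontains is case-insensitive,
# which matches how Azure treats resource ids.
function Test-UserAssignedIdentityChanged($identity, [string]$defined) {
    $existingKeys = @($identity.userAssignedIdentities.Keys)
    return ($identity.type -eq "UserAssigned" -and $existingKeys -notcontains $defined)
}

"line 30 on a hashtable : $(Get-IdentityViaGetMember $existingIdentity)"
"line 30 on an object   : $(Get-IdentityViaGetMember $asObject)"
"fixed                  : $(Get-IdentityViaKeys $existingIdentity)"
"changed (line 30)      : $((Get-IdentityViaGetMember $existingIdentity) -ne $definedUserAssignedIdentity)"
"changed (fixed)        : $(Test-UserAssignedIdentityChanged $existingIdentity $definedUserAssignedIdentity)"
```

Running it shows the hashtable path yielding "Values" and therefore a spurious change, while the key-based lookup returns the resource id and reports no change.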