Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License

Not possible to have an exemption against an assignment where the scope is included in the assignment excluded scopes #649

Closed roddick-mark closed 1 month ago

roddick-mark commented 1 month ago

Describe the bug

We are currently migrating from using excluded scopes to exemptions and would like to leave the excluded scopes in place until all the exemptions have been created. This is now not possible in v10.2.13 as the exemption will be deleted/not created if it is included in the excluded scope of an assignment. In v8 this was possible.

Example 1

Running EPAC v10.2.13 with an exemption previously created with EPAC v8. If the scope is included in the excluded scopes of an assignment, the exemption will be deleted:

WARNING: Exemption entry 373: No assignments found for exemption scope /subscriptions/xxxxx/resourceGroups/xxxxx, skipping entry.

...

Policy Exemption counts:
    0 unchanged
    0 orphaned
    0 expired
    1 changes:
        new     = 0
        update  = 0
        replace = 0
        delete  = 1

Example 2

Trying to create a new exemption with EPAC v10.2.13, where the exemption's scope is included in the excluded scope of an assignment:

WARNING: Exemption entry 374: No assignments found for exemption scope /subscriptions/xxxxx/resourceGroups/xxxxx, skipping entry.

...

Policy Exemption counts:
    0 unchanged
    0 orphaned
    0 expired
    0 changes:
        new     = 0
        update  = 0
        replace = 0
        delete  = 0

EPAC Version 10.2.13

anwather commented 1 month ago

Working on a fix for this - you will be able to specify a switch called -SkipNotScopedExemptions when you run Build-DeploymentPlans to override this default behavior.

roddick-mark commented 1 month ago

Thanks @anwather, that's working great!
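To illustrate the behaviour described in the report and the -SkipNotScopedExemptions switch mentioned in the fix, here is a simplified scope-matching model written for this note; it is not EPAC's own code, and the function names, the hashtable shape used for assignments and the sample IDs are assumptions.

```powershell
# Added illustration (not EPAC code): how an exemption scope is matched against an
# assignment's scope and its excluded scopes (notScopes) before the plan is built.
function Test-ScopeContains {
    param([string]$Parent, [string]$Child)
    # Resource IDs are case-insensitive; match whole path segments only, so that
    # /subscriptions/a is not treated as containing /subscriptions/ab.
    $p = $Parent.TrimEnd('/')
    $c = $Child.TrimEnd('/')
    return ($c -ieq $p) -or $c.StartsWith("$p/", [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-ExemptionAssignments {
    param(
        [string]$ExemptionScope,
        [object[]]$Assignments,          # constructed shape: @{ id; scope; notScopes }
        [switch]$SkipNotScopedExemptions # assumed to mirror the Build-DeploymentPlans switch
    )
    $applicable = foreach ($a in $Assignments) {
        # The assignment must cover the exemption scope at all.
        if (-not (Test-ScopeContains -Parent $a.scope -Child $ExemptionScope)) { continue }
        # If a notScope covers the exemption scope, the assignment does not apply there.
        $excluded = @($a.notScopes | Where-Object { Test-ScopeContains -Parent $_ -Child $ExemptionScope }).Count -gt 0
        # Default behaviour: an excluded scope yields no matching assignment, so the
        # exemption is skipped (and an existing one planned for deletion).
        if ($excluded -and -not $SkipNotScopedExemptions) { continue }
        $a.id
    }
    return @($applicable)
}

# Constructed sample data with placeholder IDs (not real resources).
$assignments = @(
    @{ id = 'deny-public-ip'
       scope = '/subscriptions/00000000-0000-0000-0000-000000000000'
       notScopes = @('/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/legacy-rg') }
)
$exemptionScope = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/legacy-rg'

$default = Get-ExemptionAssignments -ExemptionScope $exemptionScope -Assignments $assignments
if ($default.Count -eq 0) {
    Write-Warning "No assignments found for exemption scope $exemptionScope, skipping entry."
}

$withSwitch = Get-ExemptionAssignments -ExemptionScope $exemptionScope -Assignments $assignments -SkipNotScopedExemptions
"With -SkipNotScopedExemptions the exemption targets: $($withSwitch -join ', ')"
```

The first call reproduces the warning from the report (exemption scope sits inside a notScope, so no assignment matches); the second keeps the assignment as a target, which is what lets exemptions coexist with excluded scopes during the migration.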