Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License

Build-ExemptionsPlan MethodInvocationException #666

Closed anderssonpof closed 3 months ago

anderssonpof commented 3 months ago

Describe the bug

I'm not sure what is causing this and I've been trying to debug why this is happening. This works in 10.2.11 but not in 10.3.x.

I'm getting about 13 errors like this. The resources that are shown in the errors are unrelated to any policy exemption scopes that I have defined.

MethodInvocationException: /Users/user/.local/share/powershell/Modules/EnterprisePolicyAsCode/10.3.2/internal/functions/Build-ExemptionsPlan.ps1:567:41 Line | 567 | … $resourceIds.Add($resourceId, $resource) | ~~~~~~~~ | Exception calling "Add" with "2" argument(s): "Item has already been added. Key in dictionary: | '/subscriptions/subid/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/DeploymentScript' Key being | added: '/subscriptions/subid/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/DeploymentScript'"

Expected behavior

Build-ExemptionsPlan succeeds with no errors.

EPAC Version 10.3.2

anwather commented 3 months ago

Any steps we can take to try and reproduce this? Is this happening during Build-Deployment Plans? I'm not sure why it's complaining about user assigned managed identities.

Last question: is it blocking deployment?

anderssonpof commented 3 months ago

We are currently deploying with Azure DevOps; deploy doesn't even run since the build stage fails.

I'm unsure how to reproduce this since I cannot correlate the resources with any configuration in the policy files.

Looking at the debug logs, it loops through all resources in the subscription? It seems that the resources get returned twice from the API and then Build-ExemptionsPlan tries to add them twice to the list.

===================================================================================================
Processing Policy Exemption files in folder './policy/definitions/policyExemptions/tenant'
===================================================================================================
Number of Policy Exemption files = 2

---------------------------------------------------------------------------------------------------
Processing file './policy/definitions/policyExemptions/tenant/policy-exemption.jsonc'
---------------------------------------------------------------------------------------------------
DEBUG: 12:28:18 PM - InvokeAzRestMethodCommand begin processing with ParameterSet 'ByPath'.
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/subid/resources?api-version=2021-04-01

starting row 832576
    {
      "id": "/subscriptions/subid/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/DeploymentScript",
      "name": "DeploymentScript",
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "location": "westeurope",
      "tags": {}
    },
"nextLink": "https://management.azure.com/subscriptions/id/resources?api-version=2021-04-01&%24skiptoken=token%3d"
HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/subid/resources?api-version=2021-04-01&%24skiptoken=token%3d
starting row 846243
    {
      "id": "/subscriptions/subid/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/DeploymentScript",
      "name": "DeploymentScript",
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "location": "westeurope",
      "tags": {}
    },

anwather commented 3 months ago

Can you please try explicitly using v10.2.13 and see if the issue still occurs - I'm trying to narrow down what is causing this. It may have been a change to Get-AzResourceListMethod.

Also, can you confirm the number of resources in the subscription? I want to check if it is a fault with the code we have added to support paging.

anderssonpof commented 3 months ago

v10.2.13 works without any errors.

Number of resources in the subscription according to Get-AzResource is: 2664

anwather commented 3 months ago

Yeah, just thinking it is using the paging function which could be wrong - are you able to run Get-AzResourceListMethod and see if any duplicate resources are returned from that function? Specifically the Id field. What we do in the code (for some reason) is construct a new hashtable from the result of that function and add each item returned into it using the id as the key. So I suspect there are duplicate ids being returned and I'm not sure why...

anderssonpof commented 3 months ago

I used the following https://github.com/Azure/enterprise-azure-policy-as-code/blob/main/Scripts/Helpers/RestMethods/Get-AzResourceListRestMethod.ps1

Duplicate types are Microsoft.ManagedIdentity/userAssignedIdentities and Microsoft.Insights/ActivityLogAlerts

Running Get-AzResourceListRestMethod with the following filter:

$path = "/subscriptions/$SubscriptionId/resources?api-version=$ApiVersion&`$filter=resourceType eq 'Microsoft.Insights/ActivityLogAlerts'"

No duplicates

With the following filter:

$path = "/subscriptions/$SubscriptionId/resources?api-version=$ApiVersion&`$filter=resourceType eq 'Microsoft.ManagedIdentity/userAssignedIdentities'"

No duplicates

Running it without any filters:

$path = "/subscriptions/$SubscriptionId/resources?api-version=$ApiVersion"

I get duplicates for some reason. Looking at the hashtable, there are duplicates:

Count          : 5
IsFixedSize    : False
IsReadOnly     : False
IsSynchronized : False
Keys           : {id, name, type, location…}
Values         : {/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ManagedIdentity/userAssignedIdentities/DeploymentScript, DeploymentScript, Microsoft.ManagedIdentity/userAssignedIdentities, westeurope…}
SyncRoot       : {[id, /subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ManagedIdentity/userAssignedIdentities/DeploymentScript], [name, DeploymentScript], [type, Microsoft.ManagedIdentity/userAssignedIdentities], [location, westeurope]…}

Count          : 5
IsFixedSize    : False
IsReadOnly     : False
IsSynchronized : False
Keys           : {id, name, type, location…}
Values         : {/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ManagedIdentity/userAssignedIdentities/DeploymentScript, DeploymentScript, Microsoft.ManagedIdentity/userAssignedIdentities, westeurope…}
SyncRoot       : {[id, /subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ManagedIdentity/userAssignedIdentities/DeploymentScript], [name, DeploymentScript], [type, Microsoft.ManagedIdentity/userAssignedIdentities], [location, westeurope]…}

anwather commented 3 months ago

Ok that's really interesting - I'll have to do some testing and try and work out why it's happening - are the objects exactly the same (properties)? I guess we could always check to see if the key exists before trying to insert it again...

Thanks for helping with the testing!

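Added example, not part of this thread and not EPAC's own code: a PowerShell walk over a paged resource listing that builds the id-keyed hashtable the way Build-ExemptionsPlan does, but checks whether the key already exists before inserting (the workaround suggested above) and reports which ids came back twice. The page data, Get-SamplePage and Get-DedupedResourceList are constructed stand-ins; in the real API call nextLink is a full management.azure.com URI rather than a page name.

```powershell
# Added example (not EPAC code): walk a paged resource listing and build the
# id-keyed hashtable like Build-ExemptionsPlan, but skip ids already present
# instead of letting Hashtable.Add throw on a duplicate key.

$uamiId  = "/subscriptions/subid/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/DeploymentScript"
$alertId = "/subscriptions/subid/resourceGroups/rg/providers/Microsoft.Insights/ActivityLogAlerts/alert1"

# Constructed sample pages (hypothetical): the same identity is returned on
# both pages, as in the debug log in this issue.
$samplePages = @{
    "page1" = @{ value = @(
                   @{ id = $uamiId; name = "DeploymentScript"; type = "Microsoft.ManagedIdentity/userAssignedIdentities" }
                 ); nextLink = "page2" }
    "page2" = @{ value = @(
                   @{ id = $uamiId; name = "DeploymentScript"; type = "Microsoft.ManagedIdentity/userAssignedIdentities" },
                   @{ id = $alertId; name = "alert1"; type = "Microsoft.Insights/ActivityLogAlerts" }
                 ); nextLink = $null }
}

# Stand-in for the Invoke-AzRestMethod call (hypothetical helper).
function Get-SamplePage { param([string] $Path) return $samplePages[$Path] }

function Get-DedupedResourceList {
    param([string] $FirstPath, [scriptblock] $PageFetcher)
    $resourceIds = @{}
    $duplicates  = [System.Collections.Generic.List[string]]::new()
    $path = $FirstPath
    while ($null -ne $path) {
        $page = & $PageFetcher $path
        foreach ($resource in $page.value) {
            $resourceId = $resource.id
            if ($resourceIds.ContainsKey($resourceId)) {
                # Same id returned again on a later page: record it and carry on.
                $duplicates.Add($resourceId)
                continue
            }
            $resourceIds.Add($resourceId, $resource)
        }
        $path = $page.nextLink
    }
    [pscustomobject]@{ Resources = $resourceIds; Duplicates = $duplicates }
}

$result = Get-DedupedResourceList -FirstPath "page1" -PageFetcher ${function:Get-SamplePage}
"Unique resources: $($result.Resources.Count)"
"Duplicate ids skipped: $($result.Duplicates.Count)"
$result.Duplicates | ForEach-Object { "  $_" }
```

Running the script yields two unique resources and one skipped duplicate; the Duplicates list is what to inspect when deciding whether the repeated objects really are identical, as the last comment in this thread reports.
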
anderssonpof commented 3 months ago

From what I can discern the object(s) have the same properties and the same resource id.