Closed anderssonpof closed 3 months ago
Any steps we can take to try and reproduce this? Is this happening during Build-Deployment Plans? I'm not sure why it's complaining about user assigned managed identities.
Last question: is it blocking deployment?
From: Per Andersson
Sent: Wednesday, June 12, 2024 6:47:58 PM
To: Azure/enterprise-azure-policy-as-code
Cc: Subscribed
Subject: [Azure/enterprise-azure-policy-as-code] Build-ExemptionsPlan MethodInvocationException (Issue #666)
Describe the bug
I'm not sure what is causing this and I've been trying to debug why this is happening. This works in 10.2.11 but not in 10.3.x
I'm getting about 13 errors like this. The resources that are shown in the errors are unrelated to any policy exemption scopes that I have defined.
MethodInvocationException: /Users/user/.local/share/powershell/Modules/EnterprisePolicyAsCode/10.3.2/internal/functions/Build-ExemptionsPlan.ps1:567:41
Line |
567 | … $resourceIds.Add($resourceId, $resource)
| ~~~~~~~~
| Exception calling "Add" with "2" argument(s): "Item has already been added. Key in dictionary:
| '/subscriptions/subid/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/DeploymentScript' Key being
| added: '/subscriptions/subid/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/DeploymentScript'"
Expected behavior
Build-ExemptionsPlan succeeds with no errors
EPAC Version
10.3.2
We are currently deploying with Azure DevOps; deploy doesn't even run since the build stage fails.
I'm unsure how to reproduce this since I cannot correlate the resources with any configuration in the policy files.
Looking at the debug logs, it loops through all resources in the subscription? It seems that the resources get returned twice from the API and then Build-ExemptionsPlan tries to add them twice to the list.
===================================================================================================
Processing Policy Exemption files in folder './policy/definitions/policyExemptions/tenant'
===================================================================================================
Number of Policy Exemption files = 2
---------------------------------------------------------------------------------------------------
Processing file './policy/definitions/policyExemptions/tenant/policy-exemption.jsonc'
---------------------------------------------------------------------------------------------------
DEBUG: 12:28:18 PM - InvokeAzRestMethodCommand begin processing with ParameterSet 'ByPath'.
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://management.azure.com/subscriptions/subid/resources?api-version=2021-04-01
starting row 832576
{
"id": "/subscriptions/subid/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/DeploymentScript",
"name": "DeploymentScript",
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"location": "westeurope",
"tags": {}
},
"nextLink": "https://management.azure.com/subscriptions/id/resources?api-version=2021-04-01&%24skiptoken=token%3d"
HTTP Method:
GET
Absolute Uri:
https://management.azure.com/subscriptions/subid/resources?api-version=2021-04-01&%24skiptoken=token%3d
starting row 846243
{
"id": "/subscriptions/subid/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/DeploymentScript",
"name": "DeploymentScript",
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"location": "westeurope",
"tags": {}
},
Can you please try explicitly using v10.2.13 and see if the issue still occurs - I'm trying to narrow down what is causing this. It may have been a change to Get-AzResourceListMethod.
Also can you confirm the number of resources in the subscription? I want to check if it is a fault with the code we have added to support paging.
v10.2.13 works without any errors.
Number of resources in the subscription according to Get-AzResource is: 2664
Yeah just thinking it is using the paging function which could be wrong - are you able to run Get-AzResourceListMethod and see if any duplicate resources are returned from that function? Specifically the Id field. What we do in the code (for some reason) is construct a new hashtable from the result of that function and add each item returned into it using the id as the key. So I suspect there are duplicate id's being returned and I'm not sure why....
I used the following https://github.com/Azure/enterprise-azure-policy-as-code/blob/main/Scripts/Helpers/RestMethods/Get-AzResourceListRestMethod.ps1
Duplicate types are Microsoft.ManagedIdentity/userAssignedIdentities and Microsoft.Insights/ActivityLogAlerts
Running Get-AzResourceListRestMethod with the following filter
$path = "/subscriptions/$SubscriptionId/resources?api-version=$ApiVersion&`$filter=resourceType eq 'Microsoft.Insights/ActivityLogAlerts'"
No duplicates
With the following filter
$path = "/subscriptions/$SubscriptionId/resources?api-version=$ApiVersion&`$filter=resourceType eq 'Microsoft.ManagedIdentity/userAssignedIdentities'"
No duplicates
Running it without any filters
$path = "/subscriptions/$SubscriptionId/resources?api-version=$ApiVersion"
I get duplicates for some reason. Looking at the hashtable, there are duplicates:
Count : 5
IsFixedSize : False
IsReadOnly : False
IsSynchronized : False
Keys : {id, name, type, location…}
Values : {/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ManagedIdentity/userAssignedIdentities/DeploymentScript, DeploymentScript, Microsoft.ManagedIdentity/userAssignedIdentities, westeurope…}
SyncRoot : {[id, /subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ManagedIdentity/userAssignedIdentities/DeploymentScript], [name, DeploymentScript], [type, Microsoft.ManagedIdentity/userAssignedIdentities], [location, westeurope]…}
Count : 5
IsFixedSize : False
IsReadOnly : False
IsSynchronized : False
Keys : {id, name, type, location…}
Values : {/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ManagedIdentity/userAssignedIdentities/DeploymentScript, DeploymentScript, Microsoft.ManagedIdentity/userAssignedIdentities, westeurope…}
SyncRoot : {[id, /subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ManagedIdentity/userAssignedIdentities/DeploymentScript], [name, DeploymentScript], [type, Microsoft.ManagedIdentity/userAssignedIdentities], [location, westeurope]…}
Ok that's really interesting - I'll have to do some testing and try and work out why it's happening - are the objects exactly the same (properties)? I guess we could always check to see if the key exists before trying to insert it again...
Thanks for helping with the testing!
From what I can discern the object(s) have the same properties and the same resource id.
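The guard suggested earlier in the thread (check whether the key exists before inserting), as an added example that is not EPAC's own code. `Merge-ResourcePage` is a hypothetical helper and the two pages are constructed sample data; the function also reports whether each repeated ID carries identical properties, assuming both copies list their keys in the same order.

```powershell
# Added example: Merge-ResourcePage is hypothetical, not part of EPAC.
function Merge-ResourcePage {
    param (
        # Each page is a hashtable with a 'value' array, as in a paged list response.
        [Parameter(Mandatory)] [object[]] $Pages
    )

    $resourceIds = @{}   # keyed by resource ID
    $duplicates = [System.Collections.Generic.List[object]]::new()

    foreach ($page in $Pages) {
        foreach ($resource in $page.value) {
            $resourceId = $resource.id
            if ($resourceIds.ContainsKey($resourceId)) {
                # Key already seen on an earlier page: record it instead of
                # calling Add(), which throws "Item has already been added".
                $first = $resourceIds[$resourceId] | ConvertTo-Json -Depth 10 -Compress
                $again = $resource | ConvertTo-Json -Depth 10 -Compress
                $duplicates.Add([pscustomobject]@{
                        Id        = $resourceId
                        Identical = ($first -eq $again)   # order-sensitive comparison
                    })
                continue
            }
            $resourceIds.Add($resourceId, $resource)
        }
    }
    [pscustomobject]@{ Resources = $resourceIds; Duplicates = $duplicates }
}

# Constructed sample data: the same managed identity appears on both pages.
$newIdentity = {
    [ordered]@{
        id       = '/subscriptions/subid/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/DeploymentScript'
        name     = 'DeploymentScript'
        type     = 'Microsoft.ManagedIdentity/userAssignedIdentities'
        location = 'westeurope'
        tags     = @{}
    }
}
$alert = [ordered]@{
    id   = '/subscriptions/subid/resourceGroups/rg/providers/Microsoft.Insights/ActivityLogAlerts/sample-alert'
    name = 'sample-alert'
    type = 'Microsoft.Insights/ActivityLogAlerts'
}
$pages = @(
    @{ value = @((& $newIdentity), $alert) },
    @{ value = @((& $newIdentity)) }
)

$result = Merge-ResourcePage -Pages $pages
"Unique resources: $($result.Resources.Count)"
$result.Duplicates | Format-Table -AutoSize
```

A duplicate reported with `Identical` set to `False` means the two pages disagree about the resource, which is worth logging rather than silently keeping the first copy.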