Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License
403 stars 206 forks

Exemptions skipped in 'Prod Plan - Main Branch' stage #685

Closed donk-msft closed 2 weeks ago

donk-msft commented 4 weeks ago

Describe the bug
Added exemption file (json) and noticed during deployment that exemption was successfully created in Dev Plan stage, but skipped in 'Prod Plan - Main Branch' stage with the following errors:

Processing file '/home/vsts/work/1/s/Definitions/policyExemptions/<ManagementGroup>/exemptions-prd.json'

WARNING: Row 0: Resource '/subscriptions/<subId>/resourceGroups/rg-connectivity-prd-we-001/providers/Microsoft.Network/virtualNetworks/vnet-hub-prd-we-001' does not exist, skipping entry.
WARNING: Exemption entry 0: Exemption scope /subscriptions/<subId>/resourceGroups/rg-connectivity-prd-we-001/providers/Microsoft.Network/virtualNetworks/vnet-hub-prd-we-001 not found in current scope tree for root /providers/Microsoft.Management/managementGroups/<ManagementGroup>, skipping entry.
WARNING: Exemption entry 0: No assignments found for exemption scope /subscriptions/<subId>/resourceGroups/rg-connectivity-prd-we-001/providers/Microsoft.Network/virtualNetworks/vnet-hub-prd-we-001, skipping entry.
WARNING: Row 1: Resource '/subscriptions/<subId>/resourceGroups/rg-connectivity-dev-we-001/providers/Microsoft.Network/virtualNetworks/vnet-<bla>-dev-we-001' does not exist, skipping entry.
WARNING: Exemption entry 1: Exemption scope /subscriptions/<subId>/resourceGroups/rg-connectivity-dev-we-001/providers/Microsoft.Network/virtualNetworks/vnet-<bla>-dev-we-001 not found in current scope tree for root /providers/Microsoft.Management/managementGroups/<ManagementGroup>, skipping entry.
WARNING: Exemption entry 1: No assignments found for exemption scope /subscriptions/<subId>/resourceGroups/rg-connectivity-dev-we-001/providers/Microsoft.Network/virtualNetworks/vnet-<bla>-dev-we-001, skipping entry.

To Reproduce
Steps to reproduce the behavior: We've implemented the suggested segregation of SPNs to run each stage. For the Plan stage we're using an SPN that has the custom role 'EPAC Resource Policy Reader'. This custom role has limited read permissions related to Policies and exemptions, but not other resources. When we assign the 'Reader' role to this SPN at MG scope, the exemptions are planned and created as expected.

Expected behavior
A clear and concise description of what you expected to happen.

EPAC Version
v10.3.5
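As an added example (not part of this issue and not EPAC's own code): a PowerShell preflight check that reproduces the condition behind the warnings above from the Plan-stage identity's point of view. It assumes Az.Accounts and Az.Resources are installed and that `Connect-AzAccount` has already been run as the Plan-stage SPN; it also assumes the exemption file carries an `exemptions` array whose entries have `name` and `scope` properties, and the parameters `$ExemptionFile`, `$RootManagementGroup` and `$PlanSpnObjectId` are hypothetical inputs. It first checks whether the SPN holds a Reader-equivalent assignment at the root management group, then resolves each exemption scope; a scope the identity cannot read is indistinguishable from one that does not exist, which is exactly what the "Resource ... does not exist, skipping entry" warning reports.

```powershell
# Added example, not code from EPAC or from this issue.
# Assumes Az.Accounts and Az.Resources are installed and Connect-AzAccount has been run
# as the Plan-stage SPN, so that the visibility checks reflect that identity's permissions.
# Assumes the exemption file has an "exemptions" array whose entries carry "name" and
# "scope" properties (an assumption based on the issue text, not verified here).
param(
    [Parameter(Mandatory)] [string] $ExemptionFile,       # e.g. Definitions/policyExemptions/<ManagementGroup>/exemptions-prd.json
    [Parameter(Mandatory)] [string] $RootManagementGroup, # the <ManagementGroup> EPAC uses as the scope-tree root
    [Parameter(Mandatory)] [string] $PlanSpnObjectId      # Entra object id of the Plan-stage SPN (hypothetical input)
)

$rootScope = "/providers/Microsoft.Management/managementGroups/$RootManagementGroup"

# Check 1: does the Plan SPN hold a Reader-equivalent role at the root management group
# (or at tenant root '/')? Get-AzRoleAssignment -Scope also returns inherited assignments,
# so filter on the assignment's own Scope rather than trusting the query scope.
$readerLike = Get-AzRoleAssignment -ObjectId $PlanSpnObjectId -Scope $rootScope |
    Where-Object {
        $_.RoleDefinitionName -in @('Reader', 'Contributor', 'Owner') -and
        ($_.Scope -eq $rootScope -or $_.Scope -eq '/')
    }
if (-not $readerLike) {
    Write-Warning "No Reader-equivalent assignment for $PlanSpnObjectId at $rootScope. Exemption scopes that point at non-policy resources will be reported as 'does not exist' and skipped."
}

# Check 2: can the signed-in identity resolve each exemption scope? This mirrors the
# 'Row N: Resource ... does not exist' warning: a resource the identity cannot read
# looks the same to the planner as a resource that is absent.
$exemptions = (Get-Content -Raw -Path $ExemptionFile | ConvertFrom-Json).exemptions
$row = 0
$report = foreach ($entry in $exemptions) {
    $scope = $entry.scope
    $resolved = $null
    if ($scope -match '/resourceGroups/[^/]+/providers/') {
        # Resource-level scope, as in the issue's virtual network example
        $resolved = Get-AzResource -ResourceId $scope -ErrorAction SilentlyContinue
    } elseif ($scope -match '/resourceGroups/[^/]+/?$') {
        # Resource-group-level scope
        $resolved = Get-AzResourceGroup -Id $scope -ErrorAction SilentlyContinue
    } else {
        # Subscription and management-group scopes are resolved through EPAC's scope
        # tree rather than a resource lookup, so they are not checked here.
        $resolved = 'not checked'
    }
    [pscustomobject]@{
        Row     = $row
        Name    = $entry.name
        Scope   = $scope
        Visible = [bool]$resolved
        Status  = if ($resolved) { 'ok' } else { 'would be skipped: not visible to this identity' }
    }
    $row++
}

$report | Format-Table -AutoSize
# Fail the pipeline step instead of letting exemptions be dropped silently
if ($report | Where-Object { -not $_.Visible }) { exit 1 }
```

Run it as a step in the Plan stage after the pipeline's `Connect-AzAccount`, so the check uses the same SPN that EPAC will use; a non-zero exit there surfaces the missing read permission before the plan is produced, rather than as warnings buried in the job log.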

anwather commented 3 weeks ago

So just to be clear assigning 'Reader' at MG scope fixes this?

donk-msft commented 3 weeks ago

So just to be clear assigning 'Reader' at MG scope fixes this?

@anwather Yes, that fixes it.

anwather commented 3 weeks ago

Is it this role https://azure.github.io/enterprise-azure-policy-as-code/operational-scripts-hydration-kit/#create-policy-reader-role that you have created?

anwather commented 3 weeks ago

So from what I can see in the docs, you need to assign reader permissions at the root level in order to complete a plan, as noted below: [image]

donk-msft commented 3 weeks ago

Is it this role https://azure.github.io/enterprise-azure-policy-as-code/operational-scripts-hydration-kit/#create-policy-reader-role that you have created?

Yes it is. Looking back at my work items, I believe the guidance has changed since I implemented EPAC and I missed it when upgrading to v10.3.*.

I created the SPNs based on this guidance: [image]

This issue can be closed then.

anwather commented 2 weeks ago

Closing as resolved