Closed donk-msft closed 2 weeks ago
So just to be clear assigning 'Reader' at MG scope fixes this?
@anwather Yes, that fixes it.
Is it this role https://azure.github.io/enterprise-azure-policy-as-code/operational-scripts-hydration-kit/#create-policy-reader-role that you have created?
So from what I can see in the docs, you need to assign reader permissions at the root level in order to complete a plan, as noted below:
Yes it is. Looking back at my work items, I believe the guidance has changed since I implemented EPAC and I missed it when upgrading to v10.3.*.
I created the SPNs based on this guidance:
This issue can be closed then.
Closing as resolved
**Describe the bug**
Added exemption file (json) and noticed during deployment that the exemption was successfully created in the Dev Plan stage, but skipped in the 'Prod Plan - Main Branch' stage with the following errors:

```text
Processing file '/home/vsts/work/1/s/Definitions/policyExemptions/<ManagementGroup>/exemptions-prd.json'
WARNING: Row 0: Resource '/subscriptions/<subId>/resourceGroups/rg-connectivity-prd-we-001/providers/Microsoft.Network/virtualNetworks/vnet-hub-prd-we-001' does not exist, skipping entry.
WARNING: Exemption entry 0: Exemption scope /subscriptions/<subId>/resourceGroups/rg-connectivity-prd-we-001/providers/Microsoft.Network/virtualNetworks/vnet-hub-prd-we-001 not found in current scope tree for root /providers/Microsoft.Management/managementGroups/<ManagementGroup>, skipping entry.
WARNING: Exemption entry 0: No assignments found for exemption scope /subscriptions/<subId>/resourceGroups/rg-connectivity-prd-we-001/providers/Microsoft.Network/virtualNetworks/vnet-hub-prd-we-001, skipping entry.
WARNING: Row 1: Resource '/subscriptions/<subId>/resourceGroups/rg-connectivity-dev-we-001/providers/Microsoft.Network/virtualNetworks/vnet-<bla>-dev-we-001' does not exist, skipping entry.
WARNING: Exemption entry 1: Exemption scope /subscriptions/<subId>/resourceGroups/rg-connectivity-dev-we-001/providers/Microsoft.Network/virtualNetworks/vnet-<bla>-dev-we-001 not found in current scope tree for root /providers/Microsoft.Management/managementGroups/<ManagementGroup>, skipping entry.
WARNING: Exemption entry 1: No assignments found for exemption scope /subscriptions/<subId>/resourceGroups/rg-connectivity-dev-we-001/providers/Microsoft.Network/virtualNetworks/vnet-<bla>-dev-we-001, skipping entry.
```

**To Reproduce**
Steps to reproduce the behavior: We've implemented the suggested segregation of SPNs to run each stage. For the Plan stage we're using an SPN that has the custom role 'EPAC Resource Policy Reader'. This custom role has limited read permissions related to Policies and exemptions, but not other resources. When we assign the 'Reader' role to this SPN at MG scope, the exemptions are planned and created as expected.
**EPAC Version**
v10.3.5
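A pre-flight check for the situation in this issue, added here as an example and not part of EPAC or of the reporter's pipeline: run under the Plan-stage SPN's context, it resolves every exemption scope the way the Plan does, reports the ones that would be skipped, and checks whether 'Reader' is assigned at the management group root. It assumes the exemption file has the layout `{"exemptions":[{"name":..., "scope":...}]}` and that the placeholder management group id and SPN object id are replaced with your own.

```powershell
# Added check (not EPAC code). Run as the Plan SPN so visibility matches the Plan job.
# Assumed file layout: {"exemptions":[{"name":"...","scope":"/subscriptions/..."}]}
param(
    [string]$ExemptionFile = './Definitions/policyExemptions/<ManagementGroup>/exemptions-prd.json',
    [string]$ManagementGroupId = '<ManagementGroup>',    # placeholder
    [string]$PlanSpnObjectId   = '<plan-spn-object-id>'  # placeholder: object id of the Plan SPN
)

$mgScope    = "/providers/Microsoft.Management/managementGroups/$ManagementGroupId"
$exemptions = (Get-Content -Raw -Path $ExemptionFile | ConvertFrom-Json).exemptions

$unresolved = @()
foreach ($ex in $exemptions) {
    # A resource-level exemption scope must be readable by this identity, otherwise the
    # Plan logs "Resource '...' does not exist, skipping entry" even when the resource is there.
    $res = Get-AzResource -ResourceId $ex.scope -ErrorAction SilentlyContinue
    if ($null -eq $res) {
        $unresolved += $ex.scope
        Write-Warning "Exemption '$($ex.name)': scope $($ex.scope) is not visible to the current identity"
    }
}

# Is 'Reader' assigned to the Plan SPN directly at the MG root (inherited entries filtered out)?
$reader = Get-AzRoleAssignment -ObjectId $PlanSpnObjectId -Scope $mgScope `
              -RoleDefinitionName 'Reader' -ErrorAction SilentlyContinue |
          Where-Object { $_.Scope -eq $mgScope }

if ($unresolved.Count -gt 0 -and -not $reader) {
    Write-Host "$($unresolved.Count) exemption scope(s) would be skipped by the Plan."
    Write-Host "The policy-only custom role cannot read resources; grant Reader at the MG root:"
    Write-Host "  New-AzRoleAssignment -ObjectId $PlanSpnObjectId -RoleDefinitionName 'Reader' -Scope $mgScope"
} elseif ($unresolved.Count -gt 0) {
    Write-Host "Reader is already assigned at $mgScope; check the unresolved scope ids themselves."
} else {
    Write-Host "All $($exemptions.Count) exemption scopes resolve; the Plan should not skip them."
}
```

Reader is a read-only built-in role, so this keeps the Plan SPN's blast radius at read access while restoring the resource visibility the exemption lookup needs.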