Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License
437 stars 243 forks

Duplicate exemption Id #700

Closed AzureStackNerd closed 4 months ago

AzureStackNerd commented 4 months ago

I am not sure if this is a bug, feature request or because the prerequisites are unclear in the documentation.

Describe the bug

File '/home/vsts/work/1/Definitions/policyExemptions/epac-dev/all-exemptions01.json' has 1 errors: 0: Duplicate Exemption id '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx/providers/Microsoft.Authorization/policyExemptions/' for name ''.

To Reproduce

I noticed that this happens when the policyExemption is made

WITH the use of PolicyDefinitionReferenceId

AND the policySet is assigned to the same scope (Azure management group) twice with different policyEffects.

Expected behavior

I expected EPAC to create the exemption twice, one for each policyAssignmentId. In which case the exemptionId could be an autogenerated GUID, or the exemptionId name with an increment.

EPAC Version

ModuleType Version PreRelease Name
---------- ------- ---------- ----
Script     10.4.2             EnterprisePolicyAsCode

anwather commented 4 months ago

If you make the exemption names unique it works?

AzureStackNerd commented 4 months ago

This is what I think is happening: There is 1 exemption (with a unique name) in the JSON-file, referred by policySetDefinitionName and policyDefinitionReferenceId. EPAC figures out which policyAssignmentId it should take for creating the exemption, but cannot. Since there are 2 assignments, it cannot create 2 exemptions based on 1 unique exemption name.

How can I create a unique exemption name in this scenario?

anwather commented 4 months ago

Are you able to share the exemption file so I can take a look at the structure?

Or email it to @.***?


AzureStackNerd commented 4 months ago

{
  "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-exemption-schema.json",
  "exemptions": [
    // DOES NOT WORK Is trying to create 2 exemptions because there are 2 policy Assignments with different effects
    {
      "name": "3bc74b9b-91d5-4b47-bc66-574321e4322f",
      "displayName": "logging-oms-workspace",
      "description": "logging-oms-workspace description",
      "exemptionCategory": "Mitigated",
      "scope": "/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/resourceGroups/rg-test-resources-d",
      "expiresOn": null,
      "policySetDefinitionName": "diaglogs-la-initiative",
      "policyDefinitionReferenceIds": [
        "LALAAGENTWINDOWS"
      ]
    },
    // WORKS
    {
      "name": "62c963c1-00f4-4555-92c3-1dfc9d7207fc",
      "displayName": "security-center-pricing-policy via policyset",
      "description": "security-center-pricings via policyset description",
      "exemptionCategory": "Mitigated",
      "scope": "/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/resourceGroups/rg-test-resources-d",
      "expiresOn": null,
      "policySetDefinitionName": "mg-asc-settings-initiative",
      "policyDefinitionReferenceIds": [
        "ascstorage"
      ]
    }
  ]
}
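A pre-flight check for the situation in this thread, added here as an example and not code from the EPAC project: it parses the exemption file (including its // line comments), matches each exemption to every assignment of its policy set, flags the ones that resolve to more than one assignment, and derives the per-assignment unique names the reporter expected. The assignment list and the management-group path are constructed for the example; only the exemption names and policy set names come from the file above.

```python
import json
import re

# Constructed sample assignments (not from the issue): "diaglogs-la-initiative"
# is assigned twice at one management group with different effects, which is
# the situation the reporter describes; the other set is assigned once.
MG = "/providers/Microsoft.Management/managementGroups/mg-dev"
ASSIGNMENTS = [
    {"id": f"{MG}/providers/Microsoft.Authorization/policyAssignments/diaglogs-audit",
     "policySetDefinitionName": "diaglogs-la-initiative"},
    {"id": f"{MG}/providers/Microsoft.Authorization/policyAssignments/diaglogs-deny",
     "policySetDefinitionName": "diaglogs-la-initiative"},
    {"id": f"{MG}/providers/Microsoft.Authorization/policyAssignments/asc-settings",
     "policySetDefinitionName": "mg-asc-settings-initiative"},
]

# Trimmed copy of the exemption file posted above (JSON with // line comments).
EXEMPTIONS_JSONC = """{
  "exemptions": [
    // two assignments of this set exist at the scope -> ambiguous
    {"name": "3bc74b9b-91d5-4b47-bc66-574321e4322f",
     "policySetDefinitionName": "diaglogs-la-initiative",
     "policyDefinitionReferenceIds": ["LALAAGENTWINDOWS"]},
    // one assignment -> resolves cleanly
    {"name": "62c963c1-00f4-4555-92c3-1dfc9d7207fc",
     "policySetDefinitionName": "mg-asc-settings-initiative",
     "policyDefinitionReferenceIds": ["ascstorage"]}
  ]
}"""

def load_jsonc(text):
    """Parse JSON that carries // line comments by blanking those lines first."""
    return json.loads(re.sub(r"^\s*//.*$", "", text, flags=re.M))

def resolve_exemptions(exemptions, assignments):
    """Expand each exemption into one entry per matching assignment.
    Returns (resolved, ambiguous): 'resolved' carries a unique name per
    assignment (base name plus a 1-based suffix when the set is assigned more
    than once); 'ambiguous' lists the exemption names that needed expansion."""
    resolved, ambiguous = [], []
    for ex in exemptions:
        matches = [a for a in assignments
                   if a["policySetDefinitionName"] == ex["policySetDefinitionName"]]
        if len(matches) > 1:
            ambiguous.append(ex["name"])
        for i, a in enumerate(matches, 1):
            name = ex["name"] if len(matches) == 1 else f"{ex['name']}-{i}"
            resolved.append({"name": name, "policyAssignmentId": a["id"],
                             "policyDefinitionReferenceIds": ex["policyDefinitionReferenceIds"]})
    return resolved, ambiguous

def unique_names(resolved):
    """True when no two generated exemptions share a name (what the EPAC check requires)."""
    names = [r["name"] for r in resolved]
    return len(names) == len(set(names))
```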

anwather commented 4 months ago

I wonder if you will have to use this method to assign the exemption - as it is getting confused because it doesn't know which assignment to look up?

AzureStackNerd commented 4 months ago

Yeah. I was afraid you might say that. I will look into that way. We are migrating our old management group structure to the enterprise scale one. We probably have to calculate the new policyAssignmentIds then.