mclgoerg closed 1 month ago
When the plan generates, does it give a reason for a change being detected? E.g., what is the output from the plan where it evaluates policy sets? Are you able to share the set definition?
storageaccount-set-assignment.jsonc security-set-assignment.jsonc storageaccount-set-definition.jsonc security-set-definition.jsonc
I hope I did not miss any important file. 2 Policy Sets and 2 Assignment Files
Processing Policy Set JSON files in folder './Definitions/policySetDefinitions'
Number of Policy Set files = 2
Update (policies) 'Security Baseline'
Update (policies) 'StorageAccount Baseline'
Number of unchanged Policy SetPolicy Sets definition = 0
The reason seems to be "Update (policies)"
Hmm, my thought is it may be the definition version specified in each policy; EPAC may not be checking for that when it does the diff. I'll have to test out the theory but won't have time until next week.
But the definition version is mandatory, right? Otherwise I can change/remove this data.
It's not mandatory - if you want to try removing it and let me know if this fixes it - might help narrow down the problem.
This actually fixed it. Thank you very much!
Describe the bug
Build-DeploymentPlans.ps1 results each time in the fact that it has found a change in the policy set. (The deployment then runs - Deploy-PolicyPlan.ps1). Nothing was adjusted in the policy set definitions, only the deployment was executed several times in succession.
Policy Set counts:
0 unchanged
2 changes:
new = 0
update = 2
replace = 0
delete = 0
Expected behavior
The script Build-DeploymentPlans.ps1 should only find a change if there really was a change in the definitions.
EPAC Version
10.6.0