Closed dmburrel closed 1 month ago
I've tested in v10.6.1 (latest) - notScopes are applying correctly.
Also tested the export and it came out as expected (minor fix required to naming but it is functional)
You are many versions behind current and there have been a lot of bug fixes - I would suggest upgrading to the latest version. You will need to upgrade your global-settings.jsonc file to support the new version. This is documented at https://azure.github.io/enterprise-azure-policy-as-code/start-changes/#breaking-changes-in-v1000
Can you check with Jeremiah who is not working on the new version either? There should be some internal chatter about that as well.
Let me retest with the child structure you have above and see if I can work it out
We tested with templates given by our MS partner. This is a version issue. We will upgrade to the latest. Thank you.
Describe the bug
NOTSCOPES are not applied in Azure as they are expected to. This happens with any assignment and any definition that I am using.
I am also unable to export, using this command "Export-AzPolicyResources", the exclusions that I created manually while testing. There are internal discussions that this may not work on v10 as well.
This is the assignment file code with specific environment identifiers removed.
```json
{
  "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-assignment-schema.json",
  "nodeName": "/azure-root/",
  "children": [
    {
      "nodeName": "Restricted-Services/",
      "children": [
        {
          "nodeName": "restrict-services",
          "assignment": {
            "name": "restrict-services",
            "displayName": "restrict-services",
            "description": "This policy prevents the creation of a technology or resource that is centralized within Azure. An exception must be approved by if this resource is needed."
          },
          "definitionEntry": {
            "policyName": "restrict-services",
            "description": "This policy prevents the creation of a technology or resource that is centralized within Azure. An exception must be approved by if this resource is needed."
          },
          "nonComplianceMessages": [
            {
              "message": "An attempt has been made to create an Azure service. If this resource is needed, please consult documentation for an exception."
            }
          ],
          "scope": {
            "mg-dev": [
              "/providers/Microsoft.Management/managementGroups/mg-name-dev"
            ],
            "mg-prod": [
              "/providers/Microsoft.Management/managementGroups/mg-name-prod"
            ]
          },
          "notScopes": {
            "mg-prod": [
              "/subscriptions/[subscription 1 GUID]",
              "/subscriptions/[subscription 2 GUID]",
              "/subscriptions/[subscription 3 GUID]",
              "/providers/Microsoft.Management/managementGroups/[MG 1 Name]",
              "/providers/Microsoft.Management/managementGroups/[MG 2 Name]"
            ]
          }
        }
      ]
    }
  ]
}
```
To Reproduce
Using the file sample above, changing out the blank environment labels to match your environment, run the code to assign the policy and set exclusions through notScopes.
Expected behavior
When done manually, the exclusion of Azure resources works as expected. See this screenshot:
When doing it through EPAC the exclusion is blank. See screenshot:
EPAC Version
EPAC version 9.1.5
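As an added example (not EPAC's own code, nor anything from the report), a small offline check over an assignment tree like the one posted above: it flattens the node hierarchy into per-leaf assignments and reports notScopes entries for a pacEnvironment that has no matching scope entry, which EPAC would never deploy and so would look "blank" in the portal. The sample tree is constructed from the report with placeholders kept, plus one deliberately orphaned `mg-test` exclusion; the inheritance of keys from parent nodes is assumed EPAC semantics, simplified to child-overrides-parent.

```python
# Constructed sample mirroring the report's assignment file (placeholders kept).
# The "mg-test" notScopes entry is added on purpose: it has no scope entry.
SAMPLE = {
    "nodeName": "/azure-root/",
    "children": [{
        "nodeName": "Restricted-Services/",
        "children": [{
            "nodeName": "restrict-services",
            "assignment": {"name": "restrict-services", "displayName": "restrict-services"},
            "definitionEntry": {"policyName": "restrict-services"},
            "scope": {
                "mg-dev": ["/providers/Microsoft.Management/managementGroups/mg-name-dev"],
                "mg-prod": ["/providers/Microsoft.Management/managementGroups/mg-name-prod"],
            },
            "notScopes": {
                "mg-prod": ["/subscriptions/[subscription 1 GUID]",
                            "/providers/Microsoft.Management/managementGroups/[MG 1 Name]"],
                "mg-test": ["/subscriptions/[subscription 9 GUID]"],
            },
        }],
    }],
}

# Keys that child nodes inherit from ancestors (assumed EPAC tree semantics,
# simplified here to "a child's own value replaces the inherited one").
INHERITED = ("assignment", "definitionEntry", "scope", "notScopes", "nonComplianceMessages")

def flatten(node, inherited=None):
    """Walk the tree; every leaf (node without children) becomes one assignment."""
    merged = dict(inherited or {})
    merged.update({k: node[k] for k in INHERITED if k in node})
    if node.get("children"):
        return [a for child in node["children"] for a in flatten(child, merged)]
    return [merged]

def expected_not_scopes(node, env):
    """Map assignment name -> sorted notScopes for one pacEnvironment; this is
    the list to compare against what the portal shows for that assignment."""
    return {a["assignment"]["name"]: sorted(a.get("notScopes", {}).get(env, []))
            for a in flatten(node)}

def check_not_scopes(node):
    """Findings: (assignment, env, entries) where notScopes names an environment
    that has no scope entry, so the exclusions can never be applied."""
    findings = []
    for a in flatten(node):
        scopes = a.get("scope", {})
        for env, entries in a.get("notScopes", {}).items():
            if env not in scopes:
                findings.append((a["assignment"]["name"], env, list(entries)))
    return findings
```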