Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License
436 stars 243 forks

Excluded Scopes Not Working as Expected #769

Closed glsutter closed 1 month ago

glsutter commented 1 month ago

Describe the bug: Reopen https://github.com/Azure/enterprise-azure-policy-as-code/issues/425. Testing with

"excludeSubscriptions": true

is not working as expected. Tried the flag within desiredState and also at other levels in JSON and unmanaged subscription assignments were deleted in the plan.

The code in the merge request does not seem to process this flag.

To Reproduce: Add "excludeSubscriptions": true to desiredState, create an unmanaged policy assignment in a subscription, and examine the policy plan to check whether the assignment will be deleted.

Expected behavior: Unmanaged subscription policy assignments should not be deleted.


EPAC Version: 10.0.0

anwather commented 1 month ago

That flag doesn't appear in the code anywhere. You can use excludedScopes. I have tested in 10.6 by deploying an assignment to a subscription and using desired settings as below.

    "desiredState": {
        "strategy": "full",
        "keepDfcSecurityAssignments": true,
        "excludedScopes": [
            "/subscriptions/01e2f327-74ac-451e-8ad9-1f923a06d634"
        ]
    }

The output from the plan was as follows:

Output plan(s); if any, will be written to the following file(s):
    Skipping Policy deployment stage/step - no changes
    Skipping Role Assignment stage/step - no changes
glsutter commented 1 month ago

Yes, that works, but we would like to exclude ALL subscriptions. And we have hundreds of subscriptions, the list is changing frequently. Originally, we tried:

    "excludedScopes": [
        "/subscriptions/*" // Ignore all subscription level policies
    ]

But that doesn't seem to work. (Confirmed by Heinrich.)

We're looking for a way for EPAC to manage at-scale policies at MG level without affecting any policies defined/assigned at subscription level. (ANY subscription.) I think that was the idea behind the "excludeSubscriptions" boolean but it never was implemented.

anwather commented 1 month ago

Ok - could you just set the desiredState to ownedOnly?

glsutter commented 1 month ago

Sure, that was our workaround. But that won't remove old policies and assignments we have at MG scope. It ignores EVERYTHING that's unmanaged, not just what's at subscription scope. Not really the same thing.

anwather commented 1 month ago

No problems, will look at implementing as Heinrich suggested.

anwather commented 1 month ago

Can you please test the code in the branch feature/aw/issue769 and see if this resolves the issue? You can now add excludeSubscriptions: true to global-settings.jsonc

glsutter commented 1 month ago

Hi, Anthony. We have the EPAC code in a Gitlab monorepo. Not Github. I really can't test a single branch very easily. And we're back on v10.0.0. There are probably other changes needed that were made after that release.

I tried to identify which scripts had changed and updated our repo, but that didn't seem to work. I updated the following in our monorepo:

  - Scripts/Helpers/RestMethods/Get-AzManagementGroupRestMethod.ps1
  - Scripts/Helpers/Build-ScopeTableForDeploymentRootScope.ps1
  - Scripts/Helpers/Build-ScopeTableForManagementGroup.ps1
  - Scripts/Helpers/Get-GlobalSettings.ps1

I'm attaching the -Verbose output of Build-DeploymentPlans.ps1. It shows some errors and unexpected changes, so it looks like there's something I'm missing. Do I need to upgrade to the latest release, then apply the changes in feature/aw/issue769?

glsutter commented 1 month ago

The output may have some sensitive information. Need to send to you securely. Or we can look at it in a Teams meeting.

glsutter commented 1 month ago

By the way, how can I identify the version I'm running if I'm using the main branch?

anwather commented 1 month ago

If you are using the main branch of this project it is the latest one. The branch I have created for you to test is based off that (currently v10.6.2). The easiest way for you to test this is:

  1. Clone the project locally and switch to my branch
  2. Add your Definitions folder into the local project (from your current running configuration)
  3. Run scripts\deploy\Build-DeploymentPlans.ps1 as you would do in your pipeline (you can just run locally connected to Azure with your own credential - need to have Reader over the management group)
  4. Check the build plan to see if the subscriptions are ignored.

You can email me or ping on teams at anwather @ microsoft dot com. Also I'm in Australia so timezone will be something to think about :)

glsutter commented 1 month ago

Okay, thanks Anthony. I will try that later today. My timezone, ha ha.

glsutter commented 1 month ago

Testing delayed due to project demands. Hoping to get to it today.

glsutter commented 1 month ago

Anthony - Tested with

    "desiredState": {
        "strategy": "full",
        "excludeSubscriptions": true
    },

and EPAC did not delete subscription policy assignments. Seems to work as intended based on my preliminary testing.

Should we just wait on the release that contains this new code?

Thanks

anwather commented 1 month ago

I'll hopefully push out a release this week with another couple of changes we have in flight - will more than likely be version 10.6.3 - but keep an eye out for it.

glsutter commented 3 weeks ago

Anthony – Quick question, I think. Looks like exemptions at subscription scope are still being deleted when excludeSubscriptions flag is true. Can you confirm that flag works only for assignments, not exemptions?

Thanks Geary


anwather commented 3 weeks ago

It removes all subscriptions from the scope for evaluation - I haven't tested with exemptions specifically - I'll have to set up an environment and test the effect...

glsutter commented 3 weeks ago

My early testing showed subscription scope exemptions being deleted with excludeSubscriptions set to true. Not a big issue for us since we want EPAC to manage all exemptions. But I just wanted you to be aware of the behavior.

Geary
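The thread above turns on how EPAC's desiredState block decides which unmanaged objects a plan deletes: strategy "full" versus "ownedOnly" (which ignores everything unmanaged, management-group scope included), literal excludedScopes entries (with "/subscriptions/*" confirmed not to act as a wildcard), and the new excludeSubscriptions flag, which protected subscription-scope assignments but, in glsutter's testing, not subscription-scope exemptions. The following is an added illustration of those rules written for this page; it is not EPAC's planner or any code from the project. The scope ids, object names, PolicyObject type and plan_deletions function are constructed for the example, and the treatment of exemptions under excludedScopes is an assumption the thread does not settle.

```python
from dataclasses import dataclass
from typing import Dict, List

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"


@dataclass(frozen=True)
class PolicyObject:
    kind: str      # "assignment" or "exemption"
    scope: str     # Azure scope id the object lives at
    name: str
    managed: bool  # True when the EPAC Definitions folder declares it


def is_subscription_scope(scope: str) -> bool:
    """True for a subscription or anything beneath one (resource group, resource)."""
    return scope.startswith("/subscriptions/")


def in_excluded_scopes(scope: str, excluded: List[str]) -> bool:
    """excludedScopes entries are literal scope ids, matched as the exact id or a parent.
    "/subscriptions/*" is not a wildcard (confirmed in the thread), so it matches nothing."""
    for ex in excluded:
        ex = ex.rstrip("/")
        if scope == ex or scope.startswith(ex + "/"):
            return True
    return False


def plan_deletions(existing: List[PolicyObject], desired_state: Dict) -> List[PolicyObject]:
    """Unmanaged objects a plan would delete under the given desiredState.
    Model assumptions (not EPAC's code): excludedScopes shields both kinds of object;
    excludeSubscriptions shields subscription-scope assignments only, matching the
    observation in the thread that subscription-scope exemptions were still deleted."""
    strategy = desired_state.get("strategy", "full")
    excluded = desired_state.get("excludedScopes", [])
    exclude_subs = desired_state.get("excludeSubscriptions", False)
    deletions = []
    for obj in existing:
        if obj.managed:
            continue  # owned objects are never pruned
        if strategy == "ownedOnly":
            continue  # ignores every unmanaged object, MG scope included
        if in_excluded_scopes(obj.scope, excluded):
            continue
        if exclude_subs and obj.kind == "assignment" and is_subscription_scope(obj.scope):
            continue
        deletions.append(obj)
    return deletions


def deleted_names(existing: List[PolicyObject], desired_state: Dict) -> set:
    return {o.name for o in plan_deletions(existing, desired_state)}


# Constructed sample tenant: placeholder GUIDs and names, not taken from the issue.
SUB_A = "/subscriptions/00000000-0000-0000-0000-000000000001"
SUB_B = "/subscriptions/00000000-0000-0000-0000-000000000002"
SAMPLE = [
    PolicyObject("assignment", MG_PREFIX + "mg-platform", "mg-managed-assign", True),
    PolicyObject("assignment", MG_PREFIX + "mg-platform", "legacy-mg-assign", False),
    PolicyObject("assignment", SUB_A, "subA-assign", False),
    PolicyObject("assignment", SUB_B, "subB-assign", False),
    PolicyObject("exemption", SUB_A, "subA-exempt", False),
]

if __name__ == "__main__":
    cases = [
        ("full", {"strategy": "full"}),
        ("ownedOnly", {"strategy": "ownedOnly"}),
        ("full + excludedScopes [SUB_A]", {"strategy": "full", "excludedScopes": [SUB_A]}),
        ("full + excludedScopes [/subscriptions/*]", {"strategy": "full", "excludedScopes": ["/subscriptions/*"]}),
        ("full + excludeSubscriptions", {"strategy": "full", "excludeSubscriptions": True}),
    ]
    for label, ds in cases:
        print(f"{label:42s} deletes {sorted(deleted_names(SAMPLE, ds))}")
```

Running the script prints, per desiredState variant, the names the plan would remove; the useful comparison is that "full + excludeSubscriptions" keeps the legacy management-group assignment in the deletion list (which "ownedOnly" does not) while sparing the subscription assignments, and that the wildcard entry changes nothing relative to plain "full".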