Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License
425 stars 234 forks

Excluded Scopes Not Working as Expected #769

Open glsutter opened 4 days ago

glsutter commented 4 days ago

Describe the bug: Reopen https://github.com/Azure/enterprise-azure-policy-as-code/issues/425. Testing with

"excludeSubscriptions": true

is not working as expected. Tried the flag within desiredState and also at other levels in the JSON, and unmanaged subscription assignments were deleted in the plan.

The code in the merge request does not seem to process this flag.

To Reproduce: Add "excludeSubscriptions": true to desiredState. Create an unmanaged policy assignment in a subscription, then examine the policy plan to check whether the assignment will be deleted.

Expected behavior: Unmanaged subscription policy assignments should not be deleted.

EPAC Version: 10.0.0

anwather commented 4 days ago

That flag doesn't appear in the code anywhere. You can use excludedScopes. I have tested in 10.6 by deploying an assignment to a subscription and using desired settings as below.

"desiredState": {
    "strategy": "full",
    "keepDfcSecurityAssignments": true,
    "excludedScopes": [
        "/subscriptions/01e2f327-74ac-451e-8ad9-1f923a06d634"
    ]
}

The output from the plan was as follows:

Output plan(s); if any, will be written to the following file(s):
    Skipping Policy deployment stage/step - no changes
    Skipping Role Assignment stage/step - no changes

glsutter commented 3 days ago

Yes, that works, but we would like to exclude ALL subscriptions. And we have hundreds of subscriptions, the list is changing frequently. Originally, we tried:

"excludedScopes": [
    "/subscriptions/*" // Ignore all subscription level policies
]

But that doesn't seem to work. (Confirmed by Heinrich.)

We're looking for a way for EPAC to manage at-scale policies at MG level without affecting any policies defined/assigned at subscription level. (ANY subscription.) I think that was the idea behind the "excludeSubscriptions" boolean but it never was implemented.

anwather commented 3 days ago

Ok - could you just set the desiredState to ownedOnly?

glsutter commented 3 days ago

Sure, that was our workaround. But that won't remove old policies and assignments we have at MG scope. It ignores EVERYTHING that's unmanaged, not just what's at subscription scope. Not really the same thing.

anwather commented 3 days ago

No problems, will look at implementing as Heinrich suggested.

anwather commented 3 days ago

Can you please test the code in the branch feature/aw/issue769 and see if this resolves the issue? You can now add excludeSubscriptions: true to global-settings.jsonc.
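
The thread compares four desiredState settings: an explicit excludedScopes entry, the "/subscriptions/*" wildcard attempt, strategy ownedOnly, and the proposed excludeSubscriptions flag. The script below is an added illustration written for this page, not EPAC's own code or a description of how Build-DeploymentPlans.ps1 is implemented. It models the plan decision as a simple filter over a constructed list of assignments so the differences are visible side by side. The function names, the assumption that excludedScopes entries are matched as literal scope prefixes (no wildcard expansion), and the sample assignment names, subscription ids and management group names are all assumptions made for the example.

```powershell
# Added illustration, not EPAC's own code: a simplified model of how a
# desiredState block decides which unmanaged assignments a plan would delete.
# Function names, the matching rules (literal scope prefixes, no '*' wildcard)
# and the sample assignments are assumptions made for this example.

function Test-ScopeIsSubscription {
    param([Parameter(Mandatory)][string] $Scope)
    # Subscription-level scopes are "/subscriptions/<guid>" or anything beneath one;
    # management group scopes live under "/providers/Microsoft.Management/".
    return ($Scope -match '^/subscriptions/[0-9a-fA-F-]{36}(/|$)')
}

function Get-UnmanagedAssignmentsToDelete {
    param(
        [Parameter(Mandatory)][hashtable] $DesiredState,
        [Parameter(Mandatory)][object[]]  $ExistingAssignments   # objects with Name, Scope, Managed
    )
    $strategy       = $DesiredState['strategy']
    $excludedScopes = @($DesiredState['excludedScopes'] | Where-Object { $_ })
    $excludeSubs    = [bool]$DesiredState['excludeSubscriptions']

    $toDelete = [System.Collections.Generic.List[object]]::new()
    foreach ($a in $ExistingAssignments) {
        if ($a.Managed)                { continue }   # owned by EPAC, never an orphan
        if ($strategy -eq 'ownedOnly') { continue }   # leave everything unmanaged alone
        if ($excludeSubs -and (Test-ScopeIsSubscription $a.Scope)) { continue }
        # excludedScopes entries are compared as literal scope prefixes, so
        # "/subscriptions/*" never matches a real "/subscriptions/<guid>" scope.
        $isExcluded = $false
        foreach ($s in $excludedScopes) {
            if ($a.Scope -eq $s -or $a.Scope.StartsWith("$s/")) { $isExcluded = $true; break }
        }
        if (-not $isExcluded) { $toDelete.Add($a) }
    }
    return ,$toDelete.ToArray()
}

# Constructed sample: two unmanaged subscription-level assignments, one unmanaged
# management-group assignment and one assignment that EPAC itself owns.
$sample = @(
    [pscustomobject]@{ Name = 'legacy-tagging';  Scope = '/subscriptions/00000000-0000-0000-0000-000000000001'; Managed = $false },
    [pscustomobject]@{ Name = 'dev-sandbox';     Scope = '/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg1'; Managed = $false },
    [pscustomobject]@{ Name = 'old-mg-baseline'; Scope = '/providers/Microsoft.Management/managementGroups/platform'; Managed = $false },
    [pscustomobject]@{ Name = 'epac-baseline';   Scope = '/providers/Microsoft.Management/managementGroups/root'; Managed = $true }
)

# The four desiredState variants discussed in the thread, as hashtables.
$cases = [ordered]@{
    'full, one explicit excludedScope' = @{ strategy = 'full'; excludedScopes = @('/subscriptions/00000000-0000-0000-0000-000000000001') }
    'full, wildcard attempt'           = @{ strategy = 'full'; excludedScopes = @('/subscriptions/*') }
    'ownedOnly'                        = @{ strategy = 'ownedOnly' }
    'full, excludeSubscriptions'       = @{ strategy = 'full'; excludeSubscriptions = $true }
}

foreach ($c in $cases.GetEnumerator()) {
    $names = (Get-UnmanagedAssignmentsToDelete -DesiredState $c.Value -ExistingAssignments $sample).Name -join ', '
    "{0,-34} -> delete: {1}" -f $c.Key, $(if ($names) { $names } else { '(none)' })
}
```

Running it with pwsh prints one line per variant. Under this model the explicit excludedScopes entry protects only the one listed subscription, the wildcard entry protects nothing because it is never matched, ownedOnly protects every unmanaged assignment including the stale management-group one, and excludeSubscriptions protects all subscription-level assignments while still flagging the unmanaged management-group assignment for deletion, which is the behaviour the thread is asking for. Whether EPAC's real scope matching treats "/subscriptions/*" as a literal is an assumption here; the thread only records that the wildcard did not work.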

glsutter commented 2 days ago

Hi, Anthony. We have the EPAC code in a GitLab monorepo, not GitHub. I really can't test a single branch very easily. And we're back on v10.0.0. There are probably other changes needed that were made after that release.

I tried to identify what scripts had changed and updated our repo. But that didn't seem to work. I updated in our monorepo:
  Scripts/Helpers/RestMethods/Get-AzManagementGroupRestMethod.ps1
  Scripts/Helpers/Build-ScopeTableForDeploymentRootScope.ps1
  Scripts/Helpers/Build-ScopeTableForManagementGroup.ps1
  Scripts/Helpers/Get-GlobalSettings.ps1

I'm attaching the -Verbose output of Build-DeploymentPlans.ps1. It shows some errors and unexpected changes. Looks like there's something I'm missing. Do I need to upgrade to the latest release, then apply the changes in feature/aw/issue769?

glsutter commented 2 days ago

The output may have some sensitive information. I need to send it to you securely. Or we can look at it in a Teams meeting.

glsutter commented 2 days ago

By the way, how can I identify the version I'm running if I'm using the main branch?

anwather commented 2 days ago

If you are using the main branch of this project, it is the latest one. The branch I have created for you to test is based off that (currently v10.6.2). The easiest way for you to test this is:

  1. Clone the project locally and switch to my branch
  2. Add your Definitions folder into the local project (from your current running configuration)
  3. Run scripts\deploy\Build-DeploymentPlans.ps1 as you would do in your pipeline (you can just run locally connected to Azure with your own credential; you need to have Reader over the management group)
  4. Check the build plan to see if the subscriptions are ignored.

You can email me or ping me on Teams at anwather @ microsoft dot com. Also, I'm in Australia, so the timezone will be something to think about :)

glsutter commented 1 day ago

Okay, thanks Anthony. I will try that later today. My timezone, ha ha.