Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License

New-AzRemediationTasks fails when the -WhatIf option is used #817

Open edr-vlk opened 2 weeks ago

edr-vlk commented 2 weeks ago

Describe the bug: The cmdlet New-AzRemediationTasks fails when the -WhatIf option is used.

To Reproduce: I tried to execute the following statement in pwsh:

New-AzRemediationTasks -PacEnvironmentSelector ${pacEnvironmentSelector} -DefinitionsRootFolder $PAC_DEFINITIONS_FOLDER -OnlyCheckManagedAssignments -PolicyDefinitionFilter $PolicyDefinition -WhatIf

Expected behavior: As described in the documentation, but not failing the request.

Output

Retrieve Policy Compliance List

Az Graph Query: 'policyresources | where type == "microsoft.policyinsights/policystates" and properties.complianceState == "NonCompliant" and (properties.policyDefinitionAction == "deployifnotexists" or properties.policyDefinitionAction == "modify")'
What if: Performing the operation "POST" on target "/providers/Microsoft.ResourceGraph/resources?api-version=2022-10-01".
Invoke-AzRestMethod: C:\Program Files\PowerShell\Modules\EnterprisePolicyAsCode\10.7.1\internal\functions\Search-AzGraphAllItems.ps1:33
Line |
  33 |  $response = Invoke-AzRestMethod -Method POST `
     |  ~~~~~~~~~~
     | Object reference not set to an instance of an object.
Write-Error: C:\Program Files\PowerShell\Modules\EnterprisePolicyAsCode\10.7.1\internal\functions\Find-AzNonCompliantResources.ps1:63
Line |
  63 |  … lt = @() + (Search-AzGraphAllItems -Query $query -ProgressItemName "P …
     |  ~~~~~~~~~~~~~
     | Search-AzGraph REST error for '' --

EPAC Version (version of EPAC module you are using): 10.7.1

apybar commented 2 days ago

So looks like the WhatIf flag will prevent a POST from taking place - this is going to take rework to somehow not run the "WhatIf" until the end of the script. Either that or it may not be possible altogether.

I'll work with some of the internal team and discuss and comment when I have a solution.

apybar commented 5 hours ago

Will change the flag to something else and will behave as originally intended in which it will output to the CLI the remediation tasks that would take place if you were to run it without the flag.

Will link the release to this ticket and close it once it's been released.
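
The failure discussed in this thread, where `-WhatIf` on the outer command also suppresses the read-only query it depends on, reproduced offline as an added PowerShell example (not EPAC code, and not the fix the maintainers chose). `Invoke-DemoRest`, `New-DemoRemediation` and `-AllowReadUnderWhatIf` are hypothetical names, and the response body is constructed.

```powershell
# Hypothetical stand-in for a REST helper that supports ShouldProcess.
function Invoke-DemoRest {
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $Method, [string] $Path)
    if ($PSCmdlet.ShouldProcess($Path, $Method)) {
        # Constructed response; a real helper would call the service here.
        return [pscustomobject]@{
            StatusCode = 200
            Content    = '{"data":[{"id":"res-1"},{"id":"res-2"}]}'
        }
    }
    # Under WhatIf nothing is returned, so the caller receives $null.
}

# Hypothetical outer command: one read-only query, then state-changing calls.
function New-DemoRemediation {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $AllowReadUnderWhatIf)

    # -WhatIf sets $WhatIfPreference in this scope, and nested commands that
    # support ShouldProcess inherit it unless they are passed -WhatIf:$false.
    $readArgs = @{ Method = 'POST'; Path = '/demo/query' }
    if ($AllowReadUnderWhatIf) { $readArgs['WhatIf'] = $false }
    $response = Invoke-DemoRest @readArgs

    # Check the result before dereferencing it; the query may have been skipped.
    if ($null -eq $response) {
        Write-Warning 'Query was suppressed by WhatIf; no plan can be produced.'
        return
    }

    foreach ($item in ($response.Content | ConvertFrom-Json).data) {
        # Only the state-changing step is gated by ShouldProcess.
        if ($PSCmdlet.ShouldProcess($item.id, 'Create remediation task')) {
            Invoke-DemoRest -Method PUT -Path "/demo/remediations/$($item.id)" | Out-Null
            "created:$($item.id)"
        }
    }
}

# Failure mode: the inherited preference skips the read-only query as well.
New-DemoRemediation -WhatIf
# Dry run with the query exempted: the planned writes are reported, not executed.
New-DemoRemediation -WhatIf -AllowReadUnderWhatIf
# Normal run: the query and the writes both execute.
New-DemoRemediation -AllowReadUnderWhatIf
```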