Azure / manage-azure-policy

GitHub Action to manage Azure policy from GitHub workflows
MIT License
55 stars 26 forks

Unsure of method to un-assign initiative/policy #82

Open farroar opened 2 years ago

farroar commented 2 years ago

What process is recommended / intended to un-assign a policy?

Removal of the assign.*.json file from the repo results in no error and no change via the GitHub Action.

Removal of the scope entry in the assignment JSON results in notification of successful update with "Assignment updated successfully" via GitHub Action but no change to the actual assignment. Currently, it appears that the only way to remove an assignment is via a direct API call or portal.

tauhid621 commented 2 years ago

@farroar The action does not support a method to un-assign a policy. Removal of the scope entry leads to a call to Azure which sends back a success response but does not remove the scope.

As of now an assignment can only be removed via portal or an api call.

farroar commented 2 years ago

Could this be turned into a feature request? Is this connector being actively developed?

github-actions[bot] commented 2 years ago

This issue is idle because it has been open for 14 days with no activity.

s4parke commented 2 years ago

Re: @farroar:

Could this be turned into a feature request? Is this connector being actively developed?

The following sequence of operations is described in /lib/azure/forceUpdateHelper.js, in case it helps to formulate a new feature request Issue for a "force update" option with the desired effect.

/* APPROACH
1. Get all assignments and definition from Azure. We will need it in case we need to revert later.
2. For all definitions, check if their assignments are present in the code. If all assignments are not present in code we will abandon force update.
3. Create duplicate definitions and assignments.
4. Delete original assignments and definitions from Azure.
5. Create definitions and assignments from code. In case of any failure we will revert back to original definitions and assignments.
6. Delete duplicate assignments and definitions.
*/
function handleForceUpdate(definitionRequests, policyResponses, assignmentRequests, policyResults) {

Currently, the force update stops at Step 2 if there are Assignments in AZ that are not present in the code.

An enhancement might be to have a nuclear option which deletes all the Assignments, Initiatives, and Definitions in AZ before the deploy... possibly with a scope argument to limit the blast radius.
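The following is an added example, not code from Azure/manage-azure-policy or from the commenters above. It models the step 2 check from the quoted APPROACH block ("are all Azure assignments present in code?") as a dry-run plan and adds the scope argument suggested for limiting the blast radius, so that the assignments left behind after an assign.*.json file is deleted are at least reported before anything is removed. All data is constructed; only the resource ID layout follows Azure conventions, and the function names and the `deleteOrphans` option are this example's own.

```javascript
// Added example; not code from Azure/manage-azure-policy. It reproduces the
// step 2 check ("are all Azure assignments present in code?") as a dry-run plan
// and restricts any proposed deletion to a caller-supplied scope.
// All data below is constructed; only the resource ID layout follows Azure conventions.

// Constructed: policy assignments as listed from Azure.
const AZURE_ASSIGNMENTS = [
  {
    id: '/subscriptions/sub-1/providers/Microsoft.Authorization/policyAssignments/require-tags',
    properties: { scope: '/subscriptions/sub-1' },
  },
  {
    id: '/subscriptions/sub-1/resourceGroups/rg-prod/providers/Microsoft.Authorization/policyAssignments/deny-public-ip',
    properties: { scope: '/subscriptions/sub-1/resourceGroups/rg-prod' },
  },
  {
    // Still assigned in Azure, but its assign.*.json was deleted from the repo.
    id: '/subscriptions/sub-1/resourceGroups/rg-dev/providers/Microsoft.Authorization/policyAssignments/deny-public-ip',
    properties: { scope: '/subscriptions/sub-1/resourceGroups/rg-dev' },
  },
];

// Constructed: the assignments that still exist as assign.*.json files in the repo.
const CODE_ASSIGNMENTS = AZURE_ASSIGNMENTS.slice(0, 2);

// Azure resource IDs are case-insensitive; compare them normalized.
const norm = (s) => s.toLowerCase().replace(/\/+$/, '');

// True when resourceId is the scope itself or lies beneath it. The trailing '/'
// prevents '/subscriptions/sub-1' from matching '/subscriptions/sub-10'.
function isWithinScope(resourceId, scope) {
  const id = norm(resourceId);
  const s = norm(scope);
  return id === s || id.startsWith(s + '/');
}

// Assignments that exist in Azure but have no counterpart in the repo (step 2).
function assignmentsMissingFromCode(azure, code) {
  const inCode = new Set(code.map((a) => norm(a.id)));
  return azure.filter((a) => !inCode.has(norm(a.id)));
}

// Dry-run plan. Without deleteOrphans it behaves like the current action and
// abandons the force update when orphans exist; with deleteOrphans it lists the
// orphaned assignment IDs that would be removed, restricted to `scope` if given.
// Nothing here calls Azure; the returned plan is for review before any deletion.
function planForceUpdate(azure, code, { scope, deleteOrphans = false } = {}) {
  const orphaned = assignmentsMissingFromCode(azure, code)
    .filter((a) => scope === undefined || isWithinScope(a.properties.scope, scope))
    .map((a) => a.id);
  const abort = orphaned.length > 0 && !deleteOrphans;
  return { abort, orphaned, toDelete: abort ? [] : orphaned };
}

// Stand-alone run: show the default (abort) behaviour and a scope-limited plan.
console.log(JSON.stringify(planForceUpdate(AZURE_ASSIGNMENTS, CODE_ASSIGNMENTS), null, 2));
console.log(JSON.stringify(planForceUpdate(AZURE_ASSIGNMENTS, CODE_ASSIGNMENTS,
  { deleteOrphans: true, scope: '/subscriptions/sub-1/resourceGroups/rg-dev' }), null, 2));
```

The plan separates "what is orphaned" from "what would be deleted", so a workflow can fail the run on the first list (the current step 2 behaviour) or, with the opt-in flag and a narrow scope, produce a reviewable deletion list instead of silently reporting "Assignment updated successfully".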

github-actions[bot] commented 1 year ago

This issue is idle because it has been open for 14 days with no activity.