Open farroar opened 2 years ago
@farroar The action does not support a method to un-assign a policy. Removal of the scope entry leads to a call to Azure, which sends back a success response but does not remove the scope.
As of now an assignment can only be removed via the portal or an API call.
Could this be turned into a feature request? Is this connector being actively developed?
This issue is idle because it has been open for 14 days with no activity.
Re: @farroar:
Could this be turned into a feature request? Is this connector being actively developed?
The following sequence of operations is described in /lib/azure/forceUpdateHelper.js, in case it helps to formulate a new feature request Issue for a "force update" option with the desired effect.
/* APPROACH
1. Get all assignments and definition from Azure. We will need it in case we need to revert later.
2. For all definitions, check if their assignments are present in the code. If all assignments are not present in code we will abandon force update.
3. Create duplicate definitions and assignments.
4. Delete original assignments and definitions from Azure.
5. Create definitions and assignments from code. In case of any failure we will revert back to original definitions and assignments.
6. Delete duplicate assignments and definitions.
*/
function handleForceUpdate(definitionRequests, policyResponses, assignmentRequests, policyResults) {
Currently, the force update stops at Step 2 if there are Assignments in AZ that are not present in the code.
An enhancement might be to have a nuclear option which deletes all the Assignments, Initiatives, and Definitions in AZ before the deploy... possibly with a scope argument to limit the blast radius.
What process is recommended / intended to un-assign a policy?
Removal of the assign.*.json file from the repo results in no error and no change via the GitHub Action.
Removal of the scope entry in the assignment JSON results in notification of successful update with "Assignment updated successfully" via GitHub Action but no change to the actual assignment. Currently, it appears that the only way to remove an assignment is via a direct API call or portal.
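A drift check for the situation described in this thread, as an added example that is not part of the original thread or the action's own code: it lists assignments that exist in Azure but not in the repo, and groups them by definition the way step 2 of the APPROACH comment would block a force update. The object shape, function names and all sample values are assumptions constructed for illustration.

```javascript
// Added example (not from the action's code base). All sample data is constructed;
// the object shape is assumed to follow the Azure policy assignment resource format.

// Azure resource IDs compare case-insensitively, so normalise before matching.
const norm = (id) => id.toLowerCase().replace(/\/+$/, "");

// Assignments present in Azure with no matching assignment in the repo.
function findOrphanedAssignments(azureAssignments, repoAssignments) {
  const inCode = new Set(repoAssignments.map((a) => norm(a.id)));
  return azureAssignments.filter((a) => !inCode.has(norm(a.id)));
}

// Mirrors step 2 of the APPROACH comment: a definition with any assignment
// missing from code is one for which the force update would be abandoned.
function blockedDefinitions(azureAssignments, repoAssignments) {
  const blocked = new Map();
  for (const a of findOrphanedAssignments(azureAssignments, repoAssignments)) {
    const def = norm(a.properties.policyDefinitionId);
    if (!blocked.has(def)) blocked.set(def, []);
    blocked.get(def).push(a.id);
  }
  return blocked;
}

// Constructed sample state (placeholder subscription and names).
const SUB = "/subscriptions/00000000-0000-0000-0000-000000000000";
const DEF = `${SUB}/providers/Microsoft.Authorization/policyDefinitions/example-def`;
const assignment = (scope, name) => ({
  id: `${scope}/providers/Microsoft.Authorization/policyAssignments/${name}`,
  name,
  properties: { scope, policyDefinitionId: DEF },
});
const azureState = [
  assignment(`${SUB}/resourceGroups/rg-a`, "assign-a"),
  assignment(`${SUB}/resourceGroups/rg-b`, "assign-b"), // its file was deleted from the repo
];
const repoState = [assignment(`${SUB}/resourceGroups/RG-A`, "assign-a")]; // casing differs

for (const a of findOrphanedAssignments(azureState, repoState)) {
  console.log(`in Azure, not in code: ${a.id}`);
}
```

Run against the real assignment list and the parsed assignment files from the repo, the output is the set of assignments that would still need removal via the portal or an API call.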