Closed lassehastrup closed 3 weeks ago
@JulianHayward , I've made this PR that I hope we can merge. Let me know if you see any issues, or we should discuss this solution together. We currently have failing pipelines, due to missing permissions for the subscriptions that are retrieved, even though we have specified the management Group Id. This PR will solve this issue.
@lassehastrup
I am a bit confused :)
Let me try to recap what you want to achieve: You want to only process the subscriptions that are direct child of the given managementGroupId?
If you granted permissions as per the setup guide, then all subscriptions in scope of the given managementGroupId should be accessible - no? Can you share the errors, please?
Please take a look at the contribution guide, too.
Happy to discuss - ping me on LinkedIn
Sorry, let me try to clear up the confusion :)
We are running this codebase towards a tenant where our Service Connection has read access on tenant root level. However, we would only like to process any subscriptions that reside within a given management group (with children).
As we manage all of the subscriptions within the desired management group, we can determine which Resource Providers are registered on these subscriptions programmatically. The reason for this PR is that we attempt to retrieve Security data from subscriptions that are outside of the scope of the Management Group we specify in the parameter file. This will generate this error: 'Please register to Microsoft.Security in order to view your security status'. However, we don't have any write permissions to this subscription, as it is located outside of the hierarchy from the management group we have specified in the parameter (ManagementGroupID), and therefore we cannot add resource providers.
The implementation I have requested to merge will only take the subscriptions within the management group specified in the parameter file, and even though the service connection/App registration has more permissions, it will only retrieve and process data for any subscriptions that are located inside of the management group (it includes children as well, i.e. MG-Desired Management Group -> MG-LandingZones -> MG-Corp -> Subscription 1).
If you however still want all subscriptions that the service connection has access to, the management group ID parameter should not be specified.
I hope this clears things up, otherwise I'm happy to do a call :)
let's go for a call :)
@JulianHayward, how can I reach you?
ping me on LinkedIn
@JulianHayward , found the issue to be elsewhere, and therefore this PR is closed.
We have seen an issue where AzGovViz attempts to retrieve information (e.g. costManagement) on subscriptions that are out of scope according to the specified ManagementGroupId.
This pull request will change how subscriptions are retrieved, and take the management group into consideration.
Retrieve all subscriptions from the 'Subscriptions API', as this API has all the properties for the objects that we need.
Check if we have specified the management group Id in the parameter file; if so, we use the 'descendants' REST API, as this will allow us to only retrieve the subscriptions that have a relation to this management group.
We filter the subscriptions from the Subscriptions API against the Management Group descendants API to ensure we only have the 'relevant' subscriptions. We do this because the Subscriptions API has more attributes for the subscriptions, which we require to process them further in the script (e.g. TenantId, ManagedBy, QuotaId).
If no ManagementGroupId is specified, the subscriptions retrieved from the 'Subscriptions'
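The scoping procedure in the description above (Subscriptions API list, descendants list when a ManagementGroupId is given, intersection of the two), written out as an added example for this review. It is not code from AzGovViz or from the PR; the function names, the api-version values on the REST URIs, and the sample objects are assumptions or constructed data that stand in for the two API responses, so the intersection step can be run offline.

```powershell
# Added example (not AzGovViz or PR code). REST URIs/api-versions and sample data are assumptions.

function Invoke-ArmListPaged {
    # Follow ARM 'nextLink' paging and return the concatenated 'value' items of a list call.
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $AccessToken
    )
    $items = @()
    $next = $Uri
    while ($next) {
        $page = Invoke-RestMethod -Method Get -Uri $next -Headers @{ Authorization = "Bearer $AccessToken" }
        $items += $page.value
        $next = $page.nextLink
    }
    return $items
}

function Select-SubscriptionsInScope {
    # Keep only the Subscriptions API objects (which carry tenantId, managedByTenants, quotaId, ...)
    # whose subscriptionId also appears as a '/subscriptions' descendant of the management group.
    param(
        [Parameter(Mandatory)] [object[]] $Subscriptions,   # 'value' array of GET /subscriptions
        [object[]] $Descendants                               # 'value' array of GET .../descendants; empty = no MG given
    )

    # No ManagementGroupId specified: everything the identity can see stays in scope.
    if (-not $Descendants) {
        return $Subscriptions
    }

    # The descendants API lists child management groups and subscriptions; subscription
    # entries have type '/subscriptions' and 'name' equal to the subscriptionId.
    $inScopeIds = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($d in $Descendants) {
        if ($d.type -eq '/subscriptions') {
            [void] $inScopeIds.Add($d.name)
        }
    }

    $found = @($Subscriptions | Where-Object { $inScopeIds.Contains($_.subscriptionId) })

    # Edge case: a subscription under the management group that the identity cannot read
    # is silently absent from the Subscriptions API result; surface it instead of hiding it.
    foreach ($id in $inScopeIds) {
        if (-not ($found.subscriptionId -contains $id)) {
            Write-Warning "Subscription $id is under the management group but not returned by the Subscriptions API"
        }
    }
    return $found
}

function Get-ScopedSubscriptions {
    # Live variant (assumed URIs/api-versions): ManagementGroupId is optional, as in the PR description.
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [string] $ManagementGroupId
    )
    $subs = Invoke-ArmListPaged -AccessToken $AccessToken `
        -Uri 'https://management.azure.com/subscriptions?api-version=2020-01-01'
    $descendants = $null
    if ($ManagementGroupId) {
        $descendants = Invoke-ArmListPaged -AccessToken $AccessToken `
            -Uri "https://management.azure.com/providers/Microsoft.Management/managementGroups/$ManagementGroupId/descendants?api-version=2020-05-01"
    }
    return Select-SubscriptionsInScope -Subscriptions $subs -Descendants $descendants
}

# ---- Constructed sample data standing in for the two API responses ----
# 'Subscription 1' sits under MG-Desired -> MG-LandingZones -> MG-Corp; 'Subscription X' is visible
# only because the identity has read access at tenant root and is outside the management group.
$sampleSubscriptions = @(
    [pscustomobject]@{ subscriptionId = '11111111-1111-1111-1111-111111111111'; displayName = 'Subscription 1'; tenantId = 'tenant-a'; state = 'Enabled'; subscriptionPolicies = @{ quotaId = 'EnterpriseAgreement_2014-09-01' }; managedByTenants = @() }
    [pscustomobject]@{ subscriptionId = '99999999-9999-9999-9999-999999999999'; displayName = 'Subscription X'; tenantId = 'tenant-a'; state = 'Enabled'; subscriptionPolicies = @{ quotaId = 'PayAsYouGo_2014-09-01' }; managedByTenants = @() }
)
$sampleDescendants = @(
    [pscustomobject]@{ name = 'MG-LandingZones'; type = 'Microsoft.Management/managementGroups'; properties = @{ displayName = 'MG-LandingZones'; parent = @{ id = '/providers/Microsoft.Management/managementGroups/MG-Desired' } } }
    [pscustomobject]@{ name = 'MG-Corp'; type = 'Microsoft.Management/managementGroups'; properties = @{ displayName = 'MG-Corp'; parent = @{ id = '/providers/Microsoft.Management/managementGroups/MG-LandingZones' } } }
    [pscustomobject]@{ name = '11111111-1111-1111-1111-111111111111'; type = '/subscriptions'; properties = @{ displayName = 'Subscription 1'; parent = @{ id = '/providers/Microsoft.Management/managementGroups/MG-Corp' } } }
)

# With a management group: only 'Subscription 1' survives the intersection.
$scoped = Select-SubscriptionsInScope -Subscriptions $sampleSubscriptions -Descendants $sampleDescendants
"With ManagementGroupId: $($scoped.displayName -join ', ')"

# Without a management group: every subscription the identity can read is processed.
$all = Select-SubscriptionsInScope -Subscriptions $sampleSubscriptions
"Without ManagementGroupId: $($all.displayName -join ', ')"
```

The intersection is done on subscriptionId rather than on display name so that the rich Subscriptions API object is what flows on to the rest of the script, while the descendants list only decides membership. The warning branch covers the reverse mismatch: a subscription that is a descendant of the management group but that the service connection cannot read would otherwise disappear without a trace.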