Closed precog90 closed 1 month ago
Created the custom initiative check for Azure Policy in GR5 to check for the allowed locations initiative. Tested the feature in an Azure dev tenant with successful results.
The allowed location policy checks for parameters in standalone policies to retrieve allowed locations and update the resource compliance. However, the custom initiatives don't have any parameters for allowed locations and rely on the policies within them.
After thorough research in the Azure PowerShell docs and troubleshooting, it became clear that it is programmatically impossible to retrieve the policies inside an initiative to check their allowed location parameters.
1) We can assume that the "Allowed Locations" initiatives will have allowed location policies attached to them, and we can rely on our code checking the standalone policies that are part of the initiative for allowed locations. This approach is based on the single assumption that our initiatives will have allowed location policies attached to them.
2) We can change our solution to allow custom initiatives to be created with the same allowed location parameters as the standalone policies have. This approach requires a bit of work to be done but is a better alternative.
The decision was to proceed with alternative 2.
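The check that alternative 2 makes possible, as an added example that is not the GR5/CaC module's own code: once a custom initiative exposes the same allowed-locations parameter as the standalone policy, one lookup on the assignment serves both, and an initiative assignment without that parameter is reported exactly as the client saw it. Assumed here: the built-in parameter name `listOfAllowedLocations`, an object shape similar to what `Get-AzPolicyAssignment` has returned (`Properties.PolicyDefinitionId`, `Properties.Parameters`), and "compliant" meaning every allowed location lies inside the approved set.

```powershell
# Added example (not the CaC/GR5 module's own code). Assumes the parameter name
# 'listOfAllowedLocations' used by Azure's built-in Allowed locations policy, an object
# shape like Get-AzPolicyAssignment's (Properties.PolicyDefinitionId, Properties.Parameters),
# and that "compliant" means every allowed location is inside the approved set.
function Test-AllowedLocationsAssignment {
    param(
        [Parameter(Mandatory)] $Assignment,                     # one policy or initiative assignment
        [Parameter(Mandatory)] [string[]] $ApprovedLocations    # e.g. the Canadian regions
    )
    $isInitiative = $Assignment.Properties.PolicyDefinitionId -match '/policySetDefinitions/'
    $kind = if ($isInitiative) { 'Initiative' } else { 'Policy' }

    # Alternative 2: a custom initiative carries the same parameter as the standalone
    # policy, so one lookup serves both. An initiative without it is the client's case.
    $param = $Assignment.Properties.Parameters.listOfAllowedLocations
    if ($null -eq $param -or -not $param.value) {
        return [pscustomobject]@{ Assignment = $Assignment.Name; Kind = $kind; Compliant = $false
                                  Reason = 'assignment exposes no listOfAllowedLocations parameter' }
    }
    $approved = $ApprovedLocations | ForEach-Object { $_.ToLower() }
    $outside  = @($param.value | ForEach-Object { $_.ToLower() } | Where-Object { $_ -notin $approved })
    [pscustomobject]@{
        Assignment = $Assignment.Name; Kind = $kind; Compliant = ($outside.Count -eq 0)
        Reason     = if ($outside.Count) { "allows locations outside approved set: $($outside -join ',')" } else { 'ok' }
    }
}

# Constructed sample assignments (not real tenant data); ids and names are placeholders.
$scope  = '/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization'
$sample = @(
    [pscustomobject]@{ Name = 'policy-allowed-locations'; Properties = [pscustomobject]@{
        PolicyDefinitionId = "$scope/policyDefinitions/example-allowed-locations"
        Parameters = [pscustomobject]@{ listOfAllowedLocations = [pscustomobject]@{ value = @('canada','canadacentral','canadaeast') } } } }
    [pscustomobject]@{ Name = 'initiative-before-fix'; Properties = [pscustomobject]@{
        PolicyDefinitionId = "$scope/policySetDefinitions/example-initiative"
        Parameters = [pscustomobject]@{} } }                        # no parameter: reported non-compliant
    [pscustomobject]@{ Name = 'initiative-after-fix'; Properties = [pscustomobject]@{
        PolicyDefinitionId = "$scope/policySetDefinitions/example-initiative-v2"
        Parameters = [pscustomobject]@{ listOfAllowedLocations = [pscustomobject]@{ value = @('canadacentral','eastus') } } } }
)
$sample | ForEach-Object { Test-AllowedLocationsAssignment -Assignment $_ -ApprovedLocations 'canada','canadacentral','canadaeast' } |
    Format-Table Assignment, Kind, Compliant, Reason -AutoSize
```

The third sample shows the other failure mode the parameter makes detectable: an initiative that does carry the parameter but permits a region outside the approved set.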
One of our clients installed the Azure CaC solution, and was reporting "Allowed Locations" under GR5 as non-compliant for all their subscriptions and management groups.
They had referenced and assigned "Allowed Locations" as part of an initiative (policySet).
The issue was not fixed until "Allowed Locations" was applied as a standalone policy instead of an initiative.
If "Allowed Locations" is part of an initiative with locations "canada,canadacentral,canadaeast", and that initiative is applied across management groups, the results show "Allowed Locations" on the respective subscriptions and management groups as compliant.