NOTSCOPES are not applying through EPAC #766
Comments
You are many versions behind current and there have been a lot of bug fixes - I would suggest upgrading to the latest version. You will need to upgrade your
Can you check with Jeremiah who is not working on the new version either? There should be some internal chatter about that as well.
Let me retest with the child structure you have above and see if I can work it out
We tested with templates given by our MS partner. This is a version issue. We will upgrade to the latest.
Describe the bug
NOTSCOPES are not applied in Azure as they are expected to.
This happens with any assignment and any definition that I am using.
I am also unable to export, using the "Export-AzPolicyResources" command, the exclusions that I created manually while testing.
There are internal discussions that this may not work on v10 as well.
This is the assignment file code with specific environment identifiers removed.
{
  "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-assignment-schema.json",
  "nodeName": "/azure-root/",
  "children": [
    {
      "nodeName": "Restricted-Services/",
      "children": [
        {
          "nodeName": "restrict-services",
          "assignment": {
            "name": "restrict-services",
            "displayName": "restrict-services",
            "description": "This policy prevents the creation of a technology or resource that is centralized within Azure. An exception must be approved by if this resource is needed."
          },
          "definitionEntry": {
            "policyName": "restrict-services",
            "description": "This policy prevents the creation of a technology or resource that is centralized within Azure. An exception must be approved by if this resource is needed."
          },
          "nonComplianceMessages": [
            {
              "message": "An attempt has been made to create an Azure service. If this resource is needed, please consult documentation for an exception."
            }
          ],
          "scope": {
            "mg-dev": [
              "/providers/Microsoft.Management/managementGroups/mg-name-dev"
            ],
            "mg-prod": [
              "/providers/Microsoft.Management/managementGroups/mg-name-prod"
            ]
          },
          "notScopes": {
            "mg-prod": [
              "/subscriptions/[subscription 1 GUID]",
              "/subscriptions/[subscription 2 GUID]",
              "/subscriptions/[subscription 3 GUID]",
              "/providers/Microsoft.Management/managementGroups/[MG 1 Name]",
              "/providers/Microsoft.Management/managementGroups/[MG 2 Name]"
            ]
          }
        }
      ]
    }
  ]
}
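A pre-deployment check that reads an assignment file like the one above and reports, per pacSelector, which exclusions would be declared and which assigned scopes carry no exclusions at all. This is an added example, not EPAC's own code or anything the EPAC project ships: it assumes that "scope" and "notScopes" are dictionaries keyed by pacSelector and that child nodes inherit and extend their ancestors' entries, and the sample file, GUIDs and management group names embedded in it are constructed placeholders. It also surfaces the kind of JSON syntax error (an unterminated string) that would otherwise keep the whole file from loading.

```python
import json
import re

# Constructed sample modelled on the issue's assignment file; GUIDs and
# management group names are made-up placeholders, and one deliberately
# malformed entry is included to show what the check reports.
SAMPLE_FILE = """
{
  "nodeName": "/azure-root/",
  "children": [
    {
      "nodeName": "Restricted-Services/",
      "children": [
        {
          "nodeName": "restrict-services",
          "assignment": {"name": "restrict-services", "displayName": "restrict-services"},
          "definitionEntry": {"policyName": "restrict-services"},
          "scope": {
            "mg-dev": ["/providers/Microsoft.Management/managementGroups/mg-name-dev"],
            "mg-prod": ["/providers/Microsoft.Management/managementGroups/mg-name-prod"]
          },
          "notScopes": {
            "mg-prod": [
              "/subscriptions/00000000-0000-0000-0000-000000000001",
              "/subscriptions/00000000-0000-0000-0000-000000000002",
              "/providers/Microsoft.Management/managementGroups/mg-excluded-1",
              "not-a-resource-id"
            ]
          }
        }
      ]
    }
  ]
}
"""

# Shape of the Azure resource IDs a notScope may hold: a subscription, a
# resource group under a subscription, or a management group.
RESOURCE_ID = re.compile(
    r"^(/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}(/resourceGroups/[^/]+)?"
    r"|/providers/Microsoft\.Management/managementGroups/[^/]+)$",
    re.IGNORECASE,
)


def merge_selectors(parent, child):
    """Merge two pacSelector -> list dictionaries, concatenating per selector."""
    merged = {selector: list(ids) for selector, ids in parent.items()}
    for selector, ids in child.items():
        merged.setdefault(selector, []).extend(ids)
    return merged


def flatten(node, inherited=None):
    """Walk the tree and return one record per leaf assignment.

    Assumption (not confirmed by the issue): a child inherits its ancestors'
    scope and notScopes and may add to them.
    """
    inherited = inherited or {"scope": {}, "notScopes": {}}
    current = {
        "scope": merge_selectors(inherited["scope"], node.get("scope", {})),
        "notScopes": merge_selectors(inherited["notScopes"], node.get("notScopes", {})),
    }
    children = node.get("children", [])
    if not children:
        name = node.get("assignment", {}).get("name", node.get("nodeName", "?"))
        return [{"name": name, **current}]
    leaves = []
    for child in children:
        leaves.extend(flatten(child, current))
    return leaves


def check_leaf(leaf):
    """Return findings (strings) for one leaf assignment."""
    findings = []
    for selector in leaf["scope"]:
        if not leaf["notScopes"].get(selector):
            findings.append(f"{leaf['name']}/{selector}: no notScopes declared; nothing will be excluded")
    for selector, ids in leaf["notScopes"].items():
        if selector not in leaf["scope"]:
            findings.append(f"{leaf['name']}/{selector}: notScopes declared but no scope for this pacSelector")
        for rid in ids:
            if not RESOURCE_ID.match(rid):
                findings.append(f"{leaf['name']}/{selector}: malformed notScope {rid!r}")
    return findings


def lint_assignment_file(text):
    """Parse an assignment file and return all findings. A JSON syntax error
    (such as an unterminated string) is returned as the single finding."""
    try:
        root = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    findings = []
    for leaf in flatten(root):
        findings.extend(check_leaf(leaf))
    return findings


if __name__ == "__main__":
    for finding in lint_assignment_file(SAMPLE_FILE):
        print(finding)
```

Run against the sample, the check reports that mg-dev is assigned but has no exclusions declared for it, and that one notScope entry is not a resource ID. Running it before a deployment gives an independent record of what the file asks for, which is useful when comparing against what the portal actually shows after the assignment is created.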
To Reproduce
Using the file sample above, changing out the blank environment labels to match your environment, run the code to assign the policy and set exclusions through notScopes.
Expected behavior
When done manually, the exclusion of Azure resources works as expected. See this screenshot:
When doing it through EPAC, the exclusion is blank. See screenshot:
Screenshots
EPAC Version
EPAC version 9.1.5