NOTSCOPES are not applying through EPAC #766
Comments
|
I've tested in v10.6.1.(latest) - notScopes are applying correctly.
Also tested the export and it came out as expected (minor fix required to naming but it is functional) |
|
You are many versions behind current and there have been a lot of bug fixes - I would suggest upgrading to the latest version. You will need to upgrade your |
|
Can you check with Jeremiah who is not working on the new version either? There should be some internal chatter about that as well. |
|
Let me retest with the child structure you have above and see if I can work it out |
|
We tested with templates given by our MS partner. This is a version issue. We will upgrade to the latest. |
Describe the bug
NOTSCOPES are not applied in Azure as they are expected to.
This happens with any assignment and any definition that I am using.
I am also unable to export, using this command "Export-AzPolicyResources", the exclusions that I created manually while testing.
There are internal discussions that this may not work on v10 as well.
This is the assignment file code with specific environment identifiers removed.
{
"$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-assignment-schema.json",
"nodeName": "/azure-root/",
"children": [
{
"nodeName": "Restricted-Services/",
"children": [
{
"nodeName": "restrict-services",
"assignment": {
"name": "restrict-services",
"displayName": "restrict-services",
"description": "This policy prevents the creation of a technology or resource that is centralized within Azure. An exception must be approved by if this resource is needed."
},
"definitionEntry": {
"policyName": "restrict-services",
"description": "This policy prevents the creation of a technology or resource that is centralized within Azure. An exception must be approved by if this resource is needed."
},
"nonComplianceMessages": [
{
"message": "An attempt has been made to create an Azure service. If this resource is needed, please consult documentation for an exception."
}
],
"scope": {
"mg-dev": [
"/providers/Microsoft.Management/managementGroups/mg-name-dev"
],
"mg-prod": [
"/providers/Microsoft.Management/managementGroups/mg-name-prod"
]
},
"notScopes": {
"mg-prod": [
"/subscriptions/[subscription 1 GUID]",
"/subscriptions/[subscription 2 GUID]",
"/subscriptions/[subscription 3 GUID]",
"/providers/Microsoft.Management/managementGroups/[MG 1 Name],
"/providers/Microsoft.Management/managementGroups/[MG 2 Name]
]
}
}
]
}
]
}
To Reproduce
Using the file sample above, changing out the blank environment labels to match your environment, run the code to assign the policy and set exclusions through notScopes.
Expected behavior
When done manually the exclusion of Azure resource work as expected. See this screenshot:
When doing it through EPAC the exclusion is blank. See screen shot:
Screenshots
If applicable, add screenshots to help explain your problem.
EPAC Version
EPAC version 9.1.5
The text was updated successfully, but these errors were encountered: