8.2.4 removing Exemptions in OwnedOnly mode

[robsissons-contino]

When building a policy plan with the latest Powershell module the plan shows that ALL existing Exemptions will be removed despite the PAC environment being configured for "ownedOnly" strategy.

EPAC Module version: 8.2.4
Powershell version: 7.3.6

Example:

global-settings.json:

{
    "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/global-settings-schema.json",
    "pacOwnerId": "policy-as-code",
    "pacEnvironments": [
        {
            "pacSelector": "production",
            "cloud": "AzureCloud",
            "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
            "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
            "desiredState": {
                "strategy": "ownedOnly"
            }
        }
    ]
}

plan output snippets:

===================================================================================================
Processing Policy Exemption files in folder 'C:\Repos\EPAC\azure-policy-as-code\production\Definitions\/policyExemptions/production'
===================================================================================================
Number of Policy Exemption files = 1
Processing file 'C:\Repos\EPAC\azure-policy-as-code\production\Definitions\policyExemptions\production\all-exemptions.csv'
Delete 'xxxxxxxx', '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rgxxxxxxxx'
Delete 'xxxxxxxx', '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rgxxxxxxxx'
Delete 'xxxxxxxx', '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rgxxxxxxxx'
...

Policy Exemption counts:
    0 unchanged
    354 orphaned
    0 expired
    354 changes:
        new     = 0
        update  = 0
        replace = 0
        delete  = 354

[anwather]

Let me take a look at this tomorrow, just to confirm the exemptions aren't managed by EPAC?

[robsissons-contino]

correct - we currently have no exemptions managed by EPAC but do have a template CSV file in the directory which is why it shows "processing 1 file".

Tested with previous versions and no issues

[techlake]

Delete the directory as well Get Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: robsissons-contino ***@***.***> Sent: Tuesday, September 19, 2023 8:27:54 AM To: Azure/enterprise-azure-policy-as-code ***@***.***> Cc: Subscribed ***@***.***> Subject: Re: [Azure/enterprise-azure-policy-as-code] 8.2.4 removing Exemptions in OwnedOnly mode (Issue #364) correct - we currently have no exemptions managed by EPAC but do have a template CSV file in the directory which is why it shows "processing 1 file". Tested with previous versions and no issues — Reply to this email directly, view it on GitHub<#364 (comment)> or unsubscribe<https://github.com/notifications/unsubscribe-auth/ABTITRLUHT2KI7ACVM6IPOTX3GFU5BFKMF2HI4TJMJ2XIZLTSSBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLAVFOZQWY5LFVIZDOMRVHE4DSNBXHCSG4YLNMWUWQYLTL5WGCYTFNSWHG5LCNJSWG5C7OR4XAZNMJFZXG5LFINXW23LFNZ2KM5DPOBUWG44TQKSHI6LQMWVHEZLQN5ZWS5DPOJ42K5TBNR2WLKJTGM3TCNRSHAZTRAVEOR4XAZNFNFZXG5LFUV3GC3DVMWVDCOJQGI3DQMBXHA4YFJDUPFYGLJLMMFRGK3FFOZQWY5LFVIZDOMRVHE4DSNBXHCTXI4TJM5TWK4VGMNZGKYLUMU>. You are receiving this email because you are subscribed to this thread. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[anwather]

Yes please delete or rename the directory and let us know the outcome - I'm curious as to why those exemptions are showing up as orphaned, my understanding is an orphaned exemption is one where there is no assignment id available.

[robsissons-contino]

Done some further tests on this:

1. Removing or renaming the directory so no exemption files are processed removes the prompt in the build plan so no exemptions would be removed.

2. If I put the directory back and add a file with a single exemption for our EPAC instance to manage (still in ownedOnly) then the list of orphaned exemptions returns to the plan advising they would be deleted.

Also reviewed the current estate and can confirm that the exemptions being listed are correctly identified as "orphaned" as they are both expired and the policy which the exemption was created for no longer exists. Requested that the current policy team review and remove these however I still believe that when deploying in "ownedOnly" the existing exemptions should not be in scope for removal, regardless of their status.

Note - the build plan does not attempt to delete exemptions which are just expired and not orphaned (the definition which the exemption was created against still exists).

Hope this helps to triage.

[anwather]

My question would be if an exemption is orphaned would there be a valid case for leaving it deployed? The assignment is missing and it is expired so removing it makes sense.. Get Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: robsissons-contino ***@***.***> Sent: Thursday, September 21, 2023 7:40:59 PM To: Azure/enterprise-azure-policy-as-code ***@***.***> Cc: Comment ***@***.***>; Assign ***@***.***>; Subscribed ***@***.***> Subject: Re: [Azure/enterprise-azure-policy-as-code] 8.2.4 removing Exemptions in OwnedOnly mode (Issue #364) Done some further tests on this: 1. Removing or renaming the directory so no exemption files are processed removes the prompt in the build plan so no exemptions would be removed. 2. If I put the directory back and add a file with a single exemption for our EPAC instance to manage (still in ownedOnly) then the list of orphaned exemptions returns to the plan advising they would be deleted. Also reviewed the current estate and can confirm that the exemptions being listed are correctly identified as "orphaned" as they are both expired and the policy which the exemption was created for no longer exists. Requested that the current policy team review and remove these however I still believe that when deploying in "ownedOnly" the existing exemptions should not be in scope for removal, regardless of their status. Note - the build plan does not attempt to delete exemptions which are just expired and not orphaned (the definition which the exemption was created against still exists). Hope this helps to triage. — Reply to this email directly, view it on GitHub<#364 (comment)> or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACWCJVTQE474D6T547EGNQDX3QDSXBFKMF2HI4TJMJ2XIZLTSSBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLAVFOZQWY5LFVIZDOMRVHE4DSNBXHCSG4YLNMWUWQYLTL5WGCYTFNSWHG5LCNJSWG5C7OR4XAZNMJFZXG5LFINXW23LFNZ2KM5DPOBUWG44TQKSHI6LQMWVHEZLQN5ZWS5DPOJ42K5TBNR2WLKJTGM3TCNRSHAZTRAVEOR4XAZNFNFZXG5LFUV3GC3DVMWVDCOJQGI3DQMBXHA4YFJDUPFYGLJLMMFRGK3FFOZQWY5LFVIZDOMRVHE4DSNBXHCTXI4TJM5TWK4VGMNZGKYLUMU>. You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[robsissons-contino]

Agree that these exemptions are no longer required and should be removed but they are not managed by EPAC and so when running in OwnedOnly mode they should not be in scope for EPAC to remove.

The team will manually remove these before we take full ownership of the environment with EPAC but still believe this is not the expected behaviour from EPAC

[anwather]

My thoughts around this feature request are:-

• EPAC is designed to be the source of truth for Azure Policy in an environment
• We do however acknowledge that customers may have a distributed policy team or require the ability to deploy EPAC in a staggered approach
• The desired state strategy was developed to give EPAC the ability to modify only policy objects that are tagged with an owner id.
• A policy exemption that has been deployed by EPAC will also have this id attached - and the corresponding assignment.
• Remove the assignment would leave the exemption in an orphaned state - and provide no value.
• We have extended this functionality to remove all orphaned exemptions in an environment since they provide no value.

The only reason I can think of to ever keep these extensions would be for reporting (possibly) and this could be done by performing an export of the policy resources and keeping a copy of the exported exemptions.

I think we should open this up to the EPAC user base and ask for input into what should be done.

@techlake - interested in your thoughts on this (when you get a chance).

[techlake]

I'll look at it tomorrow Get Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: Anthony Watherston ***@***.***> Sent: Thursday, September 21, 2023 9:55:32 PM To: Azure/enterprise-azure-policy-as-code ***@***.***> Cc: Heinrich Gantenbein ***@***.***>; Mention ***@***.***> Subject: Re: [Azure/enterprise-azure-policy-as-code] 8.2.4 removing Exemptions in OwnedOnly mode (Discussion #367) My thoughts around this feature request are:- * EPAC is designed to be the source of truth for Azure Policy in an environment * We do however acknowledge that customers may have a distributed policy team or require the ability to deploy EPAC in a staggered approach * The desired state strategy was developed to give EPAC the ability to modify only policy objects that are tagged with an owner id. * A policy exemption that has been deployed by EPAC will also have this id attached - and the corresponding assignment. * Remove the assignment would leave the exemption in an orphaned state - and provide no value. * We have extended this functionality to remove all orphaned exemptions in an environment since they provide no value. The only reason I can think of to ever keep these extensions would be for reporting (possibly) and this could be done by performing an export of the policy resources and keeping a copy of the exported exemptions. I think we should open this up to the EPAC user base and ask for input into what should be done. @techlake<https://github.com/techlake> - interested in your thoughts on this (when you get a chance). — Reply to this email directly, view it on GitHub<#367 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ABTITRLHWZKTDNPGJNHOHMTX3TOYJANCNFSM6AAAAAA5CLB64A>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[techlake]

History:

• Ownership was (until recently) was determined by ownership of the Assignment.
• The problem is the ownership gets lost when the Assignment is deleted or is done higher than the deployment root.
• I recently changed this to include metadata pacOwnerId for Exemptions as well. This solves multiple issues including the one discussed here.
• However
  • Exemptions use a double approach to Ownership, using both its own metadata and the Assignment metadata
  • And anything owned by anybody, if orphaned gets deleted.

My $0.02:

• Keep the double determination of ownership
• NEW: strictly only delete orphaned Exemption the same way as other Policy resources, therefore eliminating this issue.

[anwather]

Fixed in #385