Hi all!
Before opening an issue, I figured I'd post here to rule out user error if possible.
powershell: 7.4.7
epac: 10.8.1
For any exemption at a resource group scope for a policy assignment at parent management group scope, consistently getting:
WARNING: Exemption entry : No assignments found for exemption scope /subscriptions//resourceGroups/, skipping entry.
Example hierarchy:
If the exemption scope is a Subscription, there is no issue. Allegedly this worked a year ago, but I'm admittedly skeptical. We only went live with EPAC like this week a year ago.
I reviewed v10 release notes and see the related breaking change - which aligns with when it may have worked previously around the time we went live. I applied the "fix", but it's not working.
"Field desiredState.includeResourceGroups is deprecated/removed. This change removes all Policy Assignments in resource groups not defined in the Policy Assignment definition files. To keep the previous behavior, add a pattern "/subscriptions//resourceGroups/" to the "excludedScopes" array":
```json
"desiredState": {
    "strategy": "full",
    "keepDfcSecurityAssignments": true,
    "excludedScopes": [
        "/subscriptions//resourceGroups/"
    ]
}
```
The above change still results in the same warning. Looking at other documentation suggests the note above is not even correct. Adding that pattern actually excludes resource group from policy scope...which is what I already seem to be experiencing.
I re-read through https://azure.github.io/enterprise-azure-policy-as-code/policy-exemptions/#example-with-policydefinition-scopes-and-a-human-readable-name and see there have been some changes and improvements. I tried a JSON (vs. CSV) "with policyDefinition and a single scope" and still get the same warning.
It's like the resource group doesn't have the assignment, but it does - because trying to do the thing the policy is preventing, triggers a "deny" due to the policy.
I'm sure I'm missing something obvious, but I've been staring at it all day and I'm not seeing it.
Thanks in advance!