Comments (12)

anwather avatar anwather commented on September 7, 2024

So the exemptions removed from the CSV are not in the outputted plan file?

from enterprise-azure-policy-as-code.

robsissons-contino avatar robsissons-contino commented on September 7, 2024

This is correct.

Tested on EPAC v8.4.2, pwsh 7.3.8.

Confirmed that the exemption is created and has the correct metadata tag. When I remove the row from the CSV I see this in my plan summary (note this is a testing pacselector so my test exemption was the only entry):

Policy Exemption counts:
    0 unchanged
    0 orphaned
    0 expired
    0 changes

Interestingly, if I re-run the plan it wants to try and recreate the exemption, as though it cannot find the exemption to confirm that it already exists:

Policy Exemption counts:
    0 unchanged
    0 orphaned
    0 expired
    1 changes:
        new     = 1
        update  = 0
        replace = 0
        delete  = 0

For information, this environment has the following configuration in our globalsettings:

{
    "pacSelector": "xxxx",
    "cloud": "AzureCloud",
    "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "deploymentRootScope": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx",
    "desiredState": {
        "strategy": "ownedOnly",
        "includeResourceGroups": true
    }
}

Have now just tested re-running the deployment and it consistently wants to recreate this exemption:

Create new Exemptions (1)
---------------------------------------------------------------------------------------------------
test_exemption1(/subscriptions/***/resourceGroups/xxxxxxxxxxxxxxxx/providers/Microsoft.Web/sites/testwebapp/providers/Microsoft.Authorization/policyExemptions/test_exemption1)

Note - in our production environment we have over 22k exemptions and the plan does not try to recreate the exemptions. The global settings are also set to ownedOnly. The main difference with our production environment is that the root scope is a management group, rather than a subscription.

I will create a test exemption in our production environment and report back my findings.

gregslack78 avatar gregslack78 commented on September 7, 2024

The fact that you state that if you re-run the plan (presumably after adding the exemption back to the CSV) it processes it as a new exemption makes me think that there is some difference between what is in the CSV file and what is in Azure. Can you run an export of that PAC and compare the exported CSV to the CSV you are running the plan for?

robsissons-contino avatar robsissons-contino commented on September 7, 2024

Unfortunately the plan wants to create the exemption each time without modifying the CSV file at all.

I have performed a similar test in our production environment; however, this has worked as expected. A second build does not want to "recreate" the exemption, and removing it from the CSV results in the exemption being removed.

As requested I performed an export and can confirm that the exemptions added through these tests were not included in the exported "all-exemptions.csv" file.

I can only assume this is a permission issue with the SPN we are using in this environment. Can anyone advise what permissions we are missing for the ability to read these exemptions so I can raise with the IAM team to review?

Many thanks again for the EPAC team's support!

gregslack78 avatar gregslack78 commented on September 7, 2024

Required roles are defined here: https://azure.github.io/enterprise-azure-policy-as-code/ci-cd-pipeline/#service-connections-for-devops-cicd

robsissons-contino avatar robsissons-contino commented on September 7, 2024

Checked all roles and tested a plan with a Global Admin account at the same scope to confirm: same issue, so not role/permissions related.

Done some further testing on this in a sandbox environment and can reproduce it if I have a pacSelector scoped at a subscription. Difference between the two PAC environments in globalsettings.json:

"pacEnvironments": [
    {
        "pacSelector": "tenant",
        "cloud": "AzureCloud",
        "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/xxxxMG",
        "desiredState": {
            "strategy": "ownedOnly"
        }
    },
    {
        "pacSelector": "tenant2",
        "cloud": "AzureCloud",
        "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "deploymentRootScope": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "desiredState": {
            "strategy": "ownedOnly"
        }
    }
]

"tenant" performs as expected and can see the exemption once it is created.
"tenant2" reproduces the error and cannot see the exemption, so it keeps trying to recreate it.

I have confirmed that I can see the exemption when performing a Resource Graph query, and have also tested using the same syntax used in the helper script "Get-AzPolicyExemptionsAtScopeRestMethod.ps1": the exemption is visible.

If I use the "Export-AzPolicyResources" cmdlet with the "tenant" pacSelector then I can see the exported exemptions.
Performing the same export with the "tenant2" pacSelector exports no exemptions at all.
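
The comment above checks the same exemption through three independent read paths (a Resource Graph query, the REST call used by the helper script, and the export cmdlet) and finds that only the subscription-scoped pacSelector loses sight of it. The following script is an added diagnostic for that situation; it is not part of this thread or of the EPAC project and does not use EPAC's internal functions. It lists the exemptions under one deploymentRootScope via the Az.Resources cmdlet, Azure Resource Graph and the ARM REST list API, then reports which exemptions each path can see. Assumptions not taken from the thread: the Az.Accounts, Az.Resources and Az.ResourceGraph modules are installed and a Connect-AzAccount session exists for the same identity the pipeline uses; the policyExemptions api-version 2022-07-01-preview; and the metadata key name in $OwnerMetadataKey, which is only a placeholder for whatever tag EPAC writes.

```powershell
<#
  Added example (not EPAC project code): compare policy-exemption visibility across three read paths
  for one deploymentRootScope, to narrow down a "plan wants to recreate the exemption every run" case.
  Assumptions: Az.Accounts, Az.Resources, Az.ResourceGraph installed; Connect-AzAccount already run.
#>
param(
    [Parameter(Mandatory)]
    [string]$Scope,                            # a pacEnvironment's deploymentRootScope
    [string]$OwnerMetadataKey = 'pacOwnerId'   # assumed ownership marker in exemption metadata (not from the thread)
)

# Path 1: Az.Resources cmdlet, including exemptions on child scopes (resource groups, resources).
$viaCmdlet = @(Get-AzPolicyExemption -Scope $Scope -IncludeDescendent -ErrorAction Stop)

# Path 2: Azure Resource Graph, scoped to the subscription or management group named in $Scope.
$kql = "policyresources | where type =~ 'microsoft.authorization/policyexemptions' | project id, name, properties"
$viaGraph = switch -Regex ($Scope) {
    '^/subscriptions/([^/]+)$' {
        @(Search-AzGraph -Query $kql -Subscription $Matches[1] -First 1000)
    }
    '^/providers/Microsoft\.Management/managementGroups/([^/]+)$' {
        @(Search-AzGraph -Query $kql -ManagementGroup $Matches[1] -First 1000)
    }
    default { throw "Scope must be a subscription or management group resource id: $Scope" }
}

# Path 3: ARM REST list, following nextLink pages. Caveat: for a subscription this returns exemptions at
# every scope inside it; for a management group it returns only exemptions placed directly on the MG.
$viaRest = @()
$resp = Invoke-AzRestMethod -Method GET -Path "$Scope/providers/Microsoft.Authorization/policyExemptions?api-version=2022-07-01-preview"
while ($true) {
    if ($resp.StatusCode -ne 200) { throw "REST list failed: HTTP $($resp.StatusCode) $($resp.Content)" }
    $page = $resp.Content | ConvertFrom-Json
    $viaRest += @($page.value)
    if (-not $page.nextLink) { break }
    $resp = Invoke-AzRestMethod -Method GET -Uri $page.nextLink   # nextLink is an absolute URL
}

# Normalise the three result shapes to (Id, Source, HasOwnerTag) keyed on the lower-cased resource id.
function ConvertTo-ExemptionRecord {
    param([object[]]$Items, [string]$Source)
    foreach ($item in $Items) {
        $id = $item.Id ?? $item.ResourceId                    # cmdlet (newer/older Az) and graph/REST 'id'
        if (-not $id) { continue }
        $meta = $item.Metadata ?? $item.Properties.Metadata   # cmdlet (newer Az) vs. properties.metadata
        [pscustomobject]@{
            Id          = $id.ToLowerInvariant()
            Source      = $Source
            HasOwnerTag = [bool]($meta -and $null -ne $meta.$OwnerMetadataKey)
        }
    }
}

$records = @(
    ConvertTo-ExemptionRecord -Items $viaCmdlet -Source 'Cmdlet'
    ConvertTo-ExemptionRecord -Items $viaGraph  -Source 'Graph'
    ConvertTo-ExemptionRecord -Items $viaRest   -Source 'Rest'
)

# One row per exemption: which read paths returned it, and whether the assumed owner key is present.
$report = $records | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        Id           = $_.Name
        SeenByCmdlet = 'Cmdlet' -in $_.Group.Source
        SeenByGraph  = 'Graph'  -in $_.Group.Source
        SeenByRest   = 'Rest'   -in $_.Group.Source
        HasOwnerTag  = $_.Group.HasOwnerTag -contains $true
    }
} | Sort-Object Id

"$($viaCmdlet.Count) via cmdlet, $($viaGraph.Count) via Resource Graph, $($viaRest.Count) via REST at $Scope"
$report | Format-Table -AutoSize

# Exemptions that one path returns and another does not are the ones to investigate first.
$report | Where-Object { -not ($_.SeenByCmdlet -and $_.SeenByGraph -and $_.SeenByRest) }
```

Save the block as a .ps1 file and run it once per pacEnvironment, passing each deploymentRootScope from globalSettings.json (the management group id for "tenant", the subscription id for "tenant2"). An exemption that shows up under Graph and Rest but not under Cmdlet, or under some paths with a differently cased id, separates a permissions problem (all three paths empty) from a scope-handling problem in whichever tooling reads the exemptions.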

robsissons-contino avatar robsissons-contino commented on September 7, 2024

Can anyone replicate this?

gregslack78 avatar gregslack78 commented on September 7, 2024

gregslack78 avatar gregslack78 commented on September 7, 2024

robsissons-contino avatar robsissons-contino commented on September 7, 2024

What happens when you remove the row from the CSV in that PAC environment? Are the exemptions removed?

Have not tested with JSON exemptions but assume the same behaviour.

Please can we also remove the additional thread information which exposes email addresses in the body of the comments?

robsissons-contino avatar robsissons-contino commented on September 7, 2024

Any update on this? I notice that the thread is marked as awaiting response?

gregslack78 avatar gregslack78 commented on September 7, 2024

Unable to reproduce.