Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

notScopes for subscriptions wildcard pattern #831

Open
riosengineer opened this issue Nov 28, 2024 · 14 comments
Open

notScopes for subscriptions wildcard pattern #831

riosengineer opened this issue Nov 28, 2024 · 14 comments
Assignees
Labels
feature request User is suggesting a new feature

Comments

@riosengineer
Copy link
Contributor

riosengineer commented Nov 28, 2024

Hi team!

I have some policyAssignments that I only need to apply to production subscriptions but I am applying the scope at the parent management group. These assignments are monitoring/custom alert metrics. They need to auto-inherit any new subs that get created for production but not for the subsequent lower subs, e.g.

management_group <- policyAssignment applied to this scope
   somesub-dev-thing <- want to exclude this from the assignment
   somesub-test-thing <- and this
   somesub-prod-thing

We add this setup often for new applications. Therefore, adding individual sub IDs is not very feasible in the notScopes. I want to add a notScopes like:

  "scope": {
    "epac-prod": [
      "/providers/Microsoft.Management/managementGroups/mg_landing_zones"
    ]
  },
  "notScopes": {
    "epac-prod": [
      "/subscriptions/sub-dev*", <- doesn't seem to work 
      "/subscriptions/sub-tst*" , <- as above
      "/subscriptions/*/resourceGroups/rg-uks-dev*", 
      "/subscriptions/*/resourceGroups/rg-uks-tst*" 
    ]
  }
}

This way I can exclude these assignments from all subscriptions that are dev / test because they do not need these policyAssignments. It seems this works great for the resource group pattern, but it does not seem to work for the subscription level. I can manually add the subscription exclusions in the assignment in the Portal however.

Should I be approaching this in a different way?

EDIT: Also, I guess, this ask would apply to the policyExemptions too for ease of exemptions

@anwather
Copy link
Collaborator

anwather commented Nov 28, 2024 via email

@riosengineer
Copy link
Contributor Author

riosengineer commented Nov 28, 2024

Unfortunately I wouldn't be able to go down that road. we have a landing zone MG and then many app specific MGs as a child under this, so each of those contain the dev/test/prod setup.

Thanks for replying. I just wanted to make sure I wasn't missing anything. I would love the feature naturally... 😄

I suppose without the wildcard support for subs, my portal changes would get overwritten on my next EPAC deployment anyway? @anwather

@anwather
Copy link
Collaborator

Thats correct. We can put this as a feature request though and get it done.

@riosengineer
Copy link
Contributor Author

riosengineer commented Nov 28, 2024

Thats correct. We can put this as a feature request though and get it done.

Awesome. Thank you 💪 edit: the exemptions support would be amazing too, so I can keep my compliance nice and green 🙃 @anwather

@apybar
Copy link
Collaborator

apybar commented Nov 28, 2024

@riosengineer - The exemptions is something already on the roadmap I plan on working on before EOY.

See --> #687

@anwather anwather self-assigned this Dec 5, 2024
@anwather anwather added the feature request User is suggesting a new feature label Dec 5, 2024
@anwather
Copy link
Collaborator

anwather commented Dec 5, 2024

@riosengineer - can you clone this repo and run from the scripts\deploy\Build-DeploymentPlans using the branch - feature/aw/issue828. I've made a change in there to test whether this would work. You will have to specify a subscription pattern as below:-

"scope": {
    "epac-prod": [
      "/providers/Microsoft.Management/managementGroups/mg_landing_zones"
    ]
  },
  "notScopes": {
    "epac-prod": [
      "/subscriptions/subscriptionsPattern/sub-dev*", 
      "/subscriptions/subscriptionsPattern/sub-tst*" , 
      "/subscriptions/*/resourceGroups/rg-uks-dev*", 
      "/subscriptions/*/resourceGroups/rg-uks-tst*" 
    ]
  }
}

It uses a -like to check the pattern against a subscription name so normal rules apply for wildcards. Run the plan and check the output to see if it correctly calculates the scope. Seems to work with my limited testing but if it is good for you I'll get some input from the team as to how we want to present it in the assignment JSON file.

@riosengineer
Copy link
Contributor Author

@riosengineer - can you clone this repo and run from the scripts\deploy\Build-DeploymentPlans using the branch - feature/aw/issue828. I've made a change in there to test whether this would work. You will have to specify a subscription pattern as below:-

"scope": {
    "epac-prod": [
      "/providers/Microsoft.Management/managementGroups/mg_landing_zones"
    ]
  },
  "notScopes": {
    "epac-prod": [
      "/subscriptions/subscriptionsPattern/sub-dev*", 
      "/subscriptions/subscriptionsPattern/sub-tst*" , 
      "/subscriptions/*/resourceGroups/rg-uks-dev*", 
      "/subscriptions/*/resourceGroups/rg-uks-tst*" 
    ]
  }
}

It uses a -like to check the pattern against a subscription name so normal rules apply for wildcards. Run the plan and check the output to see if it correctly calculates the scope. Seems to work with my limited testing but if it is good for you I'll get some input from the team as to how we want to present it in the assignment JSON file.

Hey @anwather. Thanks for this. Is it this: https://github.com/Azure/enterprise-azure-policy-as-code/tree/feature/aw/issue831/ ?

As I don't see a branch with the issue 828 but I see the commit about subscriptionPatterns in 831. I did try with 831 cloned (using ./Scripts/Deploy/Build-DeploymentPlans.ps1, using my /Definitions folder but, to be honest, my output JSON seems the same to when I run it via the normal EPAC pwsh module I have installed (which I assume is running the current release version of Build-DeploymentPlans).

My notScopes is:

"notScopes": {
    "epac-prod": [
      "/subscriptions/subscriptionsPattern/sub-dev*", 
      "/subscriptions/subscriptionsPattern/sub-tst*" , 
      "/subscriptions/*/resourceGroups/rg-uks-dev*",
      "/subscriptions/*/resourceGroups/rg-uks-tst*"
    ]
  }
}

Here's some of the json output, looks like it is happily excluding the RGs as normal, but not sure what the sub pattern should look like, but it seems like it's not there, unless I am doing something wrong.

Image

Any ideas?

@anwather
Copy link
Collaborator

anwather commented Dec 5, 2024

Oops I made a mistake - can you please pull the latest commit and try again?

@riosengineer
Copy link
Contributor Author

riosengineer commented Dec 6, 2024

Oops I made a mistake - can you please pull the latest commit and try again?

Works great now! Thanks :)

Image

@glsutter
Copy link

glsutter commented Jan 6, 2025

Our team is also interested in this feature. What release will it be in?

@anwather
Copy link
Collaborator

anwather commented Jan 6, 2025

@glsutter I'm still doing some testing an documentation update on this - hopefully later this week / early next.

If you want you can test using the branch /feature/aw/issue831 - any feedback would be great.

@anwather
Copy link
Collaborator

anwather commented Jan 7, 2025

This is published as a pre-release - v10.7.6-beta - also in PowerShell gallery for testing. Any feedback is welcome

@glsutter
Copy link

glsutter commented Jan 7, 2025

Thanks Anthony. Pattern matching in notScopes will help us deal with one-off resources for testing. Like a test VNet that will go away in a day or two.

@anwather
Copy link
Collaborator

anwather commented Jan 7, 2025

@glsutter - just to clarify this will allow for matching on subscription names e.g. /subscriptions/subscriptionsPattern/*-dev would cover sub1-dev, sub2-dev, sub3-dev etc

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature request User is suggesting a new feature
Projects
None yet
Development

No branches or pull requests

4 participants