
Missing policyAssignments definitionVersion attribute

Open sshockley opened this issue 1 year ago • 2 comments

Describe the bug

Policy assignments generated from Enterprise-Scale templates are created successfully, but are missing the required definitionVersion attribute.

Steps to reproduce

Create a policy assignment from the Enterprise Scale repo, e.g.:

NAME="DENY-VMUnmanagedDiskPolicyAssignment"
file="eslzArm/managementGroupTemplates/policyAssignments/${NAME}.json"
az deployment mg create \
        --name "alz-${NAME}" \
        --location ${REGION} \
        --management-group-id ${MGID} \
        --template-file "${file}"

Edit the policy assignment in the Azure portal UI.
Note the Version (preview) is marked as required.

Note that this is in US Gov GCC High, not sure if that matters here.

Related PR: Azure/azure-rest-api-specs#29383

Not sure if they're upstream to you and you can just sync the changes via script. Thanks.

sshockley, Sep 17 '24 19:09

Semi-related, it looks like the USGovernment policy versions are different? I kind of expected that, but I didn't expect USGovernment to have a higher version.

Commercial policy (8.2.0): https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json

USGovernment policy (9.1.0): https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Kubernetes/IngressHttpsOnly.json

sshockley, Sep 17 '24 19:09

@sshockley Thanks for submitting this issue. We are aware of the changes as a result of the implementation of Policy Versioning. Currently there is no impact for deployed instances of ALZ, as with the release of Policy Versioning, the product group backfilled all assignments to pin to the current major version. However, new deployments may be impacted if a new major version of an existing policy is published. We're currently planning how/when we will implement given the significant engineering effort and other priorities.

For your second issue, this is possible as resource providers are not the same in all clouds, and as such the US Gov policy may be ahead in version.

Stay tuned for versioning support in ALZ.

Springstone, Sep 24 '24 07:09
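Added example, not part of the issue thread or the Enterprise-Scale project's code: a pre-deployment check that lists policy assignments in an ARM template which carry no definitionVersion, including assignments inside nested deployments. The sample template, its resource names, the placeholder IDs and the "1.*.*" pin value are constructed for illustration.

```python
import json

ASSIGNMENT_TYPE = "microsoft.authorization/policyassignments"

# Constructed sample template; names and IDs are placeholders, not repo content.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Authorization/policyAssignments", "name": "example-unpinned",
   "properties": {"policyDefinitionId": "<policy-definition-id>"}},
  {"type": "Microsoft.Authorization/policyAssignments", "name": "example-pinned",
   "properties": {"policyDefinitionId": "<policy-definition-id>",
                  "definitionVersion": "1.*.*"}},
  {"type": "Microsoft.Resources/deployments", "name": "example-nested",
   "properties": {"template": {"resources": [
     {"type": "Microsoft.Authorization/policyAssignments",
      "name": "example-nested-unpinned",
      "properties": {"policyDefinitionId": "<policy-definition-id>"}}]}}}
]}
""")


def iter_resources(node):
    """Yield each resource, descending into child resources and nested deployments."""
    resources = node.get("resources") or []
    if isinstance(resources, dict):  # symbolic-name templates use an object here
        resources = list(resources.values())
    for res in resources:
        if not isinstance(res, dict):
            continue
        yield res
        yield from iter_resources(res)
        props = res.get("properties")
        if isinstance(props, dict) and isinstance(props.get("template"), dict):
            yield from iter_resources(props["template"])


def audit_assignments(template):
    """Return (name, definitionVersion or None) for every policy assignment."""
    found = []
    for res in iter_resources(template):
        if str(res.get("type", "")).lower() == ASSIGNMENT_TYPE:
            props = res.get("properties")
            version = props.get("definitionVersion") if isinstance(props, dict) else None
            found.append((res.get("name"), version or None))
    return found


def unpinned(template):
    """Names of assignments with a missing or empty definitionVersion."""
    return [name for name, version in audit_assignments(template) if version is None]
```

To check a real file, load it with `json.load` and pass the result to `unpinned`; a non-empty list means those assignments rely on whatever version the platform selects.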