
Policy Exemptions handling - Enhancement request

Open arrerezai opened this issue 9 months ago • 5 comments

Describe the solution you'd like

  • Review and update the schema to reflect EPAC v10+. For instance, policyId and policyName are not correct values as they are called policyDefinitionId and policyDefinitionName
  • Ensure all manually created exemptions get removed by running EPAC. Just the way policy assignments are, exemptions should also only be controlled through EPAC. As of v10.2.4, the logic is only adding exemptions, not deleting existing ones that are created in parallel in the Portal (or through something else other than EPAC)
  • Remove the unuseful merging of the displayName. Whenever EPAC is run, it merges the subscriptionId and the assignmentId to the displayName that the user has inserted in the code him/herself. This makes the freedom of choice for a meaningful displayName very limited as the max allowed number of characters for the displayName (the exemption name that can be viewed in the Portal) is 128 chars altogether
  • Create logic to strip the displayName if it exceeds the max allowed characters (same goes for the description, which has a max allowed number of 512). Having it stripped is better than having the run fail. An alternative is to describe in EPAC documentation that max amount of chars for displayName is 128-length of subscriptionId-length of assignmentId, forcing the folks to use short displayNames

arrerezai avatar May 06 '24 13:05 arrerezai
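As an added illustration of points 3 and 4 in the request above (this is example code, not part of the EPAC project or this issue), a pre-flight check that computes how much of the 128-character displayName budget is left once a subscriptionId and assignmentId are appended, and flags descriptions over 512 characters before a run fails. The separator EPAC uses when merging, and the field names on the exemption object, are assumptions; the sample values are constructed.

```powershell
# Added example, not EPAC code. Limits (128 / 512) are those stated in the issue.
# Assumption: the effective displayName is "<displayName><sep><subscriptionId><sep><assignmentId>".
function Test-ExemptionNameBudget {
    param(
        [Parameter(Mandatory)][hashtable]$Exemption,  # constructed: name, displayName, description, subscriptionId, assignmentId
        [int]$DisplayNameLimit = 128,
        [int]$DescriptionLimit = 512,
        [string]$Separator = ' '                      # assumed separator, not confirmed by the page
    )
    $suffix      = "$Separator$($Exemption.subscriptionId)$Separator$($Exemption.assignmentId)"
    $budget      = [Math]::Max(0, $DisplayNameLimit - $suffix.Length)   # chars left for the user's own text
    $merged      = "$($Exemption.displayName)$suffix"
    $description = [string]$Exemption.description

    # Truncate the user-supplied part only, so the identifying suffix always survives.
    $truncated = if ($merged.Length -gt $DisplayNameLimit) {
        $Exemption.displayName.Substring(0, [Math]::Min($budget, $Exemption.displayName.Length)) + $suffix
    } else { $merged }

    [pscustomobject]@{
        Name                    = $Exemption.name
        DisplayNameBudget       = $budget
        MergedDisplayNameLength = $merged.Length
        DisplayNameTooLong      = $merged.Length -gt $DisplayNameLimit
        DescriptionTooLong      = $description.Length -gt $DescriptionLimit
        TruncatedDisplayName    = $truncated
    }
}

# Constructed sample exemption; values are placeholders, not real identifiers.
$sample = @{
    name           = 'exempt-storage-public-access-dev'
    displayName    = 'Temporary exemption for the dev storage account while the migration to private endpoints is completed'
    description    = 'x' * 600                                   # deliberately over the 512 limit
    subscriptionId = '00000000-0000-0000-0000-000000000000'
    assignmentId   = 'deny-storage-public-access'
}
Test-ExemptionNameBudget -Exemption $sample | Format-List
```

Run this over every exemption definition in the repository before a deployment to surface names and descriptions that would be rejected, or to see how much text the merge leaves you.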

@arrerezai for the exemption are you running with desired state strategy set to full?

anwather avatar May 17 '24 04:05 anwather

For point 2 - desired state strategy set to full - EPAC is not deleting exemptions and I can reproduce - @apybar - I'll create a new issue from this and fix.

anwather avatar May 17 '24 05:05 anwather

@apybar - fixed point 2 in #636

anwather avatar May 17 '24 06:05 anwather

@arrerezai - what still from the list above is persisting? Or am I good to close this issue?

apybar avatar Jun 24 '24 15:06 apybar

@apybar, while #1 and #2 were the most important ones and are solved, #3 and #4 are related to each other and are still to be overseen. Having the displayName merged with subId and assId is still a thing, which I think is totally unnecessary and, as mentioned earlier, limits the freedom of having one's own (more) meaningful name. Also, there should exist some logic to strip all parameters that exceed the total number of allowed chars imo, but I guess you need to have your say in that?

arrerezai avatar Jun 24 '24 16:06 arrerezai

@arrerezai - I updated the documentation for point #4 and will push that out soon. Point #3 I will discuss internally and respond asap.

apybar avatar Jul 19 '24 16:07 apybar

As for the merging of "displayName", this applies when using "PolicyDefinitionID" and "Policy DisplayName". This is needed to distinguish the difference between the two when creating the exemption. Therefore, this is actually required to operate correctly and create the exemption.

It is recommended to use the Justification box for any description or additional text.

apybar avatar Jul 24 '24 21:07 apybar