
Commit

Fixes (#600)
techlake authored May 1, 2024
1 parent 5007d79 commit f69f4ce
Showing 34 changed files with 3,798 additions and 295 deletions.
2 changes: 0 additions & 2 deletions Docs/ci-cd-overview.md
Expand Up @@ -163,7 +163,6 @@ For saving the output related to ```Build-DeploymentPlans``` there is global var
| `OutputFolder` | Output folder path for plan files. Defaults to environment variable `$env:PAC_OUTPUT_FOLDER` or `./Output`. |
| `DevOpsType` | If set, outputs variables consumable by conditions in a DevOps pipeline. Default: not set. |
| `BuildExemptionsOnly` | If set, only builds the Exemptions plan. This useful to fast-track Exemption when utilizing [Release Flow](#advanced-cicd-with-release-flow) Default: not set. |
| `VirtualCores` | **Deprecated - DO NOT USE** -- Number of (virtual) cores available to calculate the deployment plan. Defaults to 4. |


### Deploy-PolicyPlan.ps1
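Review bot: dropping the `VirtualCores` row leaves two consecutive blank lines between the table and `### Deploy-PolicyPlan.ps1`; remove one so the table is followed by a single blank line like the other tables in this file. While in this hunk, the `BuildExemptionsOnly` row reads "This useful to fast-track Exemption when utilizing [Release Flow](...) Default: not set." and needs "This is useful" and a period before "Default".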
Expand All @@ -173,7 +172,6 @@ Deploys Policies, Policy Sets, Policy Assignments, and Policy Exemptions at thei
|Parameter | Explanation |
|----------|-------------|
| `InputFolder` | Input folder path for plan files. Defaults to environment variable `$env:PAC_INPUT_FOLDER`, `$env:PAC_OUTPUT_FOLDER` or `./Output`. |
| `VirtualCores` | **Deprecated - DO NOT USE** -- Number of (virtual) cores available to deploy Policy objects in parallel. Defaults to 4. |

### Deploy-RolesPlan.ps1

4 changes: 0 additions & 4 deletions Docs/operational-scripts-reference.md
Expand Up @@ -35,10 +35,6 @@ Suppresses prompt for confirmation to delete existing file in interactive mode

Include Policies with effect Manual. Default: do not include Polcies with effect Manual.

#### **Deprecated - DO NOT USE** -- `-VirtualCores <Int16>`

Number of virtual cores to use for the operation. Default is 4.

## Script `New-AzRemediationTasks`

The New-AzRemediationTasks PowerShell creates remediation tasks for all non-compliant resources in the current AAD tenant. If one or multiple remediation tasks fail, their respective objects are added to a PowerShell variable that is outputted for later use in the Azure DevOps Pipeline.
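Review bot: the context around the removed `-VirtualCores` section carries two typos worth fixing in the same pass: "do not include Polcies with effect Manual" should read "Policies", and "The New-AzRemediationTasks PowerShell creates remediation tasks" is missing the word "script" after "PowerShell".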
2 changes: 1 addition & 1 deletion Docs/policy-exemptions.md
Expand Up @@ -65,7 +65,7 @@ EPAC injects `deployedBy` into the `metadata` section. This is a string that ide
The following properties can be used to specify the Policy or Policies to be exempted.

> [!CAUTION]
> `assignmentScopeValidation` value `DoNotValidate` only works reliably for Option **B**. It may work for Option **A** and **C** in some cases, but it is not recommended. EPAC cannot gracefully handle this and display a specific error message. Instead, it will display a generic error message with the following text `"Exemption entry $($entryNumber): No assignments found for scope $($currentScope), skipping entry."`.
> `assignmentScopeValidation` value `DoNotValidate` only works for Option **B**. It may work for Option **A** and **C** in some cases, but it is not recommended. EPAC cannot gracefully handle this and display a specific error message. Instead, it will display a generic error message with the following text `"Exemption entry $($entryNumber): No assignments found for scope $($currentScope), skipping entry."`.
### Option **A**: Policy definition Ids or Names

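Review bot: changing "only works reliably for Option **B**" to "only works for Option **B**" contradicts the very next sentence, which still says "It may work for Option **A** and **C** in some cases"; either keep "reliably" or rewrite the second sentence to state plainly that Options A and C are unsupported with `DoNotValidate`. In the same line, "EPAC cannot gracefully handle this and display a specific error message" should read "cannot gracefully handle this or display a specific error message". Style point: the `### Option **A**` heading directly follows the blockquote with no blank line, which markdownlint flags (MD022).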
6 changes: 4 additions & 2 deletions Docs/settings-global-setting-file.md
Expand Up @@ -89,15 +89,17 @@ EPAC has a concept of an environment identified by a string (unique per reposito
- `managedIdentityLocation`: see [DeployIfNotExists and Modify Policy Assignments need `managedIdentityLocation`](#deployifnotexists-and-modify-policy-assignments-need-managedidentitylocation)
- Optional:
- `globalNotScopes`: see [Excluding scopes for all Assignments with `globalNotScopes`](#excluding-scopes-for-all-assignments-with-globalnotscopes)
- `skipResourceValidationForExemptions`: disables checking the resource existence for Policy Exemptions. Default is false. This can be useful if you have a massive amount of exemptions and the validation is taking too long.
- `doNotDisableDeprecatedPolicies`: **NOT YET IMPLEMENTED**: Planed feature will automatically set effect for deprecated Policies to "Disabled" when using the CSV file. This setting can be used to override that behavior by setting it to `true`. Default is `false`.
- `deployedBy`: populates the `metadata` fields. It defaults to `epac/$pacOwnerId/$pacSelector`. We recommend to use the default.
- Policy Definitions, Policy Set Definitions and Policy Exemptions - `metadata.deployedBy`.
- Policy Assignments - `metadata.assignedBy` since Azure Portal displays it as 'Assigned by'.
- Role Assignments - add the value to the `description` field since Role assignments do not contain `metadata`.
- `managedTenant`: Used when the `pacEnvironment` is in a lighthouse managed tenant, [see this example](#example-for-lighthouse-manged-tenant) It must contain:
- `managingTenantId` - The tenantId of the managing tenant.
- `managingTenantRootScope` - An array of all subscriptions that will need `additionalRoleAssignments` deployed to them.
- `defaultContext`: In rare cases (typicaslly only when deploying to a lighthouse managed tenant) the default context (Get-azContext) of a user/SPN running a plan will
be set to a suscription where that user/SPN does not have sufficient priveleges. Some checks have been built in so that in some cases when this happens EPAC is able to fix the context issue. When it is not, a `defaultContext` subscription name must be provided. This can be any subscription within the `deploymentRootScope`.
- `defaultContext`: In rare cases (typically only when deploying to a lighthouse managed tenant) the default context (Get-azContext) of a user/SPN running a plan will
be set to a subscription where that user/SPN does not have sufficient privileges. Some checks have been built in so that in some cases when this happens EPAC is able to fix the context issue. When it is not, a `defaultContext` subscription name must be provided. This can be any subscription within the `deploymentRootScope`.

### DeployIfNotExists and Modify Policy Assignments need `managedIdentityLocation`

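Review bot: "Planed feature" in the new `doNotDisableDeprecatedPolicies` entry should be "Planned", and documenting a key marked **NOT YET IMPLEMENTED** in the settings-file reference invites users to set it and expect an effect; either hold the entry until the feature ships or state explicitly that the key is currently ignored. The new `skipResourceValidationForExemptions` entry should note the trade-off rather than only the speed-up: with the existence check off, an exemption whose resource id is mistyped or points at an already-deleted resource is no longer caught at plan time and surfaces only at deployment, so the recommendation should be to leave it `false` unless the stated performance problem actually occurs. The rewritten `defaultContext` lines still spell the cmdlet `Get-azContext` (it is `Get-AzContext`), and the `managedTenant` link target `#example-for-lighthouse-manged-tenant` contains a typo that must be changed together with the heading it points to, or left as is, to keep the anchor working.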
13 changes: 2 additions & 11 deletions Scripts/Deploy/Build-DeploymentPlans.ps1
Expand Up @@ -53,21 +53,13 @@ param (

[Parameter(HelpMessage = "If set, outputs variables consumable by conditions in a DevOps pipeline.")]
[ValidateSet("ado", "gitlab", "")]
[string] $DevOpsType = "",

[Parameter(HelpMessage = "Deprecated.")]
[Int16] $VirtualCores = 0
[string] $DevOpsType = ""
)

$PSDefaultParameterValues = @{
"Write-Information:InformationVariable" = "+global:epacInfoStream"
}

if ($VirtualCores -gt 0) {
Write-Warning "VirtualCores parameter is deprecated. parallel processing is no longer supported. Please remove the parameter!" -WarningAction Continue
$VirtualCores = 0
}

Clear-Variable -Name epacInfoStream -Scope global -Force -ErrorAction SilentlyContinue

# Dot Source Helper Scripts
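Review bot: deleting the `VirtualCores` parameter outright, instead of keeping the deprecated no-op with its `Write-Warning`, turns every pipeline invocation that still passes `-VirtualCores` into a hard parameter-binding error ("A parameter cannot be found that matches parameter name 'VirtualCores'"), and the documentation edits in this same commit remove the only remaining mention of the parameter. Either keep the stub for one more release or call the removal out as a breaking change in the release notes and in the two docs tables edited above, so pipeline owners know what to remove.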
Expand Down Expand Up @@ -315,8 +307,7 @@ if ($buildSelections.buildAny) {
# Convert Policy and PolicySetDefinition to detailed Info
$combinedPolicyDetails = Convert-PolicyResourcesToDetails `
-AllPolicyDefinitions $allDefinitions.policydefinitions `
-AllPolicySetDefinitions $allDefinitions.policysetdefinitions `
-VirtualCores 4
-AllPolicySetDefinitions $allDefinitions.policysetdefinitions

# Populate allAssignments
$deployedPolicyAssignments = $deployedPolicyResources.policyassignments.managed
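Review bot: removing `-VirtualCores 4` from the `Convert-PolicyResourcesToDetails` call is only safe if that helper's `param` block also dropped or defaulted the parameter in this commit; the helper is not among the files rendered here, so please confirm. The backtick continuation at the end of the `-AllPolicyDefinitions` line is fragile (a trailing space after the backtick silently breaks the call into two statements); with only two arguments left, splatting a hashtable would remove the continuation entirely.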
10 changes: 1 addition & 9 deletions Scripts/Deploy/Deploy-PolicyPlan.ps1
Expand Up @@ -44,17 +44,9 @@ param (
[string] $InputFolder,

[Parameter(HelpMessage = "Use switch to indicate interactive use")]
[switch] $Interactive,

[Parameter(HelpMessage = "Deprecated.")]
[Int16] $VirtualCores = 0
[switch] $Interactive
)

if ($VirtualCores -gt 0) {
Write-Warning "VirtualCores parameter is deprecated. parallel processing is no longer supported. Please remove the parameter!" -WarningAction Continue
$VirtualCores = 0
}

$PSDefaultParameterValues = @{
"Write-Information:InformationVariable" = "+global:epacInfoStream"
}
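Review bot: with the `VirtualCores` parameter and its deprecation branch removed here as well, `Deploy-PolicyPlan.ps1 -VirtualCores 4` now fails at parameter binding instead of warning and continuing; whichever approach is chosen (hard removal or a kept no-op stub) should be applied identically to `Build-DeploymentPlans.ps1` so the two entry points behave the same for existing pipelines.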
1 change: 1 addition & 0 deletions Scripts/Helpers/Add-HelperScripts.ps1
Expand Up @@ -104,6 +104,7 @@

. "$PSScriptRoot/RestMethods/Get-AzPolicyAssignmentRestMethod.ps1"
. "$PSScriptRoot/RestMethods/Get-AzPolicyExemptionsRestMethod.ps1"
. "$PSScriptRoot/RestMethods/Get-AzResourceListRestMethod.ps1"
. "$PSScriptRoot/RestMethods/Get-AzRoleAssignmentsRestMethod.ps1"
. "$PSScriptRoot/RestMethods/Get-AzRoleDefinitionsRestMethod.ps1"
. "$PSScriptRoot/RestMethods/Remove-AzResourceByIdRestMethod.ps1"

0 comments on commit f69f4ce