Excluded Scopes Not Working As Expected #425
Comments
Actually, this behavior seems to be occurring in both AzureCloud and AzureUSGovernment. Reran our build plan in AzureCloud, and it is also deleting policies assigned at the subscription level. Maybe the "/subscriptions/*" isn't working as expected?
This was initially by design. We should add this as an option.
Do you mean that "/subscriptions/*" was never working? And that it should be added as a feature? We can work around it by listing every subscription with the GUID, but that is rather tedious when you have a lot of exclusions.
Correct. It shouldn't be hard. I'll look into it later
Thanks.
I will add a bool flag "excludeSubscriptions" to desired State. Wild cards cannot work (long story). I plan to implement this by the end of the week.
I believe this is fixed. @glsutter can you test it against your scenario?
I should be able to test this week. Will let you know how it goes. Thanks for the update.
@techlake - Heinrich, sorry, I completely lost track of this item. But I just did a test and it didn't work as expected. The plan output included the deletion of 8 policy assignments at subscription level. I checked the Assigned By property on those assignments and it was NOT the pacOwnerid we're using.
Do I need a specific version of EPAC for testing this change? We're running 10.0.0. |
I tried adding "excludeSubscriptions" under DesiredState first. Plan deleted some subscription assignments. Then I moved in under the |
Checking to see if I still get a gh-issues-to-ado workflow error when posting. |
In our pacSelector element in global-settings.jsonc, we have an excludedScopes like:
Our intent is for EPAC to ignore all subscription managed policies.
This seems to work in AzureCloud, but in AzureUSGovernment, the Build-DeploymentPlans.ps1 script reports that several subscription level policies will be deleted. For example, we see output like:
Delete 'Sandbox Policies' at /subscriptions/acb84c94-9bdf-43e8-982e-609c060c87b2
We don't see any obvious reason this behavior would be different between AzureCloud and AzureUSGovernment.
Any thoughts on what is happening and/or how we might debug?
Thanks