Excluded Scopes Not Working As Expected

[glsutter]

In our pacSelector element in global-settings.jsonc, we have an excludedScopes like:

"excludedScopes": [ 
	"/subscriptions/*" // Ignore all subscription level policies 
]

Our intent is for EPAC to ignore all subscription managed policies.

This seems to work in AzureCloud, but in AzureUSGovernment, the Build-DeploymentPlans.ps1 script reports that several subscription level policies will be deleted. For example, we see output like:

Delete 'Sandbox Policies' at /subscriptions/acb84c94-9bdf-43e8-982e-609c060c87b2

We don't see any obvious reason this behavior would be different between AzureCloud and AzureUSGovernment.

Any thoughts on what is happening and/or how we might debug?

Thanks

[glsutter]

Actually, this beahvior seems to be occurring in both AzureCloud and AzureUSGovernment. Reran our build plan in AzureCloud, and it is also deleting policies assigned at the subscription level.

Maybe the "/subscriptions/*" isn't working as expected?

[techlake]

This was initially by design. We should add this as an option.

[glsutter]

Do you mean that "/subscriptions/*" was never working? And that it should be added as a feature?

We can work around it by listing every subscription with the GUID, but that is rather tedious when you have a lot of exclusions.

[techlake]

Correct. It shouldn't be hard. I'll look into it later

[glsutter]

Thanks.

[techlake]

I will add a bool flag "excludeSubscriptions" to desired State. Wild cards cannot work (long story). I plan to implement this by the end of the week.

[techlake]

I believe this is fixed.

@glsutter can you test it against your scenario?

[glsutter]

I should be able to test this week. Will let you know how it goes. Thanks for the update.

[glsutter]

@techlake - Heinrich, sorry, I completely lost track of this item. But I just did a test and it didn't work as expected. The plan output included the deletion of 8 policy assignments at subscription level.

I checked the Assigned By property on those assignments and it was NOT the pacOwnerid we're using.

[glsutter]

Do I need a specific version of EPAC for testing this change? We're running 10.0.0.

[glsutter]

I tried adding "excludeSubscriptions" under DesiredState first. Plan deleted some subscription assignments. Then I moved in under the
"excludedScopes": [
"/subscriptions/*" // Ignore all subscription level policies
]
approach and that deleted some subscription assignments.
Not sure where I should be adding the new element.

[glsutter]

Checking to see if I still get a gh-issues-to-ado workflow error when posting.