Missing policyAssignments definitionVersion attribute #1769

Open
sshockley opened this issue Sep 17, 2024 · 2 comments
Labels
bug Something isn't working Needs: Triage 🔍 Needs triaging by the team

@sshockley

Describe the bug
Policy assignments generated from Enterprise-Scale templates are created successfully, but are missing the required definitionVersion attribute.

Steps to reproduce
Create a policy assignment from the Enterprise Scale repo, e.g.:

```bash
NAME="DENY-VMUnmanagedDiskPolicyAssignment"
file="eslzArm/managementGroupTemplates/policyAssignments/${NAME}.json"
az deployment mg create \
    --name "alz-${NAME}" \
    --location ${REGION} \
    --management-group-id ${MGID} \
    --template-file "${file}"
```

Edit the policy assignment in the Azure portal UI
Note the Version (preview) is marked as required.

Note that this is in US Gov GCC High, not sure if that matters here.

Related PR:
Azure/azure-rest-api-specs#29383

Not sure if they're upstream to you and you can just sync the changes via script. Thanks.

@sshockley sshockley added the bug Something isn't working label Sep 17, 2024
@sshockley
Author

Semi-related, it looks like the USGovernment policy versions are different? I kind of expected that, but I didn't expect USGovernment to have a higher version.

Commercial policy (8.2.0):
https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json

USGovernment policy (9.1.0):
https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Kubernetes/IngressHttpsOnly.json

@Springstone
Member

@sshockley Thanks for submitting this issue. We are aware of the changes as a result of the implementation of Policy Versioning. Currently there is no impact for deployed instances of ALZ, as with the release of Policy Versioning, the product group backfilled all assignments to pin to the current major version. However, new deployments may be impacted if a new major version of an existing policy is published.
We're currently planning how/when we will implement given the significant engineering effort and other priorities.

For your second issue, this is possible as resource providers are not the same in all clouds, and as such the US Gov policy may be ahead in version.

Stay tuned for versioning support in ALZ.
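
A pre-deployment check for the gap discussed in this issue, given here as an added example that is not part of the thread or of the Enterprise-Scale repo: it walks an ARM template, including nested deployments, and lists every `Microsoft.Authorization/policyAssignments` resource whose `properties` carry no `definitionVersion`. The sample template, its resource names and the `1.*.*` value are constructed for illustration.

```python
import json
import sys

ASSIGNMENT_TYPE = "microsoft.authorization/policyassignments"

# Constructed sample template; names and IDs are placeholders, not repo content.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Authorization/policyAssignments",
         "name": "Deny-Example-Unpinned",
         "properties": {"policyDefinitionId": "<policy-definition-id>"}},
        {"type": "Microsoft.Resources/deployments",
         "name": "nested-example",
         "properties": {"template": {"resources": [
             {"type": "Microsoft.Authorization/policyAssignments",
              "name": "Deny-Example-Pinned",
              "properties": {"policyDefinitionId": "<policy-definition-id>",
                             "definitionVersion": "1.*.*"}}]}}},
    ]
}

def iter_assignments(node):
    """Yield each policyAssignments resource, descending into nested deployments."""
    if isinstance(node, dict):
        if str(node.get("type", "")).lower() == ASSIGNMENT_TYPE:
            yield node
        for value in node.values():
            yield from iter_assignments(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_assignments(item)

def missing_definition_version(template):
    """Return the names of assignments whose properties lack definitionVersion."""
    missing = []
    for res in iter_assignments(template):
        props = res.get("properties")
        if not isinstance(props, dict) or not props.get("definitionVersion"):
            missing.append(res.get("name", "<unnamed>"))
    return missing

if __name__ == "__main__":
    for path in sys.argv[1:]:  # ARM template files to check
        with open(path, encoding="utf-8") as fh:
            for name in missing_definition_version(json.load(fh)):
                print(f"{path}: {name} has no definitionVersion")
```

Run against the files under `eslzArm/managementGroupTemplates/policyAssignments/`, it prints one line per assignment that would deploy without a pinned version.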

@Springstone Springstone added this to the policy-refresh-fy25-q2 milestone Oct 11, 2024
@Springstone Springstone added the Needs: Triage 🔍 Needs triaging by the team label Oct 11, 2024