notScopes for subscriptions wildcard pattern #831
Comments
Just a thought but why not add another management group under the assignment scope, and then add your dev/test subs under that and exclude the management group?
Patterns aren't supported for subscriptions at this stage - we'd have to add it as a feature.
Unfortunately I wouldn't be able to go down that road. We have a landing zone MG and then many app specific MGs as a child under this, so each of those contain the dev/test/prod setup. Thanks for replying. I just wanted to make sure I wasn't missing anything. I would love the feature naturally... 😄 I suppose without the wildcard support for subs, my portal changes would get overwritten on my next EPAC deployment anyway? @anwather
That's correct. We can put this as a feature request though and get it done.
Awesome. Thank you 💪 edit: the exemptions support would be amazing too, so I can keep my compliance nice and green 🙃 @anwather
@riosengineer - The exemptions is something already on the roadmap I plan on working on before EOY. See --> #687
@riosengineer - can you clone this repo and run from the
It uses a |
Hey @anwather. Thanks for this. Is it this: https://github.com/Azure/enterprise-azure-policy-as-code/tree/feature/aw/issue831/ ? As I don't see a branch with the issue 828 but I see the commit about subscriptionPatterns in 831. I did try with 831 cloned (using My notScopes is:

```json
"notScopes": {
  "epac-prod": [
    "/subscriptions/subscriptionsPattern/sub-dev*",
    "/subscriptions/subscriptionsPattern/sub-tst*",
    "/subscriptions/*/resourceGroups/rg-uks-dev*",
    "/subscriptions/*/resourceGroups/rg-uks-tst*"
  ]
}
```

Here's some of the json output, looks like it is happily excluding the RGs as normal, but not sure what the sub pattern should look like, but it seems like it's not there, unless I am doing something wrong. Any ideas?
Oops I made a mistake - can you please pull the latest commit and try again?
Our team is also interested in this feature. What release will it be in? |
@glsutter I'm still doing some testing and documentation update on this - hopefully later this week / early next. If you want you can test using the branch
This is published as a pre-release - v10.7.6-beta - also in PowerShell gallery for testing. Any feedback is welcome
Thanks Anthony. Pattern matching in notScopes will help us deal with one-off resources for testing. Like a test VNet that will go away in a day or two. |
@glsutter - just to clarify this will allow for matching on subscription names e.g. /subscriptions/subscriptionsPattern/*-dev would cover sub1-dev, sub2-dev, sub3-dev etc
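An added example, not EPAC's own code, showing what the notScopes posted earlier in the thread and the name-matching rule in this comment would expand to: a small Python expander turns `subscriptionsPattern` entries and wildcard resource-group entries into the literal scope ids Azure Policy accepts, and reports any pattern that matched nothing (the silent case where an assignment still lands on the subscriptions it was meant to skip). Subscription ids, names and resource groups are constructed, and case-insensitive matching is an assumption about EPAC, not taken from the project.

```python
import fnmatch
import re

# Entry forms discussed in the thread; both regexes are this example's own.
SUB_PATTERN = re.compile(r"^/subscriptions/subscriptionsPattern/(?P<glob>[^/]+)$", re.I)
RG_PATTERN = re.compile(r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<glob>[^/]+)$", re.I)

# Constructed inventory, not real subscriptions: id -> (display name, resource groups)
INVENTORY = {
    "aaaaaaaa-0000-0000-0000-000000000001": ("sub-dev-app1", ["rg-uks-dev-app1", "rg-uks-prod-app1"]),
    "aaaaaaaa-0000-0000-0000-000000000002": ("sub-tst-app1", ["rg-uks-tst-app1"]),
    "aaaaaaaa-0000-0000-0000-000000000003": ("sub-prod-app1", ["rg-uks-prod-app1", "rg-uks-dev-sandbox"]),
}

# The notScopes entries posted in the thread, unchanged.
NOT_SCOPES = [
    "/subscriptions/subscriptionsPattern/sub-dev*",
    "/subscriptions/subscriptionsPattern/sub-tst*",
    "/subscriptions/*/resourceGroups/rg-uks-dev*",
    "/subscriptions/*/resourceGroups/rg-uks-tst*",
]


def _like(value, glob):
    # Case-insensitive wildcard match; assumed to mirror how EPAC compares names.
    return fnmatch.fnmatchcase(value.lower(), glob.lower())


def expand_not_scopes(not_scopes, inventory):
    """Return (sorted literal scope ids, pattern entries that matched nothing)."""
    expanded, unmatched = set(), []
    for entry in not_scopes:
        if m := SUB_PATTERN.match(entry):
            # Subscription-name pattern: resolve to /subscriptions/<id> per match.
            hits = [f"/subscriptions/{s}" for s, (name, _) in inventory.items()
                    if _like(name, m["glob"])]
        elif (m := RG_PATTERN.match(entry)) and "*" in entry:
            # Resource-group wildcard, optionally limited to one subscription id.
            hits = [f"/subscriptions/{s}/resourceGroups/{rg}"
                    for s, (_, rgs) in inventory.items()
                    if m["sub"] == "*" or m["sub"].lower() == s.lower()
                    for rg in rgs if _like(rg, m["glob"])]
        else:
            hits = [entry]  # literal scope id: passed through unchanged
        if not hits:
            unmatched.append(entry)  # the pattern excluded nothing: flag it
        expanded.update(hits)
    return sorted(expanded), unmatched
```

Treat a non-empty unmatched list as a deployment failure rather than a warning, since an assignment with a missing exclusion applies to the very subscriptions the pattern was written to skip.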
Hi team!
I have some policyAssignments that I only need to apply to production subscriptions but I am applying the scope at the parent management group. These assignments are monitoring/custom alert metrics. They need to auto-inherit any new subs that get created for production but not for the subsequent lower subs, e.g.
We add this setup often for new applications. Therefore, adding individual sub IDs is not very feasible in the notScopes. I want to add a `notScopes` like:
This way I can exclude these assignments from all subscriptions that are dev / test because they do not need these policyAssignments. It seems this works great for the resource group pattern, but it does not seem to work for the subscription level. I can manually add the subscription exclusions in the assignment in the Portal however.
Should I be approaching this in a different way?
EDIT: Also, I guess, this ask would apply to the policyExemptions too for ease of exemptions