Set-AzPolicyAssignment Command Loses Description and Display Name #25362

Open
DFRZ7 opened this issue Jun 24, 2024 · 4 comments
Labels: bug (This issue requires a change to an existing behavior in the product in order to be resolved.), customer-reported, Policy (Azure Resource Policy), Service Attention (This issue is responsible by Azure service team.)

DFRZ7 commented Jun 24, 2024

Description

While testing the Set-AzPolicyAssignment command with the latest version, we noticed the following behavior:

Policy Enforcement Mode and Non-Compliant Messages: These properties are maintained correctly when running the command.

Description and Display Name: These properties are lost when executing the command directly.

Issue script & Debug output

# Connect to Azure
# Note: Policy assignment is set to DoNotEnforce, for testing.

Get-AzPolicyAssignment -Id "/subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyAssignments/<PolicyAssignmentId>"

# Set the subscription context
Set-AzContext -SubscriptionId "<SubscriptionId>"

# Assign a policy with the Set-AzPolicyAssignment command
Set-AzPolicyAssignment -Id "/subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyAssignments/<PolicyAssignmentId>" -EnforcementMode Default

Environment data

Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Microsoft Windows 10.0.22635
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

Get-InstalledModule -Name Az -AllVersions

Version              Name                                Repository           Description
-------              ----                                ----------           -----------
12.0.0               Az                                  PSGallery            Microsoft Azure PowerShell - Cmdlets to manage resources in Azure. This module is compatib…

Get-InstalledModule -Name Az.Resources -AllVersions

Version              Name                                Repository           Description
-------              ----                                ----------           -----------
7.1.0                Az.Resources                        PS

Error output

Example Output Before Changing Enforcement Mode:

Metadata                     : @{parameterScopes=; createdBy=<CreatedById>; createdOn=5/27/2024 7:36:55 PM; updatedBy=<UpdatedById>; updatedOn=6/24/2024 6:17:53 PM}
NonComplianceMessage         : 
NotScope                     : 
Parameter                    : @{profileName=}
Description                  : This is a test
DisplayName                  : DiagOpenAI
EnforcementMode              : DoNotEnforce
Id                           : /subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyAssignments/<PolicyAssignmentId>
IdentityPrincipalId          : 
IdentityTenantId             : 
IdentityType                 : 
IdentityUserAssignedIdentity : Microsoft.Azure.PowerShell.Cmdlets.Policy.Models.IdentityUserAssignedIdentities
Location                     : 
Name                         : <PolicyAssignmentName>
Override                     : {}
PolicyDefinitionId           : /subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyDefinitions/<PolicyDefinitionId>
ResourceSelector             : {}
SystemDataCreatedAt          : 5/27/2024 7:36:55 PM
SystemDataCreatedByType      : User
SystemDataLastModifiedAt     : 6/24/2024 6:17:53 PM
SystemDataLastModifiedByType : User
Type                         : Microsoft.Authorization/policyAssignments

Example Output After Changing Enforcement Mode:

Metadata                     : @{createdBy=<CreatedById>; createdOn=5/27/2024 7:36:55 PM; updatedBy=<UpdatedById>; updatedOn=6/24/2024 6:43:50 PM}
NonComplianceMessage         : 
NotScope                     : 
Parameter                    : @{profileName=}
Description                  : 
DisplayName                  : 
EnforcementMode              : Default
Id                           : /subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyAssignments/<PolicyAssignmentId>
IdentityPrincipalId          : 
IdentityTenantId             : 
IdentityType                 : 
IdentityUserAssignedIdentity : Microsoft.Azure.PowerShell.Cmdlets.Policy.Models.IdentityUserAssignedIdentities
Location                     : 
Name                         : <PolicyAssignmentName>
Override                     : 
PolicyDefinitionId           : /subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyDefinitions/<PolicyDefinitionId>
ResourceSelector             : 
SystemDataCreatedAt          : 5/27/2024 7:36:55 PM
SystemDataCreatedByType      : User
SystemDataLastModifiedAt     : 6/24/2024 6:43:50 PM
SystemDataLastModifiedByType : User
Type                         : Microsoft.Authorization/policyAssignments

Example of workaround:

Piping the output of Get to the Set:

Get-AzPolicyAssignment -Id "/subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyAssignments/<PolicyAssignmentId>" | Set-AzPolicyAssignment

Nonetheless, documentation does not state this, so it could be somewhat confusing.
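
A check that can wrap the update, added here as an example and not part of the original issue or the Az module: it snapshots the assignment, applies the change through the piped workaround, then re-reads it and reports whether `DisplayName` or `Description` came back empty. `Compare-AssignmentProperty` is a hypothetical helper, and combining the piped form with `-EnforcementMode` is an assumption; the `<...>` placeholders are the issue's own.

```powershell
# Added example: guard a policy-assignment update against silently dropped properties.
# The <...> placeholders are the ones used in the issue.
$assignmentId = "/subscriptions/<SubscriptionId>/providers/Microsoft.Authorization/policyAssignments/<PolicyAssignmentId>"
$watched = 'DisplayName', 'Description'   # the two properties the issue reports as lost

# Hypothetical helper: list watched properties that had a value before and are empty after.
function Compare-AssignmentProperty {
    param(
        [Parameter(Mandatory)] $Before,
        [Parameter(Mandatory)] $After,
        [Parameter(Mandatory)] [string[]] $Property
    )
    foreach ($name in $Property) {
        $old = [string]$Before.$name
        $new = [string]$After.$name
        if ($old -and -not $new) {
            [pscustomobject]@{ Property = $name; Before = $old; After = $new }
        }
    }
}

# 1. Snapshot the assignment before touching it.
$before = Get-AzPolicyAssignment -Id $assignmentId

# 2. Apply the change through the piped form given as the workaround in the issue.
#    Assumption: the piped form accepts -EnforcementMode alongside the input object.
$before | Set-AzPolicyAssignment -EnforcementMode Default | Out-Null

# 3. Re-read from the service and compare against the snapshot.
$after = Get-AzPolicyAssignment -Id $assignmentId
$lost  = @(Compare-AssignmentProperty -Before $before -After $after -Property $watched)

if ($lost.Count -gt 0) {
    $lost | Format-Table -AutoSize | Out-String | Write-Warning
    # Put back only the values that were lost, taken from the snapshot.
    # -DisplayName and -Description are parameters of Set-AzPolicyAssignment.
    $restore = @{}
    foreach ($item in $lost) { $restore[$item.Property] = $item.Before }
    Set-AzPolicyAssignment -Id $assignmentId @restore | Out-Null
    throw "Set-AzPolicyAssignment dropped: $($lost.Property -join ', ')"
}
"EnforcementMode is now $($after.EnforcementMode); watched properties preserved."
```
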
DFRZ7 added the bug and needs-triage (This is a new issue that needs to be triaged to the appropriate team.) labels Jun 24, 2024
microsoft-github-policy-service bot added the customer-reported and needs-triage labels and removed the needs-triage label Jun 24, 2024
isra-fel added the Policy and Service Attention labels and removed the needs-triage label Jun 26, 2024

isra-fel (Member) commented

@mentat9 Hi Chris, making sure you know this. Thanks

mentat9 (Member) commented Jun 27, 2024

This will be fixed in the next Az.Policy release.

mentat9 added a commit to mentat9/azure-powershell that referenced this issue Jun 27, 2024
Azure#25362
Correct/improve some tests

isra-fel (Member) commented

cc @VeryEarly

DFRZ7 (Author) commented Jun 27, 2024

Thank you @mentat9

mentat9 added a commit to mentat9/azure-powershell that referenced this issue Jun 27, 2024
Azure#25362
Correct/improve some tests
VeryEarly added a commit that referenced this issue Jun 28, 2024
* Fix for IcM: https://portal.microsofticm.com/imp/v5/incidents/details/515228129/summary - Policy import - Issue with OP (requires serialization of null values)
Fix for GH issue: #25334
Fix for handling string ID value of -PolicyDefinition parameter to New-AzPolicyAssignment
Fix properties (IAny) dropped from serialization in versioned types
Add explicit -DefinitionVersion parameter to New-AzPolicyAssignment
Add -Scope examples for New-AzPolicyExemption
Add -Tag 'LiveOnly' to tests creating two largest recording files
Complete support for getting and assigning versioned policy definitions and sets
Fix for serialization issue with empty arrays in PolicyParameterObject (reported by Walgreens)
Fix for GH issue: #24971
Fix for IcM: https://portal.microsofticm.com/imp/v5/incidents/details/510594116/summary - Get-AzPolicyExemption requests unnecessary parameter for Get-AzPolicyExemption in v12
Fix for -Scope parameter handling at resource instance level

* Fix for GH issue:
#25362
Correct/improve some tests

* Add setup/cleanup resource to fix a test

* Re-record tests

* Wider fix for property round-trip through Update-
Improve global test cleanup

* Re-record tests

* Fix parameter name for `Get-AzManagementGroup`

* Fix parameter name for `Get-AzManagementGroup`

---------

Co-authored-by: Yabo Hu <yabhu@microsoft.com>