Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

v10 - slow exemption performance #580

Closed
roddick-mark opened this issue Apr 23, 2024 · 6 comments
Closed

v10 - slow exemption performance #580

roddick-mark opened this issue Apr 23, 2024 · 6 comments
Assignees
@techlake
Labels
feature request User is suggesting a new feature investigating

Comments

@roddick-mark
Copy link

roddick-mark commented Apr 23, 2024
edited
Loading

Describe the bug
In V10, the plan performance is slow when you have a large number of exemptions against individual resources.
We have around 5k exemptions and still processing after 2 hours.

This looks to be due to a call to Get-AzResource -ResourceId $scope -ErrorAction SilentlyContinue for each exemption against a resource ID.

https://github.com/Azure/enterprise-azure-policy-as-code/blob/7092b094e75b14d802f8623bf2fd3def53b77cb5/Scripts/Helpers/Get-AzPolicyExemptions.ps1#L151C25-L151C100

EPAC Version
10.1.2
@roddick-mark roddick-mark added the bug Something isn't working label Apr 23, 2024
@roddick-mark
Copy link
Author

roddick-mark commented Apr 24, 2024
edited
Loading

could we maybe utilise the deleteOrphanedExemptions switch, so the resource exist check doesn't happen?

@techlake techlake self-assigned this Apr 26, 2024
@techlake techlake added feature request User is suggesting a new feature and removed bug Something isn't working labels Apr 26, 2024
@techlake
Copy link
Contributor

techlake commented Apr 26, 2024
edited
Loading

Not currently, I could see a different kind of switch; (-DoNotValidateExemptedResources); I'll tag your issue as a Feature Request.

As a cybersecurity guy, I think 5000 Exemptions might indicate a different problem (please note that this pure speculation). If you like we could have a private chat, contact me privately (my LinkedIn link is on my GH profile page).

@roddick-mark roddick-mark changed the title v10 - Very slow exemption performance v10 - slow exemption performance Apr 26, 2024
@roddick-mark
Copy link
Author

roddick-mark commented Apr 26, 2024
edited
Loading

@techlake
Regarding the number of exemptions I agree, we have been trying to resolve this with our customer.

Regarding the resource check, is this something that is actually needed in Get-AzPolicyExemptions? Exemptions are child ID's of their resources so by default, if the resource no longer exists, the exemption doesn't either.

@techlake
Copy link
Contributor

Agreed, orthogonal concerns. I'll look into it today or Monday.

@techlake
Copy link
Contributor

techlake commented Apr 29, 2024
edited
Loading

Hi Mark, I have a solution, but need a private test. I sent you a message via LinkedIn.

  • I optimized the retrieval of resource existence - needs a test for a large number of resource-level exemptions
  • I added a switch parameter to Build-DeploymentPlans in case the above isn't enough of a performance gain.

@techlake techlake mentioned this issue May 2, 2024
Merged
@techlake
Copy link
Contributor

techlake commented May 2, 2024

Fixed in v10.2.2

@techlake techlake closed this as completed May 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@techlake techlake

Labels
feature request User is suggesting a new feature investigating
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@techlake @roddick-mark