global-settings.jsonc deploymentRootScope as subscription #785

Closed
nicholaslanger opened this issue Oct 17, 2024 · 3 comments · Fixed by #796

@nicholaslanger

Hi EPAC folks,

My team is currently attempting to leverage EPAC to deploy and manage policies / sets / assignments in multiple tenants. I'm currently attempting to run the plan script against a dev pacEnvironment defined in my global-settings.jsonc file; however, I'm not sure I want to run it with a root scope of a management group but rather at the subscription level. Is this possible? If so, what format should the deploymentRootScope have in the global-settings.jsonc file?

Let me know what you think. Thanks!

apybar self-assigned this Oct 17, 2024
@apybar
Collaborator

apybar commented Oct 17, 2024

Hey @nicholaslanger

You should be able to update the global-settings to set your deployment root scope at the subscription level. Here is the format for setting your root scopes:

Management Groups:
`/providers/Microsoft.Management/managementGroups/{management-group-name}`

Subscriptions:
`/subscriptions/{subscription-id}`

Resource Groups:
`/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}`

Your global-settings.jsonc should look something like this:

```jsonc
{
    "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/global-settings-schema.json",
    "pacOwnerId": "00000000-0000-0000-0000-000000000000",
    "pacEnvironments": [
        {
            "pacSelector": "epac-dev",
            "cloud": "AzureCloud",
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "deploymentRootScope": "/subscriptions/< YOUR SUBSCRIPTION ID HERE >",
            "desiredState": {
                "strategy": "full",
                "keepDfcSecurityAssignments": false,
                "doNotDisableDeprecatedPolicies": false
            },
            "skipResourceValidationForExemptions": false,
            "managedIdentityLocation": "eastus2"
        }
    ]
}
```
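
A pre-flight check for the three root scope formats listed above, as an added example that is not part of the original comment or of the EPAC project. `Get-RootScopeType`, the selector names other than `epac-dev`, the management group name and the all-zero IDs are hypothetical; the check flags a bare subscription ID that lacks the `/subscriptions/` prefix before the plan script is run.

```powershell
# Added example, not EPAC code: classify deploymentRootScope values and fail early on bad ones.
function Get-RootScopeType {
    param([string] $Scope)   # a missing property arrives as an empty string and is reported Invalid

    # Subscription IDs are GUIDs; switch -Regex matches case-insensitively.
    $guid = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    switch -Regex ($Scope) {
        '^/providers/Microsoft\.Management/managementGroups/[^/\s]+$' { return 'ManagementGroup' }
        "^/subscriptions/${guid}/resourceGroups/[^/\s]+`$"            { return 'ResourceGroup' }
        "^/subscriptions/${guid}`$"                                   { return 'Subscription' }
        default                                                       { return 'Invalid' }
    }
}

# Constructed sample input with placeholder IDs. For a real file, replace the here-string
# with: Get-Content -Raw <path to global-settings.jsonc> (comments need PowerShell 6 or later).
$settings = @'
{
  "pacEnvironments": [
    { "pacSelector": "epac-dev",  "deploymentRootScope": "/subscriptions/00000000-0000-0000-0000-000000000000" },
    { "pacSelector": "epac-test", "deploymentRootScope": "00000000-0000-0000-0000-000000000000" },
    { "pacSelector": "epac-prod", "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/mg-example" }
  ]
}
'@ | ConvertFrom-Json

# One row per pacEnvironment, so the scope type each selector targets is visible at a glance.
$report = foreach ($pacEnv in $settings.pacEnvironments) {
    [pscustomobject]@{
        PacSelector = $pacEnv.pacSelector
        ScopeType   = Get-RootScopeType -Scope $pacEnv.deploymentRootScope
        RootScope   = $pacEnv.deploymentRootScope
    }
}
$report | Format-Table -AutoSize

# Stop before planning if any environment has an unrecognized scope (here: epac-test).
$invalid = @($report | Where-Object ScopeType -eq 'Invalid')
if ($invalid.Count -gt 0) {
    throw ("Invalid deploymentRootScope for: " + ($invalid.PacSelector -join ', '))
}
```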

@nicholaslanger
Author

This worked! Thanks. The docs weren't very clear on the necessary prefix of '/subscriptions/'.

The docs only mention using a management group, so it was hard to determine how to set it.

@apybar
Collaborator

apybar commented Oct 17, 2024

@nicholaslanger - I'll reopen this ticket and will make sure the documentation is updated before I close this.

apybar added the documentation label Oct 17, 2024