Adding fixes (#570)

Azure · Apr 18, 2024 · 251f98d · 251f98d
1 parent b7c40ba
commit 251f98d
Show file tree

Hide file tree

Showing 18 changed files with 956 additions and 682 deletions.
diff --git a/Docs/Images/createGHBranch.jpg b/Docs/Images/createGHBranch.jpg
diff --git a/Docs/Images/releases.jpg b/Docs/Images/releases.jpg
diff --git a/Docs/Images/samplePRNotes.jpg b/Docs/Images/samplePRNotes.jpg
diff --git a/Docs/policy-exemptions.md b/Docs/policy-exemptions.md
diff --git a/Docs/settings-global-setting-file.md b/Docs/settings-global-setting-file.md
@@ -96,6 +96,8 @@ EPAC has a concept of an environment identified by a string (unique per reposito
   - `managedTenant`: Used when the `pacEnvironment` is in a lighthouse managed tenant, [see this example](#example-for-lighthouse-manged-tenant) It must contain:
     - `managingTenantId` - The tenantId of the managing tenant.
     - `managingTenantRootScope` - An array of all subscriptions that will need `additionalRoleAssignments` deployed to them.
+- `defaultContext`: In rare cases (typicaslly only when deploying to a lighthouse managed tenant) the default context (Get-azContext) of a user/SPN running a plan will  
+be set to a suscription where that user/SPN does not have sufficient priveleges.  Some checks have been built in so that in some cases when this happens EPAC is able to fix the context issue.  When it is not, a `defaultContext` subscription name must be provided.  This can be any subscription within the `deploymentRootScope`.
 
 ### DeployIfNotExists and Modify Policy Assignments need `managedIdentityLocation`
 

diff --git a/Schemas/global-settings-schema.json b/Schemas/global-settings-schema.json
@@ -48,6 +48,9 @@
                         "deploymentRootScope": {
                             "type": "string"
                         },
+                        "defaultContext": {
+                            "type": "string"
+                        },
                         "globalNotScopes": {
                             "type": "array",
                             "items": [

diff --git a/Scripts/Deploy/Build-DeploymentPlans.ps1 b/Scripts/Deploy/Build-DeploymentPlans.ps1
@@ -76,7 +76,7 @@ Clear-Variable -Name epacInfoStream -Scope global -Force -ErrorAction SilentlyCo
 $InformationPreference = "Continue"
 
 $pacEnvironment = Select-PacEnvironment $PacEnvironmentSelector -DefinitionsRootFolder $DefinitionsRootFolder -OutputFolder $OutputFolder -Interactive $Interactive
-$null = Set-AzCloudTenantSubscription -Cloud $pacEnvironment.cloud -TenantId $pacEnvironment.tenantId -Interactive $pacEnvironment.interactive
+$null = Set-AzCloudTenantSubscription -Cloud $pacEnvironment.cloud -TenantId $pacEnvironment.tenantId -Interactive $pacEnvironment.interactive -DeploymentDefaultContext $pacEnvironment.defaultContext
 
 # Telemetry
 if ($pacEnvironment.telemetryEnabled) {
@@ -177,7 +177,10 @@ elseif (!(Test-Path $policyExemptionsFolderForPacEnvironment -PathType Container
     $exemptionsAreNotManagedMessage = "Policy Exemptions folder '$policyExemptionsFolderForPacEnvironment' for PaC environment $($pacEnvironment.pacSelector) not found. Exemptions not managed by this EPAC instance."
     $exemptionsAreManaged = $false
 }
-if ($BuildExemptionsOnly) {
+$localBuildExemptionsOnly = $BuildExemptionsOnly
+# $localBuildExemptionsOnly = $true
+# $VerbosePreference = "Continue"
+if ($localBuildExemptionsOnly) {
     $null = $warningMessages.Add("Building only the Exemptions plan. Policy, Policy Set, and Assignment plans will not be built.")
     if ($exemptionsAreManaged) {
         $buildSelections.buildPolicyExemptions = $true

diff --git a/Scripts/Deploy/Deploy-PolicyPlan.ps1 b/Scripts/Deploy/Deploy-PolicyPlan.ps1
@@ -64,7 +64,7 @@ Clear-Variable -Name epacInfoStream -Scope global -Force -ErrorAction SilentlyCo
 
 $InformationPreference = "Continue"
 $pacEnvironment = Select-PacEnvironment $PacEnvironmentSelector -DefinitionsRootFolder $DefinitionsRootFolder -InputFolder $InputFolder -Interactive $Interactive
-$null = Set-AzCloudTenantSubscription -Cloud $pacEnvironment.cloud -TenantId $pacEnvironment.tenantId -Interactive $pacEnvironment.interactive
+$null = Set-AzCloudTenantSubscription -Cloud $pacEnvironment.cloud -TenantId $pacEnvironment.tenantId -Interactive $pacEnvironment.interactive -DeploymentDefaultContext $pacEnvironment.defaultContext
 $throttleLimit = $VirtualCores * 2
 
 # Telemetry

diff --git a/Scripts/Deploy/Deploy-RolesPlan.ps1 b/Scripts/Deploy/Deploy-RolesPlan.ps1
@@ -56,7 +56,7 @@ Clear-Variable -Name epacInfoStream -Scope global -Force -ErrorAction SilentlyCo
 
 $InformationPreference = "Continue"
 $pacEnvironment = Select-PacEnvironment $PacEnvironmentSelector -DefinitionsRootFolder $DefinitionsRootFolder -InputFolder $InputFolder  -Interactive $Interactive
-$null = Set-AzCloudTenantSubscription -Cloud $pacEnvironment.cloud -TenantId $pacEnvironment.tenantId -Interactive $pacEnvironment.interactive
+$null = Set-AzCloudTenantSubscription -Cloud $pacEnvironment.cloud -TenantId $pacEnvironment.tenantId -Interactive $pacEnvironment.interactive -DeploymentDefaultContext $pacEnvironment.defaultContext
 
 # Telemetry
 if ($pacEnvironment.telemetryEnabled) {

diff --git a/Scripts/Helpers/Build-AssignmentDefinitionAtLeaf.ps1 b/Scripts/Helpers/Build-AssignmentDefinitionAtLeaf.ps1
@@ -611,7 +611,7 @@ function Build-AssignmentDefinitionAtLeaf {
                         $requiredRoleAssignment = $null
                         if ($additionalRoleAssignment.crossTenant -eq $true) {
                             $requiredRoleAssignment = @{
-                                scope            = $scopeEntry.scope
+                                scope            = $additionalRoleAssignment.scope
                                 roleDefinitionId = $roleDefinitionId
                                 roleDisplayName  = $roleDisplayName
                                 description      = "Policy Assignment '$id': additional cross tenant Role Assignment deployed by: '$($PacEnvironment.deployedBy)'"
@@ -620,7 +620,7 @@ function Build-AssignmentDefinitionAtLeaf {
                         }
                         else {
                             $requiredRoleAssignment = @{
-                                scope            = $scopeEntry.scope
+                                scope            = $additionalRoleAssignment.scope
                                 roleDefinitionId = $roleDefinitionId
                                 roleDisplayName  = $roleDisplayName
                                 description      = "Policy Assignment '$id': additional Role Assignment deployed by: '$($PacEnvironment.deployedBy)'"

diff --git a/Scripts/Helpers/Build-AssignmentPlan.ps1 b/Scripts/Helpers/Build-AssignmentPlan.ps1
@@ -281,7 +281,7 @@ function Build-AssignmentPlan {
                     -ReplacedAssignment $false `
                     -DeployedRoleAssignmentsByPrincipalId $deployedRoleAssignmentsByPrincipalId
                 if ($identityStatus.requiresRoleChanges) {
-                    $null = $RoleAssignments.removed.AddRange($identityStatus.added)
+                    $null = $RoleAssignments.removed.AddRange($identityStatus.removed)
                     $RoleAssignments.numberOfChanges += ($identityStatus.numberOfChanges)
                 }
                 if ($identityStatus.isUserAssigned) {