Use notScopes with alzDefaults not working
msundman78 opened this issue · 1 comment
Let us know the feedback or general question
I wanted to exclude a MgmtGroup using notScopes in the Deploy-ASC-Monitoring alzDefault Policy module by editing:
infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
```json
{
  "name": "Deploy-ASC-Monitoring",
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2019-09-01",
  "properties": {
    "description": "Enable Monitoring in Microsoft Defender for Cloud.",
    "displayName": "Enable Monitoring in Microsoft Defender for Cloud",
    "notScopes": ["/providers/Microsoft.Management/managementGroups/led-sandbox"],
    "parameters": {},
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
    "scope": null,
    "enforcementMode": "Default"
  },
  "location": null,
  "identity": {
    "type": "None"
  }
}
```
However, the notScopes property is passed on to the modPolicyAssignmentIntRootDeployAscMonitoring module in alzDefaultPolicyAssignments.bicep, so I had to also add this line to get it working:
```bicep
parPolicyAssignmentNotScopes: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.notScopes
```
```bicep
// Module - Policy Assignment - Deploy-ASC-Monitoring
module modPolicyAssignmentIntRootDeployAscMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployASCMonitoring.libDefinition.name)) {
  scope: managementGroup(varManagementGroupIds.intRoot)
  name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployAscMonitoring
  params: {
    parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployASCMonitoring.definitionId
    parPolicyAssignmentName: varPolicyAssignmentDeployASCMonitoring.libDefinition.name
    parPolicyAssignmentDisplayName: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.displayName
    parPolicyAssignmentDescription: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.description
    parPolicyAssignmentParameters: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.parameters
    parPolicyAssignmentNotScopes: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.notScopes
    parPolicyAssignmentIdentityType: varPolicyAssignmentDeployASCMonitoring.libDefinition.identity.type
    parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.enforcementMode
    parTelemetryOptOut: parTelemetryOptOut
  }
}
```
Shouldn't this parameter always be passed along to all Policy Assignment modules used by alzDefaults so we only have to edit the parameter files for the policy?
Code of Conduct
- I agree to follow this project's Code of Conduct
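One way to wire `notScopes` through for every default assignment without breaking template files that do not declare the key is to guard the lookup with `contains()` and fall back to an empty array. This is an added example, not code from the ALZ-Bicep repository; it assumes the variables and parameters shown in the issue's snippet (`varPolicyAssignmentDeployASCMonitoring`, `parExcludedPolicyAssignments`, `varManagementGroupIds`, `varModuleDeploymentNames`, `parDisableAlzDefaultPolicies`, `parTelemetryOptOut`) exist in `alzDefaultPolicyAssignments.bicep`, and that `policyAssignmentManagementGroup.bicep` accepts a `parPolicyAssignmentNotScopes` array parameter as it does in the user's working change.

```bicep
// Added example (not from the ALZ-Bicep project): read notScopes from the
// library definition only when the .tmpl.json declares it, so templates that
// omit the key still deploy and the exclusion list is never silently dropped.
// Assumed to exist: varPolicyAssignmentDeployASCMonitoring and the other
// variables/parameters referenced below.
var varDeployAscMonitoringNotScopes = contains(varPolicyAssignmentDeployASCMonitoring.libDefinition.properties, 'notScopes') ? varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.notScopes : []

// Module - Policy Assignment - Deploy-ASC-Monitoring
module modPolicyAssignmentIntRootDeployAscMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployASCMonitoring.libDefinition.name)) {
  scope: managementGroup(varManagementGroupIds.intRoot)
  name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployAscMonitoring
  params: {
    parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployASCMonitoring.definitionId
    parPolicyAssignmentName: varPolicyAssignmentDeployASCMonitoring.libDefinition.name
    parPolicyAssignmentDisplayName: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.displayName
    parPolicyAssignmentDescription: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.description
    parPolicyAssignmentParameters: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.parameters
    // Guarded value: the management-group IDs to exclude, or [] when the
    // template has no notScopes key.
    parPolicyAssignmentNotScopes: varDeployAscMonitoringNotScopes
    parPolicyAssignmentIdentityType: varPolicyAssignmentDeployASCMonitoring.libDefinition.identity.type
    parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.enforcementMode
    parTelemetryOptOut: parTelemetryOptOut
  }
}
```

The guard matters because an assignment whose `notScopes` is dropped at the module boundary is enforced against the excluded management group anyway; after deployment, `az policy assignment show --name Deploy-ASC-Monitoring --scope <intermediate-root-mg-id>` should list the excluded scope under `notScopes`, which is the check to run to confirm the value actually reached Azure.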
Hey @msundman78, I appreciate you bringing this up. However, as alzDefaultPolicyAssignments is our opinionated approach for handling policy for the ALZ architecture and is in alignment with the Enterprise-Scale repo in terms of the assignment scopes, I think we will leave these out for this particular module at this point in time.