Adding Azure policy exemptions to the deny assignment #3586
Which issue this PR addresses:
Fixes https://issues.redhat.com/browse/XCMSTRAT-681
What this PR does / why we need it:
Currently, customers that need to submit Azure policy exemptions in the ARO resource group are unable to, as they're blocked by the deny assignment. For instance, many have an Azure Policy that states "Storage accounts should disable public network access", but are blocked from applying an exemption to that policy in Azure Policy. For some, doing so is needed for compliance.
Test plan for issue:
I'm unsure how we can properly test the deny assignment prior to pushing this change.
Is there any documentation that needs to be updated for this PR?
No
How do you know this will function as expected in production?
This change is just scoped to policyExemptions
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure#required-permissions