diff --git a/Scripts/Helpers/Build-PolicyPlan.ps1 b/Scripts/Helpers/Build-PolicyPlan.ps1
index b528f8c9..48ff6295 100644
--- a/Scripts/Helpers/Build-PolicyPlan.ps1
+++ b/Scripts/Helpers/Build-PolicyPlan.ps1
@@ -49,12 +49,13 @@ function Build-PolicyPlan {
  $definitionProperties = Get-PolicyResourceProperties -PolicyResource $definitionObject
  $name = $definitionObject.name
-
+ $id = "$deploymentRootScope/providers/Microsoft.Authorization/policyDefinitions/$name"
  $displayName = $definitionProperties.displayName
  $description = $definitionProperties.description
  $metadata = Get-DeepCloneAsOrderedHashtable $definitionProperties.metadata
  $mode = $definitionProperties.mode
+ $version = $definitionProperties.version
  $parameters = $definitionProperties.parameters
  $policyRule = $definitionProperties.policyRule
  if ($null -ne $metadata) {
@@ -114,6 +115,7 @@ function Build-PolicyPlan {
  displayName = $displayName
  description = $description
  mode = $mode
+ version = $version
  metadata = $metadata
  parameters = $parameters
  policyRule = $policyRule
@@ -193,7 +195,7 @@ function Build-PolicyPlan {
  Write-Information "New '$($displayName)'"
  }
  }
-
+
  $strategy = $PacEnvironment.desiredState.strategy
  foreach ($id in $deleteCandidates.Keys) {
diff --git a/Scripts/Helpers/Build-PolicySetPlan.ps1 b/Scripts/Helpers/Build-PolicySetPlan.ps1
index 57e9e183..c9989287 100644
--- a/Scripts/Helpers/Build-PolicySetPlan.ps1
+++ b/Scripts/Helpers/Build-PolicySetPlan.ps1
@@ -49,6 +49,7 @@ function Build-PolicySetPlan {
  $displayName = $definitionProperties.displayName
  $description = $definitionProperties.description
  $metadata = Get-DeepCloneAsOrderedHashtable $definitionProperties.metadata
+ $version = $definitionProperties.version
  $parameters = $definitionProperties.parameters
  $policyDefinitions = $definitionProperties.policyDefinitions
  $policyDefinitionGroups = $definitionProperties.policyDefinitionGroups
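Review bot: `$version = $definitionProperties.version` is read and then written into the plan entry unconditionally (the `version = $version` line in the second Build-PolicyPlan hunk, and likewise the two Build-PolicySetPlan hunks below), so a definition file that has no `version` field carries a `$null` value into the plan. Whether that ends up as a literal `"version": null` in the request sent to Azure depends on how the plan is serialized later, which is outside this diff; if nulls are not dropped there, the deployment may be rejected or the property silently ignored, and it would be worth confirming. Adding the key only when a value exists, e.g. `if ($null -ne $version) { $definitionEntry.version = $version }` placed after the hashtable literal (`$definitionEntry` standing for whatever the hashtable is assigned to), keeps versionless definitions byte-identical to today's plan output. A one-line comment on the new `$version` assignment noting that this value is what Confirm-PolicyDefinitionsInPolicySetMatch compares against the policy set's `definitionVersion` would help the next reader see why it was added. The enclosing function starts and ends outside these hunks.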
@@ -182,6 +183,7 @@ function Build-PolicySetPlan {
  displayName = $displayName
  description = $description
  metadata = $metadata
+ version = $version
  parameters = $parameters
  policyDefinitions = $policyDefinitionsFinal
  policyDefinitionGroups = $policyDefinitionGroupsFinal
diff --git a/Scripts/Helpers/Confirm-PolicyDefinitionsInPolicySetMatch.ps1 b/Scripts/Helpers/Confirm-PolicyDefinitionsInPolicySetMatch.ps1
index 370c9b45..5c4be8ed 100644
--- a/Scripts/Helpers/Confirm-PolicyDefinitionsInPolicySetMatch.ps1
+++ b/Scripts/Helpers/Confirm-PolicyDefinitionsInPolicySetMatch.ps1
@@ -28,8 +28,8 @@ function Confirm-PolicyDefinitionsInPolicySetMatch {
  return $false
  }
  for ($i = 0; $i -le $Object1.Count; $i++) {
- $item1 = $Object1[$i]
- $item2 = $Object2[$i]
+ $item1 = $Object1[$i] # this is the Azure Policy definition set
+ $item2 = $Object2[$i] # this is the local policy definition set
  if ($item1 -ne $item2) {
  $policyDefinitionReferenceIdMatches = $item1.policyDefinitionReferenceId -eq $item2.policyDefinitionReferenceId
  if (!$policyDefinitionReferenceIdMatches) {
@@ -39,24 +39,15 @@ function Confirm-PolicyDefinitionsInPolicySetMatch {
  if (!$policyDefinitionIdMatches) {
  return $false
  }
- if ($null -ne $item2.definitionVersion) {
- # ignore auto-generated definitionVersion, only compare if Policy definition entry has a definitionVersion
- $deployedPolicyDefinitionVersion = $Definitions[$item1.policyDefinitionId].properties.version
- if ($null -eq $deployedPolicyDefinitionVersion) {
- # Custom policy definition - version is in a different place
- $deployedPolicyDefinitionVersion = $Definitions[$item1.policyDefinitionId].metadata.version
- }
- # $definitionVersionMatches = $item1.definitionVersion -eq $item2.definitionVersion
- # if (!$definitionVersionMatches) {
- # return $false
- # }
- $definitionVersionMatches = Compare-SemanticVersion -Version1 $deployedPolicyDefinitionVersion -Version2 $item2.definitionVersion
- if ($definitionVersionMatches -ne 0) {
- Write-Verbose "Definition Id: $($item1.policyDefinitionId)"
- Write-Verbose "DefinitionVersion does not match: Azure: $deployedPolicyDefinitionVersion, Local: $($item2.definitionVersion)"
- return $false
- }
+
+ # Validate the Azure definitionVersion with the local definitionVersion, if the local definitionVersion doesn't exist and the Azure definitionVersion is not equal to latest policy version then return false
+ $definitionVersionMatches = Compare-SemanticVersion -Version1 $($item1.definitionVersion ?? $Definitions[$item1.policyDefinitionId].properties.version ?? '1.*.*') -Version2 $($item2.definitionVersion ?? $Definitions[$item1.policyDefinitionId].properties.version ?? '1.*.*')
+ if ($definitionVersionMatches -ne 0) {
+ Write-Verbose "Definition Id: $($item1.policyDefinitionId)"
+ Write-Verbose "DefinitionVersion does not match: Azure: $($item1.definitionVersion), Local: $($item2.definitionVersion)"
+ return $false
  }
+
  $groupNames1 = $item1.groupNames
  $groupNames2 = $item2.groupNames
  if ($null -eq $groupNames1 -and $null -eq $groupNames2 -and $i -eq $Object1.Count) {
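Review bot: The new mismatch `Write-Verbose` line prints the raw `$item1.definitionVersion` and `$item2.definitionVersion` rather than the values actually passed to Compare-SemanticVersion, so in precisely the case the `??` chain exists for (one side null and resolved from `$Definitions[...].properties.version` or `'1.*.*'`) the log shows an empty string on that side and the cause of the reported drift is invisible; resolving both sides into named variables before the call fixes the message and removes the duplicated `$Definitions[$item1.policyDefinitionId]` lookup. Two behavioural points worth confirming against a real tenant: the removed branch fell back to `$Definitions[...].metadata.version` for custom definitions whose version is not under `properties`, whereas the new code goes straight to `'1.*.*'`, so already-deployed custom definitions that only carry a metadata version will now be compared against the wildcard unless Compare-SemanticVersion treats `*` as matching. Likewise, where Azure populates `definitionVersion` on its side while the local entry omits it, the comparison is no longer skipped as the removed `if ($null -ne $item2.definitionVersion)` guard did, which could flag a mismatch (and a redeploy) on every run. `??` requires PowerShell 7, which is fine if that is the project's floor but would break on Windows PowerShell 5.1. The loop body containing this block starts and ends outside the hunk.
```powershell
# … unchanged: policyDefinitionId check …
$deployedVersion = $Definitions[$item1.policyDefinitionId].properties.version
$azureDefinitionVersion = $item1.definitionVersion ?? $deployedVersion ?? '1.*.*'
$localDefinitionVersion = $item2.definitionVersion ?? $deployedVersion ?? '1.*.*'
$definitionVersionMatches = Compare-SemanticVersion -Version1 $azureDefinitionVersion -Version2 $localDefinitionVersion
if ($definitionVersionMatches -ne 0) {
    Write-Verbose "Definition Id: $($item1.policyDefinitionId)"
    Write-Verbose "DefinitionVersion does not match: Azure: $azureDefinitionVersion, Local: $localDefinitionVersion"
    return $false
}
# … unchanged: groupNames comparison …
```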
@@ -79,7 +70,7 @@ function Confirm-PolicyDefinitionsInPolicySetMatch {
  return $false
  }
  }
-
+
  $parametersUsageMatches = Confirm-ParametersUsageMatches `
  -ExistingParametersObj $item1.parameters `
  -DefinedParametersObj $item2.parameters `