-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Inherited custom policy definitions are not available right after management group creation #918
Comments
Hi @magodo , this is primarily because of ARM's cache that keeps the mg information. As for solutions --
Please feel free to let me know if that works. |
@han-msazure Thank you for the quick response! But what do you mean by log in/out if I'm calling the API directly from CLI? |
Hi @magodo. Thank you for getting back. Could you try 'armclient login' or 'armclient clearcache' to refresh the token? |
@han-msazure I'm using Azure SDK and ensure to get a refreshed token before sending the API. I don't think it has something to do with the token. Just want to be clear here is that what we want ultimately is a way to know when can we assign/query policy definitions for the mgmt group after it is created. |
@magodo Please wait for 30mins after the MG is created. |
@han-msazure Is there any official documentation that annouce this limitation, so that we can reference to? |
@magodo We don't have a documentation for this scenario at the moment, but we would definitely improve it in the future. |
@han-msazure Is there any work item/issue that can be tracked? |
@magodo No there isn't. |
Actually we do -- Manage your resources with management groups
|
@han-msazure Thank you for the link! I've locally verified that refreshing the token works! BTW, do you mind share more insight on how this works behind the scenes? I mean there are other azure resources (e.g. keyvault) are suffering ARM caching issues like a LIST on the |
@magodo That would be a better question for key vault team to answer instead of policy or mg team. |
I have a parent mgmt group, in which I have defined a custom policy definition. Then (after waiting for hours), I try to create a child mgmt group:
PUT https://management.azure.com/providers/Microsoft.Management/managementGroups/7d97724c-c7fb-4b22-bbf8-c615fff88efe?api-version=2020-05-01 HTTP/2.0
Wait until the creation LRO finishes:
Additionally, I'll try to
GET
this child mgmt group until it returns 200 (the first several calls will return 403):Right after this, I try to list the policy definitions with in this child mgmt group and expect that the custom policy definition I created above is inherited and included in the list result:
GET https://management.azure.com/providers/Microsoft.Management/managementGroups/7d97724c-c7fb-4b22-bbf8-c615fff88efe/providers/Microsoft.Authorization/policyDefinitions?api-version=2021-06-01 HTTP/2.0
(Also I'll follow the
nextLink
in the response until iteration done)However, the custom policy definition can't be found in the list.
After waiting several minutes and try again, the custom policy definition is included in the list result.
In another try, I directly read the custom policy definition id and assign it to the child mgmt group right after it is created:
PUT https://management.azure.com//providers/Microsoft.Management/managementGroups/e0a965d1-b3e3-48ac-9b66-0793096f4a47/providers/Microsoft.Authorization/policyAssignments/example-policy?api-version=2021-06-01
But it returns:
Similarly, after waiting several minutes and try again, the assignment succeed.
I assume the reason might because there are sync issue between the policy RP and the mgmt group, which means the "creation success" return value from mgmt group doesn't necessarily mean all the inherited custom policy definitions are available in it.
From the client's point of view, is there something we can check to see when do the custom policy definitions are inherited in the child mgmt group? If the only solution for now is just to delay, then is there any official guidance on how long should we wait for?
The text was updated successfully, but these errors were encountered: