Scope '$inheritedDefinitionsScopes' not found in environment about enterprise-azure-policy-as-code HOT 7 CLOSED

________________________________ From: Daniel Zabinski ***@***.***> Sent: Tuesday, October 10, 2023 12:49:51 AM To: Azure/enterprise-azure-policy-as-code ***@***.***> Cc: Subscribed ***@***.***> Subject: [Azure/enterprise-azure-policy-as-code] Scope '$inheritedDefinitionsScopes' not found in environment (Issue #387) I am attempting to build a policy plan for a child Management Group with an initiative assigned that references a custom Policy Definition that exists in the parent Management Group. As an illustration: ROOT MG - policyDef1 | CHILD MG, Definition Root Scope | -policySet, includes policyDef1 The CHILD MG is the Definition Root Scope, and has ROOT MG listed under inheritedDefinitionsScopes When I run build-deploymentplans -PacEnvironmentSelector "CHILD" -DefinitionsRootFolder "./Definitions" -OutputFolder "./Output" I get the error Scope '/providers/Microsoft.Management/managementGroups/ROOT' not found in environment My PacEnvironment is set up as the following: "pacSelector": "CHILD", "cloud": "AzureCloud", "tenantId": "MYTENANT", "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/CHILD", "inheritedDefinitionsScopes": [ "/providers/Microsoft.Management/managementGroups/ROOT" ], "desiredState": { "strategy": "ownedOnly", "includeResourceGroups": false, "excludedScopes": [], "excludedPolicyDefinitions": [], "excludedPolicySetDefinitions": [], "excludedPolicyAssignments": [] I've traced this down and I think this is an issue with the Get-AzScopeTree not taking the inheritedDefinitionsScopes into consideration when it's building the $ScopeTable. The Build-NotScopes -ScopeTable $ScopeTable -ScopeList $customPolicyDefinitionScopes -NotScopeIn $excludedScopesRaw command is passing $customPolicyDefinitionScopes which includes the definition root scope and the inherited definitions scope, but the $ScopeTable from Get-AzScopeTree does not include it so when it's looping through and checking each entry it throws that error. If I remove the inheritedDefinitionsScopes, then I run into the following error much later in processing: Write-Error: \EnterprisePolicyAsCode\8.2.4\internal\functions\Build-PolicySetPolicyDefinitionIds.ps1:45 Line | 45 | $policyId = Confirm-PolicyDefinitionUsedExists ` | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Policy | '/providers/Microsoft.Management/managementGroups/ROOT/providers/Microsoft.Authorization/policyDefinitions/ef14017d-8b46-48a4-ae4a-c5ddb7cc15e6' not found. Write-Error: \EnterprisePolicyAsCode\8.2.4\functions\Build-DeploymentPlans.ps1:124 Line | 124 | Build-PolicySetPlan ` | ~~~~~~~~~~~~~~~~~~~~~ | POLICYSETNAME: One or more invalid Policy entries referenced in Policy Set 'POLICYSETNAME' | from 'POLICYSETNAME.jsonc'. — Reply to this email directly, view it on GitHub<#387> or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACWCJVR3RHXY32TB24LRLQTX6P6H7BFKMF2HI4TJMJ2XIZLTSOBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJLJONZXKZNENZQW2ZNLORUHEZLBMRPXI6LQMWBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTLDTOVRGUZLDORPXI6LQMWSUS43TOVS2M5DPOBUWG44SQKSHI6LQMWVHEZLQN5ZWS5DPOJ42K5TBNR2WLKJTGM3TCNRSHAZTRAVEOR4XAZNFNFZXG5LFUV3GC3DVMWVDCOJTGMYTEMRWGYYKO5DSNFTWOZLSUZRXEZLBORSQ>. You are receiving this email because you are subscribed to this thread. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.