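function Update-PolicyAssignmentExclusionList {
    <#
    .SYNOPSIS
        Adds a resource group to, or removes it from, the NotScopes (exclusion) list of a
        subscription-scoped Azure policy assignment.
    .DESCRIPTION
        Looks up the policy assignment by name at the current subscription scope, adds or
        removes the resource group's scope in Properties.NotScopes, and writes the assignment
        back with Set-AzPolicyAssignment. Resources under an excluded scope are no longer
        evaluated by the assignment, so the write is gated by ShouldProcess and can be
        previewed with -WhatIf or prompted with -Confirm.
        Adding a resource group that is already excluded does not create a duplicate entry;
        removing one that is not excluded leaves the list unchanged (the assignment is still
        written back, as in the original behaviour).
    .PARAMETER PolicyAssignmentName
        Name of the policy assignment at the current subscription scope.
    .PARAMETER ResourceGroupName
        Name of the resource group whose scope is added to or removed from NotScopes.
    .PARAMETER Action
        "add" to exclude the resource group, "remove" to re-include it (case-insensitive;
        any other value is rejected by parameter validation).
    .OUTPUTS
        Whatever Set-AzPolicyAssignment returns for the updated assignment; nothing on error.
    .NOTES
        Missing context, unknown assignment and unknown resource group are reported with
        Write-Error, which is non-terminating unless the caller uses -ErrorAction Stop.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$PolicyAssignmentName,
        [Parameter(Mandatory = $true)]
        [string]$ResourceGroupName,
        [Parameter(Mandatory = $true)]
        [ValidateSet("add", "remove")]
        [string]$Action
    )

    # Resolve the subscription once. Without a context the original code built a
    # malformed "/subscriptions/" scope and carried on; fail early instead.
    $Context = Get-AzContext
    if (-not $Context -or -not $Context.Subscription) {
        Write-Error "No Azure context is available. Run Connect-AzAccount first."
        return
    }
    $SubscriptionId = $Context.Subscription.Id
    $PolicyScope = "/subscriptions/$SubscriptionId"

    # Get the policy assignment by name
    $PolicyAssignment = Get-AzPolicyAssignment -Scope $PolicyScope |
        Where-Object { $_.Name -eq $PolicyAssignmentName }
    if (-not $PolicyAssignment) {
        Write-Error "Policy assignment '$PolicyAssignmentName' does not exist."
        return
    }

    # Get the resource group to modify (existence check only)
    $ResourceGroup = Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue
    if (-not $ResourceGroup) {
        Write-Error "Resource group '$ResourceGroupName' does not exist."
        return
    }
    $ResourceGroupScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName"

    # Normalise the existing exclusion list to a real array. NotScopes may be $null, and
    # "+=" on $null yields a bare string rather than a one-element array, which would then
    # be written back as a scalar.
    $ExclusionList = @($PolicyAssignment.Properties.NotScopes |
        Where-Object { -not [string]::IsNullOrEmpty($_) })

    # Add or remove the resource group scope. -notcontains / -ne are case-insensitive,
    # matching how the original compared scope strings.
    if ($Action -eq "add") {
        if ($ExclusionList -notcontains $ResourceGroupScope) {
            $ExclusionList += $ResourceGroupScope
        }
    } else {
        $ExclusionList = @($ExclusionList | Where-Object { $_ -ne $ResourceGroupScope })
    }

    # The write changes which resources the policy evaluates; honour -WhatIf / -Confirm.
    if (-not $PSCmdlet.ShouldProcess($PolicyAssignmentName, "$Action exclusion for resource group '$ResourceGroupName'")) {
        return
    }

    # Update the policy assignment with the new exclusion list.
    # NotScopes does not update if value is not provided: when the list is empty an
    # explicit empty array must be written rather than $null.
    if ($ExclusionList.Count -eq 0) {
        $PolicyAssignment.Properties.NotScopes = @()
    } else {
        $PolicyAssignment.Properties.NotScopes = $ExclusionList
    }

    # Update the policy assignment
    $PolicyAssignment | Set-AzPolicyAssignment
}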