Allow defining multiple PAC Selectors for policy exemptions using top-level scopes property

[andersthorbeck]

Is your feature request related to a problem? Please describe.
There should be a way to share policy exemptions across multiple EPAC environments without having to duplicate all the exemption details across multiple files (one per EPAC environment directory).

Describe the solution you'd like
The policy assignments schema scopes property supports specifying the applicable EPAC environments (and scopes therein) using the PAC Selector. It would be great if this were also possible with the exemptions, so that we in a single exemption file could specify exemptions which could apply across multiple EPAC environments.

This does not seem to currently be possible, as the PAC selector can currently only be specifed via the file path:

The pacEnvironment (see global-settings.jsonc) is represented with a folder structure under the folder policyExemptions, such as epac-dev, tenant, ... A missing folder indicates that the pacEnvironment's Exemptions are not managed by this solution. [...]

A typical folder structure might look like this:

Definitions
  policyExemptions
    epac-dev
      <name>.csv of <name>.json
    tenant
      <name>.csv of <name>.json

Describe alternatives you've considered
The current alternative is to duplicate the exemptions across multiple directories, one per applicable EPAC environment, but this is undesirable as it breaks with the DRY principle, and makes it more difficult to get an overview of which exemptions apply where and refactor them later.

Additional context
This is particularly useful in cases where you want to migrate subscriptions from a management group in an older EPAC environment, to a similar management group in a newer EPAC environment, for example for a controlled rollout of a stricter policy regime than you've had thus far.

In such cases, it's good to be able to specify that exemptions scoped to a single subscription, resource group or resource should apply regardless of which of the specified EPAC environments the resource resides within, without having to duplicate the exemption. That way, the exemptions don't get in the way of the migration.

[andersthorbeck]

Duplicating exemptions per EPAC environment is problematic not just because duplication itself is problematic, but also because it leads to a lot of misleading warnings of

WARNING: Exemption entry 0: No assignments found for exemption scope /subscriptions/12345678-abcd-1234-1234-1234567890ab, skipping entry.

or

WARNING: Exemption entry 1: Exemption scope /subscriptions/12345678-abcd-1234-1234-1234567890ab/resourceGroups/my-resource-group not found in current scope tree for root /providers/Microsoft.Management/managementGroups/my-management-group, skipping entry.

in the case where scope your exemptions to subscriptions or resources which (naturally) exist only in one of the two EPAC environments, but which will eventually be moved to the other.

The sanity checks EPAC performs could then supply these warnings only if the scope is not found (or does not have assignments) in any of the specified EPAC environments, and we would have fewer misleading warnings (and thus less warning fatigue).

[andersthorbeck]

The big problem of duplication is that unless you always remember that the exemptions are duplicated, and you need to perform any changes to all the copies of the same exemption files, then you'll soon end up in a situation where your exemptions inadvertently diverge, and have different behaviour in different EPAC environments.

[apybar]

@andersthorbeck - Will discuss with the team internally on this tomorrow and respond by tomorrow afternoon.

[apybar]

@andersthorbeck - We will tag this as an "enhancement - future" item. We agree it needs to be created however there are a lot of updates regarding Policy Exemptions that would need to be done in parallel.