Documentation fails if main and stage are different tenants #1155

@starkilla2003

Description

Describe the bug

When using Build-PolicyDocumentation.ps1 with the -PacSelector parameter in a multi-tenant environment (where each tenant has separate pipelines with isolated access), the script processes all documentation files in the policyDocumentations folder, regardless of the -PacSelector value. This causes authentication failures when a pipeline tries to process documentation for environments it cannot access.

The -PacSelector parameter currently only filters entries within documentAllAssignments in a given file, but does not:

  1. Skip entire documentation files that don't match the selector
  2. Filter documentPolicySets entries based on the selector

This makes it impossible to maintain a single repository with documentation definitions for multiple isolated tenants without implementing workarounds in the pipeline.

To Reproduce

  1. Configure EPAC with two PAC environments in global-settings.jsonc representing separate tenants:
     • stage (Tenant A with Service Connection A)
     • main (Tenant B with Service Connection B)
  2. Create two documentation files in Definitions/policyDocumentations/:
     • stage-documentation.jsonc with "pacEnvironment": "stage"
     • main-documentation.jsonc with "pacEnvironment": "main"
  3. Set up separate Azure DevOps pipelines:
     • Stage pipeline: authenticated to Tenant A only, triggered on stage branch
     • Main pipeline: authenticated to Tenant B only, triggered on main branch
  4. In the stage pipeline, run:
     Build-PolicyDocumentation -PacSelector "stage" -Interactive $false
  5. Observe that the script attempts to process both documentation files, including main-documentation.jsonc, which requires authentication to Tenant B.

Expected behavior

When -PacSelector is specified, the script should:

  1. Skip entire documentation files where none of the pacEnvironment values in documentAllAssignments or documentPolicySets match the selector
  2. Filter documentPolicySets entries to only process entries where pacEnvironment matches the selector (similar to how documentAllAssignments is filtered)
  3. Allow a single documentation file with multiple environments defined, processing only the sections matching the selector

This would enable:

  • Multi-tenant setups with isolated pipelines to use a shared repository
  • Each pipeline to generate documentation only for its accessible tenant
  • Maintaining all documentation definitions in a single file or folder structure without manual file filtering in pipelines

Screenshots

Error output when stage pipeline attempts to process main documentation:

===================================================================================================
Processing documentation definitions in folder './Definitions/policyDocumentations'
===================================================================================================
Number of documentation definition files = 2
Reading and Processing 'main-documentation.jsonc'
The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Wrong cloud or tenant logged in by SPN:
	Required cloud = AzureCloud, tenantId = <tenant-b-id>
	If you are running this script interactive, specify script parameter -Interactive $true.

EPAC Version

Version: 10.12.0

Environment

  • Azure DevOps Pipelines
  • Ubuntu-latest agent
  • PowerShell 7.x
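As an added illustration of the filtering the issue asks for (an editor's sketch, not EPAC code and not a proposed patch): a pre-filter that keeps only documentation files with at least one section targeting the given PacSelector and narrows both documentAllAssignments and documentPolicySets to that environment, so a pipeline with access to one tenant never opens definitions for another. The function name Select-DocumentationForPacSelector and the two sample files are constructed from the reproduction steps above.

```powershell
# Hypothetical pre-filter (not part of EPAC): apply -PacSelector at file level
# and to documentPolicySets, mirroring the existing documentAllAssignments filter.
function Select-DocumentationForPacSelector {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DocumentationFolder,
        [Parameter(Mandatory)] [string] $PacSelector
    )
    $selected = @()
    foreach ($file in Get-ChildItem -Path $DocumentationFolder -Filter '*.jsonc' -File) {
        # PowerShell 7's ConvertFrom-Json tolerates the // comments allowed in .jsonc
        $doc = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json -Depth 100
        # A missing section yields $null, which Where-Object simply passes over.
        $assignments = @($doc.documentAllAssignments | Where-Object { $_.pacEnvironment -eq $PacSelector })
        $policySets  = @($doc.documentPolicySets   | Where-Object { $_.pacEnvironment -eq $PacSelector })
        if ($assignments.Count -eq 0 -and $policySets.Count -eq 0) {
            # Rule 1: no section matches, so the whole file is skipped without any Azure call.
            Write-Verbose "Skipping '$($file.Name)': no section targets PacSelector '$PacSelector'"
            continue
        }
        # Rules 2 and 3: keep the file, but only the sections for this environment.
        $selected += [pscustomobject]@{
            FileName               = $file.Name
            documentAllAssignments = $assignments
            documentPolicySets     = $policySets
        }
    }
    return $selected
}

# Constructed sample folder matching the two files in the reproduction steps.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'policyDocumentations-sample'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
@'
{
  "documentAllAssignments": [ { "pacEnvironment": "stage" } ],
  "documentPolicySets":     [ { "pacEnvironment": "stage" }, { "pacEnvironment": "main" } ]
}
'@ | Set-Content -Path (Join-Path $sample 'stage-documentation.jsonc')
@'
{
  "documentAllAssignments": [ { "pacEnvironment": "main" } ]
}
'@ | Set-Content -Path (Join-Path $sample 'main-documentation.jsonc')

# Running as the stage pipeline would: main-documentation.jsonc is skipped (verbose message),
# and the stage file is returned with a single documentPolicySets entry.
Select-DocumentationForPacSelector -DocumentationFolder $sample -PacSelector 'stage' -Verbose |
    Select-Object FileName, @{ n = 'PolicySetEntries'; e = { $_.documentPolicySets.Count } }
```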
