`Microsoft.ApiManagement/service/policyRestrictions`: `scope` is the ARM resource ID of an existing policy document (e.g. `${apim.id}/policies/policy`, or the equivalent for an api/operation/product policy). Enum-like values (`'All'`, `'Tenant'`, etc.) and relative paths (`'/policies/policy'`) compile but fail at deploy with `"The specified scope is not supported for policy restriction."`
105
105
106
-
`scope`is a **path to a policy document**, not a free-form enum. `'All'` compiles in Bicep but deployment fails with:
106
+
Inferred from the sibling `SubscriptionContractProperties.scope`in the same definitions file (description says `"Scope like /products/{productId}"` but real examples use full ARM IDs, e.g. `/subscriptions/{sub}/.../service/{name}/products/{id}`). All Microsoft policy-restriction examples use the placeholder string `"Sample Path to the policy document."`, so this is the best inference; verify by deployment. Classic Developer/Premium SKU only.
107
107
108
-
> ValidationError: "The specified scope is not supported for policy restriction."
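Review bot: the two added lines disagree on confidence. The first states as fact that `scope` is the ARM resource ID of an existing policy document and gives `${apim.id}/policies/policy` as the example, while the second says this is inferred from the sibling `SubscriptionContractProperties.scope` and must be verified by deployment. The removed line only documents that `'All'` fails; nothing in the hunk records that the full-ARM-ID form succeeds. Either attach the deployment result that confirmed it or mark the example as unverified in the first line as well, so a reader does not copy an untested value. Also, the "Classic Developer/Premium SKU only" claim has no source attached, and `SubscriptionContractProperties.scope`in is missing a space.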
.squad/agents/securityexpert/history.md: 5 additions & 1 deletion
@@ -19,4 +19,8 @@
19
19
20
20
## Learnings
21
21
22
-
- When using PowerShell transcript/trace logging, always pass `-UseMinimalHeader` to `Start-Transcript` to prevent machine/host environment details from being written to logs.
22
+
-`Start-Transcript -UseMinimalHeader` keeps machine/host details out of logs.
23
+
-**ARM async-operation URLs** (`Azure-AsyncOperation` / `Location`) include `t/c/s/h` query params that act as short-lived bearer credentials. Regex-mask them. <https://learn.microsoft.com/azure/azure-resource-manager/management/async-operations>
24
+
-**`x-ms-routing-request-id`** carries `REGION:UTC:GUID` — mask the whole value, not just the GUID. <https://learn.microsoft.com/azure/azure-resource-manager/management/request-limits-and-throttling>
25
+
-**PowerShell `Start-Transcript` double-emits native stderr** when paired with `2>&1 | Write-Host`. Either regex-mask in `Protect-LogLine` (so both copies get masked) or redirect the child's stderr to a pipe via `System.Diagnostics.Process` so the transcript never sees the raw line. Both layers together = defense in depth.
26
+
-**Do not mask all GUIDs.** Azure built-in role-definition IDs and ARM template hashes are public constants useful for debugging. Anchor secret regex to the path segment, header name, or query-parameter context that makes the value sensitive.
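Review bot: the async-operation and `x-ms-routing-request-id` bullets say "regex-mask" without stating the anchor, which is exactly what the last bullet in this hunk requires (anchor the secret regex to the path segment, header name or query-parameter context). Record the anchor next to each rule: `t`/`c`/`s`/`h` only when they appear as query parameters of an `Azure-AsyncOperation` or `Location` URL, and the `REGION:UTC:GUID` value only when it follows the `x-ms-routing-request-id` header name. Without that, a reader applying the first two bullets is likely to write the over-broad GUID regex the last bullet forbids, and the built-in role-definition IDs it wants preserved get masked anyway.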
Rewrote [tests/integration/all-resource-types/MaskingHelpers.psm1](tests/integration/all-resource-types/MaskingHelpers.psm1) around `System.Diagnostics.Process` with `RedirectStandardOutput/Error = $true` so the child's raw bytes bypass PowerShell's ErrorRecord promotion and never reach the parent transcript. Per-stream `Start-ThreadJob` readers drain into `ConcurrentQueue[string]`s; main runspace polls every 100 ms and emits through `Protect-LogLine`.
167
+
168
+
Breaking signature: helpers now take `-Arguments [string[]]` instead of `-Command [scriptblock]`. All four call sites updated.
169
+
170
+
Gotchas for future PowerShell work:
171
+
172
+
-`Register-ObjectEvent` Action handlers do not drain reliably while the main runspace is in `Start-Sleep`. Use `Start-ThreadJob` (PS 7+) to bypass the engine event pump.
173
+
-`$x = if ($cond) { [List[T]]::new() }` assigns `$null` — PowerShell enumerates the empty list. Use `$x = $null; if ($cond) { $x = ... }`.
174
+
-`ProcessStartInfo.StandardOutputEncoding/StandardErrorEncoding` default to OEM on Windows; force UTF-8 or `az --debug` output mangles.
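Review bot: the 100 ms poll loop as described has no stated final drain. When the child exits, lines can still be sitting in the `Start-ThreadJob` readers or in the `ConcurrentQueue[string]`s, so the entry should say that the helper waits for both reader jobs to reach end-of-stream (`Receive-Job -Wait` or equivalent) and drains each queue once more before returning; otherwise the last stderr lines, which are the ones that carry the error detail, can be dropped before `Protect-LogLine` ever sees them. It would also help to state whether masked stderr is kept on its own stream or merged into stdout, since the `2>&1 | Write-Host` double-emission recorded in the other file is what this rewrite is meant to fix, and a reviewer cannot tell from this entry that the merge no longer happens. The `[List[T]]` gotcha is correct (an empty enumerable unrolls to nothing on output), and the breaking `-Arguments [string[]]` signature change deserves a one-line note on how callers that previously passed a `[scriptblock]` with pipeline logic were migrated.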