Feature Request - On/Off switch to control policy assignments about terraform-azurerm-caf-enterprise-scale HOT 6 CLOSED

One way to exclude the policy assignments you can remove these lines from here https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/main/modules/archetypes/lib/archetype_definitions/archetype_definition_es_identity.tmpl.json#L4-L7

from terraform-azurerm-caf-enterprise-scale.

Hi,

Is it just the assignments you want to remove, or all policy artefacts?

from terraform-azurerm-caf-enterprise-scale.

I would like to make sure no assignments are done. Right now, the way I am doing it is via archetype_exclusion_es_.tmpl.json files where I have to list every single policy assignments, policy definitions and policy set definitions to exclude.
If I understand things correctly, these will be defined in EPAC... correct?

What if you release new policies or deprecate some of them. I will have to keep updating those exclusions in the JSON file.
It would be simpler if we could have a global switch that disables any kind of policy work in this module so that I can be assured that only EPAC will deploy and manage policies.

from terraform-azurerm-caf-enterprise-scale.

If you want to exclude all policies then use archetype_config_overrides and set the archetype for the management groups to default_empty.

This will mean you only deploy the MG structure.

from terraform-azurerm-caf-enterprise-scale.

OK, I think this could work for us. However, it looks like I would miss out on custom role definitions and any kind of "archetype_config" that could be defined at a later time. Do you foresee any issues there?

from terraform-azurerm-caf-enterprise-scale.

It's only role defs, we don't plan on expanding archetype config beyond its current capabilities.

from terraform-azurerm-caf-enterprise-scale.