Exclude archetype not working for management, connectivity or sandbox

[owejak]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

terraform: 1.0.8

azure provider: 3.0.2

module: 2.3.1

Description

Describe the bug

We are trying to disable some azure policies using the exclude archetype, this applies to the root or our custom landing zones, but doesn't apply to management, connectivity, decommissioned or sandbox

Steps to Reproduce

File is called "archetype_exclusion_decommissioned.json"

{
"exclude_es_decommissioned": {
    "policy_assignments": [
        "Deploy-ASC-Monitoring",
        "Deploy-AzActivity-Log",
        "Deploy-LX-Arc-Monitoring",
        "Deploy-MDFC-Config",
        "Deploy-Resource-Diag",
        "Deploy-VM-Monitoring",
        "Deploy-VMSS-Monitoring",
        "Deploy-WS-Arc-Monitoring"
    ],
    "policy_definitions": [],
    "policy_set_definitions": [],
    "role_definitions": [],
    "archetype_config": {
    "parameters": {},
    "access_control": {}
    }
}
}

This file with Terraform plan

Screenshots

This is what we get when se do exclude_es_root:

This is what we get when planning with exclude_es_decommissioned:

[jtracey93]

Hi @owejak,

These polices are assigned at the intermediate root management group "es_root" so you would need to exclude them from there.

Or use the "notScopes" to exclude those policies from taking effect on the decommissioned management group.

Hope that helps

Thanks

Jack

[jtracey93]

This has been handled over email

[krowlandson]

Trigger ADO Sync