Azure / terraform-azurerm-caf-enterprise-scale

Azure landing zones Terraform module
https://aka.ms/alz/tf
MIT License
869 stars, 574 forks

Question - How to exclude inheritance of Deploy-Resource-Diag initiative? #466

Closed cmohams9 closed 2 years ago

cmohams9 commented 2 years ago

Description

Is your feature request related to a problem?

I would like to exclude sandbox MG inheriting Deploy-Resource-Diag and some other initiatives. What is the best practice to achieve this?

Describe the solution you'd like

Exclude Sandbox MG from certain policy inheritance

krowlandson commented 2 years ago

Thank you for the question @cmohams9

We generally advise that the top-level Policy Assignments should be applied consistently across all Subscriptions, but to achieve the above we would recommend using policy exemptions.

This won't be possible with the module alone, but can be created in Terraform using the azurerm_management_group_policy_exemption resource assigned to your sandbox management group.

I think this is a better approach than removing the assignments at the intermediate root, and then having to re-assign to the platform, landing-zones and decommissioned management groups.

Hope this helps, but please let us know if you have any further questions regarding this.
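The exemption approach described above, as an added example that is not part of the module or of the thread: a `azurerm_management_group_policy_exemption` scoped to the sandbox management group for the Deploy-Resource-Diag assignment. It assumes the module instance is named `module.enterprise_scale`, that `var.root_id` is the module's `root_id`, and that the management groups follow the module's default `<root_id>` / `<root_id>-sandboxes` naming; the exemption name and expiry date are illustrative.

```hcl
# Added example, not the module's own code. Assumed names: module.enterprise_scale,
# var.root_id, and the default "<root_id>-sandboxes" management group name.

# Intermediate root MG, where the module places the top-level policy assignments.
data "azurerm_management_group" "root" {
  name = var.root_id
}

# Sandbox MG created by the module underneath the intermediate root.
data "azurerm_management_group" "sandboxes" {
  name = "${var.root_id}-sandboxes"
}

# Exempt the sandbox MG (and every subscription beneath it) from the
# Deploy-Resource-Diag assignment. The assignment itself stays at the
# intermediate root, so platform, landing-zones and decommissioned MGs are
# still evaluated and no re-assignment is needed.
resource "azurerm_management_group_policy_exemption" "sandbox_resource_diag" {
  name                = "exempt-sandbox-deploy-resource-diag" # assumed name
  display_name        = "Sandbox exemption: Deploy-Resource-Diag"
  description         = "Sandbox subscriptions are out of scope for diagnostic settings deployment."
  management_group_id = data.azurerm_management_group.sandboxes.id

  # Assignment resource ID: <root MG id>/providers/Microsoft.Authorization/policyAssignments/<assignment name>
  policy_assignment_id = "${data.azurerm_management_group.root.id}/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag"

  # "Waiver" records that the control is knowingly not applied here; use
  # "Mitigated" only when an equivalent control exists for the sandbox scope.
  exemption_category = "Waiver"

  # An expiry forces the exemption to be reviewed instead of living forever
  # (illustrative date; compliance reports flag the scope again once it lapses).
  expires_on = "2025-12-31T23:59:59Z"

  # To exempt only some definitions inside the initiative rather than the whole
  # set, list their policyDefinitionReferenceId values here instead:
  # policy_definition_reference_ids = ["<reference id from the initiative>"]

  # Make sure the MGs and the assignment exist before the exemption is created.
  depends_on = [module.enterprise_scale]
}
```

After `terraform apply`, the sandbox scope shows as "Exempt" rather than "Non-compliant" for this assignment in Azure Policy compliance views, which keeps the exemption visible and auditable rather than silently removing the control.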

cmohams9 commented 2 years ago

Thanks, I will try out the exemption option and get back to you if I have any questions.

Sujith


ghost commented 2 years ago

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 7 days. It will be closed if no further activity occurs within 7 days of this comment.

krowlandson commented 2 years ago

Trigger ADO Sync

ghost commented 2 years ago

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 7 days. It will be closed if no further activity occurs within 7 days of this comment.