Azure / terraform-azurerm-caf-enterprise-scale

Azure landing zones Terraform module
https://aka.ms/alz/tf
MIT License

Feature Request - Enable override on custom landing zone to Brownfield migration #784

Open cbezenco opened 1 year ago

cbezenco commented 1 year ago


Description

In order to support brownfield solution migration, there is a need to support archetype_config_overrides for custom landing zones.

This will allow customers to create a Staging custom landing zone and deploy the same policy assignments as the root/landing zone where they are enforced, but use the override with 'DoNotEnforce' in the Staging management group.

This approach would simplify and reduce potential errors by avoiding creating / maintaining similar policy assignments.

Is your feature request related to a problem?

The variable "archetype_config_overrides" does not work for management groups specified by the 'custom_landing_zones' input variable as documented here.

Describe the solution you'd like

Enable "archetype_config_overrides" for 'custom_landing_zones'

A potential simple workaround would be to add a Staging management group at the same level as the Landing Zones in the core Management Group IDs.

Additional context
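As an added illustration (not code from the issue or from the module's documentation), this is the shape of configuration the request describes: a custom "Staging" landing zone that reuses the es_landing_zones archetype, next to an archetype_config_overrides entry that switches a policy assignment to DoNotEnforce. Assumptions: root_id is "myorg", the tenant ID is a placeholder, the module version constraint is illustrative, and enforcement_mode is taken to be a map of policy assignment name to bool (false meaning DoNotEnforce); the "Deny-IP-forwarding" assignment name is assumed to belong to the es_landing_zones archetype.

```hcl
module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "~> 4.0" # assumed version constraint

  root_parent_id = "<tenant-id>" # placeholder
  root_id        = "myorg"       # assumed root_id
  root_name      = "My Organisation"

  # Custom landing zone for brownfield staging, parented under the
  # core "landing-zones" management group and reusing its archetype.
  custom_landing_zones = {
    "myorg-staging" = {
      display_name               = "Staging"
      parent_management_group_id = "myorg-landing-zones"
      subscription_ids           = []
      archetype_config = {
        archetype_id   = "es_landing_zones"
        parameters     = {}
        access_control = {}
      }
    }
  }

  archetype_config_overrides = {
    # Overrides keyed on a core management group are honoured today.
    "landing-zones" = {
      archetype_id   = "es_landing_zones"
      parameters     = {}
      access_control = {}
      # assumed attribute shape: assignment name => enforce (false = DoNotEnforce)
      enforcement_mode = {
        "Deny-IP-forwarding" = true
      }
    }
    # What the issue asks for: the same override applied to the custom
    # "staging" key, so the identical assignment is deployed in audit
    # mode there instead of being duplicated as a second assignment.
    # Per the issue, this key is currently not applied by the module.
    "staging" = {
      archetype_id   = "es_landing_zones"
      parameters     = {}
      access_control = {}
      enforcement_mode = {
        "Deny-IP-forwarding" = false
      }
    }
  }
}
```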

gbr759 commented 1 year ago

We do this as part of our standard offering for LZ although in a slightly different structure, I think it should be a standard CAF MG for brownfield migrations. We deploy a "Staging" MG, but as a child of intermediate root. That way the notscopes can be set, and everything applied to "Corp" can be added to the "Staging" MG as audit policies for anything brownfield. This allows for policy fails to be remediated before moving to the MGs where deny policies are set.

mehliku commented 1 year ago

Understood point above, but we have a custom deployment structure, and to be able to use the override function at that level too would be great. This saves creating another policy assignment where I want the enforcement to be set to 'DoNotEnforce'.