Open ekrengel opened 4 years ago
I see two ways to accomplish this in practice:
The latter puts more power in the hands of individual infrastructure devs to override rules, so is not ideal for truly mandatory compliance rules.
But for the majority of "best practices" rules, it seems the ability of the deployment to opt out with a tag like PublicAccessApprovedBy: "Luke Hoban" would be a lot more flexible.
This is partly just a question for what we do for our own (and example) policy packs as best practice. But may play into general features we want to support.
There may be resources we want to exempt from a certain policy. The ability to exempt a resource or stack from a policy should be baked into the configuration schema like we do with enforcement levels.
See relevant Slack convo
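
An added sketch (not part of the original thread, and not the Pulumi policy SDK) of how the two exemption routes discussed here differ in trust: exemptions listed in the policy pack's configuration apply at any enforcement level, while a resource tag such as PublicAccessApprovedBy is honored only for advisory rules. All type, field and function names are hypothetical.

```typescript
// Hypothetical types for illustration; this is not the Pulumi policy SDK.
type EnforcementLevel = "advisory" | "mandatory";

interface Resource {
  urn: string;
  stack: string;
  publicAccess: boolean;
  tags: Record<string, string>;
}

interface PolicyConfig {
  enforcementLevel: EnforcementLevel;
  exemptStacks?: string[];    // assumed schema: exemptions owned by the policy pack
  exemptResources?: string[]; // assumed schema: resource URNs
  optOutTag?: string;         // tag a deployment may set on the resource itself
}

type Decision =
  | { outcome: "pass" }
  | { outcome: "exempt"; via: "config" | "tag"; detail: string }
  | { outcome: "violation"; level: EnforcementLevel; message: string };

function evaluatePublicAccess(r: Resource, cfg: PolicyConfig): Decision {
  if (!r.publicAccess) return { outcome: "pass" };

  // 1. Exemptions in the pack configuration apply at any enforcement level,
  //    because only whoever controls the policy pack can add them.
  if ((cfg.exemptStacks ?? []).indexOf(r.stack) !== -1) {
    return { outcome: "exempt", via: "config", detail: `stack ${r.stack}` };
  }
  if ((cfg.exemptResources ?? []).indexOf(r.urn) !== -1) {
    return { outcome: "exempt", via: "config", detail: r.urn };
  }

  // 2. A tag is written by the deployment author, so it is honored only for
  //    advisory rules and never overrides a mandatory one.
  const approver = cfg.optOutTag ? (r.tags[cfg.optOutTag] ?? "").trim() : "";
  if (approver !== "" && cfg.enforcementLevel === "advisory") {
    return { outcome: "exempt", via: "tag", detail: `approved by ${approver}` };
  }

  const ignored = approver !== "" ? ` (${cfg.optOutTag} tag ignored for mandatory rule)` : "";
  return {
    outcome: "violation",
    level: cfg.enforcementLevel,
    message: `${r.urn} allows public access${ignored}`,
  };
}
```

Recording the `detail` of every exemption in the policy output keeps an audit trail of who approved each opt-out.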