
Wildcard es_root NotScopes #1202

Open
robsissons-contino opened this issue Nov 14, 2024 · 6 comments

Comments

@robsissons-contino
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Raising as a feature request but there may already be a suitable way to achieve this which I haven't come across:

We would like to add a "NotScope" to all policy assignments deployed through es_root to stop them being applied to the sandbox management group.

Currently the only ways I can see to do this would be using either archetype_config_overrides.tf or an extension/exclusion file for es_root.

The downside to either of these approaches is that we would have to list all policy assignments that currently exist in es_root and specify the assignment name in the overrides file. If/when an assignment name is updated in the CAF ES module we would then have to update the overrides.

Is your feature request related to a problem?

Customising Policy management

Describe the solution you'd like

Ideally what I would like is the ability to globally add a NotScope or other attribute to ALL policy assignments through a wildcard either in archetype_config_overrides.tf or an extension archetype file.

Is this possible?

Additional context

@matt-FFFFFF
Member

Hi, have you considered editing the assignment files? You can use templating and supply your own template file variables.

@robsissons-contino
Contributor Author

Can you clarify how you mean to edit the assignment files? I am aware that we can specify new assignment files in our local /lib/ directory but we want to modify settings in assignment files managed by the upstream module.

Regarding templating - can you expand on this? I am aware that we have the option to pass variables to existing assignments but not sure how we would use this method to add a "NotScope" which doesn't appear to accept any variables?

There is mention of 'templating' on this wiki page but the link is broken when trying to find this page:

https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BVariables%5D-template_file_variables

Thanks in advance!

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 Needs attention from the maintainers and removed Needs: Author Feedback labels Nov 21, 2024
@robsissons-contino
Contributor Author

Hi @matt-FFFFFF - are you able to advise on the above?

@MarcelHeek

Just tagging along, as I would like to know some more about the "templating" possibility. Is there some documentation available on how it should be used in the context of this module?

@robsissons-contino
Contributor Author

Hi @matt-FFFFFF - could you clarify your statement regarding editing the assignment files? Interested to see if there is an option I have missed.

@matt-FFFFFF
Member

If you look at this file you will see some templating in action:

  "location": "${default_location}",
  "dependsOn": [],
  "properties": {
    "description": "Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.",
    "displayName": "Audit virtual machines for Trusted Launch support",
    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch",

The default_location and root_scope_resource_id are replaced by the module when the file is read.

You can extend this replacement with the var.template_file_vars.

E.g.

template_file_vars = {
  my_data = "my_value"
}

Then in the policy assignment file (copy it into your custom lib folder), you can edit the values to be static strings or use the ${my_data} value.
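
As an added illustration of the substitution mechanism described in the comment above (this is not the module's own code and was not posted in this thread), the following Python renders a constructed, trimmed copy of an assignment file in which a `notScopes` entry is filled from a variable supplied the way `template_file_vars` would supply it, then checks the result. The variable name `sandbox_mg_id`, the management group ids, and the values in `MODULE_SUPPLIED` are all made up for the example; the real module's substitution code is not reproduced here.

```python
import json
import re

# Matches the ${name} placeholders used in the module's assignment files.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed stand-ins for the values the module injects itself.
MODULE_SUPPLIED = {
    "default_location": "uksouth",
    "root_scope_resource_id": "/providers/Microsoft.Management/managementGroups/contoso",
}

# Constructed id of the sandbox management group we want excluded.
SANDBOX_MG_ID = "/providers/Microsoft.Management/managementGroups/contoso-sandbox"

# Constructed, trimmed assignment file copied into a custom lib folder and
# edited to carry a notScopes entry driven by our own placeholder.
ASSIGNMENT_TEMPLATE = """{
  "name": "Audit-TrustedLaunch",
  "type": "Microsoft.Authorization/policyAssignments",
  "location": "${default_location}",
  "dependsOn": [],
  "properties": {
    "displayName": "Audit virtual machines for Trusted Launch support",
    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch",
    "notScopes": ["${sandbox_mg_id}"],
    "parameters": {},
    "enforcementMode": null
  }
}
"""


def find_placeholders(text):
    """Return the set of placeholder names present in a template."""
    return set(PLACEHOLDER.findall(text))


def render_assignment(template, template_file_vars):
    """Substitute module-supplied and user-supplied values into the template.

    Fails up front if any placeholder has no value, so an assignment never
    reaches the platform with a literal "${...}" left in a scope field.
    """
    variables = {**MODULE_SUPPLIED, **template_file_vars}
    missing = find_placeholders(template) - variables.keys()
    if missing:
        raise KeyError(f"unresolved placeholders: {sorted(missing)}")
    return PLACEHOLDER.sub(lambda m: variables[m.group(1)], template)


def load_rendered(template, template_file_vars):
    """Render and parse the assignment, proving the result is valid JSON."""
    return json.loads(render_assignment(template, template_file_vars))


def not_scopes_of(assignment):
    """notScopes of a rendered assignment (empty list when absent)."""
    return assignment["properties"].get("notScopes", [])


def excludes_scope(assignment, scope_id):
    """True when the assignment explicitly excludes the given scope id."""
    return scope_id in not_scopes_of(assignment)


if __name__ == "__main__":
    rendered = load_rendered(ASSIGNMENT_TEMPLATE, {"sandbox_mg_id": SANDBOX_MG_ID})
    print(json.dumps(rendered, indent=2))
    print("sandbox excluded:", excludes_scope(rendered, SANDBOX_MG_ID))
```

The check in `render_assignment` is the part worth keeping in any local tooling: a placeholder that is never supplied would otherwise survive as a literal string, and a `notScopes` entry that does not match a real management group id silently excludes nothing. Note that this only helps for assignment files you have copied into your own lib folder; it does not give the wildcard across all es_root assignments that the issue asks for.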

@microsoft-github-policy-service microsoft-github-policy-service bot removed the Needs: Attention 👋 Needs attention from the maintainers label Jan 15, 2025
3 participants