Terraform module to create policies, with optional creation of assignments and exemptions. The module supports a file-based approach compatible with the default Azure Policy definition files.
Is your feature request related to a problem? Please describe.
It would be helpful to support quite regularly needed arguments from the used resources in the policy assignment submodule.
Describe the solution you'd like
Add an additional parameter called identity to assignments.
As system-assigned MIs are really needed for the policy assignment, the value can be declared as bool.
Describe alternatives you've considered
Implement the identity argument as a block, as in the native assignment, which would also allow referencing the role definition that will be associated with it.
Is your feature request related to a problem? Please describe.
It would be helpful to support quite regularly needed arguments from the used resources in the policy assignment submodule.
Describe the solution you'd like
Add an additional parameter called non_compliance_message to assignments.
Describe the bug
Looking at here it is clear that MG exemptions for MG assignments won't work, as their "path" is not incremental or based on their relation with each other.
To Reproduce/Test
Make an assignment at MG scope and add an exemption for a child MG.
Currently, assignments and exemptions are within one module.
This makes this module very bloated. To increase readability it should be split into two separate submodules.
Is your feature request related to a problem? Please describe.
The configuration file is very big and provides a bad overview.
Describe the solution you'd like
Move to a more file-based approach.
Describe alternatives you've considered
None
Additional context
Instead of maintaining a folder for policies, we should maintain two folders - one for policies and one for initiatives, and one for the assignments (+ exemptions). The policies and initiatives should be per file and the assignments should be concatenated over all files where each file holds an individual list.
Is your feature request related to a problem? Please describe.
The policy set resource supports adding parameter values for each policy reference. The module right now does not.
Describe the solution you'd like
The list of references can probably be adjusted to a list of maps or objects instead of just a list of strings.