Azure Landing Zones Documentation
Home GitHub Issue Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. Azure Landing Zones Documentation
  2. /
  3. Accelerator
  4. /
  5. Starter Modules
  6. /
  7. Terraform - Azure Verified Modules for Platform Landing Zone (ALZ)
  8. /
  9. Options
  10. /
  11. 9 - Change a policy assignment enforcement mode
Edit page

9 - Change a policy assignment enforcement mode

You can change the policy assignment enforcement mode to DoNotEnforce or Disabled for any policy assignment. This is useful if you want to disable a policy assignment for a specific management group.

To do this, you need to add the policy assignment to the policy_assignments_to_modify section of the management_group_settings configuration.

First you need to identify the policy assignment name:

  1. Find the policy assignment you wish to modify in the library
  2. Open the policy assignment file and find the name property and take a note of it.

Next, you need to identify the archetype(s) (management group definitions) that the policy assignment is applied to:

  1. Find the archetype in the library

  2. Open the archetype file and check the policy_assignments property. If the policy assignment is there, then and take a note of the archetype name property.

  3. Open the alz.alz_architecture_definition.json file find the archetype name from the previous step in the archetypes property. Take note of the management group name property.

    If you have updated any management group IDs, then you need to open your customized alz.alz_architecture_definition.json file instead to find the correct management group name.

Now you have the policy assignment name and the management group name, so you can construct the config you need to add. The configuration is structured as follows:

1
2
3
4
5
6
7

"<management-group-name>" = {
  policy_assignments = {
    "<policy-assignment-name>" = {
      enforcement_mode = "<enforcement-mode>"
    }
  }
}
  • <management-group-name> is the name of the management assigned the archetype you identified earlier.
  • <policy-assignment-name> is the name of the policy assignment you identified earlier.
  • <enforcement-mode> is the enforcement mode you want to set. This could be DoNotEnforce or Disabled.

For example, to set the enforcement mode of DDOS protection plan on the connectivity management group add the following section to management_group_settings > policy_assignments_to_modify block setting:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

management_group_settings = {
  ...
  policy_assignments_to_modify = {
    "connectivity" = {
      policy_assignments = {
        "Enable-DDoS-VNET" = {
          enforcement_mode = "DoNotEnforce"
        }
      }
    }
  }
}
gdoc_arrow_left_alt 8 - IP Address Ranges 10 - Remove a policy assignment gdoc_arrow_right_alt