From 42a9ec2d6ea471b91ee66b5e911562bb0c23a86d Mon Sep 17 00:00:00 2001
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com>
Date: Wed, 11 Dec 2024 12:19:37 -0800
Subject: [PATCH] Update exemptions to fix policy assignments. (#186)

## Overview/Summary

Replace this with a brief description of what this Pull Request fixes, changes, etc.

## This PR fixes/adds/changes/removes

1. Update exemptions to fix policy assignments.

### Breaking Changes

1. Need to destroy existing exemptions first. They redeploy the new exemptions.

## Testing Evidence

![image](https://github.com/user-attachments/assets/951d71a3-4192-45ea-ae4a-cf55fc860774)

## As part of this Pull Request I have

- [x] Checked for duplicate [Pull Requests](https://github.com/Azure/alz-terraform-accelerator/pulls)
- [ ] Associated it with relevant [issues](https://github.com/Azure/alz-terraform-accelerator/issues), for tracking and closure.
- [x] Ensured my code/branch is up-to-date with the latest changes in the `main` [branch](https://github.com/Azure/alz-terraform-accelerator/tree/main)
- [x] Performed testing and provided evidence.
- [x] Updated relevant and associated documentation.
---
 .../financial_services_landing_zone/locals.tf | 25 ++++++++++---------
 .../sovereign_landing_zone/locals.tf | 17 +++++++------
 2 files changed, 22 insertions(+), 20 deletions(-)

diff --git a/templates/microsoft_cloud_for_industry/financial_services_landing_zone/locals.tf b/templates/microsoft_cloud_for_industry/financial_services_landing_zone/locals.tf
index 45e5af1..e6448a5 100644
--- a/templates/microsoft_cloud_for_industry/financial_services_landing_zone/locals.tf
+++ b/templates/microsoft_cloud_for_industry/financial_services_landing_zone/locals.tf
@@ -71,27 +71,28 @@ locals {
 locals {
 management_group_resource_id_format = "/providers/Microsoft.Management/managementGroups/%s"
+ root_management_group_id = format(local.management_group_resource_id_format, "${var.default_prefix}${var.default_postfix}")
 confidential_corp_management_group_id = format(local.management_group_resource_id_format, "${var.default_prefix}-landingzones-confidential-corp${var.default_postfix}")
 confidential_online_management_group_id = format(local.management_group_resource_id_format, "${var.default_prefix}-landingzones-confidential-online${var.default_postfix}")
 # Policy exemptions
 default_policy_exemptions = {
- "Confidential-Online-Location-Exemption" = {
- name = "Confidential-Online-Location-Exemption"
- display_name = "Confidential-Online-Location-Exemption"
- description = "Exempt the confidential online management group from the FSI Global location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
+ "Confidential-Online-Data-Residency-Exemption" = {
+ name = "Confidential-Online-Data-Residency-Exemption"
+ display_name = "Confidential-Online-Data-Residency-Exemption"
+ description = "Exempt the confidential online management group from the FSI data residency location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
 management_group_id = local.confidential_online_management_group_id
- policy_assignment_id = "${local.confidential_online_management_group_id}/providers/microsoft.authorization/policyassignments/enforce-fsi-conf"
- policy_definition_reference_ids = ["AllowedLocationsForResourceGroups", "AllowedLocations"]
+ policy_assignment_id = "${local.root_management_group_id}/providers/microsoft.authorization/policyassignments/so-01-data-residency"
+ policy_definition_reference_ids = ["Allowed locations for resource groups", "Allowed locations"]
 exemption_category = "Waiver"
 }
- "Confidential-Corp-Location-Exemption" = {
- name = "Confidential-Corp-Location-Exemption"
- display_name = "Confidential-Corp-Location-Exemption"
- description = "Exempt the confidential corp management group from the FSI Global Policies location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
+ "Confidential-Corp-Data-Residency-Exemption" = {
+ name = "Confidential-Corp-Data-Residency-Exemption"
+ display_name = "Confidential-Corp-Data-Residency-Exemption"
+ description = "Exempt the confidential corp management group from the FSI data residency location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
 management_group_id = local.confidential_corp_management_group_id
- policy_assignment_id = "${local.confidential_corp_management_group_id}/providers/microsoft.authorization/policyassignments/enforce-fsi-conf"
- policy_definition_reference_ids = ["AllowedLocationsForResourceGroups", "AllowedLocations"]
+ policy_assignment_id = "${local.root_management_group_id}/providers/microsoft.authorization/policyassignments/so-01-data-residency"
+ policy_definition_reference_ids = ["Allowed locations for resource groups", "Allowed locations"]
 exemption_category = "Waiver"
 }
 }
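Review bot: Both new exemptions keep `exemption_category = "Waiver"` even though their own description states that the confidential management groups enforce their own location restrictions, which is what Azure Policy's `Mitigated` category expresses; a waiver reads as accepted risk in compliance reporting, while `Mitigated` records that the data-residency control is still enforced by another assignment. The same applies to the two exemptions in sovereign_landing_zone/locals.tf later in this patch. The rewritten `policy_definition_reference_ids` also switch from identifier-style names to display-style strings with spaces, and nothing in the hunk ties them to the `so-01-data-residency` set definition; if they do not match that set's policyDefinitionReferenceId values the apply may fail or, depending on the provider, the exemption may match nothing while still appearing deployed. I would add above the map `# Reference IDs must match the policyDefinitionReferenceId values in the so-01-data-residency policy set definition exactly.` and confirm the match in the plan output before merging. The enclosing locals block starts before this hunk.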
diff --git a/templates/microsoft_cloud_for_industry/sovereign_landing_zone/locals.tf b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/locals.tf
index dafb630..5de2343 100644
--- a/templates/microsoft_cloud_for_industry/sovereign_landing_zone/locals.tf
+++ b/templates/microsoft_cloud_for_industry/sovereign_landing_zone/locals.tf
@@ -27,6 +27,7 @@ locals {
 tenant_id = data.azurerm_client_config.current.tenant_id
 root_parent_management_group_id = var.root_parent_management_group_id == "" ? local.tenant_id : var.root_parent_management_group_id
 management_group_resource_id_format = "/providers/Microsoft.Management/managementGroups/%s"
+ root_management_group_id = format(local.management_group_resource_id_format, "${var.default_prefix}${var.default_postfix}")
 landingzones_management_group_id = module.slz_management_groups.management_group_resource_ids["${var.default_prefix}-landingzones${var.default_postfix}"]
 management_management_group_id = "${var.default_prefix}-platform-management${var.default_postfix}"
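Review bot: The added `root_management_group_id` is assembled by string formatting from the prefix and postfix variables, whereas the sibling `landingzones_management_group_id` on the next context line reads the real resource ID from `module.slz_management_groups.management_group_resource_ids[...]`. A hand-built ID gives the exemptions that reference it no dependency on the management-group module, and any future change to how the module names the root group would leave them pointing at an assignment path that no longer exists, which surfaces only as an apply failure or a silently unenforced exemption. If the module exposes the root group under its name key, `root_management_group_id = module.slz_management_groups.management_group_resource_ids["${var.default_prefix}${var.default_postfix}"]` keeps the two locals consistent; I have not verified that key exists in the module output. The enclosing locals block starts before this hunk and continues past it.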
@@ -326,21 +327,21 @@ locals {
 locals {
 default_policy_exemptions = {
- "Confidential-Online-Location-Exemption" = {
- name = "Confidential-Online-Location-Exemption"
- display_name = "Confidential-Online-Location-Exemption"
+ "Confidential-Online-Global-Location-Exemption" = {
+ name = "Confidential-Online-Global-Location-Exemption"
+ display_name = "Confidential-Online-Global-Location-Exemption"
 description = "Exempt the confidential online management group from the SLZ Global location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
 management_group_id = local.confidential_online_management_group_id
- policy_assignment_id = "${local.confidential_online_management_group_id}/providers/microsoft.authorization/policyassignments/enforce-sovereign-conf"
+ policy_assignment_id = "${local.root_management_group_id}/providers/microsoft.authorization/policyassignments/enforce-sovereign-global"
 policy_definition_reference_ids = ["AllowedLocationsForResourceGroups", "AllowedLocations"]
 exemption_category = "Waiver"
 }
- "Confidential-Corp-Location-Exemption" = {
- name = "Confidential-Corp-Location-Exemption"
- display_name = "Confidential-Corp-Location-Exemption"
+ "Confidential-Corp-Global-Location-Exemption" = {
+ name = "Confidential-Corp-Global-Location-Exemption"
+ display_name = "Confidential-Corp-Global-Location-Exemption"
 description = "Exempt the confidential corp management group from the SLZ Global Policies location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
 management_group_id = local.confidential_corp_management_group_id
- policy_assignment_id = "${local.confidential_corp_management_group_id}/providers/microsoft.authorization/policyassignments/enforce-sovereign-conf"
+ policy_assignment_id = "${local.root_management_group_id}/providers/microsoft.authorization/policyassignments/enforce-sovereign-global"
 policy_definition_reference_ids = ["AllowedLocationsForResourceGroups", "AllowedLocations"]
 exemption_category = "Waiver"
 }
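Review bot: The full assignment path `"${local.root_management_group_id}/providers/microsoft.authorization/policyassignments/enforce-sovereign-global"` is now written out twice in this hunk, once per exemption, and the FSI hunk earlier in the patch repeats `so-01-data-residency` the same way; two hand-typed copies of a security-relevant target ID are a drift risk the next time the assignment is renamed. I would hoist it into one local, `global_location_policy_assignment_id = "${local.root_management_group_id}/providers/microsoft.authorization/policyassignments/enforce-sovereign-global"`, and have both entries use `policy_assignment_id = local.global_location_policy_assignment_id`. Since the map keys and `policy_assignment_id` both change, Terraform will replace these resources; the PR notes the old exemptions must be destroyed first, and it is worth recording in the docs that between destroy and apply the confidential groups are subject to the global location policy, so deployments there may be denied during that window. The enclosing locals block and the map continue past this hunk.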