[Terraform] Check some allow-list before deploying Policy #458

Closed
glennmusa opened this issue Oct 14, 2021 · 2 comments
glennmusa commented Oct 14, 2021

Benefit/Result/Outcome

So that policy assignment doesn't fail if it's not supported in my cloud.

(Originally a part of #454 but broken up so that it's an independent task and can be triaged separately.)

Description

The policy assignment in a Terraform deployment may fail if some of the policies packaged in MLZ are not supported in a given cloud. Perhaps it's a good idea to create some allow-list of environments to compare before attempting to create policy assignments, e.g.:

locals {
  mlz_policy_environments = ["public", "usgovernment"] # terraform azurerm environments where the MLZ policies are supported
}

module "hub-policy-assignment" {
  count = var.create_policy_assignment && contains(local.mlz_policy_environments, lower(var.environment)) ? 1 : 0
}

Acceptance Criteria

  • The Terraform implementation of MLZ only deploys policies into the clouds we know support the policies packaged in MLZ
  • Implement equivalent on Bicep
@brooke-hamilton added bug (Something isn't working) and removed needs triage, bug (Something isn't working) labels Oct 19, 2021
@shawngib self-assigned this Oct 19, 2021
@shawngib

With issue #459 we solved for deployment in different clouds, forcing opt-in. I think in this issue we are doing something that is no longer required, minus some additional documentation verbiage in the readme like 'Policy assignments only supported in Commercial and Government'?

The end goal is not to allow customers to set something like 'enable policies' to true and in the end not have it enabled because hidden logic refuses to make it so, since we can't output 'We didn't do what you asked because it would break!'.

Recommend closing.

@brooke-hamilton

Closing per @shawngib's recommendation.
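
Added example, not from the issue or the MLZ code base: one way to pair the allow-list proposed above with an explicit failure, so that requesting policy assignment in an unsupported cloud stops the plan with a message instead of being skipped silently. It assumes Terraform 1.4 or later (for `terraform_data` and `precondition`); the variable names follow the issue's snippet, while the resource name `policy_environment_guard` and the output are hypothetical.

```hcl
# Added example. Assumes Terraform >= 1.4; names other than the two
# variables and the local from the issue's snippet are hypothetical.
terraform {
  required_version = ">= 1.4.0"
}

variable "environment" {
  type        = string
  description = "azurerm environment name, for example public or usgovernment"
}

variable "create_policy_assignment" {
  type        = bool
  default     = false
  description = "Opt in to deploying the policy assignment"
}

locals {
  # Environments where the packaged policies are known to be supported
  mlz_policy_environments = ["public", "usgovernment"]
  policy_supported        = contains(local.mlz_policy_environments, lower(var.environment))
}

# Guard: only evaluated when the operator opted in. If the target cloud is
# not on the allow-list, plan fails with the message below, so the opt-in is
# never quietly ignored.
resource "terraform_data" "policy_environment_guard" {
  count = var.create_policy_assignment ? 1 : 0

  lifecycle {
    precondition {
      condition     = local.policy_supported
      error_message = "create_policy_assignment is true, but environment '${var.environment}' is not in the supported list: ${join(", ", local.mlz_policy_environments)}."
    }
  }
}

# Records in state and plan output whether the guardrail was requested
# and permitted, which is useful for compliance review.
output "policy_assignment_enabled" {
  value = var.create_policy_assignment && local.policy_supported
}
```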
