From aa06593fa889db1d3ad4c079bf8f5f554c6afd78 Mon Sep 17 00:00:00 2001
From: Glenn Musa <4622125+glennmusa@users.noreply.github.com>
Date: Thu, 14 Oct 2021 09:22:06 +0000
Subject: [PATCH 1/2] default create_policy_assignment to false in tf
---
 src/terraform/mlz/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/terraform/mlz/variables.tf b/src/terraform/mlz/variables.tf
index e8ee28f0b..88a69466c 100644
--- a/src/terraform/mlz/variables.tf
+++ b/src/terraform/mlz/variables.tf
@@ -296,7 +296,7 @@ variable "jumpbox_linux_vm_version" {
 variable "create_policy_assignment" {
   description = "Assign Policy to deployed resources?"
   type = bool
-  default = true
+  default = false
 }
 #################################
From 9cc53d66fb7a847a797970b22da04524726f7b0b Mon Sep 17 00:00:00 2001
From: Glenn Musa <4622125+glennmusa@users.noreply.github.com>
Date: Thu, 14 Oct 2021 09:34:39 +0000
Subject: [PATCH 2/2] update documentation
---
 docs/policies.md | 4 ++--
 src/terraform/README.md | 24 ++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/docs/policies.md b/docs/policies.md
index 07d09e20c..fcf30ba3d 100644
--- a/docs/policies.md
+++ b/docs/policies.md
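Review bot: The `description` of `create_policy_assignment` still reads `Assign Policy to deployed resources?` and does not tell an operator that the NIST 800-53 assignment is now opt-in, nor that the docs (docs/policies.md in the second patch) require a manual follow-up granting each assignment's managed identity Contributor on its resource group. I would change it to `description = "Assign the NIST 800-53 Azure Policy initiative to deployed resources? Defaults to false (opt-in); when true, grant each assignment's managed identity Contributor on its resource group after apply (see docs/policies.md)."` so the variable is self-documenting in `terraform plan` output and module consumers. Flipping a compliance control from on to off by default is a hardening regression for anyone who deploys without reading the docs; the commit message gives no rationale, so a one-line `# Opt-in because the assignment needs a post-apply role grant; see docs/policies.md` comment above the block would record it. The variable block is complete within the hunk.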
@@ -63,12 +63,12 @@ az deployment group create \
 ### Deploying with Terraform
-By default, the Terraform implementaiton at `src/terraform/mlz/main.tf` will assign the NIST 800-53 policies. You can disable this by providing a `false` value to the `create_policy_assignment` variable:
+The Terraform implementaiton at `src/terraform/mlz/main.tf` supports assigning NIST 800-53 policies. You can enable this by providing a `true` value to the `create_policy_assignment` variable:
 ```plaintext
 cd src/terraform/mlz
 terraform init
-terraform apply -var="create_policy_assignment=false"
+terraform apply -var="create_policy_assignment=true"
 ```
 After the resources are deployed, you will need to go into go into each assignment and retrieve the managed identity and modify its role access to contributor scoped to the associated resource group. This is due to the initiative including modify and deploy policies that act on resources, like deploying the require policy guest configuration extensions to VMs.
diff --git a/src/terraform/README.md b/src/terraform/README.md
index 1b5386d11..13ea4c99c 100644
--- a/src/terraform/README.md
+++ b/src/terraform/README.md
@@ -29,6 +29,8 @@ Read on to understand the [prerequisites](#Prerequisistes), how to get started,
 Deploying to a Cloud other than Azure Commercial? This requires updating the `azurerm` provider block `environment` and `metadata_host` values. Checkout the [Deploying to Other Clouds](#Deploying-to-Other-Clouds) documentation.
+Looking to assign Azure Policy? This template supports assigning NIST 800-53 policies. See the [policies documentation](../../docs/policies.md) for more information.
+
 ### Login to Azure CLI
 1. Log in using the Azure CLI
@@ -162,6 +164,28 @@ Here's the docs on `terraform destroy`: