Deployment Approval Overview
Under certain conditions, a Template can require approval to be deployed. The conditions are listed below:
- Where a Template has Approval Required switched on:
  This would happen if the Template was deploying something of consequence, such as an expensive resource, an AWS account or similar.
  Where this is switched on, every deployment of this Template would require approval by a user with permission to approve Templates. This is currently a Tenant admin or an Organization admin.
- Where a Template fails organization policy checks:
  Policies are set per Target type. When the plan for the Deployment has been created, it is processed by Open Policy Agent to check whether it violates any policies. If it does, it is added to the approval queue for administrator approval.
- Where the monthly deployed cost is over a certain threshold:
  A threshold can be set on the Tenant level such that any Deployments that will exceed this monthly cost will be directed for Tenant admin approval.
The Approvals console is where approvals are managed; administrators have access to this console. Check out Deployment Approval Administration for more information.
Check out OPA Scan Policies Overview for information on policy definitions.