How do I exclude specific stacks from auto-attached policies?

Last updated: September 8, 2025

Context

When using the auto-attach feature for policies, you might want to apply a policy to all stacks except for specific ones. While the `autoattach:*` label applies a policy to all stacks, there may be cases where you need to exclude certain stacks from this global policy attachment.

Answer

There are two recommended approaches for handling this scenario:

Option 1: Use Specific Labels

Instead of using `autoattach:*`, create a specific label for the stacks you want to include:

  1. Add a label like `autoattach:security-checks` to your policy

  2. Apply the `security-checks` label to all stacks that should inherit the policy

  3. Skip adding the label to any stacks you want to exclude

Option 2: Use Policy Code Logic

If you prefer using `autoattach:*`, you can add conditional logic within the policy code to exclude specific stacks:

  1. Keep the `autoattach:*` label on your policy

  2. Within the policy code, add conditions to check for specific stack attributes such as:

    • Organization name

    • Stack name

    • Repository

Note: There is currently no built-in way to exclude specific stacks using negative matching in the auto-attach label syntax (such as "autoattach:not(stack_id)"). This limitation exists for security reasons.
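As an added example (not code from the article or from the product documentation it refers to), here is what Option 2 can look like when the policy is written in Rego. It assumes the policy input exposes the stack under `input.spacelift.stack` with `name` and `repository` fields, that the policy evaluates a Terraform plan under `input.terraform.resource_changes`, and that the exclusion lists below are constructed sample values; adjust the paths and values to match the policy type you are writing.

```rego
package spacelift

import future.keywords

# Constructed exclusion lists (assumption: these stack names and
# repositories are illustrative, not values from the article).
excluded_stacks := {"legacy-sandbox", "demo-playground"}
excluded_repositories := {"example-org/archived-infra"}

# Assumed input shape: input.spacelift.stack.name and
# input.spacelift.stack.repository. A stack is excluded when either
# its name or its repository is in the corresponding list.
excluded if input.spacelift.stack.name in excluded_stacks
excluded if input.spacelift.stack.repository in excluded_repositories

# Assumed check: flag any planned resource deletion. Every deny rule
# carries `not excluded`, so excluded stacks receive no denials even
# though the policy is still attached to them via autoattach:*.
deny contains msg if {
	not excluded
	some change in input.terraform.resource_changes
	"delete" in change.change.actions
	msg := sprintf("deletion of %s is not allowed on stack %s",
		[change.address, input.spacelift.stack.name])
}
```

Keeping the exclusion inside the policy rather than in label assignments has a review benefit: the list of exempt stacks is versioned alongside the policy and visible in the same change review, whereas a missing label on a stack is easy to overlook. If the policy has several deny or warn rules, each one needs the `not excluded` condition, so it is worth defining `excluded` once as above and reusing it.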

For more information about policy auto-attachment, you can refer to the official documentation.