Merge branch 'Azure:main' into main

.github/ISSUE_TEMPLATE/Policy_Submission.yml

@@ -0,0 +1,84 @@
+name: Policy Submission
+description: Submit an Azure policy/initiative for Azure Landing Zone
+title: "[Policy]: "
+labels: ["policy"]
+projects: []
+assignees:
+  - springstone
+body:
+  - type: markdown
+    attributes:
+      value: Thanks for taking the time to fill out this policy submission!
+  - type: dropdown
+    id: policytype
+    attributes:
+      label: Policy Definition or Initiative
+      description: Are you proposing a policy definition or initiative definition?
+      options:
+        - Definition
+        - Initiative
+        - Not sure
+      default: 0
+    validations:
+      required: true
+  - type: dropdown
+    id: builtincustom
+    attributes:
+      label: Built-in/Custom
+      description: Is the policy definition or initiative built-in or are you proposing a custom one?
+      options:
+        - Built-in
+        - Custom
+        - Not sure
+      default: 0
+    validations:
+      required: true
+  - type: input
+    id: resourceid
+    attributes:
+      label: Built-in policy definition or initiative ID
+      description: If this is for a built in policy definition or initiative, please provide the resource ID
+      value: "<GUID>"
+    validations:
+      required: false
+  - type: textarea
+    id: description
+    attributes:
+      label: Custom policy definition or initiative description
+      description: If this is a custom policy definition or initiative, please provide a description of what it should do.
+      placeholder: A policy that
+      value: "A policy that does ..."
+    validations:
+      required: true
+  - type: dropdown
+    id: assignmentscope
+    attributes:
+      label: Scope
+      description: What scope (Management Group) should the policy definition or initiative be assigned to?
+      options:
+        - Intermediate Root
+        - Platform
+        - Connectivity
+        - Management
+        - Identity
+        - Landing Zones
+        - Corp
+        - Online
+        - Decommissioned
+        - Sandbox
+        - Multiple / Other
+      default: 0
+    validations:
+      required: true
+  - type: checkboxes
+    id: defaultassignment
+    attributes:
+      label: Default Assignment
+      description: Should the policy definition or initiative be assigned by default to the scope above in Azure Landing Zone?
+      options:
+        - label: "Yes"
+  - type: textarea
+    id: Comments
+    attributes:
+      label: Comments/thoughts
+      description: Do you have any additional comments/thoughts?

.github/actions-pester/PTF-TestPolicies.ps1

@@ -0,0 +1,63 @@
+Import-Module -Name $PSScriptRoot\PolicyPesterTestHelper.psm1 -Force -Verbose
+Import-Module Pester -Force
+
+function RunPester
+{
+    param (
+        [Parameter()]
+        [String]$PolicyTest
+    )
+
+    $pesterConfiguration = @{
+    Run    = @{
+        Container = New-PesterContainer -Path $PolicyTest
+        PassThru  = $true
+    }
+    Output = @{
+        Verbosity = 'Detailed'
+        CIFormat = 'Auto'
+    }
+    }
+    $result = Invoke-Pester -Configuration $pesterConfiguration
+    #exit $result.FailedCount
+}
+
+$ModifiedFiles = @(Get-PolicyFiles -DiffFilter "M")
+if ([String]::IsNullOrEmpty($ModifiedFiles))
+{
+    Write-Warning "These are the modified policies: $($ModifiedFiles)"
+}
+else
+{
+    Write-Warning "There are no modified policies"
+}
+
+$AddedFiles = @(Get-PolicyFiles -DiffFilter "A")
+if ([String]::IsNullOrEmpty($AddedFiles))
+{
+    Write-Warning "These are the added policies: $($AddedFiles)"
+}
+else
+{
+    Write-Warning "There are no added policies"
+}
+
+$ModifiedAddedFiles = $ModifiedFiles + $AddedFiles
+
+$ModifiedAddedFiles | ForEach-Object {
+
+    $PolicyFile = Split-Path $_ -Leaf
+    $PolicyFileClean = $PolicyFile -replace ".json", ""
+
+    $testPath = "tests/policy/$($PolicyFileClean).Tests.ps1"
+
+    if (Test-Path $testPath)
+    {
+        Write-Warning "Running pester tests on $PolicyFileClean"
+        RunPester($testPath)
+    }
+    else
+    {
+        Write-Warning "There are no tests for $PolicyFileClean"
+    }
+}

.github/workflows/test-portal.yml

@@ -25,6 +25,8 @@ env:
   GITHUB_PR_ID: ${{ github.event.pull_request.id }}
   TEMP_SUBSCRIPTIONS_JSON_PATH: "./src/data/subscriptions.json"
   TEMP_DEPLOYMENT_OBJECT_PATH: "./src/data/eslzArm.test.deployment.json"
+  POLICY_DIR: "src/resources/Microsoft.Authorization/policyDefinitions"
+  POLICYSET_DIR: "src/resources/Microsoft.Authorization/policySetDefinitions"  
 
 permissions:
   contents: read
@@ -65,6 +67,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v3
         with:
+          fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha }}
           persist-credentials: false
 
@@ -149,21 +152,10 @@ jobs:
           Update-AzConfig -DisplayBreakingChangeWarning $false
 
       - name: Pester Test for Policies
-        shell: pwsh
-        run: |
-          Import-Module Pester -Force
-          $pesterConfiguration = @{
-            Run    = @{
-              Path = "tests/*.tests.ps1" 
-              PassThru  = $true
-            }
-            Output = @{
-              Verbosity = 'Detailed'
-              CIFormat = 'Auto'
-            }
-          }
-          $result = Invoke-Pester -Configuration $pesterConfiguration
-          exit $result.FailedCount
+        uses: azure/powershell@v1
+        with:
+          inlineScript: ./.github/actions-pester/PTF-TestPolicies.ps1
+          azPSVersion: "latest"
         env:
           SUBSCRIPTION_ID: ${{ secrets.AZURE_POLICY_SUBSCRIPTION1_ID }}
           SUBSCRIPTION2_ID: ${{ secrets.AZURE_POLICY_SUBSCRIPTION2_ID }} #Used for policy tests that require a second subscription (e.g. cross subscription peering)

.github/workflows/update-alz-tools.yml

@@ -81,7 +81,7 @@ jobs:
         run: |
           mapfile -t CHECK_GIT_STATUS < <(git status -s)
           printf "%s\n" "${CHECK_GIT_STATUS[@]}"
-          echo "::set-output name=changes::${#CHECK_GIT_STATUS[@]}"
+          echo "changes=${#CHECK_GIT_STATUS[@]}" >> "$GITHUB_OUTPUT"
 
       - name: Add files, commit and push
         if: steps.git_status.outputs.changes > 0

.github/workflows/update-portal.yml

@@ -80,6 +80,9 @@ jobs:
       - name: Update policies
         run: bicep build ./src/templates/policies.bicep --outfile ./eslzArm/managementGroupTemplates/policyDefinitions/policies.json
 
+      - name: Update policy set definitions (initiatives)
+        run: bicep build ./src/templates/initiatives.bicep --outfile ./eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json
+
       - name: Update roles
         run: bicep build ./src/templates/roles.bicep --outfile ./eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json
 

.github/workflows/wiki-sync.yml

@@ -23,6 +23,9 @@ jobs:
     name: Sync docs/wiki to Wiki
     if: github.repository == 'Azure/Enterprise-Scale' || github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
+    permissions: 
+     contents: write
+
     steps:
       - name: Checkout Source Repo
         uses: actions/checkout@v2

README.md

@@ -1,4 +1,4 @@
-# Enterprise-Scale - Reference Implementation
+# Azure Landing Zones (Enterprise-Scale) - Reference Implementation
 
 [![Average time to resolve an issue](http://isitmaintained.com/badge/resolution/azure/enterprise-scale.svg)](http://isitmaintained.com/project/azure/enterprise-scale "Average time to resolve an issue")
 [![Percentage of issues still open](http://isitmaintained.com/badge/open/azure/enterprise-scale.svg)](http://isitmaintained.com/project/azure/enterprise-scale "Percentage of issues still open")
@@ -11,21 +11,21 @@ To find out more about the Azure landing zones reference implementation, please
 
 ## Objective
 
-The Enterprise-Scale architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture. It will continue to evolve alongside the Azure platform and is ultimately defined by the various design decisions that organizations must make to define their Azure journey.
+The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture. It will continue to evolve alongside the Azure platform and is ultimately defined by the various design decisions that organizations must make to define their Azure journey.
 
-The Enterprise-Scale architecture is modular by design and allows organizations to start with foundational landing zones that support their application portfolios, and the architecture enables organizations to start as small as needed and scale alongside their business requirements regardless of scale point.
+The Azure Landing Zones (Enterprise-Scale) architecture is modular by design and allows organizations to start with foundational landing zones that support their application portfolios, and the architecture enables organizations to start as small as needed and scale alongside their business requirements regardless of scale point.
 
 ![Animated image showing the modularity of Azure landing zones](./docs/wiki/media/ESLZ.gif)
 
 ---
 
-_The Enterprise-Scale architecture represents the strategic design path and target technical state for your Azure environment._
+_The Azure Landing Zones (Enterprise-Scale) architecture represents the strategic design path and target technical state for your Azure environment._
 
 ---
 
 Not all enterprises adopt Azure in the same way, so the Enterprise-Scale architecture may vary between customers. Ultimately, the technical considerations and design recommendations of the Enterprise-Scale architecture may lead to different trade-offs based on the customer's scenario. Some variation is expected, but if core recommendations are followed, the resulting target architecture will put the customer on a path to sustainable scale.
 
-The Enterprise-Scale reference implementations in this repository are intended to support Enterprise-Scale Azure adoption and provides prescriptive guidance based on authoritative design for the Azure platform as a whole.
+The Azure Landing Zones (Enterprise-Scale) reference implementations in this repository are intended to support Enterprise-Scale Azure adoption and provides prescriptive guidance based on authoritative design for the Azure platform as a whole.
 
 | Key customer landing zone requirement | Enterprise-Scale reference implementations |
 |----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@@ -42,26 +42,24 @@ The Enterprise-Scale reference implementations in this repository are intended t
 
 ## Conditions for success
 
-To fully leverage this reference implementation in this repository, readers must have a collaborative engagement with key customer stakeholders across critical technical domains, such as identity, security, and networking. Ultimately, the success of cloud adoption hinges on cross-discipline cooperation within the organization, since key requisite Enterprise-Scale design decisions are cross cutting, and to be authoritative must involve domain Subject Matter Expertise (SME) and stakeholders within the customer. It is crucial that the organization has defined their [Enterprise-Scale Architecture](./docs/EnterpriseScale-Architecture.md) following the design principles and critical design areas.
+To fully leverage this reference implementation in this repository, readers must have a collaborative engagement with key customer stakeholders across critical technical domains, such as identity, security, and networking. Ultimately, the success of cloud adoption hinges on cross-discipline cooperation within the organization, since key requisite Enterprise-Scale design decisions are cross cutting, and to be authoritative must involve domain Subject Matter Expertise (SME) and stakeholders within the customer. It is crucial that the organization has defined their [Azure Landing Zones (Enterprise-Scale) Architecture](./docs/EnterpriseScale-Architecture.md) following the design principles and critical design areas.
 
-It is also assumed that readers have a broad understanding of key Azure constructs and services in order to fully contextualize the prescriptive recommendations contained within Enterprise-Scale.
+It is also assumed that readers have a broad understanding of key Azure constructs and services in order to fully contextualize the prescriptive recommendations contained within Azure Landing Zones (Enterprise-Scale).
 <!--
 ![Enterprise-Scale ](./docs/wiki/media/ES-process.png)
 -->
 
-## Deploying Enterprise-Scale Architecture in your own environment
+## Deploying Azure Landing Zones (Enterprise-Scale Architecture) in your own environment
 
-The Enterprise-Scale architecture is modular by design and allows customers to start with foundational Landing Zones that support their application portfolios, regardless of whether the applications are being migrated or are newly developed and deployed to Azure. The architecture can scale alongside the customer's business requirements regardless of scale point. In this repository we are providing the following five templates representing different scenarios composed using ARM templates.
+The Azure Landing Zones (Enterprise-Scale Architecture) is modular by design and allows customers to start with foundational Landing Zones that support their application portfolios, regardless of whether the applications are being migrated or are newly developed and deployed to Azure. The architecture can scale alongside the customer's business requirements regardless of scale point. In this repository we are providing the following five templates representing different scenarios composed using ARM templates.
 
-| Reference implementation | Description | ARM Template | Link |
-|:-------------------------|:-------------|:-------------|------|
-| Contoso | On-premises connectivity using Azure vWAN |[![Deploy To Azure](https://learn.microsoft.com/en-us/azure/templates/media/deploy-to-azure.svg)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2FeslzArm.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2Feslz-portal.json) | [Detailed description](./docs/reference/contoso/Readme.md) |
-| AdventureWorks | On-premises connectivity with Hub & Spoke  |[![Deploy To Azure](https://learn.microsoft.com/en-us/azure/templates/media/deploy-to-azure.svg)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2FeslzArm.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2Feslz-portal.json) | [Detailed description](./docs/reference/adventureworks/README.md) |
-| WingTip | Azure without hybrid connectivity |[![Deploy To Azure](https://learn.microsoft.com/en-us/azure/templates/media/deploy-to-azure.svg)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2FeslzArm.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2Feslz-portal.json) | [Detailed description](./docs/reference/wingtip/README.md) |
-| Trey Research | On-premises connectivity with Hub and Spoke for small Enterprises | [![Deploy To Azure](https://learn.microsoft.com/en-us/azure/templates/media/deploy-to-azure.svg)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2Fdocs%2Freference%2Ftreyresearch%2FarmTemplates%2Fes-lite.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2Fdocs%2Freference%2Ftreyresearch%2FarmTemplates%2Fportal-es-lite.json) | [Detailed description](./docs/reference/treyresearch/README.md) |
-| Azure Gov | Reference implementation that can be deployed to Azure gov and includes all options in a converged experience | [![Deploy To Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.svg?sanitize=true)](https://portal.azure.us/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2FeslzArm.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2Ffairfaxeslz-portal.json) | N/A
+[![Deploy To Azure](https://learn.microsoft.com/en-us/azure/templates/media/deploy-to-azure.svg)](https://aka.ms/alz/portal)
 
-> The Bicep version is now available in Public Preview here: [https://github.com/Azure/ALZ-Bicep](https://github.com/Azure/ALZ-Bicep)
+You can find all of the implementation options for Azure Landing Zones here: [aka.ms/alz/aac](https://aka.ms/alz/aac#platform)
+
+## Azure Landing Zones Roadmap
+
+The Azure Landing Zones (Enterprise-Scale) architecture is continuously updated to align with advancements in the Azure platform and insights from customer feedback. For detailed information on future updates, please refer to the roadmap at: [Azure Landing Zones Roadmap](https://aka.ms/alz/roadmap)
 
 ## Contributing
 

docs/reference/adventureworks/README.md

@@ -25,10 +25,10 @@ Please refer to the [Enterprise-Scale Landing Zones User Guide](https://github.c
 
 If customer started with a Enterprise-Scale foundation deployment, and if the business requirements changes over time, such as migration of on-premise applications to Azure that requires hybrid connectivity, you will simply create the **Connectivity** Subscription, place it into the **Platform > Connectivity** Management Group and assign Azure Policy for the hub and spoke network topology.
 
-## Pre-requisites
+## Prerequisites
 
-To deploy this ARM template, your user/service principal must have Owner permission at the Tenant root.
-See the following [instructions](../../EnterpriseScale-Setup-azure.md) on how to grant access.
+To deploy this ARM template, there are a number of prerequisites that must be met.
+See [here](../../wiki/Deploying-ALZ-Pre-requisites.md) for more details.
 
 ### Optional prerequisites
 

docs/reference/contoso/Readme.md

@@ -22,10 +22,10 @@ Please refer to [Enterprise-Scale Landing Zones User Guide](https://github.com/A
 
 If customer started with a Enterprise-Scale foundation deployment, and if the business requirements changes over time, such as migration of on-prem applications to Azure that requires hybrid connectivity, you will simply create the **Connectivity** Subscription and place it into the **Platform > Connectivity** Management Group and assign Azure Policy for the VWAN network topology.
 
-## Pre-requisites
+## Prerequisites
 
-To deploy this ARM template, your user/service principal must have Owner permission at the Tenant root.
-See the following [instructions](../../EnterpriseScale-Setup-azure.md) on how to grant access.
+To deploy this ARM template, there are a number of prerequisites that must be met.
+See [here](../../wiki/Deploying-ALZ-Pre-requisites.md) for more details.
 
 ### Optional prerequisites