Feature: Add LZ Child MG Flex for ALZ Default Policy Assignments & Ad…

…d Release Checks (#559)

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

.github/pester/release.tests.ps1

@@ -0,0 +1,57 @@
+[CmdletBinding()]
+param (
+  [Parameter(Mandatory = $false)]
+  [string]
+  $versionFilePath = "./version.json"
+)
+
+Describe "version.json file tests" {
+
+  Context "version.json file tests" {
+
+    BeforeAll {
+      $versionFile = Get-Content $versionFilePath -Raw | ConvertFrom-Json
+      $gitRepoLatestTag = git describe --tags --abbrev=0
+      $releaseNotesUrlSplitLast = $versionFile.releaseNotes.Split("/")[-1]
+      $releaseNotesUrlStart = "https://github.com/Azure/alz-bicep/releases/tag/v"
+
+      # Download the previous version.json file from the repo
+      $previousVersionRawUrl = "https://raw.githubusercontent.com/Azure/alz-bicep/$gitRepoLatestTag/version.json"
+      $previousVersionOutputFile = "./previousVersion.json"
+      Invoke-WebRequest -Uri $previousVersionRawUrl -OutFile $previousVersionOutputFile
+      $PreviousVersionFile = Get-Content $previousVersionOutputFile -Raw | ConvertFrom-Json
+    }
+
+    It "version.json file exists" {
+      $versionFile | Should -Not -BeNullOrEmpty
+    }
+
+    It "version.json file contains the required properties" {
+      $versionFile.version | Should -Not -BeNullOrEmpty
+      $versionFile.gitTag | Should -Not -BeNullOrEmpty
+      $versionFile.releaseNotes | Should -Not -BeNullOrEmpty
+      $versionFile.releaseDateTimeUTC | Should -Not -BeNullOrEmpty
+    }
+
+    It "version.json file version property has been updated and increased from the latest git tag" {
+      $versionFile.version | Should -BeGreaterThan $PreviousVersionFile.version
+    }
+
+    It "version.json file gitTag property has been updated and increased from the latest git tag" {
+      $versionFile.gitTag | Should -BeGreaterThan $PreviousVersionFile.gitTag
+    }
+
+    It "version.json file releaseNotes property has been updated and URL last split on / does not match the latest git tag" {
+      $releaseNotesUrlSplitLast | Should -Not -Be $gitRepoLatestTag
+    }
+
+    It "version.json file releaseNotes property is a valid URL and has the correct format" {
+      $versionFile.releaseNotes | Should -BeLike "$releaseNotesUrlStart*"
+    }
+
+    It "version.json file releaseDateTimeUTC property has been updated and UTC time/date stamp if newer than the last value" {
+      $versionFile.releaseDateTimeUTC | Should -BeGreaterThan $PreviousVersionFile.releaseDateTimeUTC
+    }
+
+  }
+}

.github/workflows/code-review.yml

@@ -35,7 +35,7 @@ jobs:
           VALIDATE_YAML: true
           VALIDATE_EDITORCONFIG: true
           # Added exclusion in workflow for generated documentation. PR #304
-          FILTER_REGEX_EXCLUDE: ".*generateddocs/.*.bicep.md"
+          FILTER_REGEX_EXCLUDE: (.*generateddocs/.*.bicep.md$|.*.tests.ps1)
 
   markdown-link-check:
     name: Markdown Link Check

.github/workflows/release-tests.yml

@@ -0,0 +1,41 @@
+name: Pre-Release Tests
+
+on:
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch: {}
+
+jobs:
+  release-tests:
+    name: Pre-Release Tests
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Repo
+        id: checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Pester Tests
+        id: pester
+        if: contains(github.head_ref, 'release')
+        uses: azure/powershell@v1
+        with:
+          inlineScript: |
+            Import-Module Pester -Force
+            $pesterConfiguration = @{
+              Run    = @{
+                Container = New-PesterContainer -Path "./.github/pester/release.tests.ps1"
+                PassThru  = $true
+              }
+              Output = @{
+                Verbosity = 'Detailed'
+              }
+            }
+            $result = Invoke-Pester -Configuration $pesterConfiguration
+            exit $result.FailedCount
+          azPSVersion: "latest"
+
+

infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep

@@ -13,6 +13,9 @@ param parTopLevelManagementGroupSuffix string = ''
 @sys.description('Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.')
 param parPlatformMgAlzDefaultsEnable bool = true
 
+@sys.description('Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or onlone Management Groups.')
+param parLandingZoneChildrenMgAlzDefaultsEnable bool = true
+
 @sys.description('The region where the Log Analytics Workspace & Automation Account are deployed.')
 param parLogAnalyticsWorkSpaceAndAutomationAccountLocation string = 'eastus'
 
@@ -1097,7 +1100,7 @@ module modPolicyAssignmentLzsAuditAppGwWaf '../../../policy/assignments/policyAs
 
 // Modules - Policy Assignments - Corp Management Group
 // Module - Policy Assignment - Deny-Public-Endpoints
-module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicEndpoints.libDefinition.name)) {
+module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicEndpoints.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) {
   scope: managementGroup(varManagementGroupIds.landingZonesCorp)
   name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPublicEndpoints
   params: {
@@ -1113,7 +1116,7 @@ module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/po
 }
 
 // Module - Policy Assignment - Deploy-Private-DNS-Zones
-module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if ((!empty(varPrivateDnsZonesResourceGroupSubscriptionId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployPrivateDNSZones.libDefinition.name))) {
+module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if ((!empty(varPrivateDnsZonesResourceGroupSubscriptionId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployPrivateDNSZones.libDefinition.name)) && parLandingZoneChildrenMgAlzDefaultsEnable) {
   scope: managementGroup(varManagementGroupIds.landingZonesCorp)
   name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployPrivateDnsZones
   params: {
@@ -1290,7 +1293,7 @@ module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments
 }
 
 // Module - Policy Assignment - Deny-Public-IP-On-NIC
-module modPolicyAssignmentLzsCorpDenyPipOnNic '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicIPOnNIC.libDefinition.name)) {
+module modPolicyAssignmentLzsCorpDenyPipOnNic '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicIPOnNIC.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) {
   scope: managementGroup(varManagementGroupIds.landingZonesCorp)
   name: varModuleDeploymentNames.modPolicyAssignmentLzsCorpDenyPipOnNic
   params: {
@@ -1306,7 +1309,7 @@ module modPolicyAssignmentLzsCorpDenyPipOnNic '../../../policy/assignments/polic
 }
 
 // Module - Policy Assignment - Deny-HybridNetworking
-module modPolicyAssignmentLzsCorpDenyHybridNet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyHybridNetworking.libDefinition.name)) {
+module modPolicyAssignmentLzsCorpDenyHybridNet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyHybridNetworking.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) {
   scope: managementGroup(varManagementGroupIds.landingZonesCorp)
   name: varModuleDeploymentNames.modPolicyAssignmentLzsCorpDenyHybridNet
   params: {
@@ -1322,7 +1325,7 @@ module modPolicyAssignmentLzsCorpDenyHybridNet '../../../policy/assignments/poli
 }
 
 // Module - Policy Assignment - Audit-PeDnsZones
-module modPolicyAssignmentLzsCorpAuditPeDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentAuditPeDnsZones.libDefinition.name)) {
+module modPolicyAssignmentLzsCorpAuditPeDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentAuditPeDnsZones.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) {
   scope: managementGroup(varManagementGroupIds.landingZonesCorp)
   name: varModuleDeploymentNames.modPolicyAssignmentLzsCorpAuditPeDnsZones
   params: {

infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md

@@ -9,6 +9,7 @@ Parameter name | Required | Description
 parTopLevelManagementGroupPrefix | No       | Prefix for the management group hierarchy.
 parTopLevelManagementGroupSuffix | No       | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix
 parPlatformMgAlzDefaultsEnable | No       | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.
+parLandingZoneChildrenMgAlzDefaultsEnable | No       | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or onlone Management Groups.
 parLogAnalyticsWorkSpaceAndAutomationAccountLocation | No       | The region where the Log Analytics Workspace & Automation Account are deployed.
 parLogAnalyticsWorkspaceResourceId | No       | Log Analytics Workspace Resource ID.
 parLogAnalyticsWorkspaceLogRetentionInDays | No       | Number of days of log retention for Log Analytics Workspace.
@@ -45,6 +46,14 @@ Management, Identity and Connectivity Management Groups beneath Platform Managem
 
 - Default value: `True`
 
+### parLandingZoneChildrenMgAlzDefaultsEnable
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or onlone Management Groups.
+
+- Default value: `True`
+
 ### parLogAnalyticsWorkSpaceAndAutomationAccountLocation
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
@@ -156,6 +165,9 @@ Set Parameter to true to Opt-out of deployment telemetry
         "parPlatformMgAlzDefaultsEnable": {
             "value": true
         },
+        "parLandingZoneChildrenMgAlzDefaultsEnable": {
+            "value": true
+        },
         "parLogAnalyticsWorkSpaceAndAutomationAccountLocation": {
             "value": "eastus"
         },