Patch policy library for Azure China #253

faister · 2022-06-01T06:20:59Z

Overview/Summary

This PR ensures policy definitions/policy set definitions along with policy assignments all work in Azure China. Internal SE backlog item here. This is because there are some policy definition differences in China especially wrt to the MS Defender for Cloud policies, hence there was a separate policy assignment definition in the upstream enterprise-scale repo.

Just to be sure, re-tested the entire deployment flow as per https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlow and made some fixes.

This PR fixes/adds/changes/removes

Tested default policy assignments by introducing a new infra-as-code\bicep\modules\policy\assignments\alzDefaults\mc-alzDefaultPolicyAssignments.bicep file.
Added separate lib/china folder under infra-as-code\bicep\modules\policy\assignments\lib\china\policy_assignments. Also added default policy assignments which would work in Azure China.
Updated and tested Mooncake workflow file, and script to create separate lib/china folder under policy/assignments.
Added customer usage attribution module in customRoleDefinitions module.
Also fixes the deployment errors during MC testing found by @jfaurskov in Module Bicep template and parameter file hygiene #227

Breaking Changes

None

Testing Evidence

Tested workflow manual run successfully in my forked repo

As part of this Pull Request I have

Read the Contribution Guide and ensured this PR is compliant with the guide
Checked for duplicate Pull Requests
Associated it with relevant GitHub Issues
(ALZ Bicep Core Team Only) Associated it with relevant ADO Items
Ensured my code/branch is up-to-date with the latest changes in the main branch
Performed testing and provided evidence.
Updated tests (if required) Unit - Linting - E2E (End-To-End)
Updated relevant and associated documentation (e.g. Contribution Guide, Module READMEs, Wiki Docs etc.)
If relevant, created or updated Code Tours here

…/ALZ-Bicep into patch-policy-library-china

…o run

…er/ALZ-Bicep into patch-policy-library-china

infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep

...icy/assignments/lib/china/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json

.../modules/policy/definitions/lib/china/policy_definitions/_mc_policyDefinitionsBicepInput.txt

jfaurskov

Nice work @faister :-) Added a couple of suggestions. Also If you could merge with main and put the validation of the mc-alzdefaultpolicyassignments into the /tests/pipelines/mc-base-unit-validate.yml pipeline in place of the current alzdefaultpolicyassignments (line 81 - 87) that would be ace!

…policy-library-china

…alzDefaultPolicyAssignments.bicep Co-authored-by: Jan Faurskov <22591930+jfaurskov@users.noreply.github.com>

…er/ALZ-Bicep into patch-policy-library-china

faister · 2022-06-29T05:27:01Z

Nice work @faister :-) Added a couple of suggestions. Also If you could merge with main and put the validation of the mc-alzdefaultpolicyassignments into the /tests/pipelines/mc-base-unit-validate.yml pipeline in place of the current alzdefaultpolicyassignments (line 81 - 87) that would be ace!

Thanks @jfaurskov, done updated tests/pipelines/mc-base-unit-validate.yml and tested it in az cli successfully. see attached output.
Az CLI Validate Alz Default policy assignments-succeeded.txt

jfaurskov · 2022-06-29T08:22:26Z

/azp run ValidateAzCloud

jfaurskov · 2022-06-29T08:22:44Z

/azp run ValidateMcCloud

azure-pipelines · 2022-06-29T08:22:55Z

Azure Pipelines successfully started running 1 pipeline(s).

jfaurskov · 2022-06-29T08:45:06Z

/azp run ValidateAzCloud

azure-pipelines · 2022-06-29T08:45:17Z

Azure Pipelines successfully started running 1 pipeline(s).

jfaurskov · 2022-06-29T08:48:13Z

/azp run ValidateAzCloud

azure-pipelines · 2022-06-29T08:48:22Z

Azure Pipelines successfully started running 1 pipeline(s).

actions-user and others added 30 commits January 11, 2022 05:32

Update Policy Library for Azure China (automated)

56a093d

Update Policy Library for Azure China (automated)

cf85d6f

Update Policy Library for Azure China (automated)

2e9b87d

Update Policy Library for Azure China (automated)

be7e5b3

Update Policy Library for Azure China (automated)

ceba1a9

Update Policy Library for Azure China (automated)

20d646c

fixed conflicts

34d477b

Merge branch 'patch-policy-library-china' of https://github.com/Azure…

36f693f

…/ALZ-Bicep into patch-policy-library-china

Create main.yml

8ecf1ec

Update Invoke-PolicyToBicep-China.ps1

e5ee956

creating lib\china\policy_assignments folder structure for workflow t…

20995e2

…o run

update to Invoke-PolicyToBicep-China.ps1

3c4a097

Update Invoke-PolicyToBicep-China.ps1

ef929db

updated policy assignment section for Mooncake

240eaf7

creating lib/china/policy_assignments path

52d74a4

Update Policy Library for Azure China (automated)

94f36ee

adding source policy assignment path for China

345a089

Merge branch 'patch-policy-library-china' of https://github.com/faist…

7e03389

…er/ALZ-Bicep into patch-policy-library-china

Adding policy assignments folder for China

cc36eed

populate assignments folder from es source

613ae3b

Merge branch 'Azure:main' into main

49f14cd

Merge branch 'main' of https://github.com/Azure/ALZ-Bicep

b4d925b

Merge branch 'main' of https://github.com/faister/ALZ-Bicep

7220c04

added _mc_policyAssignmentsBicepInput.txt

c202d4b

test

98dc776

test

af4061a

Update Policy Library for Azure China (automated)

5977270

try parsing policyAssignments for global regions

465f0d0

update

cdbb835

populated policy assignment files for Mooncake

2567dcf