Azure · oZakari · Feb 27, 2024 · Feb 21, 2024 · Feb 21, 2024 · Feb 21, 2024
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -101,6 +101,9 @@ param parExcludedPolicyAssignments array = []
 @sys.description('Set Parameter to true to Opt-out of deployment telemetry')
 param parTelemetryOptOut bool = false
 
+@sys.description('Effect type for sovereign policy definitions')
+param parSovereigntyPolicyEffect string = 'Deny'
+
 var varLogAnalyticsWorkspaceName = split(parLogAnalyticsWorkspaceResourceId, '/')[8]
 
 var varLogAnalyticsWorkspaceResourceGroupName = split(parLogAnalyticsWorkspaceResourceId, '/')[4]
@@ -524,9 +527,12 @@ module modPolicyAssignmentIntRootEnforceSovereigntyGlobal '../../../policy/assig
         #disable-next-line no-loc-expr-outside-params
         value: !(empty(parTopLevelPolicyAssignmentSovereigntyGlobal.parListOfAllowedLocations)) ? parTopLevelPolicyAssignmentSovereigntyGlobal.parListOfAllowedLocations : array(deployment().location)
       }
+      effect: {
+        value: parSovereigntyPolicyEffect
+      }
     }
     parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignGlobal.libDefinition.identity.type
-    parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignGlobal.libDefinition.properties.enforcementMode
+    parPolicyAssignmentEnforcementMode: parTopLevelPolicyAssignmentSovereigntyGlobal.parTopLevelSovereigntyGlobalPoliciesEnable ? 'Default' : varPolicyAssignmentEnforceSovereignGlobal.libDefinition.properties.enforcementMode
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -1560,9 +1566,12 @@ module modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf '../../../
       allowedVirtualMachineSKUs: {
         value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.parameters.allowedVirtualMachineSKUs.value
       }
+      effect: {
+        value: parSovereigntyPolicyEffect
+      }
     }
     parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignConf.libDefinition.identity.type
-    parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode
+    parPolicyAssignmentEnforcementMode: parLandingZoneMgConfidentialEnable ? 'Default' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
@@ -1589,9 +1598,12 @@ module modPolicyAssignmentLzsConfidentialCorpEnforceSovereigntyConf '../../../po
       allowedVirtualMachineSKUs: {
         value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.parameters.allowedVirtualMachineSKUs.value
       }
+      effect: {
+        value: parSovereigntyPolicyEffect
+      }
     }
     parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereignConf.libDefinition.identity.type
-    parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode
+    parPolicyAssignmentEnforcementMode: parLandingZoneMgConfidentialEnable ? 'Default' : varPolicyAssignmentEnforceSovereignConf.libDefinition.properties.enforcementMode
     parTelemetryOptOut: parTelemetryOptOut
   }
 }

diff --git a/...licy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/...licy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
@@ -26,6 +26,7 @@ parVmBackupExclusionTagName | No       | Name of the tag to use for excluding VM
 parVmBackupExclusionTagValue | No       | Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter.
 parExcludedPolicyAssignments | No       | Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments
 parTelemetryOptOut | No       | Set Parameter to true to Opt-out of deployment telemetry
+parSovereigntyPolicyEffect | No       | Effect type for sovereign policy definitions
 
 ### parTopLevelManagementGroupPrefix
 
@@ -182,6 +183,14 @@ Set Parameter to true to Opt-out of deployment telemetry
 
 - Default value: `False`
 
+### parSovereigntyPolicyEffect
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Effect type for sovereign policy definitions
+
+- Default value: `Deny`
+
 ## Snippets
 
 ### Parameter file
@@ -260,6 +269,9 @@ Set Parameter to true to Opt-out of deployment telemetry
         },
         "parTelemetryOptOut": {
             "value": false
+        },
+        "parSovereigntyPolicyEffect": {
+            "value": "Deny"
         }
     }
 }