Patch ESLZ ARM

[krowlandson]

Overview/Summary

Minor updates to the ESLZ ARM templates to fix a few issues observed during development of the Terraform Module.

This PR fixes/adds/changes/removes

1. Fix naming for lzsManagementGroup variable
2. Fix value for sqlEncryptionPolicyAssignment variable
3. Update name for the following policies to improve clarity on purpose:
   1. Deny-Priv-Esc-AKS --> Deny-Priv-Escalation-AKS
   2. Deny-Privileged-AKS --> Deny-Priv-Containers-AKS
4. Update description for Deny-Subnet-Without-Nsg Policy Assignment
5. Update metadata.displayName for CognitiveServicesCMKEffect parameter in Enforce-Encryption-CMK Policy Set Definition to remove unusual whitespace character (discovered during testing, as per the below image)

Breaking Changes

n/a

Testing Evidence

These changes replicate values set in a working deployment using the Terraform version of ES.

For the update on Enforce-Encryption-CMK, please see the below evidence of how this change effects the resource in question:

As part of this Pull Request I have

• Checked for duplicate Pull Requests
• Associated it with relevant issues, for tracking and closure.
• Ensured my code/branch is up-to-date with the latest changes in the main branch
• Performed testing and provided evidence.
• Updated relevant and associated documentation.
• Updated the "What's New?" wiki page (located: /docs/wiki/whats-new.md)

[krowlandson]

I don't believe there are any specific updates needed on the "What's new" page as these are all covered under the existing descriptions, but please let me know if you think it needs an addition.

[jtracey93]

All looks good to me @krowlandson!

Just a couple of questions/notes:

1. Did you also change the Azure Backup Policy Assignment variable as the azBackupIdentityPolicyAssignment variable was never used?
2. You dont need to update the RIs in the docs/reference/xxxx/ folders now for Adventure Works, Contoso, WingTip & Trey separately anymore; only the files in eslzArm/ 👍

[krnese]

We are no longer using this template.

[krowlandson]

Any harm in this fix?

[krnese]

We are no longer using this template.

[krowlandson]

Any harm in this fix?

[krnese]

We are no longer using this template.

[krowlandson]

Any harm in this fix?

[krnese]

No harm, but we are planning to delete these files so I don't see any reason to why we need to update them

[krnese]

If identity subscription is enabled, we also recommend to assign VM Backup policy to the identity management group, hence we need a deterministic guid for the subsequent role assignment for that policy, so we need both these variables.

[krowlandson]

As azBackupIdentityPolicyAssignment isn't referenced anywhere else in the repository and the values are the same, how does this make a difference when an identity subscription is enabled?

[krnese]

It is it's own (optional) deployment name, and we cannot have duplicated resource name in the same ARM template.

[jtracey93]

Just my 2 cents here 😃

I have tested a deployment from @krowlandson's branch for this PR and it works 👍

Including the Backup policies involved also:

From my initial review, and re-review today, the ARM deployment names are unchanged just the reference to the deployment template URI and a de-duplication of a variable that holds this (which from looking at the current templates, it looks like the azBackupIdentityPolicyAssignment variable is not referenced anywhere as the azBackupLzPolicyAssignment is used for all nested deployments which do the assignments. Also as the conditionals are not based on these and other parameters/variables from the portal UX experience then I think this is all good 👍