Merge branch 'main' into Azure_Networking1
Springstone authored Oct 2, 2023
2 parents 58c2e03 + 99ee3d6 commit c93aaf3
Showing 77 changed files with 4,669 additions and 154 deletions.
27 changes: 27 additions & 0 deletions .github/workflows/test-portal.yml
Expand Up @@ -142,6 +142,33 @@ jobs:
inlineScript: ./src/scripts/Invoke-ActionRunEslzArmDeployment.ps1
azPSVersion: "latest"

- name: Install PowerShell modules
shell: pwsh
run: |
Install-Module -Name "Az" -RequiredVersion "10.1.0" -Force -Scope CurrentUser -ErrorAction Stop
Update-AzConfig -DisplayBreakingChangeWarning $false
- name: Pester Test for Policies
shell: pwsh
run: |
Import-Module Pester -Force
$pesterConfiguration = @{
Run = @{
Path = "tests/*.tests.ps1"
PassThru = $true
}
Output = @{
Verbosity = 'Detailed'
CIFormat = 'Auto'
}
}
$result = Invoke-Pester -Configuration $pesterConfiguration
exit $result.FailedCount
env:
SUBSCRIPTION_ID: ${{ secrets.AZURE_POLICY_SUBSCRIPTION1_ID }}
SUBSCRIPTION2_ID: ${{ secrets.AZURE_POLICY_SUBSCRIPTION2_ID }} #Used for policy tests that require a second subscription (e.g. cross subscription peering)
TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}

- name: Run eslzArm deployment (DESTROY)
uses: azure/powershell@v1
with:
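Review bot: the new Pester step is placed between the eslzArm deployment and the `Run eslzArm deployment (DESTROY)` step and ends with `exit $result.FailedCount`, so a single failing policy test stops the job before DESTROY runs and leaves the test deployment in the subscription unless that step carries `if: always()` (its condition is outside this hunk; please confirm). Also `Path = "tests/*.tests.ps1"` only matches files directly under `tests/`, while the contribution guide in this same commit places policy tests under `/tests/policy` with a `.Tests.ps1` suffix; check that discovery actually reaches them (and that `.tests` versus `.Tests` is matched as intended on the Linux runner), or point the path at `tests/policy`.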
1 change: 0 additions & 1 deletion .github/workflows/unit-test-policies.yml
Expand Up @@ -31,7 +31,6 @@ jobs:
fetch-depth: 0
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}

- name: Pester Test for Modified Policies
shell: pwsh
run: |
2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -13,3 +13,5 @@

# GitHub Super Linter
super-linter.log

src/data/eslzArm.test.deployment.json
23 changes: 22 additions & 1 deletion docs/wiki/ALZ-Contribution-Guide.md
Expand Up @@ -187,7 +187,7 @@ The policy definition files will be compiled into a `policies.json` file from th

Once the policy work has been completed, a pull request should be submitted to the repository:

![pr-example](media/pr-example.png)
![pr-example](media/pr-example.png)

#### Versioning

Expand All @@ -211,12 +211,33 @@ When working within the policy files, to read parameters which are set at the to

> **Note:** When testing the policy manually in the portal or another deployment outside of the ALZ Accelerator (Portal), you will need to remove the double escaping, `[[`, and revert to normal ,`[`'

#### Testing

A new requirement as of FY24-Q1 for all new custom policies is that new policies (with DENY effect at this time) MUST have a Pester test to validate the policy is working as expected. This is to validate that the policy is effective and to prevent any regressions in the future should there be any policy updates. The Pester test should be located in the `/tests/policy` folder in this repo, and should be named the same as the policy definition, but with a `.Tests.ps1` extension. For example, if the policy definition is `Deny-AppService-PrivateEndpoint.json`, the Pester test should be named `Deny-AppService-PrivateEndpoint.Tests.ps1`.

There are many examples available already in the `/tests/policy` for the current list of DENY policies. The preferred and recommended approach is to use PowerShell Az as far as possible, however, there are some situations where REST API will be required (e.g., Deny-MgmtPorts-From-Internet with complex rules or any deployment requiring parameters not available in PowerShell Az modules). Examples of both methods are also available in the current policy test folder - an example that uses both methods [Deny-FileServices-InsecureAuth.Tests.ps1](/tests/policy/Deny-FileServices-InsecureAuth.Tests.ps1).\

We have also included a [sample workflow](./ALZ-Policies-Test-Workflow-Sample) that can be used as a dedicated policy testing workflow in your own environments.

To learn more about how we've implemented policy testing, please refer to [azure-policy-testing](https://github.com/fawohlsc/azure-policy-testing).

#### Default assignments

When working with policies that are assigned by default, these are located under the [eslzArm/managementGroupTemplates/policyAssignments](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/managementGroupTemplates/policyAssignments) folder. References to policy definitions are done through the assignments, so if any amendments are done to default assigned policies, they should be amended here too. A wiki to default assignments can be found [in the wiki](./ALZ-Policies).

Policies in `eslzArm.json` file will also need updating if wanting to assign a new policy that is located. The file for this amendment [in eslzArm/eslzArm.json](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/eslzArm.json).

### Portal Reference Implementation

The portal reference implementation is a popular UI driven reference implementation for Azure landing zones, and is maintained as part of this repository. It is a great way to get started with Azure landing zones, and is a great way to learn about the underlying Azure landing zone guidance.

When creating new policies that will be assigned by default by the portal reference architecture you are required to also include appropriate information and options in the portal experience (`eslzArm/eslz-portal.json`). Please do include appropriate selectors in line with the section (management group) that the policy is assigned to, and ensure that tooltips include links to the AzAdvertizer page for the policy or initiative.

Example for the Key Vault initiative (note the tooltip):

![Example of adding tooltip in portal experience](media/alz-contrib-portal1.png)


### Forking the repository and submitting a Pull Request

To start contributing to this repository it is worth reviewing the developer workflow for contribution [which is documented in GitHub](https://docs.github.com/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork).
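Review bot: the sentence "Policies in `eslzArm.json` file will also need updating if wanting to assign a new policy that is located. The file for this amendment [in eslzArm/eslzArm.json](...)" in the Default assignments section is incomplete ("that is located" where?) and its second half has no verb; suggest "If a new policy should be assigned by default, `eslzArm.json` also needs updating; the file is [eslzArm/eslzArm.json](...)." Smaller points in the same hunk: the trailing `\` after the Deny-FileServices-InsecureAuth link forces a hard line break in front of an empty line and should go; "examples available already in the `/tests/policy`" is missing "folder"; and the Testing section says tests end in `.Tests.ps1` while the sample workflow and the test-portal step in this commit glob `tests/*.tests.ps1`, so the guide and the workflows should agree on location and suffix.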
1 change: 1 addition & 0 deletions docs/wiki/ALZ-Deprecated-Services.md
Expand Up @@ -37,3 +37,4 @@ Policies being deprecated:

- Removed `ActivityLog` Solution as an option to be deployed into the Log Analytics Workspace, as this has been superseded by the Activity Log Insights Workbook, as documented [here.](https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log-insights)
- Removed `Service Map` solution as an option to be deployed, as this has been superseded by VM Insights, as documented [here.](https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log-insights) Guidance on migrating and removing the Service Map solution can be found [here.](https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-migrate-from-service-map)
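Review bot: the first link in the new `Service Map` bullet ("as documented [here.]") points to `https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log-insights`, the same Activity Log Insights page used by the `ActivityLog` bullet above it, not to VM Insights; it looks copied from the previous line and should point at the VM Insights documentation (the migration link that follows it is the right one).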

83 changes: 83 additions & 0 deletions docs/wiki/ALZ-Policies-Test-Workflow-Sample.md
@@ -0,0 +1,83 @@
# ALZ Policy Testing Workflow Sample

``` YAML
name: ALZ Tests for Policy

on:
pull_request:
types:
- opened
- reopened
- synchronize
- ready_for_review
branches:
- main
- TestingFramework # For testing purposes only update as needed based on branch name
paths:
- ".github/workflows/**"
- "tests/policy/**"
- "tests/utils/**"
workflow_dispatch:
inputs:
remarks:
description: "Reason for triggering the workflow run"
required: false
default: "Testing Azure Policies..."

jobs:
test-alz-policies:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
persist-credentials: false

- name: Install PowerShell modules
shell: pwsh
run: |
Install-Module -Name "Az" -RequiredVersion "10.1.0" -Force -Scope CurrentUser -ErrorAction Stop
Update-AzConfig -DisplayBreakingChangeWarning $false
- name: Azure login (OIDC)
uses: azure/login@v1
if: ${{ success() && env.AZURE_CLIENT_SECRET == '' }}
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: true
env:
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}

- name: Azure login (Client Secret)
uses: azure/login@v1
if: ${{ success() && env.AZURE_CLIENT_SECRET != '' }}
with:
creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
enable-AzPSSession: true
env:
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}

- name: Pester Test for Policies
shell: pwsh
run: |
Import-Module Pester -Force
$pesterConfiguration = @{
Run = @{
Path = "tests/*.tests.ps1"
PassThru = $true
}
Output = @{
Verbosity = 'Detailed'
CIFormat = 'Auto'
}
}
$result = Invoke-Pester -Configuration $pesterConfiguration
exit $result.FailedCount
env:
SUBSCRIPTION_ID: ${{ secrets.AZURE_POLICY_SUBSCRIPTION1_ID }}
SUBSCRIPTION2_ID: ${{ secrets.AZURE_POLICY_SUBSCRIPTION2_ID }} #Used for policy tests that require a second subscription (e.g. cross subscription peering)
TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
```
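Review bot: the code fence opens as ``` YAML (space plus upper case); use ```yaml, the conventional info string, so the block is highlighted reliably. In the sample itself, the `- TestingFramework` branch trigger and its comment read as a leftover from the authors' own branch and should be dropped or replaced with a placeholder, and readers copying this should be told that a `pull_request` run only receives `secrets.*` for branches in the same repository, so both login steps will fail on PRs from forks. Since the page is meant to be reused in customer environments, it is also worth stating that the OIDC login is the preferred path and the client-secret step (`creds:` with the secret embedded in a JSON string) is only the fallback.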
10 changes: 8 additions & 2 deletions docs/wiki/ALZ-Policies.md
Expand Up @@ -4,6 +4,8 @@ Azure Policy and deployIfNotExist enables autonomy in the platform, and reduces

> Please refer to [Policy Driven Governance](https://learn.microsoft.com/en-gb/azure/cloud-adoption-framework/ready/landing-zone/design-principles#policy-driven-governance) for further information.
> **IMPORTANT NOTE:** ALZ priority is to provide a secure by default, Zero Trust aligned, configuration, and occasionally we will rely on `-preview` policies in our default assignments to meet our core objective. These preview policies are maintained by the Azure product owners and versioning is not in our control, however, we feel they are sufficiently important to be included in our releases. If the inclusion of preview policies is of concern, please review all ALZ default initiative assignments and remove any `-preview` policies that you are not comfortable with.
## FAQ and Tips

We have added a dedicated [ALZ Policy FAQ and Tips](./ALZ-Policies-FAQ) based on common issues raised or questions asked by customers and partners.
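Review bot: the new `> **IMPORTANT NOTE:**` line directly follows the existing `> Please refer to ...` blockquote line with no blank line between them, so Markdown renders both as one paragraph inside a single blockquote and the bold "IMPORTANT NOTE" ends up mid-paragraph right after the Policy Driven Governance link; insert a blank line (or a lone `>` line) between the two so the note stands on its own.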
Expand Down Expand Up @@ -88,7 +90,7 @@ The table below provides the specific **Custom** and **Built-in** **policy defin

### Platform

This management group contains all the platform child management groups, like management, connectivity, and identity. There are currently no policies assigned at this management group
This management group contains all the platform child management groups, like management, connectivity, and identity.

<table>
<tr><th>Management Group </th><th>Policy Configuration</th></tr>
Expand All @@ -101,10 +103,14 @@ This management group contains all the platform child management groups, like ma

| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **0** |
| `Policy Definition Sets` | **1** |
| `Policy Definitions` | **0** |
</td></tr> </table>

| Assignment Name | Definition Name | Policy Type | Description | Effect(s) |
| -------------------------------------------------------------------------- | -------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- |
| **Enforce recommended guardrails for Azure Key Vault** | **Enforce recommended guardrails for Azure Key Vault** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Azure Key Vault: <ul><li>Key vaults should have soft delete enabled (Deny)<li>Key vaults should have purge protection enabled (Deny)<li>Key Vault secrets should have an expiration date (Audit)<li>Key Vault keys should have an expiration date (Audit)<li>Azure Key Vault should have firewall enabled (Audit)<li>Certificates should have the specified lifetime action triggers (Audit)<li>Keys should have more than the specified number of days before expiration (Audit < 90 days)<li>Secrets should have more than the specified number of days before expiration (Audit < 90 days)</ul>| Audit, Deny |

### Connectivity

This management group contains a dedicated subscription for connectivity. This subscription will host the Azure networking resources required for the platform, like Azure Virtual WAN, Azure Firewall, and Azure DNS private zones. Policy assignment is predominantly focused on Azure DDoS Protection.
13 changes: 12 additions & 1 deletion docs/wiki/Community-Calls.md
@@ -1,6 +1,7 @@
## In this Section

- [In this Section](#in-this-section)
- [September 2023](#25th-september-2023-25092023)
- [April 2023](#27th-april-2023-27042023)
- [January 2023](#31st-january-2023-31012023)
- [May 2022](#2nd-may-2022-02052022)
Expand All @@ -9,10 +10,20 @@

---

On this page you will find the meeting recordings and PowerPoint slides from previous Azure Landing Zone External Community Calls. To sign-up to the next Azure Landing Zone Extternal Community Call, head to: [https://aka.ms/alz/communitycallregister](https://aka.ms/alz/communitycallregister)
On this page you will find the meeting recordings and PowerPoint slides from previous Azure Landing Zone External Community Calls. To sign-up to the next Azure Landing Zone External Community Call, head to: [https://aka.ms/alz/communitycallregister](https://aka.ms/alz/communitycallregister)

> Short link to this page is [aka.ms/alz/community](https://aka.ms/alz/community)
## 25th September 2023 (25/09/2023)

### Recording

[![Screenshot of Azure Landing Zones Community Call from September 2023 recording on YouTube](./media/community-calls/sept-2023/youtube-screenshot.png)](https://youtu.be/z8Ez1wt66FE)

### Slides

A PDF of the PowerPoint slides is available [here.](./media/community-calls/sept-2023/ALZ-Community-Call-25092023.pdf)

## 27th April 2023 (27/04/2023)

### Recording