patch1

.github/CODEOWNERS

@@ -6,5 +6,4 @@
 # review when someone opens a pull request.
 
 .github/CODEOWNERS @Azure/eslz-codeownersadmins
-.github/** @Azure/eslz-admins
-eslzArm/** @Azure/eslz-armteam
+*  @Azure/alz-core-team-technical

.github/ISSUE_TEMPLATE/Policy_Submission.yml

@@ -0,0 +1,84 @@
+name: Policy Submission
+description: Submit an Azure policy/initiative for Azure Landing Zone
+title: "[Policy]: "
+labels: ["policy"]
+projects: []
+assignees:
+  - springstone
+body:
+  - type: markdown
+    attributes:
+      value: Thanks for taking the time to fill out this policy submission!
+  - type: dropdown
+    id: policytype
+    attributes:
+      label: Policy Definition or Initiative
+      description: Are you proposing a policy definition or initiative definition?
+      options:
+        - Definition
+        - Initiative
+        - Not sure
+      default: 0
+    validations:
+      required: true
+  - type: dropdown
+    id: builtincustom
+    attributes:
+      label: Built-in/Custom
+      description: Is the policy definition or initiative built-in or are you proposing a custom one?
+      options:
+        - Built-in
+        - Custom
+        - Not sure
+      default: 0
+    validations:
+      required: true
+  - type: input
+    id: resourceid
+    attributes:
+      label: Built-in policy definition or initiative ID
+      description: If this is for a built in policy definition or initiative, please provide the resource ID
+      value: "<GUID>"
+    validations:
+      required: false
+  - type: textarea
+    id: description
+    attributes:
+      label: Custom policy definition or initiative description
+      description: If this is a custom policy definition or initiative, please provide a description of what it should do.
+      placeholder: A policy that
+      value: "A policy that does ..."
+    validations:
+      required: true
+  - type: dropdown
+    id: assignmentscope
+    attributes:
+      label: Scope
+      description: What scope (Management Group) should the policy definition or initiative be assigned to?
+      options:
+        - Intermediate Root
+        - Platform
+        - Connectivity
+        - Management
+        - Identity
+        - Landing Zones
+        - Corp
+        - Online
+        - Decommissioned
+        - Sandbox
+        - Multiple / Other
+      default: 0
+    validations:
+      required: true
+  - type: checkboxes
+    id: defaultassignment
+    attributes:
+      label: Default Assignment
+      description: Should the policy definition or initiative be assigned by default to the scope above in Azure Landing Zone?
+      options:
+        - label: "Yes"
+  - type: textarea
+    id: Comments
+    attributes:
+      label: Comments/thoughts
+      description: Do you have any additional comments/thoughts?

.github/actions-pester/PTF-TestPolicies.ps1

@@ -0,0 +1,63 @@
+Import-Module -Name $PSScriptRoot\PolicyPesterTestHelper.psm1 -Force -Verbose
+Import-Module Pester -Force
+
+function RunPester
+{
+    param (
+        [Parameter()]
+        [String]$PolicyTest
+    )
+
+    $pesterConfiguration = @{
+    Run    = @{
+        Container = New-PesterContainer -Path $PolicyTest
+        PassThru  = $true
+    }
+    Output = @{
+        Verbosity = 'Detailed'
+        CIFormat = 'Auto'
+    }
+    }
+    $result = Invoke-Pester -Configuration $pesterConfiguration
+    #exit $result.FailedCount
+}
+
+$ModifiedFiles = @(Get-PolicyFiles -DiffFilter "M")
+if ([String]::IsNullOrEmpty($ModifiedFiles))
+{
+    Write-Warning "These are the modified policies: $($ModifiedFiles)"
+}
+else
+{
+    Write-Warning "There are no modified policies"
+}
+
+$AddedFiles = @(Get-PolicyFiles -DiffFilter "A")
+if ([String]::IsNullOrEmpty($AddedFiles))
+{
+    Write-Warning "These are the added policies: $($AddedFiles)"
+}
+else
+{
+    Write-Warning "There are no added policies"
+}
+
+$ModifiedAddedFiles = $ModifiedFiles + $AddedFiles
+
+$ModifiedAddedFiles | ForEach-Object {
+
+    $PolicyFile = Split-Path $_ -Leaf
+    $PolicyFileClean = $PolicyFile -replace ".json", ""
+
+    $testPath = "tests/policy/$($PolicyFileClean).Tests.ps1"
+
+    if (Test-Path $testPath)
+    {
+        Write-Warning "Running pester tests on $PolicyFileClean"
+        RunPester($testPath)
+    }
+    else
+    {
+        Write-Warning "There are no tests for $PolicyFileClean"
+    }
+}

.github/actions-pester/PolicyPesterTestHelper.psm1

@@ -0,0 +1,133 @@
+<#
+.DESCRIPTION
+Uses git diff to return a list of policy definitions and policy set definition file paths.
+#>
+
+function Get-PolicyFiles
+{
+    [CmdletBinding(SupportsShouldProcess)]
+    param (
+        [Parameter()]
+        [String]$DiffFilter,
+
+        [Parameter()]
+        [String]$PolicyDir = "$($env:POLICY_DIR)",
+
+        [Parameter()]
+        [String]$PolicySetDir = "$($env:POLICYSET_DIR)",
+
+        [Parameter()]
+        [String]$PRBranch = "$($env:GITHUB_HEAD_REF)",
+
+        [Parameter()]
+        [String]$BaseBranch = "$($env:GITHUB_BASE_REF)"
+    )
+
+    $PolicyFiles = @(git diff --diff-filter=$DiffFilter --name-only origin/main $PRBranch -- $PolicyDir)
+    $PolicySetsFiles = @(git diff --diff-filter=$DiffFilter --name-only origin/main $PRBranch -- $PolicySetDir)
+
+    $PolicyAndSetFiles = $PolicyFiles + $PolicySetsFiles
+
+    $PolicyAndSetFiles | ForEach-Object {
+        return $_
+    }
+}
+
+function Remove-JSONMetadata {
+
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $true)]
+        [hashtable] $TemplateObject
+    )
+    $TemplateObject.Remove('metadata')
+
+    # Differantiate case: With user defined types (resources property is hashtable) vs without user defined types (resources property is array)
+    if ($TemplateObject.resources.GetType().BaseType.Name -eq 'Hashtable') {
+        # Case: Hashtable
+        $resourceIdentifiers = $TemplateObject.resources.Keys
+        for ($index = 0; $index -lt $resourceIdentifiers.Count; $index++) {
+            if ($TemplateObject.resources[$resourceIdentifiers[$index]].type -eq 'Microsoft.Resources/deployments' -and $TemplateObject.resources[$resourceIdentifiers[$index]].properties.template.GetType().BaseType.Name -eq 'Hashtable') {
+                $TemplateObject.resources[$resourceIdentifiers[$index]] = Remove-JSONMetadata -TemplateObject $TemplateObject.resources[$resourceIdentifiers[$index]].properties.template
+            }
+        }
+    } else {
+        # Case: Array
+        for ($index = 0; $index -lt $TemplateObject.resources.Count; $index++) {
+            if ($TemplateObject.resources[$index].type -eq 'Microsoft.Resources/deployments' -and $TemplateObject.resources[$index].properties.template.GetType().BaseType.Name -eq 'Hashtable') {
+                $TemplateObject.resources[$index] = Remove-JSONMetadata -TemplateObject $TemplateObject.resources[$index].properties.template
+            }
+        }
+    }
+
+    return $TemplateObject
+}
+
+function ConvertTo-OrderedHashtable {
+
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $true)]
+        [string] $JSONInputObject # Must be string to workaround auto-conversion
+    )
+
+    $JSONObject = ConvertFrom-Json $JSONInputObject -AsHashtable -Depth 99 -NoEnumerate
+    $orderedLevel = [ordered]@{}
+
+    if (-not ($JSONObject.GetType().BaseType.Name -eq 'Hashtable')) {
+        return $JSONObject # E.g. in primitive data types [1,2,3]
+    }
+
+    foreach ($currentLevelKey in ($JSONObject.Keys | Sort-Object -Culture 'en-US')) {
+
+        if ($null -eq $JSONObject[$currentLevelKey]) {
+            # Handle case in which the value is 'null' and hence has no type
+            $orderedLevel[$currentLevelKey] = $null
+            continue
+        }
+
+        switch ($JSONObject[$currentLevelKey].GetType().BaseType.Name) {
+            { $PSItem -in @('Hashtable') } {
+                $orderedLevel[$currentLevelKey] = ConvertTo-OrderedHashtable -JSONInputObject ($JSONObject[$currentLevelKey] | ConvertTo-Json -Depth 99)
+            }
+            'Array' {
+                $arrayOutput = @()
+
+                # Case: Array of arrays
+                $arrayElements = $JSONObject[$currentLevelKey] | Where-Object { $_.GetType().BaseType.Name -eq 'Array' }
+                foreach ($array in $arrayElements) {
+                    if ($array.Count -gt 1) {
+                        # Only sort for arrays with more than one item. Otherwise single-item arrays are casted
+                        $array = $array | Sort-Object -Culture 'en-US'
+                    }
+                    $arrayOutput += , (ConvertTo-OrderedHashtable -JSONInputObject ($array | ConvertTo-Json -Depth 99))
+                }
+
+                # Case: Array of objects
+                $hashTableElements = $JSONObject[$currentLevelKey] | Where-Object { $_.GetType().BaseType.Name -eq 'Hashtable' }
+                foreach ($hashTable in $hashTableElements) {
+                    $arrayOutput += , (ConvertTo-OrderedHashtable -JSONInputObject ($hashTable | ConvertTo-Json -Depth 99))
+                }
+
+                # Case: Primitive data types
+                $primitiveElements = $JSONObject[$currentLevelKey] | Where-Object { $_.GetType().BaseType.Name -notin @('Array', 'Hashtable') } | ConvertTo-Json -Depth 99 | ConvertFrom-Json -AsHashtable -NoEnumerate -Depth 99
+                if ($primitiveElements.Count -gt 1) {
+                    $primitiveElements = $primitiveElements | Sort-Object -Culture 'en-US'
+                }
+                $arrayOutput += $primitiveElements
+
+                if ($array.Count -gt 1) {
+                    # Only sort for arrays with more than one item. Otherwise single-item arrays are casted
+                    $arrayOutput = $arrayOutput | Sort-Object -Culture 'en-US'
+                }
+                $orderedLevel[$currentLevelKey] = $arrayOutput
+            }
+            Default {
+                # string/int/etc.
+                $orderedLevel[$currentLevelKey] = $JSONObject[$currentLevelKey]
+            }
+        }
+    }
+
+    return $orderedLevel
+}

.github/actions-pester/Test-BuildPolicies.Tests.ps1

@@ -0,0 +1,62 @@
+Describe 'UnitTest-BuildPolicies' {
+
+    BeforeAll {
+        Import-Module -Name $PSScriptRoot\PolicyPesterTestHelper.psm1 -Force -Verbose
+
+        New-Item -Name "buildout" -Type Directory
+
+        # Build the PR policies, initiatives, and role definitions to a temp folder
+        bicep build ./src/templates/policies.bicep --outfile ./buildout/policies.json
+        bicep build ./src/templates/initiatives.bicep --outfile ./buildout/initiatives.json
+        bicep build ./src/templates/roles.bicep --outfile ./buildout/customRoleDefinitions.json
+    }
+
+    Context "Check Policy Builds" {
+
+        It "Check policies build done" {
+            $prFile = "./eslzArm/managementGroupTemplates/policyDefinitions/policies.json"
+            $buildFile = "./buildout/policies.json"
+
+            $buildJson = Remove-JSONMetadata -TemplateObject (Get-Content $buildFile -Raw | ConvertFrom-Json -Depth 99 -AsHashtable)
+            $buildJson = ConvertTo-OrderedHashtable -JSONInputObject (ConvertTo-Json $buildJson -Depth 99)
+
+            $prJson = Remove-JSONMetadata -TemplateObject (Get-Content $prFile -Raw | ConvertFrom-Json -Depth 99 -AsHashtable)
+            $prJson = ConvertTo-OrderedHashtable -JSONInputObject (ConvertTo-Json $prJson -Depth 99)
+
+            # Compare files we built to the PR files
+            (ConvertTo-Json $buildJson -Depth 99) | Should -Be (ConvertTo-Json $prJson -Depth 99) -Because "the [policies.json] should be based on the latest [policies.bicep] file. Please run [` bicep build ./src/templates/policies.bicep --outfile ./eslzArm/managementGroupTemplates/policyDefinitions/policies.json `] using the latest Bicep CLI version."
+        }
+
+        It "Check initiatives build done" {
+            $PRfile = "./eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json"
+            $buildFile = "./buildout/initiatives.json"
+
+            $buildJson = Remove-JSONMetadata -TemplateObject (Get-Content $buildFile -Raw | ConvertFrom-Json -Depth 99 -AsHashtable)
+            $buildJson = ConvertTo-OrderedHashtable -JSONInputObject (ConvertTo-Json $buildJson -Depth 99)
+
+            $prJson = Remove-JSONMetadata -TemplateObject (Get-Content $prFile -Raw | ConvertFrom-Json -Depth 99 -AsHashtable)
+            $prJson = ConvertTo-OrderedHashtable -JSONInputObject (ConvertTo-Json $prJson -Depth 99)
+
+            # Compare files we built to the PR files
+            (ConvertTo-Json $buildJson -Depth 99) | Should -Be (ConvertTo-Json $prJson -Depth 99) -Because "the [initiatives.json] should be based on the latest [initiatives.bicep] file. Please run [` bicep build ./src/templates/initiatives.bicep --outfile ./eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json `] using the latest Bicep CLI version."
+        }
+
+        It "Check role definitions build done" {
+            $PRfile = "./eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json"
+            $buildFile = "./buildout/customRoleDefinitions.json"
+
+            $buildJson = Remove-JSONMetadata -TemplateObject (Get-Content $buildFile -Raw | ConvertFrom-Json -Depth 99 -AsHashtable)
+            $buildJson = ConvertTo-OrderedHashtable -JSONInputObject (ConvertTo-Json $buildJson -Depth 99)
+
+            $prJson = Remove-JSONMetadata -TemplateObject (Get-Content $prFile -Raw | ConvertFrom-Json -Depth 99 -AsHashtable)
+            $prJson = ConvertTo-OrderedHashtable -JSONInputObject (ConvertTo-Json $prJson -Depth 99)
+
+            # Compare files we built to the PR files
+            (ConvertTo-Json $buildJson -Depth 99) | Should -Be (ConvertTo-Json $prJson -Depth 99) -Because "the [customRoleDefinitions.json] should be based on the latest [customRoleDefinitions.bicep] file. Please run [` bicep build ./src/templates/roles.bicep --outfile ./eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json `] using the latest Bicep CLI version."
+        }
+    }
+
+    AfterAll {
+        # These are not the droids you are looking for... 
+    }
+}