Provide deployment of alert policy definitions from Azure Resources section of AMBA website

[judyer28]

Overview/Summary

Added a Deploy to Azure button for policy definitions for individual Azure resource type alerts. Also, removed '[[' from the Policy section of each alert so that users can easily copy and paste policy definition snippet to Azure portal.

This PR fixes/adds/changes/removes

1. Adds new policy generator and "policy-arm" directory under each resource type that contains policy templates used by Deploy to Azure button for resource type alert.
2. Fixes policy snippet for each resource type alert to remove "[[" so that the policy can be easily copied and pasted into Azure portal.

Breaking Changes

1. Replace me
2. Replace me

As part of this Pull Request I have

• Read the Contribution Guide and ensured this PR is compliant with the guide
• Checked for duplicate Pull Requests
• Associated it with relevant GitHub Issues or ADO Work Items (Internal Only)
• Ensured my code/branch is up-to-date with the latest changes in the main branch
• Ensured PR tests are passing
• Updated relevant and associated documentation (e.g. Contribution Guide, Docs etc.)

[arjenhuitema]

Hi @judyer28,

I have identified a few areas for your review.

I am questioning the necessity of maintaining the policy-arm folder along with its templates. There seems to be considerable code duplication merely for the deployment of individual policy definitions, which is quite a limited use case. The following points elaborate on this:

• The deployment does not include the Policy Assignment.
• There is a limit of 200 Policy or Initiative assignments at any given scope. Deploying and assigning policies individually will quickly meet this limit, which we should avoid recommending.

I strongly advocate for policies to be incorporated into an initiative and assigned per initiative. This responsibility should lie with the pattern owners.

[arjenhuitema]

Can you review, there are template validation errors in all templates:

Template validation failed: The template variable 'pidDeploymentName' is not valid: The template function 'managementGroup' is not valid. Please see https://aka.ms/arm-template-expressions for usage details.. Please see https://aka.ms/arm-template-expressions for usage details.

[judyer28]

I just tried to deploy this specific file and it deployed ok for me. Can you tell me how you are trying to deploy it? I just did a Custom Deployment in the portal, loaded the file and deployed without error.

[judyer28]

@arjenhuitema I looked at this again and I think it may be an issue with the template validator in VS Code. As far as I can tell 'managementGoup' is a valid template function. See here https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-scope#managementgroup

[judyer28]

Loaded template file shows no error on line 39 when loaded into portal:

[judyer28]

Appears to be known issue: microsoft/vscode-azurearmtools#1428

[arjenhuitema]

These should be tagged as "version": "1.0.0-preview",

Also the metadata should include "preview": true,

[judyer28]

Why should it have these? I do not see it in the docs. https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/2021-06-01/policydefinitions?pivots=deployment-language-arm-template. What is preview used for?

[arjenhuitema]

"Preview" indicates the Policy is still in preview, applicable to built-in policies as well. Generally, the versions end with "-preview." For example: https://www.azadvertizer.net/azpolicyadvertizer/4485d24b-a9d3-4206-b691-1fad83bc5007.html. Although not strictly required, these policies were auto-generated and remain in their initial release phase. They have yet to be thoroughly vetted.

[judyer28]

@arjenhuitema I added the version and preview information back into the template

[judyer28]

@arjenhuitema thanks for taking the time to review and provide feedback. Regarding:

• The deployment does not include the Policy Assignment.
• There is a limit of 200 Policy or Initiative assignments at any given scope. Deploying and assigning policies individually will quickly meet this limit, which we should avoid recommending.

I strongly advocate for policies to be incorporated into an initiative and assigned per initiative. This responsibility should lie with the pattern owners.

This feature is not meant for those users looking to apply a specific pattern such as ALZ. In those cases, users should go to the pattern section and follow the guidance there. This feature is meant for users not following a specific pattern and want to pick and choose specific alerts to deploy from the Azure Resources section of the AMBA website. This is a first step for those users to deploy the policy definitions. They can then include them in their own custom initiatives and assign them as they see fit. Future iterations of this could include automation for the custom initiatives and assignments.

[judyer28]

@arjenhuitema I believe I have addressed all comments. Please let me know if there is anything else needed.