[pull] main from Azure:main

.github/workflows/scorecard.yml

@@ -59,7 +59,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: SARIF file
           path: results.sarif
@@ -68,6 +68,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
+        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
         with:
           sarif_file: results.sarif

.github/workflows/test-portal.yml

@@ -104,12 +104,42 @@ jobs:
           inlineScript: ./src/scripts/Invoke-ActionRemoveOrphanedRBAC.ps1
           azPSVersion: "latest"
 
-      - name: Generate eslzArm configuration
-        id: config
+      - name: Check test label set
+        if: |
+          ${{ contains(github.event.pull_request.labels.*.name, 'Test: Standard') || contains(github.event.pull_request.labels.*.name, 'Test: Hub & Spoke')  || contains(github.event.pull_request.labels.*.name, 'Test: VWAN') }}
+        run: echo "Test label has been set, test can proceed."
+
+      - name: Generate eslzArm configuration (Standard)
+        if: |
+          ${{ contains(github.event.pull_request.labels.*.name, 'Test: Standard') }}
         uses: azure/powershell@v2
         with:
           inlineScript: |
-            ./src/scripts/Invoke-ActionGenerateEslzArmConfig.ps1
+            ./src/scripts/Invoke-ActionGenerateEslzArmConfig.ps1 -TemplateParameterPath "./eslzArm/eslzArm.test.param.std.json"
+            Get-Content -Path $env:TEMP_DEPLOYMENT_OBJECT_PATH | jq
+          azPSVersion: "latest"
+        env:
+          DEPLOYMENT_LOCATION: ${{ secrets.DEPLOYMENT_LOCATION }}
+
+      - name: Generate eslzArm configuration (Hub & Spoke)
+        if: |
+          ${{ contains(github.event.pull_request.labels.*.name, 'Test: Hub & Spoke') }}
+        uses: azure/powershell@v2
+        with:
+          inlineScript: |
+            ./src/scripts/Invoke-ActionGenerateEslzArmConfig.ps1 -TemplateParameterPath "./eslzArm/eslzArm.test.param.hns.json"
+            Get-Content -Path $env:TEMP_DEPLOYMENT_OBJECT_PATH | jq
+          azPSVersion: "latest"
+        env:
+          DEPLOYMENT_LOCATION: ${{ secrets.DEPLOYMENT_LOCATION }}
+
+      - name: Generate eslzArm configuration (VWAN)
+        if: |
+          ${{ contains(github.event.pull_request.labels.*.name, 'Test: VWAN') }}
+        uses: azure/powershell@v2
+        with:
+          inlineScript: |
+            ./src/scripts/Invoke-ActionGenerateEslzArmConfig.ps1 -TemplateParameterPath "./eslzArm/eslzArm.test.param.vwan.json"
             Get-Content -Path $env:TEMP_DEPLOYMENT_OBJECT_PATH | jq
           azPSVersion: "latest"
         env:

docs/wiki/ALZ-Deprecated-Services.md

@@ -15,7 +15,7 @@ As policies and services are further developed by Microsoft, one or more Azure L
 
 ## Deprecated policies
 
-New Azure Policies are being developed and created by product groups that support their services and are typically of the `built-in` type. These new policies often replace legacy policies which get deprecated and usually provide guidance on which policy to use instead. Azure Landing Zones (ALZ) policies are not exempt from this, and over time some policies will be updated to leverage new `built-in` policies instead of ALZ `custom` policies. Through this process, `custom` ALZ policies will be deprecated when new `built-in` policies are available that provide the same capability, which ultimately reduces maintenance overhead for `custom` policies.  
+New Azure Policies are being developed and created by product groups that support their services and are typically of the `built-in` type. These new policies often replace legacy policies which get deprecated and usually provide guidance on which policy to use instead. Azure Landing Zones (ALZ) policies are not exempt from this, and over time some policies will be updated to leverage new `built-in` policies instead of ALZ `custom` policies. Through this process, `custom` ALZ policies will be deprecated when new `built-in` policies are available that provide the same capability, which ultimately reduces maintenance overhead for `custom` policies.
 
 Policies being deprecated:
 
@@ -42,6 +42,7 @@ Policies being deprecated:
 | Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW<br>ID: `Deploy-MDFC-Arc-Sql-DefenderSQL-DCR` | [`63d03cbd-47fd-4ee1-8a1c-9ddf07303de0`](https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html) | Custom policy replaced by built-in requires less administration overhead |
 | Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR<br>ID: `Deploy-MDFC-Arc-SQL-DCR-Association` | [`2227e1f1-23dd-4c3a-85a9-7024a401d8b2`](https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html) | Custom policy replaced by built-in requires less administration overhead |
 | Deploy User Assigned Managed Identity for VM Insights<br>ID: `Deploy-UserAssignedManagedIdentity-VMInsights` | Deprecating as it's no longer required | User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription. |
+| Deploy Azure Monitor Baseline Alerts for Landing Zone<br>ID: `Alerting-LandingZone` | [`Alerting-KeyManagement`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-KeyManagement)<br>[`Alerting-LoadBalancing`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-LoadBalancing)<br>[`Alerting-NetworkChanges`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-NetworkChanges)<br>[`Alerting-RecoveryServices`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-RecoveryServices)<br>[`Alerting-Storage`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-Storage)<br>[`Alerting-VM`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-VM)<br>[`Alerting-Web`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-Web) | To provide more flexibility for future growth we are transitioning from a single Landing Zone policy initiative and instead we are adopting a modular approach by splitting the Landing Zone initiative into distinct components (initiatives) |
 
 >IMPORTANT: note that we have deprecated ALL ALZ custom Diagnostic Setting features as part of Azure Landing Zones, which includes the initiatives and all 53 policies. These are being deprecated in favor of using (and assigning) the built-in initiative [Enable allLogs category group resource logging for supported resources to Log Analytics](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html)
 

docs/wiki/ALZ-Known-Issues.md

@@ -6,6 +6,25 @@ These have been discovered whilst running the reference implementation, and cust
 
 Some of these issues may be resolved in future release, while others require input from specific Azure product teams.
 
+## Deploying Automation Account with CMK controls enabled
+
+### Area
+
+Automation Account
+
+### Issue
+
+There is a very rare scenario, that if you have enabled the Customer Managed Key initiative and you run a redeployment of ALZ through the portal accelerator (including Log Analytics) you will get a policy compliance failure:
+
+```
+"Azure Automation accounts should use customer-managed keys to encrypt data at rest"
+```
+This is due to the additional requirements needed to enable CMK for Automation Accounts, and have it fully configured.
+
+### Status
+
+As a workaround to avoid this scenario, create an exemption on the intiative [Enforce-Encryption-CMK](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Encryption-CMK.html), and if you want to maximize granularity, only exempt the specific policy: [Azure Automation accounts should use customer-managed keys to encrypt data at rest](https://www.azadvertizer.net/azpolicyadvertizer/56a5ee18-2ae6-4810-86f7-18e39ce5629b.html) - Policy ID 56a5ee18-2ae6-4810-86f7-18e39ce5629b
+
 ## Deploying the reference implementation fails due to 'Policy <name> cannot be found (404)'
 
 ### Area

docs/wiki/ALZ-Policies-Extra.md

@@ -30,10 +30,12 @@ To support the additional control requirements of these industries, we're provid
 
 | Initiative ID | Name | Description | # of Policies |
 |------------|-------------|-------------|-------------|
+| [Enforce-Encryption-CMK](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Encryption-CMK.html) | Deny or Audit resources without Encryption with a customer-managed key (CMK) | This policy initiative is a group of policies that ensures Customer Managed Keys is compliant per regulated Landing Zones. | 30 |
 | [Enforce-Guardrails-APIM](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-APIM.html) | Enforce recommended guardrails for API Management | This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones. | 11 |
 | [Enforce-Guardrails-AppServices](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-AppServices.html) | Enforce recommended guardrails for App Service | This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones. | 19 |
 | [Enforce-Guardrails-Automation](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Automation.html) | Enforce recommended guardrails for Automation Account | This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones. | 6 |
-| [Enforce-Guardrails-CognitiveServices](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-CognitiveServices.html) | Enforce recommended guardrails for Cognitive Services | This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones. | 5 |
+| [Enforce-Guardrails-BotService](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-BotService.html) | Enforce recommended guardrails for Bot Service (service renamed to AI Bot Service) | This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones. | 4 |
+| [Enforce-Guardrails-CognitiveServices](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-CognitiveServices.html) | Enforce recommended guardrails for Cognitive Services (service renamed to AI Services) | This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones. | 9 |
 | [Enforce-Guardrails-Compute](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Compute.html) | Enforce recommended guardrails for Compute | This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones. | 2 |
 | [Enforce-Guardrails-ContainerApps](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-ContainerApps.html) | Enforce recommended guardrails for Container Apps | This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones. | 2 |
 | [Enforce-Guardrails-ContainerInstance](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-ContainerInstance.html) | Enforce recommended guardrails for Container Instance | This policy initiative is a group of policies that ensures Container Instance is compliant per regulated Landing Zones. | 1 |
@@ -45,10 +47,10 @@ To support the additional control requirements of these industries, we're provid
 | [Enforce-Guardrails-EventHub](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-EventHub.html) | Enforce recommended guardrails for Event Hub | This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones. | 4 |
 | [Enforce-Guardrails-KeyVault-Sup](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault-Sup.html) | Enforce additional recommended guardrails for Key Vault | This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones. This includes additional policies to supplement Enforce-Guardrails-KeyVault, which is assigned by default in ALZ. | 2 |
 | [Enforce-Guardrails-Kubernetes](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Kubernetes.html) | Enforce recommended guardrails for Kubernetes | This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones. | 16 |
-| [Enforce-Guardrails-MachineLearning](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-MachineLearning.html) | Enforce recommended guardrails for Machine Learning | This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones. | 5 |
+| [Enforce-Guardrails-MachineLearning](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-MachineLearning.html) | Enforce recommended guardrails for Machine Learning | This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones. | 14 |
 | [Enforce-Guardrails-MySQL](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-MySQL.html) | Enforce recommended guardrails for MySQL | This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones. | 2 |
 | [Enforce-Guardrails-Network](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Network.html) | Enforce recommended guardrails for Network and Networking services | This policy initiative is a group of policies that ensures Network and Networking services is compliant per regulated Landing Zones. | 22 |
-| [Enforce-Guardrails-OpenAI](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-OpenAI.html) | Enforce recommended guardrails for Open AI (Cognitive Service) | This policy initiative is a group of policies that ensures Open AI (Cognitive Services) is compliant per regulated Landing Zones. | 6 |
+| [Enforce-Guardrails-OpenAI](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-OpenAI.html) | Enforce recommended guardrails for Azure OpenAI (Cognitive Service) | This policy initiative is a group of policies that ensures Azure OpenAI (Cognitive Services) is compliant per regulated Landing Zones. | 11 |
 | [Enforce-Guardrails-PostgreSQL](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-PostgreSQL.html) | Enforce recommended guardrails for PostgreSQL | This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones. | 1 |
 | [Enforce-Guardrails-ServiceBus](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-ServiceBus.html) | Enforce recommended guardrails for Service Bus | This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones. | 4 |
 | [Enforce-Guardrails-SQL](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-SQL.html) | Enforce recommended guardrails for SQL and SQL Managed Instance | This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones. | 5 |

docs/wiki/ALZ-Policies-FAQ.md

@@ -12,6 +12,14 @@ We've had a number of issues and pull requests submitted specifically around the
 
 The reason for this is that the policies and initiatives in this repo are intended to be used as part of the ALZ deployment process, and are used to generate the ARM templates that are deployed to Azure. The leading `[` character is required to support the generation of the ARM templates.
 
+### Why does ALZ not promote the usage of User-Assigned Managed Identities for Policy Assignments?
+
+Whilst User-Assigned Managed Identities for Policy Assignments are now supported, there are a number of reasons why ALZ does not promote the usage of them. 
+
+The primary risk is that the User-Assigned Managed Identity created and used for one or more policy assignments is an over-permissioned identity; both in terms of RBAC roles it has assigned to it and also the scope/s that it has been assigned to. With the focus on least privilege and zero trust security principles, we believe in ALZ that the use of a User-Assigned Managed Identity for policy assignments is not the best practice and instead you should continue to use the system-assigned managed identity for your Azure policy assignments.
+
+Not only does using a system-assigned managed identity for policy assignments reduce the risk of over-permissioning, but it also reduces the complexity of managing the identity and its RBAC permissions and assignments as the lifecycle of the system-assigned managed identity is managed by Azure policy automatically with the lifecycle of the policy assignment it is associated with.
+
 ### Diagnostic Settings v2 (December 2023)
 
 There are several issues raised around Diagnostic Settings, and we acknowledge that this is a complex area that is causing a lot of pain.