Azure · matt-FFFFFF · Jun 18, 2025 · Jun 6, 2025 · Jun 6, 2025 · Jun 6, 2025
diff --git a/.github/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1 b/.github/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1
diff --git a/.github/scripts/Invoke-LibraryUpdatePolicyDefinitions.ps1 b/.github/scripts/Invoke-LibraryUpdatePolicyDefinitions.ps1
@@ -21,12 +21,12 @@
 
 [CmdletBinding(SupportsShouldProcess)]
 param (
-    [Parameter()][String]$AlzToolsPath = "$PWD/enterprise-scale/src/Alz.Tools",
-    [Parameter()][String]$TargetPath = "$PWD/terraform-azurerm-caf-enterprise-scale",
-    [Parameter()][String]$SourcePath = "$PWD/enterprise-scale",
-    [Parameter()][String]$LineEnding = "unix",
-    [Parameter()][Switch]$Reset,
-    [Parameter()][Switch]$UpdateProviderApiVersions
+  [Parameter()][String]$AlzToolsPath = "$PWD/enterprise-scale/src/Alz.Tools",
+  [Parameter()][String]$TargetPath = "$PWD/terraform-azurerm-caf-enterprise-scale",
+  [Parameter()][String]$SourcePath = "$PWD/enterprise-scale",
+  [Parameter()][String]$LineEnding = "unix",
+  [Parameter()][Switch]$Reset,
+  [Parameter()][Switch]$UpdateProviderApiVersions
 )
 
 $ErrorActionPreference = "Stop"
@@ -41,35 +41,46 @@ Import-Module $AlzToolsPath -ErrorAction Stop
 # stored state in the module if the UseCacheFromModule flag
 # is set and the ProviderApiVersions.zip file is present.
 if (!$UpdateProviderApiVersions -and (Test-Path "$AlzToolsPath/ProviderApiVersions.zip")) {
-    Write-Information "Pre-loading ProviderApiVersions from saved cache." -InformationAction Continue
-    Invoke-UseCacheFromModule($AlzToolsPath)
+  Write-Information "Pre-loading ProviderApiVersions from saved cache." -InformationAction Continue
+  Invoke-UseCacheFromModule($AlzToolsPath)
 }
 
 # The defaultConfig object provides a set of default values
 # to reduce verbosity within the exportConfig object.
 $defaultConfig = @{
-    inputFilter        = "*.json"
-    resourceTypeFilter = @()
-    outputPath         = $TargetPath + "/modules/archetypes/lib"
-    fileNamePrefix     = ""
-    fileNameSuffix     = ".json"
-    exportFormat       = "Terraform"
-    recurse            = $false
+  inputFilter        = "*.json"
+  resourceTypeFilter = @()
+  outputPath         = $TargetPath + "/modules/archetypes/lib"
+  fileNamePrefix     = ""
+  fileNameSuffix     = ".json"
+  exportFormat       = "Terraform"
+  recurse            = $false
 }
 
+$excludePolicyDefinitions = @(
+  "*.AzureChinaCloud.json",
+  "*.AzureUSGovernment.json"
+)
+
+$excludePolicySetDefinitions = @(
+  "*.AzureChineCloud.json",
+  "*.AzureUSGovernment.json",
+  "Enforce-Encryption-CMK.json"
+)
+
 # File locations from Enterprise-scale repository for
 # resources, organised by type
 $policyDefinitionFilePaths = (
-    Get-ChildItem -Path "$SourcePath/src/resources/Microsoft.Authorization/policyDefinitions/*" `
-        -File `
-        -Include "*.json" `
-        -Exclude "*.AzureChinaCloud.json", "*.AzureUSGovernment.json"
+  Get-ChildItem -Path "$SourcePath/src/resources/Microsoft.Authorization/policyDefinitions/*" `
+    -File `
+    -Include "*.json" `
+    -Exclude $excludePolicyDefinitions
 ).FullName
 $policySetDefinitionFilePaths = (
-    Get-ChildItem -Path "$SourcePath/src/resources/Microsoft.Authorization/policySetDefinitions/*" `
-        -File `
-        -Include "*.json" `
-        -Exclude "*.AzureChinaCloud.json", "*.AzureUSGovernment.json"
+  Get-ChildItem -Path "$SourcePath/src/resources/Microsoft.Authorization/policySetDefinitions/*" `
+    -File `
+    -Include "*.json" `
+    -Exclude $excludePolicySetDefinitions
 ).FullName
 
 # The exportConfig array controls the foreach loop used to run
@@ -81,46 +92,46 @@ $policySetDefinitionFilePaths = (
 $exportConfig = @()
 # Add Policy Definition source files to $exportConfig
 $exportConfig += $policyDefinitionFilePaths |
-ForEach-Object {
+  ForEach-Object {
     [PsCustomObject]@{
-        inputPath          = $_
-        resourceTypeFilter = "Microsoft.Authorization/policyDefinitions"
-        fileNamePrefix     = "policy_definitions/policy_definition_es_"
+      inputPath          = $_
+      resourceTypeFilter = "Microsoft.Authorization/policyDefinitions"
+      fileNamePrefix     = "policy_definitions/policy_definition_es_"
     }
-}
+  }
 # Add Policy Set Definition source files to $exportConfig
 $exportConfig += $policySetDefinitionFilePaths | ForEach-Object {
-    [PsCustomObject]@{
-        inputPath          = $_
-        resourceTypeFilter = "Microsoft.Authorization/policySetDefinitions"
-        fileNamePrefix     = "policy_set_definitions/policy_set_definition_es_"
-        fileNameSuffix     = ".tmpl.json"
-    }
+  [PsCustomObject]@{
+    inputPath          = $_
+    resourceTypeFilter = "Microsoft.Authorization/policySetDefinitions"
+    fileNamePrefix     = "policy_set_definitions/policy_set_definition_es_"
+    fileNameSuffix     = ".tmpl.json"
+  }
 }
 
 # If the -Reset parameter is set, delete all existing
 # artefacts (by resource type) from the library
 if ($Reset) {
-    Write-Information "Deleting existing Policy Definitions from library." -InformationAction Continue
-    Remove-Item -Path "$TargetPath/modules/archetypes/lib/policy_definitions/" -Recurse -Force
-    Write-Information "Deleting existing Policy Set Definitions from library." -InformationAction Continue
-    Remove-Item -Path "$TargetPath/modules/archetypes/lib/policy_set_definitions/" -Recurse -Force
+  Write-Information "Deleting existing Policy Definitions from library." -InformationAction Continue
+  Remove-Item -Path "$TargetPath/modules/archetypes/lib/policy_definitions/" -Recurse -Force
+  Write-Information "Deleting existing Policy Set Definitions from library." -InformationAction Continue
+  Remove-Item -Path "$TargetPath/modules/archetypes/lib/policy_set_definitions/" -Recurse -Force
 }
 
 # Process the files added to $exportConfig, to add content
 # to the library
 foreach ($config in $exportConfig) {
-    Export-LibraryArtifact `
-        -InputPath ($config.inputPath ?? $defaultConfig.inputPath) `
-        -InputFilter ($config.inputFilter ?? $defaultConfig.inputFilter) `
-        -ResourceTypeFilter ($config.resourceTypeFilter ?? $defaultConfig.resourceTypeFilter) `
-        -OutputPath ($config.outputPath ?? $defaultConfig.outputPath) `
-        -FileNamePrefix ($config.fileNamePrefix ?? $defaultConfig.fileNamePrefix) `
-        -FileNameSuffix ($config.fileNameSuffix ?? $defaultConfig.fileNameSuffix) `
-        -ExportFormat:($config.exportFormat ?? $defaultConfig.exportFormat) `
-        -Recurse:($config.recurse ?? $defaultConfig.recurse) `
-        -LineEnding $LineEnding `
-        -WhatIf:$WhatIfPreference
+  Export-LibraryArtifact `
+    -InputPath ($config.inputPath ?? $defaultConfig.inputPath) `
+    -InputFilter ($config.inputFilter ?? $defaultConfig.inputFilter) `
+    -ResourceTypeFilter ($config.resourceTypeFilter ?? $defaultConfig.resourceTypeFilter) `
+    -OutputPath ($config.outputPath ?? $defaultConfig.outputPath) `
+    -FileNamePrefix ($config.fileNamePrefix ?? $defaultConfig.fileNamePrefix) `
+    -FileNameSuffix ($config.fileNameSuffix ?? $defaultConfig.fileNameSuffix) `
+    -ExportFormat:($config.exportFormat ?? $defaultConfig.exportFormat) `
+    -Recurse:($config.recurse ?? $defaultConfig.recurse) `
+    -LineEnding $LineEnding `
+    -WhatIf:$WhatIfPreference
 }
 
 # Get a list of current Policy Definition names

diff --git a/.github/workflows/update-policy.yml b/.github/workflows/update-policy.yml
@@ -84,7 +84,6 @@ jobs:
 
             Write-Information "==> Running policy assignments and archetypes script..." -InformationAction Continue
             ${{ github.repository }}/.github/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1 `
-              -AlzToolsPath "${{ github.workspace }}/${{ env.remote_repository }}/src/Alz.Tools/" `
               -TargetPath "${{ github.workspace }}/${{ github.repository }}" `
               -SourcePath "${{ github.workspace }}/${{ env.remote_repository }}"
           azPSVersion: "latest"
@@ -113,6 +112,7 @@ jobs:
           echo "$PULL_REQUESTS" | jq -r '.[] | .number' | xargs -I {} gh pr close {} --delete-branch --comment "Out of date PR, closing and deleting branch"
         env:
           GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+        working-directory: ${{ github.repository }}
 
       - name: Create pull request
         if: steps.git_status.outputs.changes > 0

diff --git a/tests/pipelines/templates/tests-backend.yml b/tests/pipelines/templates/tests-backend.yml
@@ -8,4 +8,4 @@ steps:
       scriptLocation: scriptPath
       scriptPath: "tests/scripts/azp-backend.sh"
       scriptType: bash
-      failOnStandardError: true
+      failOnStandardError: false
diff --git a/tests/pipelines/templates/tests-common.yml b/tests/pipelines/templates/tests-common.yml
@@ -18,4 +18,4 @@ steps:
       scriptLocation: scriptPath
       scriptPath: "tests/scripts/tf-prepare.sh"
       scriptType: bash
-      failOnStandardError: true
+      failOnStandardError: false
diff --git a/tests/pipelines/templates/tests-loop.yml b/tests/pipelines/templates/tests-loop.yml
@@ -12,7 +12,7 @@ steps:
       scriptType: bash
       scriptLocation: scriptPath
       scriptPath: "tests/scripts/tf-init.sh"
-      failOnStandardError: true
+      failOnStandardError: false
       addSpnToEnvironment: true
       azureSubscription: ado-mscet-cae-estf
     env:
@@ -25,7 +25,7 @@ steps:
       scriptType: bash
       scriptLocation: scriptPath
       scriptPath: "tests/scripts/tf-plan.sh"
-      failOnStandardError: true
+      failOnStandardError: false
       addSpnToEnvironment: true
       azureSubscription: ado-mscet-cae-estf
     env:
@@ -37,7 +37,7 @@ steps:
     inputs:
       scriptType: bash
       scriptLocation: scriptPath
-      failOnStandardError: true
+      failOnStandardError: false
       addSpnToEnvironment: true
       scriptPath: "tests/scripts/tf-apply.sh"
       azureSubscription: ado-mscet-cae-estf
@@ -50,7 +50,7 @@ steps:
     inputs:
       scriptType: bash
       scriptLocation: scriptPath
-      failOnStandardError: true
+      failOnStandardError: false
       addSpnToEnvironment: true
       scriptPath: "tests/scripts/tf-destroy.sh"
       azureSubscription: ado-mscet-cae-estf

diff --git a/tests/pipelines/templates/tests-strategy.yml b/tests/pipelines/templates/tests-strategy.yml
@@ -7,7 +7,7 @@ steps:
       azureSubscription: ado-mscet-cae-estf
       scriptType: FilePath
       scriptPath: "tests/scripts/azp-strategy.ps1"
-      failOnStandardError: true
-      azurePowerShellVersion: 'LatestVersion'  # Adding version specification for clarity
+      failOnStandardError: false
+      azurePowerShellVersion: "LatestVersion" # Adding version specification for clarity
     env:
       BILLING_SCOPE: $(BILLING_SCOPE)