fix: updatescript again

.github/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1

@@ -81,6 +81,7 @@ foreach ($resource in $eslzArm) {
       else {
         $policyAssignments[$managementGroup].Add($policyAssignmentFileName)
       }
+      $enforcementMode = $resource.properties.parameters.enforcementMode.value
       $newMg = $managementGroupMapping[$managementGroup.Replace("defaults-", "")]
       Write-Verbose "Adding enforcement mode for $newMg - ${policyAssignmentFileName}: $enforcementMode"
       $enforcementModeLookup[[Tuple]::Create($newMg, $policyAssignmentFileName)] = $enforcementMode

.github/scripts/Invoke-LibraryUpdatePolicyDefinitions.ps1

@@ -63,7 +63,7 @@ $excludePolicyDefinitions = @(
 )
 
 $excludePolicySetDefinitions = @(
-  "*.AzureChineCloud.json",
+  "*.AzureChinaCloud.json",
   "*.AzureUSGovernment.json",
   "Enforce-Encryption-CMK.json"
 )
@@ -72,14 +72,13 @@ $excludePolicySetDefinitions = @(
 # resources, organised by type
 $policyDefinitionFilePaths = (
   Get-ChildItem -Path "$SourcePath/src/resources/Microsoft.Authorization/policyDefinitions/*" `
-    -File `
-    -Include "*.json" `
+    -Filter "*.json" `
     -Exclude $excludePolicyDefinitions
 ).FullName
 $policySetDefinitionFilePaths = (
   Get-ChildItem -Path "$SourcePath/src/resources/Microsoft.Authorization/policySetDefinitions/*" `
     -File `
-    -Include "*.json" `
+    -Filter "*.json" `
     -Exclude $excludePolicySetDefinitions
 ).FullName
 
@@ -91,14 +90,13 @@ $policySetDefinitionFilePaths = (
 # defaultConfig object.
 $exportConfig = @()
 # Add Policy Definition source files to $exportConfig
-$exportConfig += $policyDefinitionFilePaths |
-  ForEach-Object {
-    [PsCustomObject]@{
-      inputPath          = $_
-      resourceTypeFilter = "Microsoft.Authorization/policyDefinitions"
-      fileNamePrefix     = "policy_definitions/policy_definition_es_"
-    }
+$exportConfig += $policyDefinitionFilePaths | ForEach-Object {
+  [PsCustomObject]@{
+    inputPath          = $_
+    resourceTypeFilter = "Microsoft.Authorization/policyDefinitions"
+    fileNamePrefix     = "policy_definitions/policy_definition_es_"
   }
+}
 # Add Policy Set Definition source files to $exportConfig
 $exportConfig += $policySetDefinitionFilePaths | ForEach-Object {
   [PsCustomObject]@{

modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json

@@ -23,7 +23,34 @@
       "Enable-DDoS-VNET",
       "Enforce-AKS-HTTPS",
       "Enforce-ASR",
+      "Enforce-Encrypt-CMK0",
+      "Enforce-GR-APIM0",
+      "Enforce-GR-AppServices0",
+      "Enforce-GR-Automation0",
+      "Enforce-GR-BotService0",
+      "Enforce-GR-CogServ0",
+      "Enforce-GR-Compute0",
+      "Enforce-GR-ContApps0",
+      "Enforce-GR-ContInst0",
+      "Enforce-GR-ContReg0",
+      "Enforce-GR-CosmosDb0",
+      "Enforce-GR-DataExpl0",
+      "Enforce-GR-DataFactory0",
+      "Enforce-GR-EventGrid0",
+      "Enforce-GR-EventHub0",
       "Enforce-GR-KeyVault",
+      "Enforce-GR-KeyVaultSup0",
+      "Enforce-GR-Kubernetes0",
+      "Enforce-GR-MachLearn0",
+      "Enforce-GR-MySQL0",
+      "Enforce-GR-Network0",
+      "Enforce-GR-OpenAI0",
+      "Enforce-GR-PostgreSQL0",
+      "Enforce-GR-ServiceBus0",
+      "Enforce-GR-SQL0",
+      "Enforce-GR-Storage0",
+      "Enforce-GR-Synapse0",
+      "Enforce-GR-VirtualDesk0",
       "Enforce-Subnet-Private",
       "Enforce-TLS-SSL-Q225"
     ],

modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json

@@ -11,7 +11,34 @@
       "Deploy-VMSS-Monitoring",
       "Enable-AUM-CheckUpdates",
       "Enforce-ASR",
+      "Enforce-Encrypt-CMK0",
+      "Enforce-GR-APIM0",
+      "Enforce-GR-AppServices0",
+      "Enforce-GR-Automation0",
+      "Enforce-GR-BotService0",
+      "Enforce-GR-CogServ0",
+      "Enforce-GR-Compute0",
+      "Enforce-GR-ContApps0",
+      "Enforce-GR-ContInst0",
+      "Enforce-GR-ContReg0",
+      "Enforce-GR-CosmosDb0",
+      "Enforce-GR-DataExpl0",
+      "Enforce-GR-DataFactory0",
+      "Enforce-GR-EventGrid0",
+      "Enforce-GR-EventHub0",
       "Enforce-GR-KeyVault",
+      "Enforce-GR-KeyVaultSup0",
+      "Enforce-GR-Kubernetes0",
+      "Enforce-GR-MachLearn0",
+      "Enforce-GR-MySQL0",
+      "Enforce-GR-Network0",
+      "Enforce-GR-OpenAI0",
+      "Enforce-GR-PostgreSQL0",
+      "Enforce-GR-ServiceBus0",
+      "Enforce-GR-SQL0",
+      "Enforce-GR-Storage0",
+      "Enforce-GR-Synapse0",
+      "Enforce-GR-VirtualDesk0",
       "Enforce-Subnet-Private"
     ],
     "policy_definitions": [],

modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_encrypt_cmk0.tmpl.json

@@ -0,0 +1,24 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Enforce-Encrypt-CMK0",
+  "location": "${default_location}",
+  "dependsOn": [],
+  "identity": {
+    "type": "SystemAssigned"
+  },
+  "properties": {
+    "description": "This initiative assignment enables additional ALZ guardrails for Customer Managed Keys.",
+    "displayName": "Enforce recommended guardrails for Customer Managed Keys",
+    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK_20250218",
+    "enforcementMode": "DoNotEnforce",
+    "nonComplianceMessages": [
+      {
+        "message": "Recommended guardrails {enforcementMode} be enforced for Customer Managed Keys."
+      }
+    ],
+    "scope": "${current_scope_resource_id}",
+    "notScopes": [],
+    "parameters": {}
+  }
+}

modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_gr_apim0.tmpl.json

@@ -0,0 +1,24 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Enforce-GR-APIM0",
+  "location": "${default_location}",
+  "dependsOn": [],
+  "identity": {
+    "type": "SystemAssigned"
+  },
+  "properties": {
+    "description": "This initiative assignment enables additional ALZ guardrails for API Management.",
+    "displayName": "Enforce recommended guardrails for API Management",
+    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM",
+    "enforcementMode": "DoNotEnforce",
+    "nonComplianceMessages": [
+      {
+        "message": "Recommended guardrails {enforcementMode} be enforced for API Management."
+      }
+    ],
+    "scope": "${current_scope_resource_id}",
+    "notScopes": [],
+    "parameters": {}
+  }
+}

modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_gr_appservices0.tmpl.json

@@ -0,0 +1,24 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Enforce-GR-AppServices0",
+  "location": "${default_location}",
+  "dependsOn": [],
+  "identity": {
+    "type": "SystemAssigned"
+  },
+  "properties": {
+    "description": "This initiative assignment enables additional ALZ guardrails for App Services.",
+    "displayName": "Enforce recommended guardrails for App Services",
+    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices",
+    "enforcementMode": "DoNotEnforce",
+    "nonComplianceMessages": [
+      {
+        "message": "Recommended guardrails {enforcementMode} be enforced for App Services."
+      }
+    ],
+    "scope": "${current_scope_resource_id}",
+    "notScopes": [],
+    "parameters": {}
+  }
+}

modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_gr_automation0.tmpl.json

@@ -0,0 +1,24 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Enforce-GR-Automation0",
+  "location": "${default_location}",
+  "dependsOn": [],
+  "identity": {
+    "type": "SystemAssigned"
+  },
+  "properties": {
+    "description": "This initiative assignment enables additional ALZ guardrails for Automation Accounts.",
+    "displayName": "Enforce recommended guardrails for Automation Accounts",
+    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation",
+    "enforcementMode": "DoNotEnforce",
+    "nonComplianceMessages": [
+      {
+        "message": "Recommended guardrails {enforcementMode} be enforced for Automation Accounts."
+      }
+    ],
+    "scope": "${current_scope_resource_id}",
+    "notScopes": [],
+    "parameters": {}
+  }
+}

modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_gr_botservice0.tmpl.json

@@ -0,0 +1,24 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Enforce-GR-BotService0",
+  "location": "${default_location}",
+  "dependsOn": [],
+  "identity": {
+    "type": "SystemAssigned"
+  },
+  "properties": {
+    "description": "This initiative assignment enables additional ALZ guardrails for Bot Service.",
+    "displayName": "Enforce recommended guardrails for Bot Service",
+    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-BotService",
+    "enforcementMode": "DoNotEnforce",
+    "nonComplianceMessages": [
+      {
+        "message": "Recommended guardrails {enforcementMode} be enforced for Bot Service."
+      }
+    ],
+    "scope": "${current_scope_resource_id}",
+    "notScopes": [],
+    "parameters": {}
+  }
+}

modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_gr_cogserv0.tmpl.json

@@ -0,0 +1,24 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Enforce-GR-CogServ0",
+  "location": "${default_location}",
+  "dependsOn": [],
+  "identity": {
+    "type": "SystemAssigned"
+  },
+  "properties": {
+    "description": "This initiative assignment enables additional ALZ guardrails for Cognitive Services.",
+    "displayName": "Enforce recommended guardrails for Cognitive Services",
+    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices",
+    "enforcementMode": "DoNotEnforce",
+    "nonComplianceMessages": [
+      {
+        "message": "Recommended guardrails {enforcementMode} be enforced for Cognitive Services."
+      }
+    ],
+    "scope": "${current_scope_resource_id}",
+    "notScopes": [],
+    "parameters": {}
+  }
+}

modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_gr_compute0.tmpl.json

@@ -0,0 +1,24 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Enforce-GR-Compute0",
+  "location": "${default_location}",
+  "dependsOn": [],
+  "identity": {
+    "type": "SystemAssigned"
+  },
+  "properties": {
+    "description": "This initiative assignment enables additional ALZ guardrails for Compute.",
+    "displayName": "Enforce recommended guardrails for Compute",
+    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute",
+    "enforcementMode": "DoNotEnforce",
+    "nonComplianceMessages": [
+      {
+        "message": "Recommended guardrails {enforcementMode} be enforced for Compute."
+      }
+    ],
+    "scope": "${current_scope_resource_id}",
+    "notScopes": [],
+    "parameters": {}
+  }
+}

modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_gr_contapps0.tmpl.json

@@ -0,0 +1,24 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Enforce-GR-ContApps0",
+  "location": "${default_location}",
+  "dependsOn": [],
+  "identity": {
+    "type": "SystemAssigned"
+  },
+  "properties": {
+    "description": "This initiative assignment enables additional ALZ guardrails for Container Apps.",
+    "displayName": "Enforce recommended guardrails for Container Apps",
+    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps",
+    "enforcementMode": "DoNotEnforce",
+    "nonComplianceMessages": [
+      {
+        "message": "Recommended guardrails {enforcementMode} be enforced for Container Apps."
+      }
+    ],
+    "scope": "${current_scope_resource_id}",
+    "notScopes": [],
+    "parameters": {}
+  }
+}

modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_gr_continst0.tmpl.json

@@ -0,0 +1,24 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Enforce-GR-ContInst0",
+  "location": "${default_location}",
+  "dependsOn": [],
+  "identity": {
+    "type": "SystemAssigned"
+  },
+  "properties": {
+    "description": "This initiative assignment enables additional ALZ guardrails for Container Instance.",
+    "displayName": "Enforce recommended guardrails for Container Instance",
+    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance",
+    "enforcementMode": "DoNotEnforce",
+    "nonComplianceMessages": [
+      {
+        "message": "Recommended guardrails {enforcementMode} be enforced for Container Instance."
+      }
+    ],
+    "scope": "${current_scope_resource_id}",
+    "notScopes": [],
+    "parameters": {}
+  }
+}

modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_gr_contreg0.tmpl.json

@@ -0,0 +1,24 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Enforce-GR-ContReg0",
+  "location": "${default_location}",
+  "dependsOn": [],
+  "identity": {
+    "type": "SystemAssigned"
+  },
+  "properties": {
+    "description": "This initiative assignment enables additional ALZ guardrails for Container Registry.",
+    "displayName": "Enforce recommended guardrails for Container Registry",
+    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry",
+    "enforcementMode": "DoNotEnforce",
+    "nonComplianceMessages": [
+      {
+        "message": "Recommended guardrails {enforcementMode} be enforced for Container Registry."
+      }
+    ],
+    "scope": "${current_scope_resource_id}",
+    "notScopes": [],
+    "parameters": {}
+  }
+}

modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_gr_cosmosdb0.tmpl.json

@@ -0,0 +1,24 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Enforce-GR-CosmosDb0",
+  "location": "${default_location}",
+  "dependsOn": [],
+  "identity": {
+    "type": "SystemAssigned"
+  },
+  "properties": {
+    "description": "This initiative assignment enables additional ALZ guardrails for Cosmos DB.",
+    "displayName": "Enforce recommended guardrails for Cosmos DB",
+    "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb",
+    "enforcementMode": "DoNotEnforce",
+    "nonComplianceMessages": [
+      {
+        "message": "Recommended guardrails {enforcementMode} be enforced for Cosmos DB."
+      }
+    ],
+    "scope": "${current_scope_resource_id}",
+    "notScopes": [],
+    "parameters": {}
+  }
+}