
Question about policies/initiatives.json #1845

Comments

@sshockley
Hi, I'm running into some issues deploying initiatives from eslzArm/managementGroupTemplates/policyDefinitions/policies.json and eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json. Specifically, when I deploy the initiatives, I get messages like:
PolicyDefinitionNotFound
The policy set definition 'Enforce-Guardrails-BotService' request is invalid. The following policy definition could not be found: '/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e'.

The full list of failures is:
Set / Policy not found
Enforce-EncryptTransit / 0e80e269-43a4-4ae9-b5bc-178126b8a5cb
Enforce-EncryptTransit_20240509 / 0e80e269-43a4-4ae9-b5bc-178126b8a5cb
Enforce-Guardrails-Automation / 6d02d2f7-e38b-4bdc-96f3-adc0a8726abc
Enforce-Guardrails-BotService / ad5621d6-a877-4407-aa93-a950b428315e
Enforce-Guardrails-ContainerApps / 8b346db6-85af-419b-8557-92cee2c0f9bb
Enforce-Guardrails-KeyVault / 86810a98-8e91-4a44-8386-ec66d0de5d57
Enforce-Guardrails-KeyVault-Sup / 84d327c3-164a-4685-b453-900478614456
Enforce-Guardrails-MachineLearning / e413671a-dd10-4cc1-a943-45b598596cb7
Enforce-Guardrails-MySQL / 3a58212a-c829-4f13-9872-6371df2fd0b4
Enforce-Guardrails-Network / 6484db87-a62d-4327-9f07-80a2cbdf333a
Enforce-Guardrails-Storage / 361c2074-3595-4e5d-8cab-4f21dffc835c

I should note this is in usgovvirginia.

I figured maybe there was a change upstream that hadn't been applied to this repo, so I tried rebuilding them:

az bicep build \
    --file ./src/templates/policies.bicep \
    --outfile ./eslzArm/managementGroupTemplates/policyDefinitions/policies.json
az bicep build \
    --file ./src/templates/initiatives.bicep \
    --outfile ./eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json
az bicep build \
    --file ./src/templates/roles.bicep \
    --outfile ./eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json

After that, the only failure is Enforce-Guardrails-MachineLearning / e413671a-dd10-4cc1-a943-45b598596cb7 (policy definition not found), but it does still fail.

So, finally getting around to my actual question, should the templates in eslzArm/managementGroupTemplates/policyDefinitions match the output of az bicep build? I note that the ARM templates have dire warnings about being programmatically generated, but looking at the commit history that isn't always the case.

@sshockley sshockley added the bug Something isn't working label Nov 20, 2024
@Springstone (Member)

@sshockley I'm not sure how you are going about this. You should be able to clone the repo and work from the main branch as is, and deploy the policies and initiatives (policies first, of course) to a management group (do not recommend using the Tenant Root). You should not need to rebuild those files; that is a requirement prior to merging into this repo, so it should be current.

@Springstone Springstone added the Type: Question / Feedback ❓👂 Further information is requested or just some feedback label Nov 25, 2024
@Springstone (Member)

Just one point to note, the initiatives.json file REQUIRES a parameter to be provided (topLevelManagementGroupPrefix), which would be the intermediate root management group id. If you provide that as default value or a parameter, the deployment will work.

@Springstone (Member)

And I just noticed that you mentioned you're deploying to US Gov, which is currently not validated in this repo. We do have it on our backlog to remediate missing policies in the initiatives for US Gov / China.

@Springstone Springstone added the Area: Sovereign 👽 GH issues raised for sovereign clouds (US Gov, China) label Nov 25, 2024
@Springstone Springstone added this to the sovereign milestone Nov 25, 2024
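A pre-deployment check for the PolicyDefinitionNotFound failures listed in the issue, useful where a sovereign cloud such as US Gov lacks some built-in definitions (an added example, not code from the Enterprise-Scale repo): it scans an initiatives template for bare built-in policy definition IDs and reports, per policy set, those absent from the target cloud. The template and the set of available definitions are constructed samples, and populating that set from the target cloud's BuiltIn definition listing is an assumption about how one would use it.

```python
import json
import re

# Constructed sample in the shape of an ARM initiatives template (assumed shape, not the repo's
# file): built-ins by bare resource ID, custom policies via the topLevelManagementGroupPrefix parameter.
SAMPLE_INITIATIVES_JSON = """{
  "parameters": {"topLevelManagementGroupPrefix": {"type": "string"}},
  "resources": [
    {"type": "Microsoft.Authorization/policySetDefinitions",
     "name": "Enforce-Guardrails-Example",
     "properties": {"policyDefinitions": [
       {"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11111111-1111-1111-1111-111111111111"},
       {"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22222222-2222-2222-2222-222222222222"},
       {"policyDefinitionId": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-Example')]"}]}},
    {"type": "Microsoft.Authorization/policySetDefinitions",
     "name": "Enforce-EncryptTransit-Example",
     "properties": {"policyDefinitions": [
       {"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11111111-1111-1111-1111-111111111111"}]}}
  ]
}"""

# Constructed stand-in for the built-in definitions present in the target cloud. For a real check,
# fill it from the BuiltIn definitions that cloud lists (`az policy definition list` after `az cloud set`).
AVAILABLE_BUILTINS = {"11111111-1111-1111-1111-111111111111"}

BUILTIN_ID = re.compile(
    r"^/providers/Microsoft\.Authorization/policyDefinitions/"
    r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.IGNORECASE)


def builtin_refs(template):
    """Map each policy set name to the built-in definition GUIDs it references. Custom
    (management-group-scoped) references come from policies.json and are skipped."""
    refs = {}
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Authorization/policySetDefinitions":
            continue
        guids = set()
        for pd in res.get("properties", {}).get("policyDefinitions", []):
            guids.update(g.lower() for g in BUILTIN_ID.findall(pd.get("policyDefinitionId", "")))
        refs[res["name"]] = guids
    return refs


def missing_builtins(template, available):
    """Return {set name: [missing GUIDs]}: the PolicyDefinitionNotFound failures to expect."""
    avail = {g.lower() for g in available}
    return {n: sorted(g - avail) for n, g in builtin_refs(template).items() if g - avail}


def check_sample():
    return missing_builtins(json.loads(SAMPLE_INITIATIVES_JSON), AVAILABLE_BUILTINS)
```

Running the check against the real initiatives.json and the definition list of the target cloud before deploying gives the same "Set / Policy not found" table the issue reports, without a failed deployment.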
@sshockley (Author)

Thanks for the info.

In general, I've been able to deploy by passing "" as topLevelManagementGroupPrefix, but maybe I've just been lucky. I do realize that ideally I shouldn't shoehorn this into an existing structure, but I'm working with what I have.

I guess my main question is whether, for example, the output of az bicep build policies.bicep should always functionally match policies.json?

@Springstone (Member)

Yes, that is correct. The initiatives bicep build does require the topLevelManagementGroupPrefix as it is used in several initiatives.

@Springstone Springstone removed the bug Something isn't working label Jan 8, 2025