AI Ready - Policies

.github/workflows/test-portal.yml

@@ -104,12 +104,42 @@ jobs:
           inlineScript: ./src/scripts/Invoke-ActionRemoveOrphanedRBAC.ps1
           azPSVersion: "latest"
 
-      - name: Generate eslzArm configuration
-        id: config
+      - name: Check test label set
+        if: |
+          ${{ contains(github.event.pull_request.labels.*.name, 'Test: Standard') || contains(github.event.pull_request.labels.*.name, 'Test: Hub & Spoke')  || contains(github.event.pull_request.labels.*.name, 'Test: VWAN') }}
+        run: echo "Test label has been set, test can proceed."
+
+      - name: Generate eslzArm configuration (Standard)
+        if: |
+          ${{ contains(github.event.pull_request.labels.*.name, 'Test: Standard') }}
         uses: azure/powershell@v2
         with:
           inlineScript: |
-            ./src/scripts/Invoke-ActionGenerateEslzArmConfig.ps1
+            ./src/scripts/Invoke-ActionGenerateEslzArmConfig.ps1 -TemplateParameterPath "./eslzArm/eslzArm.test.param.std.json"
+            Get-Content -Path $env:TEMP_DEPLOYMENT_OBJECT_PATH | jq
+          azPSVersion: "latest"
+        env:
+          DEPLOYMENT_LOCATION: ${{ secrets.DEPLOYMENT_LOCATION }}
+
+      - name: Generate eslzArm configuration (Hub & Spoke)
+        if: |
+          ${{ contains(github.event.pull_request.labels.*.name, 'Test: Hub & Spoke') }}
+        uses: azure/powershell@v2
+        with:
+          inlineScript: |
+            ./src/scripts/Invoke-ActionGenerateEslzArmConfig.ps1 -TemplateParameterPath "./eslzArm/eslzArm.test.param.hns.json"
+            Get-Content -Path $env:TEMP_DEPLOYMENT_OBJECT_PATH | jq
+          azPSVersion: "latest"
+        env:
+          DEPLOYMENT_LOCATION: ${{ secrets.DEPLOYMENT_LOCATION }}
+
+      - name: Generate eslzArm configuration (VWAN)
+        if: |
+          ${{ contains(github.event.pull_request.labels.*.name, 'Test: VWAN') }}
+        uses: azure/powershell@v2
+        with:
+          inlineScript: |
+            ./src/scripts/Invoke-ActionGenerateEslzArmConfig.ps1 -TemplateParameterPath "./eslzArm/eslzArm.test.param.vwan.json"
             Get-Content -Path $env:TEMP_DEPLOYMENT_OBJECT_PATH | jq
           azPSVersion: "latest"
         env:

docs/wiki/ALZ-Policies-Extra.md

@@ -30,10 +30,12 @@ To support the additional control requirements of these industries, we're provid
 
 | Initiative ID | Name | Description | # of Policies |
 |------------|-------------|-------------|-------------|
+| [Enforce-Encryption-CMK](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Encryption-CMK.html) | Deny or Audit resources without Encryption with a customer-managed key (CMK) | This policy initiative is a group of policies that ensures Customer Managed Keys is compliant per regulated Landing Zones. | 30 |
 | [Enforce-Guardrails-APIM](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-APIM.html) | Enforce recommended guardrails for API Management | This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones. | 11 |
 | [Enforce-Guardrails-AppServices](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-AppServices.html) | Enforce recommended guardrails for App Service | This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones. | 19 |
 | [Enforce-Guardrails-Automation](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Automation.html) | Enforce recommended guardrails for Automation Account | This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones. | 6 |
-| [Enforce-Guardrails-CognitiveServices](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-CognitiveServices.html) | Enforce recommended guardrails for Cognitive Services | This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones. | 5 |
+| [Enforce-Guardrails-BotService](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-BotService.html) | Enforce recommended guardrails for Bot Service (service renamed to AI Bot Service) | This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones. | 4 |
+| [Enforce-Guardrails-CognitiveServices](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-CognitiveServices.html) | Enforce recommended guardrails for Cognitive Services (service renamed to AI Services) | This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones. | 9 |
 | [Enforce-Guardrails-Compute](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Compute.html) | Enforce recommended guardrails for Compute | This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones. | 2 |
 | [Enforce-Guardrails-ContainerApps](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-ContainerApps.html) | Enforce recommended guardrails for Container Apps | This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones. | 2 |
 | [Enforce-Guardrails-ContainerInstance](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-ContainerInstance.html) | Enforce recommended guardrails for Container Instance | This policy initiative is a group of policies that ensures Container Instance is compliant per regulated Landing Zones. | 1 |
@@ -45,10 +47,10 @@ To support the additional control requirements of these industries, we're provid
 | [Enforce-Guardrails-EventHub](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-EventHub.html) | Enforce recommended guardrails for Event Hub | This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones. | 4 |
 | [Enforce-Guardrails-KeyVault-Sup](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault-Sup.html) | Enforce additional recommended guardrails for Key Vault | This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones. This includes additional policies to supplement Enforce-Guardrails-KeyVault, which is assigned by default in ALZ. | 2 |
 | [Enforce-Guardrails-Kubernetes](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Kubernetes.html) | Enforce recommended guardrails for Kubernetes | This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones. | 16 |
-| [Enforce-Guardrails-MachineLearning](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-MachineLearning.html) | Enforce recommended guardrails for Machine Learning | This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones. | 5 |
+| [Enforce-Guardrails-MachineLearning](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-MachineLearning.html) | Enforce recommended guardrails for Machine Learning | This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones. | 14 |
 | [Enforce-Guardrails-MySQL](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-MySQL.html) | Enforce recommended guardrails for MySQL | This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones. | 2 |
 | [Enforce-Guardrails-Network](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Network.html) | Enforce recommended guardrails for Network and Networking services | This policy initiative is a group of policies that ensures Network and Networking services is compliant per regulated Landing Zones. | 22 |
-| [Enforce-Guardrails-OpenAI](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-OpenAI.html) | Enforce recommended guardrails for Open AI (Cognitive Service) | This policy initiative is a group of policies that ensures Open AI (Cognitive Services) is compliant per regulated Landing Zones. | 6 |
+| [Enforce-Guardrails-OpenAI](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-OpenAI.html) | Enforce recommended guardrails for Azure OpenAI (Cognitive Service) | This policy initiative is a group of policies that ensures Azure OpenAI (Cognitive Services) is compliant per regulated Landing Zones. | 11 |
 | [Enforce-Guardrails-PostgreSQL](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-PostgreSQL.html) | Enforce recommended guardrails for PostgreSQL | This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones. | 1 |
 | [Enforce-Guardrails-ServiceBus](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-ServiceBus.html) | Enforce recommended guardrails for Service Bus | This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones. | 4 |
 | [Enforce-Guardrails-SQL](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-SQL.html) | Enforce recommended guardrails for SQL and SQL Managed Instance | This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones. | 5 |

docs/wiki/Community-Calls.md

@@ -1,6 +1,7 @@
 ## In this Section
 
 - [In this Section](#in-this-section)
+- [September 2024](#25th-september-2024-25092024)
 - [June 2024](#12th-june-2024-12062024)
 - [March 2024](#11th-march-2024-11032024)
 - [December 2023](#6th-december-2023-06122023)
@@ -13,10 +14,20 @@
 
 ---
 
-On this page you will find the meeting recordings and PowerPoint slides from previous Azure Landing Zone External Community Calls. To sign-up to the next Azure Landing Zone External Community Call, head to: [https://aka.ms/alz/communitycallregister](https://aka.ms/alz/communitycallregister)
+On this page you will find the meeting recordings and PowerPoint slides from previous Azure Landing Zone External Community Calls. To sign-up to the next Azure Landing Zone External Community Call, head to: [aka.ms/alz/communitycall](https://aka.ms/alz/communitycall)
 
 > Short link to this page is [aka.ms/alz/community](https://aka.ms/alz/community)
 
+## 25th September 2024 (25/09/2024)
+
+### Recording
+
+[![Screenshot of Azure Landing Zones Community Call from September 2024 recording on YouTube](./media/community-calls/sept-2024/youtube-thumbnail.png)](https://youtu.be/eta4v9ETDl4?si=DJl93_95uEVWK8NC)
+
+### Slides
+
+A PDF of the PowerPoint slides are available [here.](./media/community-calls/sept-2024/ALZ-Community-Call-25092024.pdf)
+
 ## 12th June 2024 (12/06/2024)
 
 ### Recording

docs/wiki/Whats-new.md

@@ -56,6 +56,11 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 - Updated the Deny-vNet-Peer-Cross-Sub.json definition policy to include a parameter for allowed virtual networks (vNets) in other subscriptions. For vNets to be permitted to peer, both vNet IDs must be added to the allowed list.
 - Added new built-in policy assignment and portal option for [Subnets should be private](https://www.azadvertizer.net/azpolicyadvertizer/7bca8353-aa3b-429b-904a-9229c4385837.html) assigned at Platform and Landing Zones management groups. This policy's assignment effect is defaulted to "Audit" in this release, giving the community time to adopt the good practice and address subnet compliance. We will default to the "Deny" effect as part of the next Policy Refresh.
 - Added option to select Diagnostic Settings category for logging to Log Analytics in the portal experience. You can now select between the recommended "All Logs" which covers almost all Azure resources, or "Audit Only" which is limited to resources that support this category.
+- Added additional built-in policies to initiatives for the following Azure AI Services:
+  - Azure OpenAI
+  - Cognitive Services/Search -> AI Services
+  - Machine Learning
+  - Bot Service (new) -> AI Bot Services
 - Updated the initiative [Deploy-MDFC-Config_20240319](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) to include an additional parameter that allows you to specify if the Defender for Cloud export to Log Analytics should create a new resource group. This is useful when you want to specify the resource group name or requires tags on resource groups. Will be used by other RIs - Terraform and Bicep (portal accelerator will use default values).
 
 ### September 2024
@@ -73,6 +78,9 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 - [Guidance](https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz/UpdateToNewReleases/Update_from_release_2024-06-05/) for updating and implementing these changes in existing environments is available on the AMBA website.
 - Updated the Azure Monitoring Baseline Alerts (AMBA) integration section in the portal accelerator to include new features exposed by the AMBA solution. To read more on the changes https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz/Whats-New/
 
+#### Other
+
+- The September community call recording and slides have been uploaded to YouTube and wiki, all available from [aka.ms/alz/community](https://aka.ms/alz/community)
 
 ### August 2024