feat(platform/alz): update platform/alz library (automated) (#127)

This is an automated pull_request containing updates to the library
templates stored in .
Please review the files changed tab to review changes.

---------

Co-authored-by: Matt White <16320656+matt-FFFFFF@users.noreply.github.com>
Co-authored-by: github-actions <action@github.com>

Author: 3 people

.github/workflows/update-alz.yml

@@ -12,7 +12,6 @@ permissions:
 
 env:
   remote_repository: "Azure/Enterprise-Scale"
-  alzlib_repository: "Azure/alzlib"
   library_dir: "platform/alz"
   pr_title: "feat: update platform/alz library (automated)"
   pr_body: |-
@@ -25,47 +24,47 @@ jobs:
     runs-on: ubuntu-latest
     environment: libupdate
     steps:
-      - name: Install alzlibtool
-        run: |
-          curl -L https://github.com/Azure/alzlib/releases/download/${{ vars.ALZLIBTOOL_VERSION }}/alzlibtool_linux_amd64.tar.gz | tar -xvz
-          sudo cp alzlibtool /usr/local/bin
 
-      - name: Local repository checkout
+      - name: local repository checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           path: ${{ github.repository }}
           fetch-depth: 0
 
-      - name: Remote repository checkout
+      - name: install tools
+        run: make tools
+        working-directory: ${{ github.workspace }}/${{ github.repository }}
+
+      - name: remote repository checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: ${{ env.remote_repository }}
           path: ${{ env.remote_repository }}
           ref: main
 
-      - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+      - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
         id: generate-token
         with:
-          app_id: ${{ secrets.TOKEN_APP_ID }}
-          private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.TOKEN_APP_ID }}
+          private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
 
-      - name: Configure local git
+      - name: configure local git
         run: |
           git config user.name github-actions
           git config user.email action@github.com
         working-directory: ${{ github.repository }}
 
-      - name: Create and checkout branch
+      - name: create and checkout branch
         id: branch
         run: |
-          BRANCH="platform-alz-${{ github.run_number }}"
+          BRANCH="feat/${{ env.library_dir }}-${{ github.run_number }}"
           echo "name=$BRANCH" >> "$GITHUB_OUTPUT"
           git checkout -b "$BRANCH"
         working-directory: ${{ github.repository }}
         env:
           GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
 
-      - name: Update library policy definitions
+      - name: update library policy definitions
         run: |
           alzlibtool convert policydefinition -o \
             "${{ github.workspace }}/${{ env.remote_repository }}/src/resources/Microsoft.Authorization/policyDefinitions" \
@@ -77,7 +76,7 @@ jobs:
             "${{ github.workspace }}/${{ env.remote_repository }}/src/resources/Microsoft.Authorization/policySetDefinitions" \
             "${{ github.workspace }}/${{ github.repository }}/${{ env.library_dir }}/policy_set_definitions"
 
-      - name: Update library policy definitions in archetype definitions
+      - name: update library policy definitions in archetype definitions
         uses: azure/powershell@53dd145408794f7e80f97cfcca04155c85234709 # v2.0.0
         with:
           inlineScript: |
@@ -87,7 +86,7 @@ jobs:
               -SourcePath "${{ github.workspace }}/${{ env.remote_repository }}"
           azPSVersion: "latest"
 
-      - name: Update library policy assignments and archetypes
+      - name: update library policy assignments and archetypes
         uses: azure/powershell@53dd145408794f7e80f97cfcca04155c85234709 # v2.0.0
         with:
           inlineScript: |
@@ -97,21 +96,21 @@ jobs:
               -SourcePath "${{ github.workspace }}/${{ env.remote_repository }}"
           azPSVersion: "latest"
 
-      - name: Check for changes
+      - name: check for changes
         id: git_status
         run: |
           mapfile -t "CHECK_GIT_STATUS" < <(git status -s ${{ env.library_dir }})
           printf "%s\n" "${CHECK_GIT_STATUS[@]}"
           echo "changes=${#CHECK_GIT_STATUS[@]}" >> "$GITHUB_OUTPUT"
         working-directory: ${{ github.workspace }}/${{ github.repository }}
 
-      - name: Regerate README.md
+      - name: generate README.md
         if: steps.git_status.outputs.changes > 0
         run: |
-          alzlibtool document library . >README.md
-        working-directory: ${{ github.repository }}
+          make docs LIB="${{ env.library_dir }}"
+        working-directory: ${{ github.workspace }}/${{ github.repository }}
 
-      - name: Add files, commit and push
+      - name: add files, commit and push
         if: steps.git_status.outputs.changes > 0
         run: |
           echo "Pushing changes to origin..."
@@ -120,7 +119,7 @@ jobs:
           git push origin ${{ steps.branch.outputs.name }}
         working-directory: ${{ github.repository }}
 
-      - name: Create pull request
+      - name: create pull request
         if: steps.git_status.outputs.changes > 0
         id: pr
         run: |
@@ -139,7 +138,7 @@ jobs:
       - name: close and comment out of date prs
         if: steps.git_status.outputs.changes > 0
         run: |
-          PULL_REQUESTS=$(gh pr list --search 'feat: update platform/alz library (automated)' --json number,headRefName)
+          PULL_REQUESTS=$(gh pr list --search '${{ env.pr_title }}' --json number,headRefName)
           echo "$PULL_REQUESTS" | jq -r '.[] | select(.number != ${{ steps.pr.outputs.number }}) | .number' | xargs -I {} gh pr close {} --delete-branch --comment "Supersceeded by #${{ steps.pr.outputs.pull-request-number }}"
         working-directory: ${{ github.repository }}
         env:

platform/alz/README.md

@@ -133,7 +133,7 @@ flowchart TD
 - Enforce-ASR
 - Enforce-GR-KeyVault
 - Enforce-Subnet-Private
-- Enforce-TLS-SSL-H224
+- Enforce-TLS-SSL-Q225
 </details>
 
 ### archetype `platform`
@@ -160,7 +160,7 @@ flowchart TD
 
 #### root policy definitions
 
-<details><summary>158 policy definitions</summary>
+<details><summary>160 policy definitions</summary>
 
 - Append-AppService-httpsonly
 - Append-AppService-latestTLS
@@ -173,6 +173,8 @@ flowchart TD
 - Audit-PrivateLinkDnsZones
 - Audit-PublicIpAddresses-UnusedResourcesCostOptimization
 - Audit-ServerFarms-UnusedResourcesCostOptimization
+- Audit-Tags-Mandatory
+- Audit-Tags-Mandatory-Rg
 - Deny-AA-child-resources
 - Deny-APIM-TLS
 - Deny-AppGW-Without-WAF
@@ -324,7 +326,7 @@ flowchart TD
 
 #### root policy set definitions
 
-<details><summary>46 policy set definitions</summary>
+<details><summary>47 policy set definitions</summary>
 
 - Audit-TrustedLaunch
 - Audit-UnusedResourcesCostOptimization
@@ -344,6 +346,7 @@ flowchart TD
 - Enforce-Backup
 - Enforce-EncryptTransit
 - Enforce-EncryptTransit_20240509
+- Enforce-EncryptTransit_20241211
 - Enforce-Encryption-CMK
 - Enforce-Guardrails-APIM
 - Enforce-Guardrails-AppServices
@@ -526,7 +529,7 @@ The subscription id that hosts the private link DNS zones.
 
 ### all policy definitions
 
-<details><summary>158 policy definitions</summary>
+<details><summary>160 policy definitions</summary>
 
 - Append-AppService-httpsonly
 - Append-AppService-latestTLS
@@ -539,6 +542,8 @@ The subscription id that hosts the private link DNS zones.
 - Audit-PrivateLinkDnsZones
 - Audit-PublicIpAddresses-UnusedResourcesCostOptimization
 - Audit-ServerFarms-UnusedResourcesCostOptimization
+- Audit-Tags-Mandatory
+- Audit-Tags-Mandatory-Rg
 - Deny-AA-child-resources
 - Deny-APIM-TLS
 - Deny-AppGW-Without-WAF
@@ -690,7 +695,7 @@ The subscription id that hosts the private link DNS zones.
 
 ### all policy set definitions
 
-<details><summary>46 policy set definitions</summary>
+<details><summary>47 policy set definitions</summary>
 
 - Audit-TrustedLaunch
 - Audit-UnusedResourcesCostOptimization
@@ -710,6 +715,7 @@ The subscription id that hosts the private link DNS zones.
 - Enforce-Backup
 - Enforce-EncryptTransit
 - Enforce-EncryptTransit_20240509
+- Enforce-EncryptTransit_20241211
 - Enforce-Encryption-CMK
 - Enforce-Guardrails-APIM
 - Enforce-Guardrails-AppServices
@@ -742,7 +748,7 @@ The subscription id that hosts the private link DNS zones.
 
 ### all policy assignments
 
-<details><summary>49 policy assignments</summary>
+<details><summary>50 policy assignments</summary>
 
 - Audit-AppGW-WAF
 - Audit-PeDnsZones
@@ -793,6 +799,7 @@ The subscription id that hosts the private link DNS zones.
 - Enforce-GR-KeyVault
 - Enforce-Subnet-Private
 - Enforce-TLS-SSL-H224
+- Enforce-TLS-SSL-Q225
 </details>
 
 ### all role definitions

platform/alz/archetype_definitions/landing_zones.alz_archetype_definition.json

@@ -26,7 +26,7 @@
     "Enforce-ASR",
     "Enforce-GR-KeyVault",
     "Enforce-Subnet-Private",
-    "Enforce-TLS-SSL-H224"
+    "Enforce-TLS-SSL-Q225"
   ],
   "policy_definitions": [],
   "policy_set_definitions": [],

platform/alz/archetype_definitions/root.alz_archetype_definition.json

@@ -30,6 +30,8 @@
     "Audit-PrivateLinkDnsZones",
     "Audit-PublicIpAddresses-UnusedResourcesCostOptimization",
     "Audit-ServerFarms-UnusedResourcesCostOptimization",
+    "Audit-Tags-Mandatory-Rg",
+    "Audit-Tags-Mandatory",
     "Deny-AA-child-resources",
     "Deny-APIM-TLS",
     "Deny-AppGw-Without-Tls",
@@ -197,6 +199,7 @@
     "Enforce-Backup",
     "Enforce-Encryption-CMK",
     "Enforce-EncryptTransit_20240509",
+    "Enforce-EncryptTransit_20241211",
     "Enforce-EncryptTransit",
     "Enforce-Guardrails-APIM",
     "Enforce-Guardrails-AppServices",

platform/alz/policy_assignments/Audit-AppGW-WAF.alz_policy_assignment.json

@@ -1,12 +1,13 @@
 {
   "type": "Microsoft.Authorization/policyAssignments",
-  "apiVersion": "2022-06-01",
+  "apiVersion": "2024-04-01",
   "name": "Audit-AppGW-WAF",
   "dependsOn": [],
   "properties": {
     "description": "Assign the WAF should be enabled for Application Gateway audit policy.",
     "displayName": "Web Application Firewall (WAF) should be enabled for Application Gateway",
     "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
+    "definitionVersion": "2.*.*",
     "enforcementMode": "Default",
     "nonComplianceMessages": [
       {

platform/alz/policy_assignments/Audit-ResourceRGLocation.alz_policy_assignment.json

@@ -1,12 +1,13 @@
 {
   "type": "Microsoft.Authorization/policyAssignments",
-  "apiVersion": "2022-06-01",
+  "apiVersion": "2024-04-01",
   "name": "Audit-ResourceRGLocation",
   "dependsOn": [],
   "properties": {
     "description": "Resource Group and Resource locations should match.",
     "displayName": "Resource Group and Resource locations should match",
     "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a",
+    "definitionVersion": "2.*.*",
     "enforcementMode": "Default",
     "nonComplianceMessages": [
       {

platform/alz/policy_assignments/Audit-TrustedLaunch.alz_policy_assignment.json

@@ -11,7 +11,7 @@
     "enforcementMode": "Default",
     "nonComplianceMessages": [
       {
-        "message": "Trust Launch {enforcementMode} be used on supported virtual machines for enhanced security."
+        "message": "Trusted Launch {enforcementMode} be used on supported virtual machines for enhanced security."
       }
     ],
     "parameters": {

platform/alz/policy_assignments/Audit-ZoneResiliency.alz_policy_assignment.json

@@ -1,12 +1,13 @@
 {
   "type": "Microsoft.Authorization/policyAssignments",
-  "apiVersion": "2022-06-01",
+  "apiVersion": "2024-04-01",
   "name": "Audit-ZoneResiliency",
   "dependsOn": [],
   "properties": {
     "description": "Resources should be Zone Resilient.",
     "displayName": "Resources should be Zone Resilient",
     "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5",
+    "definitionVersion": "1.*.*-preview",
     "enforcementMode": "Default",
     "nonComplianceMessages": [
       {

platform/alz/policy_assignments/Deny-Classic-Resources.alz_policy_assignment.json

@@ -1,12 +1,13 @@
 {
   "type": "Microsoft.Authorization/policyAssignments",
-  "apiVersion": "2022-06-01",
+  "apiVersion": "2024-04-01",
   "name": "Deny-Classic-Resources",
   "dependsOn": [],
   "properties": {
     "description": "Denies deployment of classic resource types under the assigned scope.",
     "displayName": "Deny the deployment of classic resources",
     "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+    "definitionVersion": "2.*.*",
     "enforcementMode": "Default",
     "nonComplianceMessages": [
       {

platform/alz/policy_assignments/Deny-HybridNetworking.alz_policy_assignment.json

@@ -1,12 +1,13 @@
 {
   "type": "Microsoft.Authorization/policyAssignments",
-  "apiVersion": "2022-06-01",
+  "apiVersion": "2024-04-01",
   "name": "Deny-HybridNetworking",
   "dependsOn": [],
   "properties": {
     "description": "Denies deployment of vWAN/ER/VPN gateway resources in the Corp landing zone.",
     "displayName": "Deny the deployment of vWAN/ER/VPN gateway resources",
     "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+    "definitionVersion": "2.*.*",
     "enforcementMode": "Default",
     "nonComplianceMessages": [
       {