New Feature: Workload Specific Compliance

[Springstone]

Overview/Summary

This pull request includes significant updates to the Azure Landing Zones (ALZ) policy and the ALZ Portal accelerator. The changes aim to provide additional compliance controls for specific workloads, which are often required by highly regulated industries.

Major changes include:

Updates to .github/workflows/update-portal.yml:

• Added a new job to build initiatives from the src/templates/initiatives.bicep file and output to ./eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json.

Additions to docs/wiki/ALZ-Policies-Extra.md:

• Added a new section "ALZ Policies - Extra" that provides information on additional policies not assigned by default or covered in the core ALZ Policies documentation. The section includes a list of policies and their descriptions.
• Introduced a new "Workload Specific Compliance" section that provides additional initiatives to enhance the security and compliance posture of the Azure Landing Zones. The section includes a list of initiative IDs, their names, descriptions, and the number of policies.

Updates to docs/wiki/Whats-new.md:

• Added a note about the missed Q3 timelines and the reasons for the delay. Also, provided information on the major update to the ALZ Policy and the addition of the "Workload Specific Compliance" section to the ALZ Portal accelerator.
• Included a list of new custom initiatives added to support key Azure workloads/services, enhancements to existing initiatives, and new custom policies added for various workloads.
• Updated the "Deploy-MDFC-Config" for Defender for APIs, which now requires a sub plan to be specified.

Updates to ALZ Portal accelerator:

• docs/wiki/Whats-new.md: Added a new "Workload Specific Compliance" section to the ALZ Portal accelerator. This new section allows users to apply compliance policies to specific workloads like SQL, Storage, etc. These additional compliance controls are often required by highly regulated industries like financial services and healthcare.

Updates to Defender for APIs:

• docs/wiki/Whats-new.md: Updated the Deploy-MDFC-Config for Defender for APIs, which now requires a sub-plan to be specified. The default sub-plan is "P1", and costs will only be incurred once an API has been onboarded to Defender for APIs. Users are advised to review Defender for API plans as they relate to their environment and adjust the sub-plan as needed.

Updates to documentation:

• .github/workflows/update-portal.yml: Added a new step to the workflow to update initiatives in the jobs: section.
• docs/wiki/ALZ-Policies-Extra.md: Added a new file to describe additional policies that are not assigned by default or covered in the core ALZ Policies documentation. This file provides guidance on how to handle certain situations and includes a detailed list of policies and initiatives.

Testing Evidence

Testing URLs

Azure Public

As part of this Pull Request I have

• [x] Checked for duplicate Pull Requests
• [x] Associated it with relevant issues, for tracking and closure.
• [x] Ensured my code/branch is up-to-date with the latest changes in the main branch
• [x] Performed testing and provided evidence.
• [x] Ensured contribution guidance is followed.
• [x] Updated relevant and associated documentation.
• [x] Updated the "What's New?" wiki page (located: /docs/wiki/whats-new.md)

[Springstone]

Great work here @Springstone, awesome, awesome work.

Other comments that arent applicable to files:

1. Have we added metadata.alzVariant for policy definitions to:

   • Pester Tests
   • Contribution Guides
2. Are we adding tests for all the Deny assignments, into the testing framework that you built?
3. In the new definitions added should the properties.mode be set to all instead of indexed as per https://learn.microsoft.com/azure/governance/policy/concepts/definition-structure-basics#mode
4. Do we need to add the properties.version to all our policy definitions now?
5. Address "secure-by-default" definition concerns and update all policies based on outcome etc.

Addressed all the questions here, and created a user story to create additional Pester tests for the new Deny custom policies we're adding in this PR.