Open glsutter opened 1 month ago
FYI - I extracted the built-in policy ids from the ALZ initiatives for AzureUSGovernment. Then ran a PowerShell script that did a Get-AzPolicyDefinition for each id. I found 15 build-in policies used in the ALZ initiatives that are not in our AzureUSGovernment account. A subcontractor working with my company also checked their AzureUSGovernment account and did not find some of these policies. I would like to know how to best resolve this issue.
Here are the missing policy ids:
PolicyDefinitionNotFound : The policy definition '30d1d58e-8f96-47a5-8564-499a3f3cca81' could not be found.
PolicyDefinitionNotFound : The policy definition '31b8092a-36b8-434b-9af7-5ec844364148' could not be found.
PolicyDefinitionNotFound : The policy definition '361c2074-3595-4e5d-8cab-4f21dffc835c' could not be found.
PolicyDefinitionNotFound : The policy definition '3a58212a-c829-4f13-9872-6371df2fd0b4' could not be found.
PolicyDefinitionNotFound : The policy definition '48c5f1cb-14ad-4797-8e3b-f78ab3f8d700' could not be found.
PolicyDefinitionNotFound : The policy definition '610b6183-5f00-4d68-86d2-4ab4cb3a67a5' could not be found.
PolicyDefinitionNotFound : The policy definition '632d3993-e2c0-44ea-a7db-2eca131f356d' could not be found.
PolicyDefinitionNotFound : The policy definition '6484db87-a62d-4327-9f07-80a2cbdf333a' could not be found.
PolicyDefinitionNotFound : The policy definition '6d02d2f7-e38b-4bdc-96f3-adc0a8726abc' could not be found.
PolicyDefinitionNotFound : The policy definition '711c24bb-7f18-4578-b192-81a6161e1f17' could not be found.
PolicyDefinitionNotFound : The policy definition '9798d31d-6028-4dee-8643-46102185c016' could not be found.
PolicyDefinitionNotFound : The policy definition 'a58ac66d-92cb-409c-94b8-8e48d7a96596' could not be found.
PolicyDefinitionNotFound : The policy definition 'c58e083e-7982-4e24-afdc-be14d312389e' could not be found.
PolicyDefinitionNotFound : The policy definition 'c7031eab-0fc0-4cd9-acd0-4497bd66d91a' could not be found.
PolicyDefinitionNotFound : The policy definition 'f516dc7a-4543-4d40-aad6-98f76a706b50' could not be found.
Related to #1687. Request that AzureUSGovernment policy availability be confirmed before adding the environment to alzCloudEnvironments. Unavailable policies should not be included. This causes a lot of problems when trying to deploy ALZ initiatives.
Working through the missing policies. Finding out it's a LOT of effort. You not only have to remove the missing policies from the initiatives, but you also have to remove the initiative parameters associated with the policy. Otherwise, an initiative assignment will fail.
Really need a way to handle this problem - We should not have to manually delete policies and parameters from the ALZ initiatives to use them in the sovereign environments.
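The check described in the opening post (compare the ids an initiative references against what Get-AzPolicyDefinition returns) and the follow-up point that orphaned initiative parameters also have to go, as an added PowerShell example that is not part of this issue or the Enterprise-Scale repo. It assumes a single initiative object already extracted from initiatives.json (ids may be wrapped in an ARM concat() expression), and the sample initiative and the "available id" list are constructed; a real run would fill that list from the target cloud.

```powershell
# Added example (not from the ALZ repo): given one initiative definition and the set of built-in
# policy ids that exist in the target cloud, report the policy references that would fail with
# PolicyDefinitionNotFound and the initiative parameters that only those references consume.
function Find-MissingInitiativePolicies {
    param(
        [Parameter(Mandatory)] $Initiative,              # initiative object from ConvertFrom-Json
        [Parameter(Mandatory)] [string[]] $AvailableIds  # GUID names of policies present in the target cloud
    )
    $available = [System.Collections.Generic.HashSet[string]]::new([string[]]$AvailableIds, [System.StringComparer]::OrdinalIgnoreCase)
    $usedBy  = @{}   # initiative parameter name -> reference ids that consume it
    $missing = @()
    foreach ($ref in $Initiative.properties.policyDefinitions) {
        # Extract the GUID; in ALZ templates the id may be wrapped in an ARM concat() expression
        $guid = if ($ref.policyDefinitionId -match '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}') { $Matches[0] } else { $null }
        if (-not ($guid -and $available.Contains($guid))) { $missing += $ref.policyDefinitionReferenceId }
        if ($ref.parameters) {
            foreach ($p in $ref.parameters.PSObject.Properties) {
                foreach ($m in [regex]::Matches([string]$p.Value.value, "parameters\('([^']+)'\)")) {
                    $name = $m.Groups[1].Value
                    if (-not $usedBy.ContainsKey($name)) { $usedBy[$name] = @() }
                    $usedBy[$name] += $ref.policyDefinitionReferenceId
                }
            }
        }
    }
    # A parameter is orphaned when every reference that consumes it is itself missing
    $orphaned = @(foreach ($name in $Initiative.properties.parameters.PSObject.Properties.Name) {
        $consumers = if ($usedBy.ContainsKey($name)) { @($usedBy[$name]) } else { @() }
        if ($consumers.Count -gt 0 -and @($consumers | Where-Object { $missing -notcontains $_ }).Count -eq 0) { $name }
    })
    [pscustomobject]@{ MissingReferences = $missing; OrphanedParameters = $orphaned }
}

# Constructed sample initiative: PolicyA and PolicyB share one parameter and each has its own
$initiativeJson = @'
{ "name": "Sample-Initiative", "properties": {
    "parameters": { "effectA": {"type":"String"}, "effectB": {"type":"String"}, "shared": {"type":"String"} },
    "policyDefinitions": [
      { "policyDefinitionReferenceId": "PolicyA",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11111111-1111-1111-1111-111111111111",
        "parameters": { "effect": {"value": "[parameters('effectA')]"}, "mode": {"value": "[parameters('shared')]"} } },
      { "policyDefinitionReferenceId": "PolicyB",
        "policyDefinitionId": "[concat('/providers/Microsoft.Authorization/policyDefinitions/', '22222222-2222-2222-2222-222222222222')]",
        "parameters": { "effect": {"value": "[parameters('effectB')]"}, "mode": {"value": "[parameters('shared')]"} } } ] } }
'@
$initiative = $initiativeJson | ConvertFrom-Json
# Constructed: only PolicyA's definition "exists" here. For a real US Gov check, build this list from
# (Get-AzPolicyDefinition -Builtin).Name after Connect-AzAccount -Environment AzureUSGovernment
$availableInTargetCloud = @('11111111-1111-1111-1111-111111111111')
Find-MissingInitiativePolicies -Initiative $initiative -AvailableIds $availableInTargetCloud | Format-List
```

Running the same function over every initiative in initiatives.json, with the id list pulled from each sovereign cloud, gives the exact set of references and parameters that have to be removed before an assignment there will succeed.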
@glsutter we're busy updating ALZ for both sovereign clouds, and as you've already identified, it's a huge effort. We've largely done the work to resolve issues in Azure China, US Gov is next on the list. We were hoping to get these updates out as part of the next Policy Refresh, but we may not make it as we have a number of other things that also need to go in.
The main issue in the past two years is that our team did not have any access to the two sovereign clouds, so we couldn't validate or test any changes. That has recently changed (last month), so we will work on resolving this. Ask for a little patience, we're a small team with a huge backlog.
Not sure if this is a bug or feature request or if it is unrelated to Enterprise-Scale.
Some of the built-in policies referenced in eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json with metadata indicating they apply to AzureUSGovernment are not available in my government account. Specifically, these built-in policies referenced by the Enforce-Guardrails-KeyVault and Enforce-Guardrails-KeyVault-Sup initiatives are not defined:
Policy name '84d327c3-164a-4685-b453-900478614456' not found in custom or built-in Policies.
Policy name '86810a98-8e91-4a44-8386-ec66d0de5d57' not found in custom or built-in Policies.
Policy name 'c39ba22d-4428-4149-b981-70acb31fc383' not found in custom or built-in Policies.
And this built-in policy referred to by the Enforce-EncryptTransit initiative is not defined:
Policy name '0e80e269-43a4-4ae9-b5bc-178126b8a5cb' not found in custom or built-in Policies.
Is there a delay in making some of these built-in policies available? Is it an issue only with my Government account? How do I determine if it's an issue with my account or an issue with the AzureUSGovernment metadata in Enterprise-Scale?
Thanks for any assistance.