The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
Hi, I'm running into some issues deploying initiatives from eslzArm/managementGroupTemplates/policyDefinitions/policies.json and eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json. Specifically, when I deploy the initiatives, I get messages like:
PolicyDefinitionNotFound
The policy set definition 'Enforce-Guardrails-BotService' request is invalid. The following policy definition could not be found: '/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e'.
The full list of failures is:
Set / Policy not found
Enforce-EncryptTransit / 0e80e269-43a4-4ae9-b5bc-178126b8a5cb
Enforce-EncryptTransit_20240509 / 0e80e269-43a4-4ae9-b5bc-178126b8a5cb
Enforce-Guardrails-Automation / 6d02d2f7-e38b-4bdc-96f3-adc0a8726abc
Enforce-Guardrails-BotService / ad5621d6-a877-4407-aa93-a950b428315e
Enforce-Guardrails-ContainerApps / 8b346db6-85af-419b-8557-92cee2c0f9bb
Enforce-Guardrails-KeyVault / 86810a98-8e91-4a44-8386-ec66d0de5d57
Enforce-Guardrails-KeyVault-Sup / 84d327c3-164a-4685-b453-900478614456
Enforce-Guardrails-MachineLearning / e413671a-dd10-4cc1-a943-45b598596cb7
Enforce-Guardrails-MySQL / 3a58212a-c829-4f13-9872-6371df2fd0b4
Enforce-Guardrails-Network / 6484db87-a62d-4327-9f07-80a2cbdf333a
Enforce-Guardrails-Storage / 361c2074-3595-4e5d-8cab-4f21dffc835c
I should note this is in usgovvirginia.
I figured maybe there was a change upstream that hadn't been applied to this repo, so I tried rebuilding them:
az bicep build \
--file ./src/templates/policies.bicep \
--outfile ./eslzArm/managementGroupTemplates/policyDefinitions/policies.json
az bicep build \
--file ./src/templates/initiatives.bicep \
--outfile ./eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json
az bicep build \
--file ./src/templates/roles.bicep \
--outfile ./eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json
After that, the only failure is Enforce-Guardrails-MachineLearning / e413671a-dd10-4cc1-a943-45b598596cb7 (policy definition not found), but it does still fail.
So, finally getting around to my actual question, should the templates in eslzArm/managementGroupTemplates/policyDefinitions match the output of az bicep build? I note that the ARM templates have dire warnings about being programmatically generated, but looking at the commit history that isn't always the case.
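A pre-deployment check for the PolicyDefinitionNotFound failure described in the post, as an added example that is not part of the original post or the repository's own tooling: it walks a parsed initiatives template and reports which built-in policy definition GUIDs each policy set references that are absent from the target cloud. The function names, the sample template shape, the placeholder GUID and the custom definition name are assumptions; the list of available GUIDs is assumed to come from the target cloud, for example via `az policy definition list`.

```python
import re

# Built-in policy definitions are referenced at tenant scope, without a
# management group prefix; custom definitions carry a scope prefix and are skipped.
BUILTIN_ID = re.compile(
    r"^/providers/Microsoft\.Authorization/policyDefinitions/([0-9a-fA-F-]{36})$")

def builtin_refs(node, set_name=None, found=None):
    """Walk a parsed template and map policy set name -> referenced built-in GUIDs."""
    found = {} if found is None else found
    if isinstance(node, dict):
        # Assumption: a policy set is an object with "name" and properties.policyDefinitions.
        props = node.get("properties")
        if isinstance(node.get("name"), str) and isinstance(props, dict) \
                and "policyDefinitions" in props:
            set_name = node["name"]
        ref = node.get("policyDefinitionId")
        if isinstance(ref, str) and set_name:
            m = BUILTIN_ID.match(ref)
            if m:
                found.setdefault(set_name, set()).add(m.group(1).lower())
        for value in node.values():
            builtin_refs(value, set_name, found)
    elif isinstance(node, list):
        for item in node:
            builtin_refs(item, set_name, found)
    return found

def missing_builtins(template, available):
    """Return {set name: sorted GUIDs} for references absent from `available`."""
    have = {g.lower() for g in available}
    report = {}
    for name, refs in builtin_refs(template).items():
        gone = sorted(refs - have)
        if gone:
            report[name] = gone
    return report

# Constructed sample: one set name and GUID from the failure list above, plus a
# placeholder GUID and a hypothetical custom definition that must be ignored.
SAMPLE_TEMPLATE = {"resources": [{
    "name": "Enforce-Guardrails-BotService",
    "properties": {"policyDefinitions": [
        {"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e"},
        {"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000001"},
        {"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/example/providers/Microsoft.Authorization/policyDefinitions/Deny-Example"},
    ]}}]}
SAMPLE_AVAILABLE = ["00000000-0000-0000-0000-000000000001"]

if __name__ == "__main__":
    print(missing_builtins(SAMPLE_TEMPLATE, SAMPLE_AVAILABLE))
```

The walker only sees policy sets that are present as parsed JSON objects; a template that embeds them as strings would need those strings decoded with `json.loads` first.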