Merge pull request #982 from Azure/feature/apy/6_18_25_docUpdates

Updated documentation

Author: apybar

Docs/integrating-with-alz-library.md

@@ -89,7 +89,7 @@ Carefully review the generated policy assigments and ensure all parameter and sc
 
 2. When complete run `Build-DeploymentPlans` to ensure the correct changes are made. During the first sync for either a new or existing environment there will be many changes due to updating of the existing policies.
 
-## Example
+## Examples
 
 ### ALZ
 
@@ -105,11 +105,14 @@ Sync-ALZPolicyFromLibrary -DefinitionsRootFolder .\Definitions -Type ALZ -PacEnv
 
 For users interested in deploying the [Azure Monitor Baseline Alerts](https://azure.github.io/azure-monitor-baseline-alerts/welcome/) project with EPAC - these policies have been extracted and converted to the EPAC format and are available at the [amba-export](https://github.com/anwather/amba-export) repository.
 
+> [!Note]
+> Review breaking changes on the [AMBA Releases](https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz/HowTo/UpdateToNewReleases/) page to ensure policy deployments. In most cases, it's an update of a parameter type (i.e. String -> Array).
+
 ```ps1
-# Create a Pac Environment default file for ALZ policies using the latest version of the ALZ Library 
+# Create a Pac Environment default file for AMBA policies using the latest version of the ALZ Library 
 New-ALZPolicyDefaultStructure -DefinitionsRootFolder .\Definitions -Type AMBA -PacEnvironmentSelector "epac-dev"
 
-# Sync the ALZ policies and assign to the "epac-dev" PAC environment.
+# Sync the AMBA policies and assign to the "epac-dev" PAC environment.
 Sync-ALZPolicyFromLibrary -DefinitionsRootFolder .\Definitions -Type AMBA -PacEnvironmentSelector "epac-dev"
 ```
 
@@ -118,11 +121,11 @@ Sync-ALZPolicyFromLibrary -DefinitionsRootFolder .\Definitions -Type AMBA -PacEn
 For users interested in deploying the [Sovereignty Policy Baseline](https://github.com/Azure/sovereign-landing-zone/blob/main/docs/scenarios/Sovereignty-Baseline-Policy-Initiatives.md) project with EPAC - these policies have been extracted and converted to the EPAC format and are available at the [spb-export](https://github.com/anwather/spb-export) repository.
 
 ```ps1
-# Create a Pac Environment default file for ALZ policies using the latest version of the ALZ Library 
-New-ALZPolicyDefaultStructure -DefinitionsRootFolder .\Definitions -Type AMBA -PacEnvironmentSelector "epac-dev"
+# Create a Pac Environment default file for SLZ policies using the latest version of the ALZ Library 
+New-ALZPolicyDefaultStructure -DefinitionsRootFolder .\Definitions -Type SLZ -PacEnvironmentSelector "epac-dev"
 
-# Sync the ALZ policies and assign to the "epac-dev" PAC environment.
-Sync-ALZPolicyFromLibrary -DefinitionsRootFolder .\Definitions -Type AMBA -PacEnvironmentSelector "epac-dev"
+# Sync the SLZ policies and assign to the "epac-dev" PAC environment.
+Sync-ALZPolicyFromLibrary -DefinitionsRootFolder .\Definitions -Type SLZ -PacEnvironmentSelector "epac-dev"
 ```
 
 ## Advanced Scenarios
@@ -132,7 +135,7 @@ Using the format of the Azure Landing Zones repository it is possible to extend
 - Modifying the management group structure (add new groups and archetypes)
 - Add/Remove policies from an archetype
 
-### Maintaining multiple ALZ/AMBA environment with different parameter / management group values
+### Maintaining multiple ALZ/AMBA environments
 
 If you need to have separate parameter values or different management group names for different PAC environments you can follow steps below.
 
@@ -148,3 +151,21 @@ alz.policy_default_structure.<PAC SELECTOR>.jsonc
 
 2. When syncing policies run the `Sync-ALZPolicyFromLibrary` once for each PAC Environment. A folder specific for that Pac Selector will now be placed within the ALZ Type.
 
+### Disabling / Changes specific parameters
+
+If you need to disable a single policy parameter, such as the 'effect' for a specific Defender for Cloud, add that specific parameter to your default file structure to ensure it does not get overwritten when running the **Sync-ALZPolicyFromLibrary** command.
+
+An example of disabling the **"Configure Microsoft Defender for Key Vault plan"** in the **"Deploy-MDFC-Config-H224"** Policy Assignment.
+
+```json
+"enableAscForKeyVault_effect": {
+      "policy_assignment_name": [
+        "Deploy-MDFC-Config-H224"
+      ],
+      "description": "Enable or disable the execution of the Key Vault DFC policy.",
+      "parameters": {
+        "parameter_name": "enableAscForKeyVault",
+        "value": "Disabled" // Update the value here as required by the description
+      }
+    }
+```

Docs/policy-assignments-csv-parameters.md

@@ -25,7 +25,7 @@ In the example header below the infrastructure environments prod, test, dev, and
 The CSV file generated contains the following headers/columns:
 
 * `name` is the name of the policyDefinition referenced by the Policy Sets being assigned.
-* `referencePath` is only used if the Policy is used more than once in at least one of the Policy Sets to disambiguate them. The format is `<policySetName>\\<policyDefinitionReferenceId>`.
+* `referencePath` is only used if the Policy is used more than once in at least one of the Policy Sets to disambiguate them. The format is `<policySetName>//<policyDefinitionReferenceId>`.
 * `policyType`,`category`,`displayName`,`description`,`groupNames`,`policySets`,`allowedEffects` are optional and not used for deployment planning. They assist you in filling out the `<env>Effect` columns. The CSV file is sorted alphabetically by `category` and `displayName`.
 * `<env>Effect` columns must contain one of the allowedValues or allowedOverrides values. You define which scopes define each type of environment and what short name you give the environment type to use as a column prefix.
 * `<env>Parameters` can contain additional parameters. You can also specify such parameters in JSON. EPAC will use the union of all parameters.

Docs/policy-assignments.md

@@ -3,6 +3,70 @@
 
 This chapter describes how **Policy Assignments** are handled by EPAC. Policy Assignments are the actual assignments of Policies and Policy Sets to scopes in Azure.
 
+## Templates
+
+### Single Scope
+
+Recommended for simple deployments to a single scope.
+
+```json
+{
+    "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-assignment-schema.json",
+    "nodeName": "/Security/",
+    "definitionEntry": {
+        "displayName": "",
+        "policySetName": ""
+    },
+    "assignment": {
+        "name": "", //24 Character limit
+        "displayName": "",
+        "description": ""
+    },
+    "metadata": {},
+    "enforcementMode": "Default",
+    "parameters": {
+        "effect": "Audit"
+    },
+    "scope": {
+        "epac-dev": [
+            "/providers/Microsoft.Management/managementGroups/epac-dev"
+        ]
+    }
+}
+```
+### Multiple Scopes
+
+Recommended for deployments to a multiple scope. Typically used for setting unique parameters per scope.
+
+```json
+{
+    "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-assignment-schema.json",
+    "nodeName": "/Security/",
+    "definitionEntry": {
+        "policySetName": ""
+    },
+    "children": [
+        {
+            "nodeName": "epac-dev/",
+            "assignment": {
+                "name": "", //24 Character limit
+                "displayName": "",
+                "description": ""
+            },
+            "enforcementMode": "Default",
+            "parameters": {
+                "effect": "Audit"
+            },
+            "scope": {
+                "epac-dev": [
+                    "/providers/Microsoft.Management/managementGroups/epac-dev"
+                ]
+            }
+        }
+    ]
+}
+```
+
 ## Assignment JSON structure
 
 Assignment JSON is hierarchical for efficient definitions, avoiding duplication (copy/paste) of JSON. Each branch of the tree is cumulative. Each tree node must include a `nodeName` - an arbitrary string exclusively used by EPAC to display an error location. EPAC concatenates a leading `/` and the nodeName entries encountered in the tree to create a "breadcrumbs" trail; therefore, we recommend that you use `/` to help separate the concatenated `nodeName`. The following partial and invalid assignment tree would create this error message.

Docs/policy-definitions.md

@@ -6,49 +6,11 @@ Policy definition files are managed within the folder `policyDefinitions` under
 
 The names of the definition JSON files don't matter, the Policy and Policy Set definitions are registered based on the `name` attribute. The solution also allows the use of JSON with comments by using `.jsonc` instead of `.json` for the file extension.
 
-### Custom Definitions
-
-Custom definitions are uploaded to Azure at the time of initial deployment to a pacSelector. For each pacSelector, the definition is uploaded to the pacSelector's defined root. This makes it available to the entirity of that pacSelector, while facilitating code promotion by allowing each pacSelector to recieve the updated definition as part of the release/deployment process.
-
-### Definition Delivery
-
-[policy(Set)Definitions](https://learn.microsoft.com/en-us/azure/governance/policy/concepts/scope#definition-location) are deployed at the pacSelector root. This enables versioning on custom definitions to be put through the CI/CD based change process.
-
-## JSON Schema
-
-The GitHub repo contains a JSON schema which can be used in tools such as [VS Code](https://code.visualstudio.com/Docs/languages/json#_json-schemas-and-settings) to provide code completion.
-
-To utilize the schema add a ```$schema``` tag to the JSON file.
-
-```json
-{
-  "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-definition-schema.json"
-}
-```
-
-This schema is new in v7.4.x and may not be complete. Please let us know if we missed anything.
-
-## Recommendations
-
-* `"name"` is required and should be unique. It can be a GUID or a unique short name.
-* `"category"` should be one of the standard ones defined in built-in Policies.
-* Do not specify an `id`. The solution will ignore it.
-* Make the `effect` parameterized. Always use the parameter name `effect`.
-* Whenever feasible, provide a `defaultValue` for parameters, especially for the `effect` parameter.
-* Policy aliases are used by Azure Policy to refer to resource type properties in the `if` condition and in `existenceCondition`: <https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#aliases>.
-
-## Metadata
-
-It is customary to include a `category` and a `version` in the `metadata` section. The `category` should be one of the standard ones defined in built-in Policies. The `version` should be a semantic version number.
-
-EPAC injects `deployedBy` into the `metadata` section. This is a string that identifies the deployment source. It defaults to `epac/$pacOwnerId/$pacSelector`. You can override this value in `global-settings.jsonc`
-
-**Not recommended:** Adding `deployedBy` to the `metadata` section in the Policy definition file will override the value for this definition only from `global-settings.jsonc` or default value.
-
-## Example
+## Template
 
 ```json
 {
+    "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-definition-schema.json",
     "name": "Newly created GUID",
     "properties": {
         "displayName": "Policy Display Name",
@@ -72,13 +34,6 @@ EPAC injects `deployedBy` into the `metadata` section. This is a string that ide
                     "Disabled"
                 ],
                 "defaultValue": "Audit"
-            },
-            "YourParameter": {
-                "type": "String",
-                "metadata": {
-                    "displayName": "YourParameter",
-                    "description": "Your Parameter Description"
-                }
             }
         },
         "policyRule": {
@@ -92,3 +47,42 @@ EPAC injects `deployedBy` into the `metadata` section. This is a string that ide
     }
 }
 ```
+
+### Custom Definitions
+
+Custom definitions are uploaded to Azure at the time of initial deployment to a pacSelector. For each pacSelector, the definition is uploaded to the pacSelector's defined root. This makes it available to the entirity of that pacSelector, while facilitating code promotion by allowing each pacSelector to recieve the updated definition as part of the release/deployment process.
+
+### Definition Delivery
+
+[policy(Set)Definitions](https://learn.microsoft.com/en-us/azure/governance/policy/concepts/scope#definition-location) are deployed at the pacSelector root. This enables versioning on custom definitions to be put through the CI/CD based change process.
+
+## JSON Schema
+
+The GitHub repo contains a JSON schema which can be used in tools such as [VS Code](https://code.visualstudio.com/Docs/languages/json#_json-schemas-and-settings) to provide code completion.
+
+To utilize the schema add a ```$schema``` tag to the JSON file.
+
+```json
+{
+  "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-definition-schema.json"
+}
+```
+
+This schema is new in v7.4.x and may not be complete. Please let us know if we missed anything.
+
+## Recommendations
+
+* `"name"` is required and should be unique. It can be a GUID or a unique short name.
+* `"category"` should be one of the standard ones defined in built-in Policies.
+* Do not specify an `id`. The solution will ignore it.
+* Make the `effect` parameterized. Always use the parameter name `effect`.
+* Whenever feasible, provide a `defaultValue` for parameters, especially for the `effect` parameter.
+* Policy aliases are used by Azure Policy to refer to resource type properties in the `if` condition and in `existenceCondition`: <https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#aliases>.
+
+## Metadata
+
+It is customary to include a `category` and a `version` in the `metadata` section. The `category` should be one of the standard ones defined in built-in Policies. The `version` should be a semantic version number.
+
+EPAC injects `deployedBy` into the `metadata` section. This is a string that identifies the deployment source. It defaults to `epac/$pacOwnerId/$pacSelector`. You can override this value in `global-settings.jsonc`
+
+**Not recommended:** Adding `deployedBy` to the `metadata` section in the Policy definition file will override the value for this definition only from `global-settings.jsonc` or default value.

Docs/policy-exemptions.md

@@ -3,6 +3,35 @@
 > [!TIP]
 > The changes implementing [Option **A** below](#option-a-policy-definition-ids-or-names) makes JSON files easier to read than CSV files. We recommend using **Policy definition Ids or Names** for new exemptions and **JSON** files  instead of CSV files. Of course, CSV files are still supported. You may even mix and match the two formats in the same folder.
 
+## Templates
+
+### JSON
+
+```json
+{
+      "exemptions": [
+          {
+              "name": "short-name",
+              "displayName": "Descriptive name displayed on portal",
+              "description": "More details",
+              "exemptionCategory": "Waiver",
+              "expiresOn": "",
+              "scopes": [
+                  "/subscriptions/11111111-2222-3333-4444-555555555555",
+              ],
+              "policyAssignmentId": "",
+          }
+      ]
+  }
+```
+
+### CSV
+
+```json
+name,displayName,description,exemptionCategory,expiresOn,scope,policyAssignmentId,policyDefinitionReferenceIds,metadata,assignmentScopeValidation
+Exemption_00000000000001,My display Name,Mitigated,,,,,,
+```
+
 ## Exemption Folder Structure
 
 Exemptions can be defined as JSON or CSV files (we recommend that you use JSON files). The names of the definition files don't matter. If multiple files exists in a folder, the lists from all the files are added together.