Update alzDefaultPolicyAssignments.bicep

[VeronicaSea]

Overview/Summary

Those changes are used to have ALZ modules should be deployed optionally based on the SLZ flag to control the policy enforcement. All the SLZ modules should use the SLZ flag for SLZ policy enforcement or make it ‘Default’. Besides, the SLZ policy assignment modules supports policy Effect param, which we previously supported.

This PR fixes/adds/changes/removes

Issue 1 : Currently, all the ALZ modules will be deployed when the policy assignment file is invoked. ALZ modules should be deployed optionally based on the flag.

Issue 2 : The SLZ policy assignment modules are using ALZ flag to control the policy enforcement. All the SLZ modules should use the SLZ flag for SLZ policy enforcement or make it ‘Default’.

Issue 3 : The SLZ policy assignment modules don’t have policy Effect param, which we previously supported.

Breaking Changes

N/A

Testing Evidence

Replace this with any testing evidence to show that your Pull Request works/fixes as described and planned (include screenshots, if appropriate).

As part of this Pull Request I have

• Read the Contribution Guide and ensured this PR is compliant with the guide
• Ensured the resource API versions in .bicep file/s I am adding/editing are using the latest API version possible
• Checked for duplicate Pull Requests
• Associated it with relevant GitHub Issues
• (ALZ Bicep Core Team Only) Associated it with relevant ADO Items
• Ensured my code/branch is up-to-date with the latest changes in the main branch
• Performed testing and provided evidence.
• Updated one or more of the following tests (if required)
  • Unit
  • Linting
  • E2E (End-To-End)
  • ValidateAzCloud (Base validation in Azure Cloud)
  • ValidateMcCloud (Base validation in Azure China Cloud)
• Updated relevant and associated documentation (e.g. Contribution Guide, Module READMEs, Wiki Docs etc.)
• If relevant, created or updated Code Tours here

[oZakari]

Hey @vericasea, once you incorporate the policy effect param into the UDT properties, can you also please add the new properties to the params within this parameters file?

[VeronicaSea]

Hey @vericasea, once you incorporate the policy effect param into the UDT properties, can you also please add the new properties to the params within this parameters file?

Thanks and added them in the PR.

[oZakari]

Hey @vericasea, once you incorporate the policy effect param into the UDT properties, can you also please add the new properties to the params within this parameters file?

Thanks and added them in the PR.

Thanks @VeronicaSea, I've moved the params into the UDT for each param and added them to the parameters file.

I think the param to disable the SLZ policies is probably easier to understand if left out. You can still disable the deployment of the policy entirely with parTopLevelSovereigntyGlobalPoliciesEnable for the global policies or parPolicyAssignmentSovereigntyConfidential for the confidential sovereign policies. Now there is also the capability to add the audit effect which is essentially the same thing. Just think it's a bit cleaner, but let me know if you want to discuss further.

[jtracey93]

This is to broad as a parameter name and will cause confusion also seems a duplicate of parTopLevelSovereignGlobalPoliciesEnable?

Please can we align and make this simplified and clear to customers what the parameter does

[VeronicaSea]

Yes, it explains in the description. It is already simplified and clear. We need it for different scope, like global, confidential.

[VeronicaSea]

@oZakari How do you think?