feat: replace alz-prerequisites deployment script sleep with ARM retryOn for policy assignments

eslzArm/eslz-portal.json

@@ -1064,42 +1064,6 @@
                                 ]
                             },
                             "visible": "[equals(steps('management').enableAsc,'Yes')]"
-                        },
-                        {
-                            "name": "alzPreReqRgCustomName",
-                            "type": "Microsoft.Common.TextBox",
-                            "label": "ALZ prerequisite resource group name",
-                            "toolTip": "Name for the Azure Landing Zone prerequisite resource group",
-                            "defaultValue": "rg-alz-prereq-prod",
-                            "visible": "[equals(steps('core').namingConvention, 'custom')]",
-                            "constraints": {
-                                "regex": "^[a-zA-Z0-9][a-zA-Z0-9-_.()]{0,89}[a-zA-Z0-9_]$",
-                                "validationMessage": "Resource group name must be 1-90 characters long and can contain alphanumeric characters, hyphens, underscores, periods, and parentheses. Cannot start or end with period."
-                            }
-                        },
-                        {
-                            "name": "alzPreReqUAMICustomName",
-                            "type": "Microsoft.Common.TextBox",
-                            "label": "ALZ prerequisite User Assigned Identity name",
-                            "toolTip": "Name for the Azure Landing Zone prerequisite User Assigned Managed Identity",
-                            "defaultValue": "id-alz-prereq-prod",
-                            "visible": "[equals(steps('core').namingConvention, 'custom')]",
-                            "constraints": {
-                                "regex": "^[a-zA-Z0-9][a-zA-Z0-9-_.]{0,126}[a-zA-Z0-9_]$",
-                                "validationMessage": "User Assigned Identity name must be 3-128 characters long and can contain alphanumeric characters, hyphens, underscores, and periods."
-                            }
-                        },
-                        {
-                            "name": "alzPreReqScriptCustomName",
-                            "type": "Microsoft.Common.TextBox",
-                            "label": "ALZ prerequisite script name",
-                            "toolTip": "Name for the Azure Landing Zone prerequisite deployment script",
-                            "defaultValue": "script-alz-prereq-prod",
-                            "visible": "[equals(steps('core').namingConvention, 'custom')]",
-                            "constraints": {
-                                "regex": "^[a-zA-Z0-9][a-zA-Z0-9-_.]{0,88}[a-zA-Z0-9_]$",
-                                "validationMessage": "Deployment script name must be 2-90 characters long and can contain alphanumeric characters, hyphens, underscores, and periods."
-                            }
                         }
                     ]
                 },
@@ -11129,9 +11093,6 @@
                     "azFwPolicyNameSecondary": "[steps('connectivity').esNetworkSecondarySubSection.azFwPolicySecondaryCustomName]",
                     "routeTableName": "[steps('connectivity').routeTableCustomName]",
                     "routeTableNameSecondary": "[steps('connectivity').esNetworkSecondarySubSection.routeTableSecondaryCustomName]",
-                    "alzPreReqRg": "[steps('management').alzPreReqRgCustomName]",
-                    "alzPreReqUAMIName": "[steps('management').alzPreReqUAMICustomName]",
-                    "alzPreReqScriptName": "[steps('management').alzPreReqScriptCustomName]",
                     "avnmName": "[steps('connectivity').avnmCustomName]",
                     "avnmRgName": "[steps('connectivity').avnmRgCustomName]",
                     "avnmUserAssignedIdentityName": "[steps('connectivity').avnmUserAssignedIdentityCustomName]",

eslzArm/managementGroupTemplates/policyAssignments/AUDIT-AppGwWafPolicyAssignment.json

@@ -1,5 +1,6 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "languageVersion": "2.0",
     "contentVersion": "1.0.0.0",
     "parameters": {
         "policyEffect": {
@@ -40,8 +41,8 @@
             "DoNotEnforce": "should"
         }
     },
-    "resources": [
-        {
+    "resources": {
+        "policyAssignment": {
             "type": "Microsoft.Authorization/policyAssignments",
             "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').auditWAF]",
@@ -61,8 +62,12 @@
                         "value": "[parameters('policyEffect')]"
                     }
                 }
+            },
+            "retryOn": {
+                "count": 6,
+                "interval": "PT5M"
             }
         }
-    ],
+    },
     "outputs": {}
-}
+}

eslzArm/managementGroupTemplates/policyAssignments/AUDIT-PeDnsZonesPolicyAssignment.json

@@ -1,5 +1,6 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "languageVersion": "2.0",
     "contentVersion": "1.0.0.0",
     "parameters": {
         "topLevelManagementGroupPrefix": {
@@ -118,8 +119,8 @@
             "DoNotEnforce": "should"
         }
     },
-    "resources": [
-        {
+    "resources": {
+        "policyAssignment": {
             "type": "Microsoft.Authorization/policyAssignments",
             "apiVersion": "2022-06-01",
             "name": "[variables('policyAssignmentNames').auditPeDnsZones]",
@@ -141,8 +142,12 @@
                         "value": "[parameters('policyEffect')]"
                     }
                 }
+            },
+            "retryOn": {
+                "count": 6,
+                "interval": "PT5M"
             }
         }
-    ],
+    },
     "outputs": {}
 }

eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json

@@ -1,5 +1,6 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "languageVersion": "2.0",
     "contentVersion": "1.0.0.0",
     "parameters": {
         "enforcementMode": {
@@ -31,8 +32,8 @@
             "DoNotEnforce": "should"
         }
     },
-    "resources": [
-        {
+    "resources": {
+        "policyAssignment": {
             "type": "Microsoft.Authorization/policyAssignments",
             "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').auditRGL]",
@@ -47,10 +48,13 @@
                         "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
                     }
                 ],
-                "parameters": {
-                }
+                "parameters": {}
+            },
+            "retryOn": {
+                "count": 6,
+                "interval": "PT5M"
             }
         }
-    ],
+    },
     "outputs": {}
-}
+}

eslzArm/managementGroupTemplates/policyAssignments/AUDIT-TrustedLaunchPolicyAssignment.json

@@ -1,5 +1,6 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "languageVersion": "2.0",
     "contentVersion": "1.0.0.0",
     "parameters": {
         "topLevelManagementGroupPrefix": {
@@ -26,7 +27,7 @@
                 "Disabled",
                 "Audit"
             ],
-            "defaultValue": "Audit"            
+            "defaultValue": "Audit"
         }
     },
     "variables": {
@@ -44,8 +45,8 @@
             "DoNotEnforce": "should"
         }
     },
-    "resources": [
-        {
+    "resources": {
+        "policyAssignment": {
             "type": "Microsoft.Authorization/policyAssignments",
             "apiVersion": "2022-06-01",
             "name": "[variables('policyAssignmentNames').trustedLaunch]",
@@ -65,8 +66,12 @@
                         "value": "[parameters('effect')]"
                     }
                 }
+            },
+            "retryOn": {
+                "count": 6,
+                "interval": "PT5M"
             }
         }
-    ],
+    },
     "outputs": {}
 }

eslzArm/managementGroupTemplates/policyAssignments/AUDIT-UnusedResourcesPolicyAssignment.json

@@ -1,5 +1,6 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "languageVersion": "2.0",
     "contentVersion": "1.0.0.0",
     "parameters": {
         "topLevelManagementGroupPrefix": {
@@ -26,23 +27,23 @@
                 "Disabled",
                 "Audit"
             ],
-            "defaultValue": "Audit"            
+            "defaultValue": "Audit"
         },
         "effectPublicIpAddresses": {
             "type": "string",
             "allowedValues": [
                 "Disabled",
                 "Audit"
             ],
-            "defaultValue": "Audit"            
+            "defaultValue": "Audit"
         },
         "effectServerFarms": {
             "type": "string",
             "allowedValues": [
                 "Disabled",
                 "Audit"
             ],
-            "defaultValue": "Audit"            
+            "defaultValue": "Audit"
         }
     },
     "variables": {
@@ -60,8 +61,8 @@
             "DoNotEnforce": "should"
         }
     },
-    "resources": [
-        {
+    "resources": {
+        "policyAssignment": {
             "type": "Microsoft.Authorization/policyAssignments",
             "apiVersion": "2022-06-01",
             "name": "[variables('policyAssignmentNames').costOptimization]",
@@ -87,8 +88,12 @@
                         "value": "[parameters('effectServerFarms')]"
                     }
                 }
+            },
+            "retryOn": {
+                "count": 6,
+                "interval": "PT5M"
             }
         }
-    ],
+    },
     "outputs": {}
 }

eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json

@@ -1,5 +1,6 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "languageVersion": "2.0",
     "contentVersion": "1.0.0.0",
     "parameters": {
         "effect": {
@@ -49,8 +50,8 @@
             "DoNotEnforce": "should"
         }
     },
-    "resources": [
-        {
+    "resources": {
+        "policyAssignment": {
             "type": "Microsoft.Authorization/policyAssignments",
             "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').auditZR]",
@@ -73,8 +74,12 @@
                         "value": "[parameters('allow')]"
                     }
                 }
+            },
+            "retryOn": {
+                "count": 6,
+                "interval": "PT5M"
             }
         }
-    ],
+    },
     "outputs": {}
-}
+}

eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json

@@ -1,5 +1,6 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "languageVersion": "2.0",
     "contentVersion": "1.0.0.0",
     "parameters": {
         "enforcementMode": {
@@ -22,8 +23,8 @@
             "displayName": "Kubernetes clusters should not allow container privilege escalation"
         }
     },
-    "resources": [
-        {
+    "resources": {
+        "policyAssignment": {
             "type": "Microsoft.Authorization/policyAssignments",
             "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').denyAksNoPrivEsc]",
@@ -38,8 +39,12 @@
                         "value": "Deny"
                     }
                 }
+            },
+            "retryOn": {
+                "count": 6,
+                "interval": "PT5M"
             }
         }
-    ],
+    },
     "outputs": {}
-}
+}

eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json

@@ -1,5 +1,6 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+    "languageVersion": "2.0",
     "contentVersion": "1.0.0.0",
     "parameters": {
         "enforcementMode": {
@@ -22,8 +23,8 @@
             "displayName": "Kubernetes cluster should not allow privileged containers"
         }
     },
-    "resources": [
-        {
+    "resources": {
+        "policyAssignment": {
             "type": "Microsoft.Authorization/policyAssignments",
             "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').denyAksPriv]",
@@ -38,8 +39,12 @@
                         "value": "Deny"
                     }
                 }
+            },
+            "retryOn": {
+                "count": 6,
+                "interval": "PT5M"
             }
         }
-    ],
+    },
     "outputs": {}
 }

eslzArm/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json

@@ -1,5 +1,6 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "languageVersion": "2.0",
     "contentVersion": "1.0.0.0",
     "parameters": {
         "enforcementMode": {
@@ -22,8 +23,8 @@
             "displayName": "Kubernetes clusters should be accessible only over HTTPS"
         }
     },
-    "resources": [
-        {
+    "resources": {
+        "policyAssignment": {
             "type": "Microsoft.Authorization/policyAssignments",
             "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').denyHttpIngressAks]",
@@ -38,8 +39,12 @@
                         "value": "Deny"
                     }
                 }
+            },
+            "retryOn": {
+                "count": 6,
+                "interval": "PT5M"
             }
         }
-    ],
+    },
     "outputs": {}
-}
+}