Azure · AlexanderSehr · Oct 24, 2022 · Aug 30, 2022 · Sep 1, 2022 · Sep 1, 2022
@@ -109,8 +109,7 @@ jobs:
       - name: 'Using test file [${{ matrix.moduleTestFilePaths }}]'
         uses: ./.github/actions/templates/validateModuleDeployment
         with:
-          templateFilePath: '${{ env.modulePath }}/deploy.bicep'
-          parameterFilePath: '${{ env.modulePath }}/${{ matrix.moduleTestFilePaths }}'
+          templateFilePath: '${{ env.modulePath }}/${{ matrix.moduleTestFilePaths }}'
           location: '${{ env.location }}'
           resourceGroupName: '${{ env.resourceGroupName }}'
           subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'

@@ -0,0 +1,45 @@
+targetScope = 'managementGroup'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'apemgcom'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+
+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
+  name: 'dep-<<namePrefix>>-${serviceShort}-rgloc'
+  location: location
+  properties: {
+    displayName: '[Depedency] Audit resource location matches resource group location (management group scope)'
+    policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a'
+  }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../managementGroup/deploy.bicep' = {
+  name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+  params: {
+    name: '<<namePrefix>>${serviceShort}001'
+    policyAssignmentId: policyAssignment.id
+    displayName: '[Display Name] policy exempt (management group scope)'
+    exemptionCategory: 'Waiver'
+    expiresOn: '2025-10-02T03:57:00Z'
+    managementGroupId: last(split(managementGroup().id, '/'))
+    metadata: {
+      category: 'Security'
+    }
+  }
+}
@@ -0,0 +1,37 @@
+targetScope = 'managementGroup'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'apemgmin'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
+  name: 'dep-<<namePrefix>>-${serviceShort}-rgloc'
+  location: location
+  properties: {
+    displayName: '[Depedency] Audit resource location matches resource group location (management group scope)'
+    policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a'
+  }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../managementGroup/deploy.bicep' = {
+  name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+  params: {
+    name: '<<namePrefix>>${serviceShort}001'
+    policyAssignmentId: policyAssignment.id
+  }
+}
@@ -0,0 +1,55 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.authorization.policyexemptions-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'apergcom'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: resourceGroupName
+  location: location
+}
+
+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
+  name: 'dep-<<namePrefix>>-${serviceShort}-rgloc'
+  location: location
+  properties: {
+    displayName: '[Depedency] Audit resource location matches resource group location (management group scope)'
+    policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a'
+  }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../resourceGroup/deploy.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+  params: {
+    name: '<<namePrefix>>${serviceShort}001'
+    policyAssignmentId: policyAssignment.id
+    displayName: '[Display Name] policy exempt (resource group scope)'
+    exemptionCategory: 'Waiver'
+    expiresOn: '2025-10-02T03:57:00Z'
+    metadata: {
+      category: 'Security'
+    }
+    resourceGroupName: resourceGroup.name
+    subscriptionId: subscription().subscriptionId
+  }
+}
@@ -0,0 +1,49 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.authorization.policyexemptions-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'apergmin'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: resourceGroupName
+  location: location
+}
+
+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
+  name: 'dep-<<namePrefix>>-${serviceShort}-rgloc'
+  location: location
+  properties: {
+    displayName: '[Depedency] Audit resource location matches resource group location (management group scope)'
+    policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a'
+  }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../resourceGroup/deploy.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+  params: {
+    name: '<<namePrefix>>${serviceShort}001'
+    policyAssignmentId: policyAssignment.id
+    resourceGroupName: resourceGroup.name
+    subscriptionId: subscription().subscriptionId
+  }
+}
@@ -0,0 +1,44 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'apesubcom'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
+  name: 'dep-<<namePrefix>>-${serviceShort}-rgloc'
+  location: location
+  properties: {
+    displayName: '[Depedency] Audit resource location matches resource group location (management group scope)'
+    policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a'
+  }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../subscription/deploy.bicep' = {
+  name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+  params: {
+    name: '<<namePrefix>>${serviceShort}001'
+    policyAssignmentId: policyAssignment.id
+    displayName: '[Display Name] policy exempt (subscription scope)'
+    exemptionCategory: 'Waiver'
+    expiresOn: '2025-10-02T03:57:00Z'
+    metadata: {
+      category: 'Security'
+    }
+    subscriptionId: subscription().subscriptionId
+  }
+}
@@ -0,0 +1,38 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'apesubmin'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
+  name: 'dep-<<namePrefix>>-${serviceShort}-rgloc'
+  location: location
+  properties: {
+    displayName: '[Depedency] Audit resource location matches resource group location (management group scope)'
+    policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a'
+  }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../subscription/deploy.bicep' = {
+  name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+  params: {
+    name: '<<namePrefix>>${serviceShort}001'
+    policyAssignmentId: policyAssignment.id
+    subscriptionId: subscription().subscriptionId
+  }
+}