Describe the bug
https://github.com/Azure/Enterprise-Scale/main/azopsreference/3fc1081d-6105-4e19-b60c-1ec1252cf560/contoso/.AzState is broken.

Steps to reproduce

Screenshots

The Azure/Enterprise-Scale repository is currently configured as a Template repository which customers are advised to clone into their own GitHub account using the "Use this template" option (rather than to create a Fork).

As the repository contains artefacts not needed within the customer repository (docs / examples / etc.), this feature request is to create a dedicated repository (e.g. Enterprise-Scale-Template) containing ONLY the artefacts needed by a customer, such as:

• /.github/workflows/azops.yml (the engine behind the work)
• /azops/ (empty directory)
• /README.md (a "getting started" guide, not the full Enterprise-Scale documentation)
• LICENSE

Azure/Enterprise-Scale will then be updated to focus on providing the core documentation and examples only. This will allow us to revert Azure/Enterprise-Scale to a standard repository, and the azops.yaml file can be removed.

Paragraph 2 (quoted below) should refer to design "principles" rather than "principals".
All platform Azure resources in a Landing Zones following the Enterprise-Scale guidance are fully controlled and provisioned through Azure Policy. More information on the Policy Driven Approach can be found in the Enterprise-Scale design principals section of this document.

Steps to reproduce

Screenshots

Describe the bug
I was trying to deploy the enterprise scale in a box demo, using a Free Azure Account and azops github action failed.
I have changed the github pipline files:
main/.github/workflows/azops-pull.yml
main/.azure-pipelines/azops-pull.yml
to reflect the free Azure account type "MS-AZR-0044P" but it still fails. As a result, it doesn't clone my azure enviroment to github

Steps to reproduce

1. Please try to run the deployment steps with a Free Azure account

Screenshots

Describe the bug
When trying to assign the 'Deploy-Diag-LogAnalytics' policy initiative to the 'ES' management group scope, I get this following error:

Write-AzOpsLog: /action/entrypoint.ps1:57
Line |
57 | Write-AzOpsLog -Level Error -Topic "git" -Message $PSItem …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| [2020-06-21 13:23:54.4128] (git) 1:23:54 PM - The deployment
| 'Microsoft.Management-managementGroups_ES' failed with
| error(s). Showing 3 out of 83 error(s). Status Message:
| Invalid deployment location 'northeurope'. The deployment
| already exists in location 'westeurope'.
| (Code:InvalidDeploymentLocation) Status Message: Invalid
| deployment location 'northeurope'. The deployment already
| exists in location 'westeurope'.
| (Code:InvalidDeploymentLocation) Status Message: Invalid
| deployment location 'northeurope'. The deployment already
| exists in location 'westeurope'.
| (Code:InvalidDeploymentLocation) CorrelationId:
| 8da1757d-d176-415e-a651-1e832f27852d

As you see from the last screenshot, I do not currently have the policy initiative deployed at the scope I am trying to deploy it to, so not sure why the above error is occuring. It's worth noting I did have a policy initiative with the same display name deployed a few weeks ago, but I also deleted it a few weeks ago. It is possible there is something still lurking in arm preventing me from deploying a policy initiative with the same name as a previous deleted one?

On line 1381 (see screenshot) I have tried both 'northeurope' and 'westeurope' but I get the exact same error each time

Screenshots

To improve navigation through markdown pages, this feature request is to add clear page navigation on each page.

Describe the solution you'd like

Enterprise-Scale In a Box instructions (https://github.com/Azure/Enterprise-Scale/blob/main/docs/enterprise-scale-iab/deploy-tenant.md) are not aligned with the Contoso Reference Implementation. The screenshots in the instructions have different options than the template.

Describe the bug
SQLDB diagnostic logs policy cannot reach a compliant state, because log categories are missing. I will create a PR to fix this.

Steps to reproduce

1. Deploy Enterprise Scale
2. Enable Policy
3. Deploy Cosmos DB

Screenshots

Describe the bug
First of all, I think the work your doing here is awesome!

I do encounter an issue when trying to deploy the template to any of my Azure tenants using any off my accounts. I'm receiving the following error:

"The client '{my account}' with object id '{my object id}' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/providers/Microsoft.Resources/deployments/Microsoft.Template-20200624223131' or the scope is invalid. If access was recently granted, please refresh your credentials."

RAW ERROR

{ "deploymentStatusCode": -1, "stage": 6, "expected": true, "error": { "message": "The client '{my account}' with object id '{my object id}' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/providers/Microsoft.Resources/deployments/Microsoft.Template-20200624223131' or the scope is invalid. If access was recently granted, please refresh your credentials." }, "location": "westeurope", "deploymentName": "Microsoft.Template-20200624223131", "details": { "code": "AuthorizationFailed", "message": "The client '{my account}' with object id '{my object id}' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/providers/Microsoft.Resources/deployments/Microsoft.Template-20200624223131' or the scope is invalid. If access was recently granted, please refresh your credentials." } }

The accounts I've tested have Global Administrator permissions in AAD, they have Owner been assigned the owner role on the subscription(s), and they have been assigned elevated rights at the tenant root management group level.

Steps to reproduce

1. Trying to deploy using the Deploy to Azure link: https://ms.portal.azure.com/?feature.customportal=false#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzOps%2Fmain%2Ftemplate%2Fux-foundation.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzOps%2Fmain%2Ftemplate%2Fesux.json
2. Filling in the required information, tried most options, non of them work.
3. In the final blade I'm getting the validation error.

Screenshots

Recent updates to VWAN require this new API, currently we use 2019-09-01

Describe the bug
Referencing the deployment().templateLink.uri property only works if the template is being run from a repo URL (as happens when clicking Deploy to Azure). When the template repo is cloned and the deployment run locally, that property is missing so the deployment fails. I verified this problem exists with Wingtip, Contoso and AdventureWorks.

I have worked around this in my own templates by using a conditional variable like so:
"thisRepoUri": "[if(contains(deployment().properties, 'templateLink'), deployment().templateLink.uri, 'https://raw.githubusercontent.com/tescales/azure-letsencrypt/master')]"

Steps to reproduce

1. git clone
2. az deployment tenant create --template-file xxx.json

Screenshots

There is a small typo in the document where 'haven't' has been changed to 'haven not'
Also, minor updates to sentence structure may make intent clearer.

Raising issue to link to PR

Describe the bug
Append Key Vault Soft Delete policy does enable soft delete when you deploy a key vault with it disabled. However the policy still marks key vaults as not in compliance, despite the policy enabling soft delete.

Steps to reproduce

1. Assign Append Key Vault Soft Delete Policy
2. Deploy a key vault with soft delete explicitly disabled
3. Once Key Vault is deployed, check if soft delete is enabled (it should be)
4. Run 'Start-AzPolicyComplianceScan' to refresh policy compliance.

Screenshots

Hi!

Could you please update the enterprise scale examples docs and code so that it uses the newest best practice CAF naming conventions: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging

Thanks!

Describe the bug

Every single time I try to remove a policy assignment via push workflow, "system commit" restores everything back. I have tried to remove assignment from policyAssignments at Microsoft.Management-managementGroups as well as delete entire Microsoft.Authorization_policyAssignments... file but no luck.
I am only able to delete assignment at the portal and then make a pull to my repo. Is it the only way to remove policy assignments?

Screenshots

The initiative "Deploy-VM-Monitoring" which is assigned to the management group "ES" contains the deployment of the monitoring agents. Is there a reason why the deployment of the agents (Windows / Linux) for VMSS is not included?
Please add the deployment of the monitoring agents for VMSS as part of the initiative.

Thank you
@krnese

It would be good to be able to visually map requirements from workshops to policy definitions by using the category field to help narrow down policies that need to be enabled for policy assignment on the management groups, for example Deploy Security ASC - this could be tagged with 'Security' category to easily identify this

Describe the bug
I am not able to assign built in policy "Inherit a tag from the resource group", I got an error

The policy assignment 'inherit-tag-project' request is invalid. Policy assignments must include a 'managed identity' when assigning 'Modify' policy definitions

Am I doing something wrong or is it a bug?

Steps to reproduce

                        {
                            "Identity": {
                                "type": "SystemAssigned"
                            },
                            "Location": "westeurope",
                            "Name": "inherit-tag-project",
                            "Properties": {
                                "Description": null,
                                "DisplayName": "inherit tag: project",
                                "NotScopes": null,
                                "Parameters": {
                                    "tagName": {
                                        "value": "project"
                                    }
                                },
                                "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54",
                                "Scope": "/providers/Microsoft.Management/managementGroups/SDU"
                            }
                        }

Screenshots

when trying to push changes through push pipeline (or workflow, as the error is the same for both ADO and GitHub), the following error occurs:

any idea how to make it work?
thanks

Describe the solution you'd like

I was thinking about some --whatif to have a review of the proposed changes probably more for discovery and early days of the setup to bring assurance on what will happen.
.

Describe the bug

The links to the various policies that are in this doc are broken.
https://github.com/Azure/Enterprise-Scale/tree/main/docs/reference/contoso#security-governance-and-compliance

Here is an example of a broken link:
https://github.com/Azure/Enterprise-Scale/blob/tree/main/azopsreference/3fc1081d-6105-4e19-b60c-1ec1252cf560/contoso/.AzState/Microsoft.Authorization_policyAssignments-Deploy-ASC-Standard.parameters.json

This is the link that doc lives at now:
https://github.com/Azure/Enterprise-Scale/blob/main/azopsreference/3fc1081d-6105-4e19-b60c-1ec1252cf560/contoso/.AzState/Microsoft.Authorization_policyAssignments-Deploy-ASC-Monitoring.parameters.json

Steps to reproduce

Screenshots

Ensure that we properly use existanceConditions in all our DINE policies.

Describe the bug
Section heading "Customer design journy and scope" is missing an "e" from the word "journey"

Steps to reproduce

Screenshots

Describe the solution you'd like

My experience in design principles I try to push now in Enterprise Scale type deployment would be to consider Landing Zones a potential parallel to the "Product". I.e. not just one Application, which could be misunderstood for an app services, but more as the whole solution.
I would argue that in a DevOps culture and the autonomy requirements, the landing zone as a dedicated subscription and set of resources all required with just a Enterprise level push of policy driven governance, is the right way to have enablement of the flow for value creation.
As described in the ES design you then share the core resources from the hub/platform subscription, e.g. APIM as a pivotal resources to share APIs internally (between products) or externally.

Not sure if this request is for this repo or the docs page.

Cheers
Manu

Describe the bug
User has User Access Administrator role and has root-level scope. Verified using azure cli command

az role assignment list --role "User Access Administrator" --scope "/"

Verified the permission also in the portal (See Image 5 below)

But when we click Deploy to Azure button from this page validation fails with below error

The client '[email protected]' with object id '<GUID-xxxxx-xxxxx-xxxxx-xxxx>' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/providers/Microsoft.Resources/deployments/Microsoft.Template-20200716144824' or the scope is invalid. If access was recently granted, please refresh your credentials.

Steps to reproduce

1. Providing user with root level access
2. Verify in the portal and also via Azure CLI
3. Go to https://github.com/Azure/Enterprise-Scale/tree/main/docs/reference/wingtip and click Deploy to Azure
4. Select UK South (See Image 1 below)
5. Provide the prefix xyz and leave Enable management subscription empty. (See Image 2 below)
6. Leave selection to Foundation in the next screen (See Image 3 below)
7. Select Enable Resource Deployments to No in the next screen
8. Get the error (See Image 4 below)

Screenshots

• Image 1
  

• Image 2
  

• Image 3
  

• Image 4
  

• Image 5
  

This line means each deployment has the same name and does not work when there are multiple NSGs in the same region under the scope of this policy.

PR incoming...

The code examples for discovery have the default username still embedded and also involve unnecessary repetition.

PR incoming.

I noticed the ASC Continuous Export Policy is now omitted from the Hub and Spoke implementation. The policy was previously included with the VWAN implementation. Should this policy be included for Hub and Spoke as well?

The links to policies on this page are broken:

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/implementation-guidelines#security-governance-and-compliance

It looks like the the path:
azopsreference/3fc1081d-6105-4e19-b60c-1ec1252cf560/contoso/.AzState/

got changed to:
azopsreference/3fc1081d-6105-4e19-b60c-1ec1252cf560%20(3fc1081d-6105-4e19-b60c-1ec1252cf560)/contoso%20(contoso)/.AzState

Describe the bug
Validation failed.
...... does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/providers/Microsoft.Resources/deployments/NoMarketplace-20200827024317' or the scope is invalid. If access was recently granted, please refresh your credentials."

I am not sure if it's a bug, IAM issue, or subscription issue. I am attempting to use many different types of subscriptions to try to make it work but the error is consistently the same. Any help is appreciated.

Steps to reproduce

1. Deploy template
2. Reach Review + create section and it will not pass validation

Screenshots

Automate the 'azopsreference' artifacts creation

Describe the bug
SQLDB diagnostic logs policy cannot reach a compliant state, because log categories are missing. I will create a PR to fix this.

Steps to reproduce

1. Deploy Enterprise Scale
2. Enable Policy
3. Deploy SQL DB

Screenshots

Documentation:

https://github.com/Azure/Enterprise-Scale/blob/main/docs/Deploy/setup-azuredevops.md

Configure repository permissions
The build service account Build Service () must have the following permissions on the repository:

\Contributors

Build Service seems to need more permissions. The Docker image deployment is failing, without these permissions.

I also noticed for following warning on disabled subscriptions (attached)

I´m running into this error, when trying to deploy the Contoso Enterprise Scale via Release Pipeline:

Deployment template validation failed: 'The template resource 'policydeployment' at line '1' and column '4592' is not valid: The language expression property 'location' doesn't exist, available properties are 'name, properties'.. Please see https://aka.ms/arm-template-expressions for usage details.

This seems to be the "breakpoint" with the policy template:

Any hint what the issue could be?

Just got an error on a fresh deployment of Bootstrap Template - it's trying to create the definition for SQL Server Security Policy Set/Initiative before the child policies definitions are deployed it seems like:

Deployment Correlation ID: 3d0d6f03-9238-4f40-afd1-e5f5c928b496
Tracking ID: 45dbc7eb-7332-49d7-a7dd-b6fcdc4949e9

Status Message:

{
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.",
"details": [
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "BadRequest",
"message": "{\r\n "error": {\r\n "code": "PolicyDefinitionNotFound",\r\n "message": "The policy set definition 'Deploy-Sql-Security' request is invalid. The following policy definitions could not be found: '/providers/Microsoft.Management/managementGroups/liam/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde;/providers/Microsoft.Management/managementGroups/liam/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies;/providers/Microsoft.Management/managementGroups/liam/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings;/providers/Microsoft.Management/managementGroups/liam/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments'."\r\n }\r\n}"
}
]
}
]
}
}

Uncovered this typo.

In AzOps the env variable is singular, in Enterprise-Scale it is plural.

https://github.com/Azure/AzOps/blob/0425f8e36455cea1170937c5a6e054a3b0e6b90b/src/private/Invoke-AzOpsGitPullRefresh.ps1#L7

https://github.com/Azure/AzOps/blob/86563d865b717f6c93bdd4f3134363033c76711c/src/private/Invoke-AzOpsGitPushRefresh.ps1#L10

Pinging @hjscherer

Describe the bug
if I use the link "Deploy to Azure", I get an error at the end of the steps:
"message": "The client '[email protected]' with object id 'xxxxx' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/providers/Microsoft.Resources/deployments/NoMarketplace-20200821194109' or the scope is invalid. If access was recently granted, please refresh your credentials."

Steps to reproduce

1. Click Deploy to Azure into an Visual Studio Enterprise Subscription
2. Step through the process and at the end the error appears.

Screenshots

Describe the bug
In para 1 replace "discovery" with "discovered"

Steps to reproduce

Screenshots

"Configure your repo to update changes from upstream" section (https://github.com/Azure/Enterprise-Scale/blob/main/docs/Deploy/setup-github.md#5-configure-your-repo-to-update-changes-from-upstream) assumes the local repo already exists. However, if we follow the instructions from the top we don't have a local repo by this stage... While the instructions in the pre-requisites clone the repo (https://github.com/Azure/Enterprise-Scale/blob/main/docs/Deploy/getting-started.md) they also instruct us to delete the folder...

Also, Enterprise-Scale "In a box" instructions (https://github.com/Azure/Enterprise-Scale/blob/main/docs/enterprise-scale-iab/deploy-tenant.md) want us to "Configure your repo to update changes from upstream" BEFORE cloning of the repo, which is in (https://github.com/Azure/Enterprise-Scale/blob/main/docs/enterprise-scale-iab/deploy-tenant.md).

Describe the solution you'd like

Describe the bug

when cloning the repo under a Windows 10 machine I always get an error "Filename too long" in the azopsreference/3fc1081d-6105-4e19-b60c-1ec1252cf560 (3fc1081d-6105-4e19-b60c-1ec1252cf560)/contoso (contoso)/ Folder. Multiple files are mentioned e.g. azopsreference/3fc1081d-6105-4e19-b60c-1ec1252cf560 (3fc1081d-6105-4e19-b60c-1ec1252cf560)/contoso (contoso)/platform (platform)/identity (9e32661b-498f-4fd8-bffc-c9ecb4830430)/.AzState/Microsoft.Authorization_policyAssignments-Deploy-vNet-Identity.parameters.json

If I clone the repo in the wsl on the same machine in a different folder it works...
Steps to reproduce

1. Create a new repo out of the template
2. Open VS-Code in Windows
3. Try to clone the new repo
4. Get the error message even if I try to use c:\es

Screenshots

Describe the bug
Two links at the bottom of
https://github.com/Azure/Enterprise-Scale/blob/main/docs/Deploy/ES-schema.md

• Trigger-local-deployment.md
• Deploy-platform-infra.md

Steps to reproduce

broken link

Screenshots

Hi,

First of all: Awesome work! I think the templates and the documentation are really useful and answer a lot of questions organizations may have while starting to use Azure. 👍

During studying the Contoso Reference documentation I got a question regarding separation of stages or environments like Dev, PreProd, Prod, etc.. Especially for the Platform Subscriptions and Resources you may want to have a Prod and at least one other Non-Prod setup where you can test out changes first.
For example if you need to makes changes to resources in the connectivity subscription you may test the connectivity changes first in an non-prod setup. Are such things intended and if yes how?
Or is this maybe more a concept / way of thinking from on-perm which is not really applicable anymore in the cloud context?

Thank you!
Jonas

Describe the bug
Trying to apply Policies to an existing environment using this https://github.com/Azure/Enterprise-Scale/tree/main/azopsreference

It was working till last week but is throwing this error today:

Deployment template validation failed: 'The template resource 'EntScaleoob-sub-policyDef-bda258a0-0836-5684-96c5-be265be92522' at line '196' and column '9' is not valid: The language expression property 'location' doesn't exist, available properties are 'name, tags, properties'.. Please see https://aka.ms/arm-template-expressions for usage details.'. (Code: InvalidTemplate)

Steps to reproduce

1. Logged into Azure Portal in one tab
2. Opened this URL in another tab and clicked at ‘Deploy to Azure’ button https://github.com/Azure/Enterprise-Scale/tree/main/azopsreference

Screenshots

in the architecture diagram for the Connectivity subscription related to the Contoso reference implementation, add:

• a VNet and subnet
• an Azure VM with a DNS Forwarder installed

Source: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances