From de396dd081925fe7fa1b6cca7130bb89f5db6e58 Mon Sep 17 00:00:00 2001
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com>
Date: Tue, 15 Oct 2024 06:30:58 -0700
Subject: [PATCH 1/5] feat: Add slz library files. (#73)

feat: Add slz library files.
---
 platform/slz/README.md                        | 126 ++++++++
 platform/slz/alz_library_metadata.json        |  13 +
 platform/slz/alz_policy_default_values.json   |  76 +++++
 ...confidential.alz_archetype_definition.json |   9 +
 .../global.alz_archetype_definition.json      |   9 +
 .../slz.alz_architecture_definition.json      |  89 ++++++
 ..._sovereign_conf.alz_policy_assignment.json | 277 ++++++++++++++++++
 ...overeign_global.alz_policy_assignment.json |  25 ++
 platform/slz/policy_definitions/.gitkeep      |   6 +
 platform/slz/policy_set_definitions/.gitkeep  |   6 +
 platform/slz/role_definitions/.gitkeep        |   6 +
 11 files changed, 642 insertions(+)
 create mode 100644 platform/slz/README.md
 create mode 100644 platform/slz/alz_library_metadata.json
 create mode 100644 platform/slz/alz_policy_default_values.json
 create mode 100644 platform/slz/archetype_definitions/confidential.alz_archetype_definition.json
 create mode 100644 platform/slz/archetype_definitions/global.alz_archetype_definition.json
 create mode 100644 platform/slz/architecture_definitions/slz.alz_architecture_definition.json
 create mode 100644 platform/slz/policy_assignments/enforce_sovereign_conf.alz_policy_assignment.json
 create mode 100644 platform/slz/policy_assignments/enforce_sovereign_global.alz_policy_assignment.json
 create mode 100644 platform/slz/policy_definitions/.gitkeep
 create mode 100644 platform/slz/policy_set_definitions/.gitkeep
 create mode 100644 platform/slz/role_definitions/.gitkeep

diff --git a/platform/slz/README.md b/platform/slz/README.md
new file mode 100644
index 0000000..0dcaa3a
--- /dev/null
+++ b/platform/slz/README.md
@@ -0,0 +1,126 @@
+# SLZ (Azure Landing Zones)
+  
+This library provides the reference set of Sovereign Landing Zones (SLZ) policies, archetypes, and management group architecture.
+  
+## Usage
+  
+```terraform
+provider "slz" {
+  library_references = [
+    {
+      path = "platform/slz"
+      tag  = "0000.00.0" # Replace with the desired version
+    }
+  ]
+}
+```
+  
+## Architectures
+  
+The following architectures are available in this library, please note that the diagrams denote the management group display name and, in brackets, the associated archetypes:
+  
+### architecture `slz`
+  
+> [!NOTE]  
+> This hierarchy will be deployed as a child of the user-supplied root management group.
+  
+```mermaid
+flowchart TD
+  slzroot["SLZ root
+(root)"]
+  slzroot --> decommissioned
+  decommissioned["Decommissioned
+(decommissioned)"]
+  slzroot --> landingzones
+  landingzones["Landing zones
+(landing_zones)"]
+  landingzones --> confidential-corp
+  confidential-corp["Confidential Corp
+(confidential-corp)"]
+landingzones --> corp
+  corp["Corp
+(corp)"]
+  landingzones --> confidential-online
+  confidential-online["Confidential Online
+(confidential-online)"]
+  landingzones --> online
+  online["Online
+(online)"]
+  slzroot --> platform
+  platform["Platform
+(platform)"]
+  platform --> connectivity
+  connectivity["Connectivity
+(connectivity)"]
+  platform --> identity
+  identity["Identity
+(identity)"]
+  platform --> management
+  management["Management
+(management)"]
+  slzroot --> sandboxes
+  sandboxes["Sandboxes
+(sandboxes)"]
+
+```
+  
+## Archetypes
+  
+### archetype `confidential`
+  
+#### confidential policy assignments
+  
+<details><summary>1 policy assignments</summary>
+
+- Enforce-Sovereign-Conf
+</details>
+
+### archetype `global`
+  
+#### global policy assignments
+  
+<details><summary>1 policy assignments</summary>
+
+- Enforce-Sovereign-Global
+</details>  
+
+## Policy Default Values
+  
+The following policy default values are available in this library:
+
+### default name `allowedLocationsForConfidentialComputing`
+
+#### assignment `Enforce-Sovereign-Conf`
+  
+<details><summary>1 parameter names</summary>
+
+- listOfAllowedLocations
+</details>
+
+### default name `listOfAllowedLocations`
+
+#### assignment `Enforce-Sovereign-Global`
+  
+<details><summary>1 parameter names</summary>
+
+- listOfAllowedLocations
+</details>
+
+### default name `policyEffect`
+
+#### assignment `Enforce-Sovereign-Conf`
+  
+<details><summary>1 parameter names</summary>
+
+- effect
+</details>
+
+#### assignment `Enforce-Sovereign-Global`
+  
+<details><summary>1 parameter names</summary>
+
+- effect
+</details>
+
+> [!NOTE]  
+> Set the apply_alz_archetypes_via_architecture_definition_template parameter to true in the inputs.yaml file to apply ALZ archetypes to your landing zones. For more details, visit the [Azure Landing Zones Library](https://github.com/Azure/Azure-Landing-Zones-Library/tree/main/platform/alz).
\ No newline at end of file
diff --git a/platform/slz/alz_library_metadata.json b/platform/slz/alz_library_metadata.json
new file mode 100644
index 0000000..fc77399
--- /dev/null
+++ b/platform/slz/alz_library_metadata.json
@@ -0,0 +1,13 @@
+{
+  "$schema": "https://raw.githubusercontent.com/Azure/Azure-Landing-Zones-Library/main/schemas/library_metadata.json",
+  "name": "SLZ",
+  "display_name": "Sovereign Landing Zones",
+  "description": "This library provides the reference set of Sovereign Landing Zones (SLZ) policies, archetypes, and management group architecture.",
+  "path": "platform/slz",
+  "dependencies": [
+    {
+      "path": "platform/alz",
+      "ref": "2024.07.02"
+    }
+  ]
+}
diff --git a/platform/slz/alz_policy_default_values.json b/platform/slz/alz_policy_default_values.json
new file mode 100644
index 0000000..0306292
--- /dev/null
+++ b/platform/slz/alz_policy_default_values.json
@@ -0,0 +1,76 @@
+{
+  "defaults": [
+    {
+      "default_name": "allowedLocationsForConfidentialComputing",
+      "policy_assignments": [
+        {
+          "parameter_names": [
+            "listOfAllowedLocations"
+          ],
+          "policy_assignment_name": "Enforce-Sovereign-Conf"
+        }
+      ]
+    },
+    {
+      "default_name": "listOfAllowedLocations",
+      "policy_assignments": [
+        {
+          "parameter_names": [
+            "listOfAllowedLocations"
+          ],
+          "policy_assignment_name": "Enforce-Sovereign-Global"
+        }
+      ]
+    },
+    {
+      "default_name": "policyEffect",
+      "policy_assignments": [
+        {
+          "parameter_names": [
+            "effect"
+          ],
+          "policy_assignment_name": "Enforce-Sovereign-Conf"
+        },
+        {
+          "parameter_names": [
+            "effect"
+          ],
+          "policy_assignment_name": "Enforce-Sovereign-Global"
+        }
+      ]
+    },
+    {
+      "default_name": "ddos_protection_plan_id",
+      "policy_assignments": [
+        {
+          "parameter_names": [
+            "ddosPlan"
+          ],
+          "policy_assignment_name": "Enable-DDoS-VNET"
+        }
+      ]
+    },
+    {
+      "default_name": "ddos_protection_plan_effect",
+      "policy_assignments": [
+        {
+          "parameter_names": [
+            "effect"
+          ],
+          "policy_assignment_name": "Enable-DDoS-VNET"
+        }
+      ]
+    },
+    {
+      "default_name": "emailSecurityContact",
+      "policy_assignments": [
+        {
+          "parameter_names": [
+            "emailSecurityContact"
+          ],
+          "policy_assignment_name": "Deploy-MDFC-Config-H224"
+        }
+      ]
+    }
+  ]
+}
\ No newline at end of file
diff --git a/platform/slz/archetype_definitions/confidential.alz_archetype_definition.json b/platform/slz/archetype_definitions/confidential.alz_archetype_definition.json
new file mode 100644
index 0000000..9ce83e9
--- /dev/null
+++ b/platform/slz/archetype_definitions/confidential.alz_archetype_definition.json
@@ -0,0 +1,9 @@
+{
+  "name": "confidential",
+  "policy_assignments": [
+    "Enforce-Sovereign-Conf"
+  ],
+  "policy_definitions": [],
+  "policy_set_definitions": [],
+  "role_definitions": []
+}
diff --git a/platform/slz/archetype_definitions/global.alz_archetype_definition.json b/platform/slz/archetype_definitions/global.alz_archetype_definition.json
new file mode 100644
index 0000000..2a6db9f
--- /dev/null
+++ b/platform/slz/archetype_definitions/global.alz_archetype_definition.json
@@ -0,0 +1,9 @@
+{
+    "name": "global",
+    "policy_assignments": [
+        "Enforce-Sovereign-Global"
+    ],
+    "policy_definitions": [],
+    "policy_set_definitions": [],
+    "role_definitions": []
+}
diff --git a/platform/slz/architecture_definitions/slz.alz_architecture_definition.json b/platform/slz/architecture_definitions/slz.alz_architecture_definition.json
new file mode 100644
index 0000000..e667d2e
--- /dev/null
+++ b/platform/slz/architecture_definitions/slz.alz_architecture_definition.json
@@ -0,0 +1,89 @@
+{
+  "name": "slz",
+  "management_groups": [
+    {
+      "archetypes": ["global", "root"],
+      "display_name": "Sovereign Landing Zone",
+      "exists": false,
+      "id": "mcfs",
+      "parent_id": null
+    },
+    {
+      "archetypes": ["landing_zones"],
+      "display_name": "Landing Zones",
+      "exists": false,
+      "id": "mcfs-landingzones",
+      "parent_id": "mcfs"
+    },
+    {
+      "archetypes": ["platform"],
+      "display_name": "Platform",
+      "exists": false,
+      "id": "mcfs-platform",
+      "parent_id": "mcfs"
+    },
+    {
+      "archetypes": ["identity"],
+      "display_name": "Identity",
+      "exists": false,
+      "id": "mcfs-platform-identity",
+      "parent_id": "mcfs-platform"
+    },
+    {
+      "archetypes": ["connectivity"],
+      "display_name": "Connectivity",
+      "exists": false,
+      "id": "mcfs-platform-connectivity",
+      "parent_id": "mcfs-platform"
+    },
+    {
+      "archetypes": ["management"],
+      "display_name": "Management",
+      "exists": false,
+      "id": "mcfs-platform-management",
+      "parent_id": "mcfs-platform"
+    },
+    {
+      "archetypes": ["corp"],
+      "display_name": "Corp",
+      "exists": false,
+      "id": "mcfs-landingzones-corp",
+      "parent_id": "mcfs-landingzones"
+    },
+    {
+      "archetypes": ["confidential", "corp"],
+      "display_name": "Confidential Corp",
+      "exists": false,
+      "id": "mcfs-landingzones-confidential-corp",
+      "parent_id": "mcfs-landingzones"
+    },
+    {
+      "archetypes": ["online"],
+      "display_name": "Online",
+      "exists": false,
+      "id": "mcfs-landingzones-online",
+      "parent_id": "mcfs-landingzones"
+    },
+    {
+      "archetypes": ["confidential", "online"],
+      "display_name": "Confidential Online",
+      "exists": false,
+      "id": "mcfs-landingzones-confidential-online",
+      "parent_id": "mcfs-landingzones"
+    },
+    {
+      "archetypes": ["sandboxes"],
+      "display_name": "Sandbox",
+      "exists": false,
+      "id": "mcfs-sandbox",
+      "parent_id": "mcfs"
+    },
+    {
+      "archetypes": ["decommissioned"],
+      "display_name": "Decommissioned",
+      "exists": false,
+      "id": "mcfs-decommissioned",
+      "parent_id": "mcfs"
+    }
+  ]
+}
diff --git a/platform/slz/policy_assignments/enforce_sovereign_conf.alz_policy_assignment.json b/platform/slz/policy_assignments/enforce_sovereign_conf.alz_policy_assignment.json
new file mode 100644
index 0000000..f6289ec
--- /dev/null
+++ b/platform/slz/policy_assignments/enforce_sovereign_conf.alz_policy_assignment.json
@@ -0,0 +1,277 @@
+{
+  "name": "Enforce-Sovereign-Conf",
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2019-09-01",
+  "properties": {
+    "description": "The Microsoft Cloud for Sovereignty recommends confidential policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions, denying resources that are not backed by Azure Confidential Computing, and denying data storage resources that are not using Customer-Managed Keys. More details can be found here: https://aka.ms/SovereigntyBaselinePolicies",
+    "displayName": "[Preview]: Sovereignty Baseline - Confidential Policies",
+    "notScopes": [],
+    "parameters": {
+      "allowedResourceTypes": {
+        "value": [
+          "Microsoft.Attestation/attestationProviders",
+          "Microsoft.Compute/availabilitySets",
+          "Microsoft.Compute/capacityReservationGroups",
+          "Microsoft.Compute/capacityReservationGroups/capacityReservations",
+          "Microsoft.Compute/cloudServices",
+          "Microsoft.Compute/cloudServices/roles",
+          "Microsoft.Compute/cloudServices/roleInstances",
+          "Microsoft.Compute/cloudServices/networkInterfaces",
+          "Microsoft.Compute/cloudServices/roleInstances/networkInterfaces",
+          "Microsoft.Compute/cloudServices/publicIPAddresses",
+          "Microsoft.Compute/disks",
+          "Microsoft.Compute/diskEncryptionSets",
+          "Microsoft.Compute/diskAccesses",
+          "Microsoft.Compute/galleries",
+          "Microsoft.Compute/galleries/images",
+          "Microsoft.Compute/galleries/images/versions",
+          "Microsoft.Compute/galleries/applications",
+          "Microsoft.Compute/galleries/applications/versions",
+          "Microsoft.Compute/hostGroups",
+          "Microsoft.Compute/hostGroups/hosts",
+          "Microsoft.Compute/images",
+          "Microsoft.Compute/locations",
+          "Microsoft.Compute/locations/artifactPublishers",
+          "Microsoft.Compute/locations/csoperations",
+          "Microsoft.Compute/locations/cloudServiceOsVersions",
+          "Microsoft.Compute/locations/cloudServiceOsFamilies",
+          "Microsoft.Compute/locations/capsoperations",
+          "Microsoft.Compute/locations/communityGalleries",
+          "Microsoft.Compute/locations/diagnostics",
+          "Microsoft.Compute/locations/diagnosticOperations",
+          "Microsoft.Compute/locations/diskoperations",
+          "Microsoft.Compute/locations/edgeZones",
+          "Microsoft.Compute/locations/edgeZones/vmimages",
+          "Microsoft.Compute/locations/edgeZones/publishers",
+          "Microsoft.Compute/locations/galleries",
+          "Microsoft.Compute/locations/logAnalytics",
+          "Microsoft.Compute/locations/recommendations",
+          "Microsoft.Compute/locations/runCommands",
+          "Microsoft.Compute/locations/sharedGalleries",
+          "Microsoft.Compute/locations/spotEvictionRates",
+          "Microsoft.Compute/locations/spotPriceHistory",
+          "Microsoft.Compute/locations/operations",
+          "Microsoft.Compute/locations/publishers",
+          "Microsoft.Compute/locations/usages",
+          "Microsoft.Compute/locations/vmSizes",
+          "Microsoft.Compute/locations/virtualMachines",
+          "Microsoft.Compute/locations/virtualMachineScaleSets",
+          "Microsoft.Compute/operations",
+          "Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints",
+          "Microsoft.Compute/virtualMachines",
+          "Microsoft.Compute/virtualMachines/applications",
+          "Microsoft.Compute/virtualMachines/extensions",
+          "Microsoft.Compute/virtualMachines/metricDefinitions",
+          "Microsoft.Compute/virtualMachines/runCommands",
+          "Microsoft.Compute/virtualMachineScaleSets",
+          "Microsoft.Compute/virtualMachineScaleSets/applications",
+          "Microsoft.Compute/virtualMachineScaleSets/extensions",
+          "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces",
+          "Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses",
+          "Microsoft.Compute/virtualMachineScaleSets/virtualMachines",
+          "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions",
+          "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces",
+          "Microsoft.Compute/restorePointCollections",
+          "Microsoft.Compute/restorePointCollections/restorePoints",
+          "Microsoft.Compute/proximityPlacementGroups",
+          "Microsoft.Compute/sshPublicKeys",
+          "Microsoft.Compute/sharedVMImages",
+          "Microsoft.Compute/sharedVMImages/versions",
+          "Microsoft.Compute/snapshots",
+          "Microsoft.ConfidentialLedger/checkNameAvailability",
+          "Microsoft.ConfidentialLedger/Ledgers",
+          "Microsoft.ConfidentialLedger/Locations",
+          "Microsoft.ConfidentialLedger/Locations/operations",
+          "Microsoft.ConfidentialLedger/Locations/operationstatuses",
+          "Microsoft.ConfidentialLedger/ManagedCCFs",
+          "Microsoft.ContainerService/managedClusters",
+          "Microsoft.ContainerService/managedClusters/agentPools",
+          "Microsoft.HardwareSecurityModules/dedicatedHSMs",
+          "Microsoft.HardwareSecurityModules/locations",
+          "Microsoft.HardwareSecurityModules/locations/operationResults",
+          "Microsoft.HardwareSecurityModules/operations",
+          "Microsoft.KeyVault/hsmPools",
+          "Microsoft.KeyVault/managedHSMs",
+          "Microsoft.KeyVault/locations/managedHsmOperationResults",
+          "Microsoft.KeyVault/checkMhsmNameAvailability",
+          "Microsoft.KeyVault/checkNameAvailability",
+          "Microsoft.KeyVault/deletedManagedHSMs",
+          "Microsoft.KeyVault/deletedVaults",
+          "Microsoft.KeyVault/locations",
+          "Microsoft.KeyVault/locations/deletedManagedHSMs",
+          "Microsoft.KeyVault/locations/deletedVaults",
+          "Microsoft.KeyVault/locations/notifyNetworkSecurityPerimeterUpdatesAvailable",
+          "Microsoft.KeyVault/locations/operationResults",
+          "Microsoft.KeyVault/managedHSMs/privateEndpointConnections",
+          "Microsoft.KeyVault/operations",
+          "Microsoft.KeyVault/vaults",
+          "Microsoft.KeyVault/vaults/accessPolicies",
+          "Microsoft.KeyVault/vaults/eventGridFilters",
+          "Microsoft.KeyVault/vaults/keys",
+          "Microsoft.KeyVault/vaults/keys/versions",
+          "Microsoft.KeyVault/vaults/privateEndpointConnections",
+          "Microsoft.KeyVault/vaults/secrets",
+          "Microsoft.Kubernetes/connectedClusters",
+          "Microsoft.Kubernetes/locations",
+          "Microsoft.Kubernetes/locations/operationStatuses",
+          "Microsoft.Kubernetes/registeredSubscriptions",
+          "Microsoft.Kubernetes/Operations",
+          "Microsoft.KubernetesConfiguration/sourceControlConfigurations",
+          "Microsoft.KubernetesConfiguration/extensions",
+          "Microsoft.KubernetesConfiguration/fluxConfigurations",
+          "Microsoft.KubernetesConfiguration/operations",
+          "Microsoft.KubernetesConfiguration/privateLinkScopes",
+          "Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnections",
+          "Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnectionProxies",
+          "Microsoft.ManagedIdentity/userAssignedIdentities",
+          "Microsoft.Network/ddosProtectionPlans",
+          "Microsoft.Network/loadBalancers",
+          "Microsoft.Network/networkSecurityGroups",
+          "Microsoft.Network/networkInterfaces",
+          "Microsoft.Network/privateDnsZones",
+          "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
+          "Microsoft.Network/privateEndpoints",
+          "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
+          "Microsoft.Network/publicIPAddresses",
+          "Microsoft.Network/routeTables",
+          "Microsoft.Network/virtualNetworks",
+          "Microsoft.Network/virtualNetworks/subnets",
+          "Microsoft.Resources/deployments",
+          "Microsoft.Sql/locations/syncDatabaseIds",
+          "Microsoft.Sql/locations/longTermRetentionServers",
+          "Microsoft.Sql/locations/longTermRetentionBackups",
+          "Microsoft.Sql/locations/longTermRetentionPolicyOperationResults",
+          "Microsoft.Sql/locations/longTermRetentionPolicyAzureAsyncOperation",
+          "Microsoft.Sql/locations/longTermRetentionBackupOperationResults",
+          "Microsoft.Sql/locations/longTermRetentionBackupAzureAsyncOperation",
+          "Microsoft.Sql/locations/shortTermRetentionPolicyOperationResults",
+          "Microsoft.Sql/locations/shortTermRetentionPolicyAzureAsyncOperation",
+          "Microsoft.Sql/locations/managedShortTermRetentionPolicyOperationResults",
+          "Microsoft.Sql/locations/managedShortTermRetentionPolicyAzureAsyncOperation",
+          "Microsoft.Sql/locations/instanceFailoverGroups",
+          "Microsoft.Sql/locations/instanceFailoverGroupAzureAsyncOperation",
+          "Microsoft.Sql/locations/instanceFailoverGroupOperationResults",
+          "Microsoft.Sql/locations/privateEndpointConnectionProxyOperationResults",
+          "Microsoft.Sql/locations/privateEndpointConnectionProxyAzureAsyncOperation",
+          "Microsoft.Sql/locations/privateEndpointConnectionOperationResults",
+          "Microsoft.Sql/locations/outboundFirewallRulesAzureAsyncOperation",
+          "Microsoft.Sql/locations/outboundFirewallRulesOperationResults",
+          "Microsoft.Sql/locations/privateEndpointConnectionAzureAsyncOperation",
+          "Microsoft.Sql/locations/notifyAzureAsyncOperation",
+          "Microsoft.Sql/locations/serverTrustGroups",
+          "Microsoft.Sql/locations/serverTrustGroupOperationResults",
+          "Microsoft.Sql/locations/serverTrustGroupAzureAsyncOperation",
+          "Microsoft.Sql/locations/managedDatabaseMoveOperationResults",
+          "Microsoft.Sql/locations/managedDatabaseMoveAzureAsyncOperation",
+          "Microsoft.Sql/locations/connectionPoliciesAzureAsyncOperation",
+          "Microsoft.Sql/locations/connectionPoliciesOperationResults",
+          "Microsoft.Sql/locations/notifyNetworkSecurityPerimeterUpdatesAvailable",
+          "Microsoft.Sql/locations/replicationLinksAzureAsyncOperation",
+          "Microsoft.Sql/locations/replicationLinksOperationResults",
+          "Microsoft.Sql/locations/managedInstanceDtcAzureAsyncOperation",
+          "Microsoft.Sql/servers",
+          "Microsoft.Sql/servers/advancedThreatProtectionSettings",
+          "Microsoft.Sql/servers/advisors",
+          "Microsoft.Sql/servers/auditingPolicies",
+          "Microsoft.Sql/servers/auditingSettings",
+          "Microsoft.Sql/servers/connectionPolicies",
+          "Microsoft.Sql/servers/databases",
+          "Microsoft.Sql/servers/databases/advisors",
+          "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings",
+          "Microsoft.Sql/servers/databases/auditingPolicies",
+          "Microsoft.Sql/servers/databases/auditingSettings",
+          "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies",
+          "Microsoft.Sql/servers/databases/extendedAuditingSettings",
+          "Microsoft.Sql/servers/databases/geoBackupPolicies",
+          "Microsoft.Sql/servers/databases/ledgerDigestUploads",
+          "Microsoft.Sql/servers/databases/securityAlertPolicies",
+          "Microsoft.Sql/servers/databases/transparentDataEncryption",
+          "Microsoft.Sql/servers/databases/transparentDataEncryption",
+          "Microsoft.Sql/servers/databases/vulnerabilityAssessments",
+          "Microsoft.Sql/servers/devOpsAuditingSettings",
+          "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings",
+          "Microsoft.Sql/servers/encryptionProtector",
+          "Microsoft.Sql/servers/extendedAuditingSettings",
+          "Microsoft.Sql/servers/firewallRules",
+          "Microsoft.Sql/servers/keys",
+          "Microsoft.Sql/servers/securityAlertPolicies",
+          "Microsoft.Sql/servers/sqlVulnerabilityAssessments",
+          "Microsoft.Sql/servers/vulnerabilityAssessments"
+        ]
+      },
+      "allowedVirtualMachineSKUs": {
+        "value": [
+          "Standard_DC1s_v2",
+          "Standard_DC2s_v2",
+          "Standard_DC4s_v2",
+          "Standard_DC8_v2",
+          "Standard_DC1s_v3",
+          "Standard_DC2s_v3",
+          "Standard_DC4s_v3",
+          "Standard_DC8s_v3",
+          "Standard_DC16s_v3",
+          "Standard_DC24s_v3",
+          "Standard_DC32s_v3",
+          "Standard_DC48s_v3",
+          "Standard_DC1ds_v3",
+          "Standard_DC2ds_v3",
+          "Standard_DC4ds_v3",
+          "Standard_DC8ds_v3",
+          "Standard_DC16ds_v3",
+          "Standard_DC24ds_v3",
+          "Standard_DC32ds_v3",
+          "Standard_DC48ds_v3",
+          "Standard_DC2ads_v5",
+          "Standard_DC2as_v5",
+          "Standard_DC4ads_v5",
+          "Standard_DC4as_v5",
+          "Standard_DC8ads_v5",
+          "Standard_DC8as_v5",
+          "Standard_DC16ads_v5",
+          "Standard_DC16as_v5",
+          "Standard_DC32ads_v5",
+          "Standard_DC32as_v5",
+          "Standard_DC48ads_v5",
+          "Standard_DC48as_v5",
+          "Standard_DC64ads_v5",
+          "Standard_DC64as_v5",
+          "Standard_DC96ads_v5",
+          "Standard_DC96as_v5",
+          "Standard_EC2ads_v5",
+          "Standard_EC2as_v5",
+          "Standard_EC4ads_v5",
+          "Standard_EC4as_v5",
+          "Standard_EC8ads_v5",
+          "Standard_EC8as_v5",
+          "Standard_EC16ads_v5",
+          "Standard_EC16as_v5",
+          "Standard_EC20ads_v5",
+          "Standard_EC20as_v5",
+          "Standard_EC32ads_v5",
+          "Standard_EC32as_v5",
+          "Standard_EC48ads_v5",
+          "Standard_EC48as_v5",
+          "Standard_EC64ads_v5",
+          "Standard_EC64as_v5",
+          "Standard_EC96ads_v5",
+          "Standard_EC96as_v5",
+          "Standard_EC96iads_v5",
+          "Standard_EC96ias_v5"
+        ]
+      },
+      "effect": {
+        "value": "Deny"
+      },
+      "listOfAllowedLocations": {
+        "value": []
+      }
+    },
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/03de05a4-c324-4ccd-882f-a814ea8ab9ea",
+    "scope": null,
+    "enforcementMode": "Default"
+  },
+  "location": null,
+  "identity": {
+    "type": "None"
+  }
+}
\ No newline at end of file
diff --git a/platform/slz/policy_assignments/enforce_sovereign_global.alz_policy_assignment.json b/platform/slz/policy_assignments/enforce_sovereign_global.alz_policy_assignment.json
new file mode 100644
index 0000000..fc85caf
--- /dev/null
+++ b/platform/slz/policy_assignments/enforce_sovereign_global.alz_policy_assignment.json
@@ -0,0 +1,25 @@
+{
+  "name": "Enforce-Sovereign-Global",
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2019-09-01",
+  "properties": {
+    "description": "The Microsoft Cloud for Sovereignty recommends global policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions. More details can be found here: https://aka.ms/SovereigntyBaselinePolicies",
+    "displayName": "[Preview]: Sovereignty Baseline - Global Policies",
+    "notScopes": [],
+    "parameters": {
+      "effect": {
+        "value": "Deny"
+      },
+      "listOfAllowedLocations": {
+        "value": []
+      }
+    },
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/c1cbff38-87c0-4b9f-9f70-035c7a3b5523",
+    "scope": null,
+    "enforcementMode": "Default"
+  },
+  "location": null,
+  "identity": {
+    "type": "None"
+  }
+}
\ No newline at end of file
diff --git a/platform/slz/policy_definitions/.gitkeep b/platform/slz/policy_definitions/.gitkeep
new file mode 100644
index 0000000..133e542
--- /dev/null
+++ b/platform/slz/policy_definitions/.gitkeep
@@ -0,0 +1,6 @@
+# adding .gitignore to maintain lib folder structure, remove after adding files to the folder
+# Ignore all files in this dir...
+*
+
+# ... except for this one.
+!.gitignore
\ No newline at end of file
diff --git a/platform/slz/policy_set_definitions/.gitkeep b/platform/slz/policy_set_definitions/.gitkeep
new file mode 100644
index 0000000..133e542
--- /dev/null
+++ b/platform/slz/policy_set_definitions/.gitkeep
@@ -0,0 +1,6 @@
+# adding .gitignore to maintain lib folder structure, remove after adding files to the folder
+# Ignore all files in this dir...
+*
+
+# ... except for this one.
+!.gitignore
\ No newline at end of file
diff --git a/platform/slz/role_definitions/.gitkeep b/platform/slz/role_definitions/.gitkeep
new file mode 100644
index 0000000..133e542
--- /dev/null
+++ b/platform/slz/role_definitions/.gitkeep
@@ -0,0 +1,6 @@
+# adding .gitignore to maintain lib folder structure, remove after adding files to the folder
+# Ignore all files in this dir...
+*
+
+# ... except for this one.
+!.gitignore
\ No newline at end of file

From f3447867850a81455dbfd5e13d7713ec9d8649be Mon Sep 17 00:00:00 2001
From: Matt White <16320656+matt-FFFFFF@users.noreply.github.com>
Date: Tue, 15 Oct 2024 14:32:02 +0100
Subject: [PATCH 2/5] ci: update alzlibtool in workflows

---
 .github/workflows/pr-check.yml   |   4 +-
 .github/workflows/update-alz.yml |   2 +-
 platform/slz/README.md           | 859 +++++++++++++++++++++++++++++++
 3 files changed, 862 insertions(+), 3 deletions(-)
 create mode 100644 platform/slz/README.md

diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml
index e02f8eb..228c901 100644
--- a/.github/workflows/pr-check.yml
+++ b/.github/workflows/pr-check.yml
@@ -57,7 +57,7 @@ jobs:
           go-version: 'stable'
 
       - name: Install alzlibtool
-        run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.5
+        run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.6
 
       - name: Azure login
         uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
@@ -72,7 +72,7 @@ jobs:
           if [ -z "$(git status -suno)" ]; then
             echo "README.md is up to date"
           else
-            echo "README.md is out of date"
+            echo "README.md is out of date, generate using `alzlibtool document library . >README.md`"
             git --no-pager diff
             exit 1
           fi
diff --git a/.github/workflows/update-alz.yml b/.github/workflows/update-alz.yml
index 12a935c..0702daa 100644
--- a/.github/workflows/update-alz.yml
+++ b/.github/workflows/update-alz.yml
@@ -44,7 +44,7 @@ jobs:
           go-version: 'stable'
 
       - name: install alzlibtool
-        run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.5
+        run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.6
 
       - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
         id: generate-token
diff --git a/platform/slz/README.md b/platform/slz/README.md
new file mode 100644
index 0000000..b218833
--- /dev/null
+++ b/platform/slz/README.md
@@ -0,0 +1,859 @@
+# SLZ (Sovereign Landing Zones)
+  
+This library provides the reference set of Sovereign Landing Zones (SLZ) policies, archetypes, and management group architecture.
+  
+## Dependencies
+  
+- platform/alz@2024.07.02
+  
+## Usage
+  
+```terraform
+provider "alz" {
+  library_references = [
+    {
+      path = "platform/slz"
+      tag  = "0000.00.0" # Replace with the desired version
+    }
+  ]
+}
+```
+  
+## Architectures
+  
+The following architectures are available in this library, please note that the diagrams denote the management group display name and, in brackets, the associated archetypes:
+  
+### architecture `alz`
+  
+> [!NOTE]  
+> This hierarchy will be deployed as a child of the user-supplied root management group.
+  
+```mermaid
+flowchart TD
+  alzroot["ALZ root
+(root)"]
+  alzroot --> landingzones
+  landingzones["Landing zones
+(landing_zones)"]
+  landingzones --> corp
+  corp["Corp
+(corp)"]
+  landingzones --> online
+  online["Online
+(online)"]
+  alzroot --> platform
+  platform["Platform
+(platform)"]
+  platform --> connectivity
+  connectivity["Connectivity
+(connectivity)"]
+  platform --> identity
+  identity["Identity
+(identity)"]
+  platform --> management
+  management["Management
+(management)"]
+  alzroot --> sandboxes
+  sandboxes["Sandboxes
+(sandboxes)"]
+
+```
+  
+### architecture `slz`
+  
+> [!NOTE]  
+> This hierarchy will be deployed as a child of the user-supplied root management group.
+  
+```mermaid
+flowchart TD
+  mcfs["Sovereign Landing Zone
+(global, root)"]
+  mcfs --> mcfs-decommissioned
+  mcfs-decommissioned["Decommissioned
+(decommissioned)"]
+  mcfs --> mcfs-landingzones
+  mcfs-landingzones["Landing Zones
+(landing_zones)"]
+  mcfs-landingzones --> mcfs-landingzones-confidential-corp
+  mcfs-landingzones-confidential-corp["Confidential Corp
+(corp, confidential)"]
+  mcfs-landingzones --> mcfs-landingzones-confidential-online
+  mcfs-landingzones-confidential-online["Confidential Online
+(confidential, online)"]
+  mcfs-landingzones --> mcfs-landingzones-corp
+  mcfs-landingzones-corp["Corp
+(corp)"]
+  mcfs-landingzones --> mcfs-landingzones-online
+  mcfs-landingzones-online["Online
+(online)"]
+  mcfs --> mcfs-platform
+  mcfs-platform["Platform
+(platform)"]
+  mcfs-platform --> mcfs-platform-connectivity
+  mcfs-platform-connectivity["Connectivity
+(connectivity)"]
+  mcfs-platform --> mcfs-platform-identity
+  mcfs-platform-identity["Identity
+(identity)"]
+  mcfs-platform --> mcfs-platform-management
+  mcfs-platform-management["Management
+(management)"]
+  mcfs --> mcfs-sandbox
+  mcfs-sandbox["Sandbox
+(sandboxes)"]
+
+```
+  
+## Archetypes
+  
+### archetype `confidential`
+  
+#### confidential policy assignments
+  
+<details><summary>1 policy assignments</summary>
+
+- Enforce-Sovereign-Conf
+</details>
+  
+### archetype `connectivity`
+  
+#### connectivity policy assignments
+  
+<details><summary>1 policy assignments</summary>
+
+- Enable-DDoS-VNET
+</details>
+  
+### archetype `corp`
+  
+#### corp policy assignments
+  
+<details><summary>5 policy assignments</summary>
+
+- Audit-PeDnsZones
+- Deny-HybridNetworking
+- Deny-Public-Endpoints
+- Deny-Public-IP-On-NIC
+- Deploy-Private-DNS-Zones
+</details>
+  
+### archetype `decommissioned`
+  
+#### decommissioned policy assignments
+  
+<details><summary>1 policy assignments</summary>
+
+- Enforce-ALZ-Decomm
+</details>
+  
+### archetype `global`
+  
+#### global policy assignments
+  
+<details><summary>1 policy assignments</summary>
+
+- Enforce-Sovereign-Global
+</details>
+  
+### archetype `identity`
+  
+#### identity policy assignments
+  
+<details><summary>4 policy assignments</summary>
+
+- Deny-MgmtPorts-Internet
+- Deny-Public-IP
+- Deny-Subnet-Without-Nsg
+- Deploy-VM-Backup
+</details>
+  
+### archetype `landing_zones`
+  
+#### landing_zones policy assignments
+  
+<details><summary>25 policy assignments</summary>
+
+- Audit-AppGW-WAF
+- Deny-IP-forwarding
+- Deny-MgmtPorts-Internet
+- Deny-Priv-Esc-AKS
+- Deny-Privileged-AKS
+- Deny-Storage-http
+- Deny-Subnet-Without-Nsg
+- Deploy-AKS-Policy
+- Deploy-AzSqlDb-Auditing
+- Deploy-MDFC-DefSQL-AMA
+- Deploy-SQL-TDE
+- Deploy-SQL-Threat
+- Deploy-VM-Backup
+- Deploy-VM-ChangeTrack
+- Deploy-VM-Monitoring
+- Deploy-VMSS-ChangeTrack
+- Deploy-VMSS-Monitoring
+- Deploy-vmArc-ChangeTrack
+- Deploy-vmHybr-Monitoring
+- Enable-AUM-CheckUpdates
+- Enable-DDoS-VNET
+- Enforce-AKS-HTTPS
+- Enforce-ASR
+- Enforce-GR-KeyVault
+- Enforce-TLS-SSL-H224
+</details>
+  
+### archetype `management`
+  
+#### management policy assignments
+  
+<details><summary>1 policy assignments</summary>
+
+- Deploy-Log-Analytics
+</details>
+  
+### archetype `platform`
+  
+#### platform policy assignments
+  
+<details><summary>11 policy assignments</summary>
+
+- DenyAction-DeleteUAMIAMA
+- Deploy-MDFC-DefSQL-AMA
+- Deploy-VM-ChangeTrack
+- Deploy-VM-Monitoring
+- Deploy-VMSS-ChangeTrack
+- Deploy-VMSS-Monitoring
+- Deploy-vmArc-ChangeTrack
+- Deploy-vmHybr-Monitoring
+- Enable-AUM-CheckUpdates
+- Enforce-ASR
+- Enforce-GR-KeyVault
+</details>
+  
+### archetype `root`
+  
+#### root policy definitions
+  
+<details><summary>158 policy definitions</summary>
+
+- Append-AppService-httpsonly
+- Append-AppService-latestTLS
+- Append-KV-SoftDelete
+- Append-Redis-disableNonSslPort
+- Append-Redis-sslEnforcement
+- Audit-AzureHybridBenefit
+- Audit-Disks-UnusedResourcesCostOptimization
+- Audit-MachineLearning-PrivateEndpointId
+- Audit-PrivateLinkDnsZones
+- Audit-PublicIpAddresses-UnusedResourcesCostOptimization
+- Audit-ServerFarms-UnusedResourcesCostOptimization
+- Deny-AA-child-resources
+- Deny-APIM-TLS
+- Deny-AppGW-Without-WAF
+- Deny-AppGw-Without-Tls
+- Deny-AppService-without-BYOC
+- Deny-AppServiceApiApp-http
+- Deny-AppServiceFunctionApp-http
+- Deny-AppServiceWebApp-http
+- Deny-AzFw-Without-Policy
+- Deny-CognitiveServices-NetworkAcls
+- Deny-CognitiveServices-Resource-Kinds
+- Deny-CognitiveServices-RestrictOutboundNetworkAccess
+- Deny-Databricks-NoPublicIp
+- Deny-Databricks-Sku
+- Deny-Databricks-VirtualNetwork
+- Deny-EH-Premium-CMK
+- Deny-EH-minTLS
+- Deny-FileServices-InsecureAuth
+- Deny-FileServices-InsecureKerberos
+- Deny-FileServices-InsecureSmbChannel
+- Deny-FileServices-InsecureSmbVersions
+- Deny-LogicApp-Public-Network
+- Deny-LogicApps-Without-Https
+- Deny-MachineLearning-Aks
+- Deny-MachineLearning-Compute-SubnetId
+- Deny-MachineLearning-Compute-VmSize
+- Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess
+- Deny-MachineLearning-ComputeCluster-Scale
+- Deny-MachineLearning-HbiWorkspace
+- Deny-MachineLearning-PublicAccessWhenBehindVnet
+- Deny-MachineLearning-PublicNetworkAccess
+- Deny-MgmtPorts-From-Internet
+- Deny-MySql-http
+- Deny-PostgreSql-http
+- Deny-Private-DNS-Zones
+- Deny-PublicEndpoint-MariaDB
+- Deny-PublicIP
+- Deny-RDP-From-Internet
+- Deny-Redis-http
+- Deny-Service-Endpoints
+- Deny-Sql-minTLS
+- Deny-SqlMi-minTLS
+- Deny-Storage-ContainerDeleteRetentionPolicy
+- Deny-Storage-CopyScope
+- Deny-Storage-CorsRules
+- Deny-Storage-LocalUser
+- Deny-Storage-NetworkAclsBypass
+- Deny-Storage-NetworkAclsVirtualNetworkRules
+- Deny-Storage-ResourceAccessRulesResourceId
+- Deny-Storage-ResourceAccessRulesTenantId
+- Deny-Storage-SFTP
+- Deny-Storage-ServicesEncryption
+- Deny-Storage-minTLS
+- Deny-StorageAccount-CustomDomain
+- Deny-Subnet-Without-Nsg
+- Deny-Subnet-Without-Penp
+- Deny-Subnet-Without-Udr
+- Deny-UDR-With-Specific-NextHop
+- Deny-VNET-Peer-Cross-Sub
+- Deny-VNET-Peering-To-Non-Approved-VNETs
+- Deny-VNet-Peering
+- DenyAction-ActivityLogs
+- DenyAction-DeleteResources
+- DenyAction-DiagnosticLogs
+- Deploy-ASC-SecurityContacts
+- Deploy-Budget
+- Deploy-Custom-Route-Table
+- Deploy-DDoSProtection
+- Deploy-Diagnostics-AA
+- Deploy-Diagnostics-ACI
+- Deploy-Diagnostics-ACR
+- Deploy-Diagnostics-APIMgmt
+- Deploy-Diagnostics-AVDScalingPlans
+- Deploy-Diagnostics-AnalysisService
+- Deploy-Diagnostics-ApiForFHIR
+- Deploy-Diagnostics-ApplicationGateway
+- Deploy-Diagnostics-Bastion
+- Deploy-Diagnostics-CDNEndpoints
+- Deploy-Diagnostics-CognitiveServices
+- Deploy-Diagnostics-CosmosDB
+- Deploy-Diagnostics-DLAnalytics
+- Deploy-Diagnostics-DataExplorerCluster
+- Deploy-Diagnostics-DataFactory
+- Deploy-Diagnostics-Databricks
+- Deploy-Diagnostics-EventGridSub
+- Deploy-Diagnostics-EventGridSystemTopic
+- Deploy-Diagnostics-EventGridTopic
+- Deploy-Diagnostics-ExpressRoute
+- Deploy-Diagnostics-Firewall
+- Deploy-Diagnostics-FrontDoor
+- Deploy-Diagnostics-Function
+- Deploy-Diagnostics-HDInsight
+- Deploy-Diagnostics-LoadBalancer
+- Deploy-Diagnostics-LogAnalytics
+- Deploy-Diagnostics-LogicAppsISE
+- Deploy-Diagnostics-MariaDB
+- Deploy-Diagnostics-MediaService
+- Deploy-Diagnostics-MlWorkspace
+- Deploy-Diagnostics-MySQL
+- Deploy-Diagnostics-NIC
+- Deploy-Diagnostics-NetworkSecurityGroups
+- Deploy-Diagnostics-PostgreSQL
+- Deploy-Diagnostics-PowerBIEmbedded
+- Deploy-Diagnostics-RedisCache
+- Deploy-Diagnostics-Relay
+- Deploy-Diagnostics-SQLElasticPools
+- Deploy-Diagnostics-SQLMI
+- Deploy-Diagnostics-SignalR
+- Deploy-Diagnostics-TimeSeriesInsights
+- Deploy-Diagnostics-TrafficManager
+- Deploy-Diagnostics-VM
+- Deploy-Diagnostics-VMSS
+- Deploy-Diagnostics-VNetGW
+- Deploy-Diagnostics-VWanS2SVPNGW
+- Deploy-Diagnostics-VirtualNetwork
+- Deploy-Diagnostics-WVDAppGroup
+- Deploy-Diagnostics-WVDHostPools
+- Deploy-Diagnostics-WVDWorkspace
+- Deploy-Diagnostics-WebServerFarm
+- Deploy-Diagnostics-Website
+- Deploy-Diagnostics-iotHub
+- Deploy-FirewallPolicy
+- Deploy-LogicApp-TLS
+- Deploy-MDFC-Arc-SQL-DCR-Association
+- Deploy-MDFC-Arc-Sql-DefenderSQL-DCR
+- Deploy-MDFC-SQL-AMA
+- Deploy-MDFC-SQL-DefenderSQL
+- Deploy-MDFC-SQL-DefenderSQL-DCR
+- Deploy-MySQL-sslEnforcement
+- Deploy-Nsg-FlowLogs
+- Deploy-Nsg-FlowLogs-to-LA
+- Deploy-PostgreSQL-sslEnforcement
+- Deploy-Private-DNS-Generic
+- Deploy-SQL-minTLS
+- Deploy-Sql-AuditingSettings
+- Deploy-Sql-SecurityAlertPolicies
+- Deploy-Sql-Tde
+- Deploy-Sql-vulnerabilityAssessments
+- Deploy-Sql-vulnerabilityAssessments_20230706
+- Deploy-SqlMi-minTLS
+- Deploy-Storage-sslEnforcement
+- Deploy-UserAssignedManagedIdentity-VMInsights
+- Deploy-VNET-HubSpoke
+- Deploy-Vm-autoShutdown
+- Deploy-Windows-DomainJoin
+- Modify-NSG
+- Modify-UDR
+</details>
+  
+#### root policy set definitions
+  
+<details><summary>45 policy set definitions</summary>
+
+- Audit-TrustedLaunch
+- Audit-UnusedResourcesCostOptimization
+- Deny-PublicPaaSEndpoints
+- DenyAction-DeleteProtection
+- Deploy-AUM-CheckUpdates
+- Deploy-Diagnostics-LogAnalytics
+- Deploy-MDFC-Config
+- Deploy-MDFC-Config_20240319
+- Deploy-MDFC-DefenderSQL-AMA
+- Deploy-Private-DNS-Zones
+- Deploy-Sql-Security
+- Deploy-Sql-Security_20240529
+- Enforce-ACSB
+- Enforce-ALZ-Decomm
+- Enforce-ALZ-Sandbox
+- Enforce-Backup
+- Enforce-EncryptTransit
+- Enforce-EncryptTransit_20240509
+- Enforce-Encryption-CMK
+- Enforce-Guardrails-APIM
+- Enforce-Guardrails-AppServices
+- Enforce-Guardrails-Automation
+- Enforce-Guardrails-CognitiveServices
+- Enforce-Guardrails-Compute
+- Enforce-Guardrails-ContainerApps
+- Enforce-Guardrails-ContainerInstance
+- Enforce-Guardrails-ContainerRegistry
+- Enforce-Guardrails-CosmosDb
+- Enforce-Guardrails-DataExplorer
+- Enforce-Guardrails-DataFactory
+- Enforce-Guardrails-EventGrid
+- Enforce-Guardrails-EventHub
+- Enforce-Guardrails-KeyVault
+- Enforce-Guardrails-KeyVault-Sup
+- Enforce-Guardrails-Kubernetes
+- Enforce-Guardrails-MachineLearning
+- Enforce-Guardrails-MySQL
+- Enforce-Guardrails-Network
+- Enforce-Guardrails-OpenAI
+- Enforce-Guardrails-PostgreSQL
+- Enforce-Guardrails-SQL
+- Enforce-Guardrails-ServiceBus
+- Enforce-Guardrails-Storage
+- Enforce-Guardrails-Synapse
+- Enforce-Guardrails-VirtualDesktop
+</details>
+  
+#### root policy assignments
+  
+<details><summary>15 policy assignments</summary>
+
+- Audit-ResourceRGLocation
+- Audit-TrustedLaunch
+- Audit-UnusedResources
+- Audit-ZoneResiliency
+- Deny-Classic-Resources
+- Deny-UnmanagedDisk
+- Deploy-ASC-Monitoring
+- Deploy-AzActivity-Log
+- Deploy-Diag-Logs
+- Deploy-MDEndpoints
+- Deploy-MDEndpointsAMA
+- Deploy-MDFC-Config-H224
+- Deploy-MDFC-OssDb
+- Deploy-MDFC-SqlAtp
+- Enforce-ACSB
+</details>
+  
+#### root role definitions
+  
+<details><summary>5 role definitions</summary>
+
+- Application-Owners
+- Network-Management
+- Network-Subnet-Contributor
+- Security-Operations
+- Subscription-Owner
+</details>
+  
+### archetype `sandboxes`
+  
+#### sandboxes policy assignments
+  
+<details><summary>1 policy assignments</summary>
+
+- Enforce-ALZ-Sandbox
+</details>
+  
+## Policy Default Values
+  
+The following policy default values are available in this library:
+  
+### default name `allowedLocationsForConfidentialComputing`
+  
+#### assignment `Enforce-Sovereign-Conf`
+  
+<details><summary>1 parameter names</summary>
+
+- listOfAllowedLocations
+</details>
+  
+### default name `ddos_protection_plan_effect`
+  
+#### assignment `Enable-DDoS-VNET`
+  
+<details><summary>1 parameter names</summary>
+
+- effect
+</details>
+  
+### default name `ddos_protection_plan_id`
+  
+#### assignment `Enable-DDoS-VNET`
+  
+<details><summary>1 parameter names</summary>
+
+- ddosPlan
+</details>
+  
+### default name `emailSecurityContact`
+  
+#### assignment `Deploy-MDFC-Config-H224`
+  
+<details><summary>1 parameter names</summary>
+
+- emailSecurityContact
+</details>
+  
+### default name `listOfAllowedLocations`
+  
+#### assignment `Enforce-Sovereign-Global`
+  
+<details><summary>1 parameter names</summary>
+
+- listOfAllowedLocations
+</details>
+  
+### default name `policyEffect`
+  
+#### assignment `Enforce-Sovereign-Conf`
+  
+<details><summary>1 parameter names</summary>
+
+- effect
+</details>
+  
+#### assignment `Enforce-Sovereign-Global`
+  
+<details><summary>1 parameter names</summary>
+
+- effect
+</details>
+  
+---
+## Contents
+  
+### all policy definitions
+  
+<details><summary>158 policy definitions</summary>
+
+- Append-AppService-httpsonly
+- Append-AppService-latestTLS
+- Append-KV-SoftDelete
+- Append-Redis-disableNonSslPort
+- Append-Redis-sslEnforcement
+- Audit-AzureHybridBenefit
+- Audit-Disks-UnusedResourcesCostOptimization
+- Audit-MachineLearning-PrivateEndpointId
+- Audit-PrivateLinkDnsZones
+- Audit-PublicIpAddresses-UnusedResourcesCostOptimization
+- Audit-ServerFarms-UnusedResourcesCostOptimization
+- Deny-AA-child-resources
+- Deny-APIM-TLS
+- Deny-AppGW-Without-WAF
+- Deny-AppGw-Without-Tls
+- Deny-AppService-without-BYOC
+- Deny-AppServiceApiApp-http
+- Deny-AppServiceFunctionApp-http
+- Deny-AppServiceWebApp-http
+- Deny-AzFw-Without-Policy
+- Deny-CognitiveServices-NetworkAcls
+- Deny-CognitiveServices-Resource-Kinds
+- Deny-CognitiveServices-RestrictOutboundNetworkAccess
+- Deny-Databricks-NoPublicIp
+- Deny-Databricks-Sku
+- Deny-Databricks-VirtualNetwork
+- Deny-EH-Premium-CMK
+- Deny-EH-minTLS
+- Deny-FileServices-InsecureAuth
+- Deny-FileServices-InsecureKerberos
+- Deny-FileServices-InsecureSmbChannel
+- Deny-FileServices-InsecureSmbVersions
+- Deny-LogicApp-Public-Network
+- Deny-LogicApps-Without-Https
+- Deny-MachineLearning-Aks
+- Deny-MachineLearning-Compute-SubnetId
+- Deny-MachineLearning-Compute-VmSize
+- Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess
+- Deny-MachineLearning-ComputeCluster-Scale
+- Deny-MachineLearning-HbiWorkspace
+- Deny-MachineLearning-PublicAccessWhenBehindVnet
+- Deny-MachineLearning-PublicNetworkAccess
+- Deny-MgmtPorts-From-Internet
+- Deny-MySql-http
+- Deny-PostgreSql-http
+- Deny-Private-DNS-Zones
+- Deny-PublicEndpoint-MariaDB
+- Deny-PublicIP
+- Deny-RDP-From-Internet
+- Deny-Redis-http
+- Deny-Service-Endpoints
+- Deny-Sql-minTLS
+- Deny-SqlMi-minTLS
+- Deny-Storage-ContainerDeleteRetentionPolicy
+- Deny-Storage-CopyScope
+- Deny-Storage-CorsRules
+- Deny-Storage-LocalUser
+- Deny-Storage-NetworkAclsBypass
+- Deny-Storage-NetworkAclsVirtualNetworkRules
+- Deny-Storage-ResourceAccessRulesResourceId
+- Deny-Storage-ResourceAccessRulesTenantId
+- Deny-Storage-SFTP
+- Deny-Storage-ServicesEncryption
+- Deny-Storage-minTLS
+- Deny-StorageAccount-CustomDomain
+- Deny-Subnet-Without-Nsg
+- Deny-Subnet-Without-Penp
+- Deny-Subnet-Without-Udr
+- Deny-UDR-With-Specific-NextHop
+- Deny-VNET-Peer-Cross-Sub
+- Deny-VNET-Peering-To-Non-Approved-VNETs
+- Deny-VNet-Peering
+- DenyAction-ActivityLogs
+- DenyAction-DeleteResources
+- DenyAction-DiagnosticLogs
+- Deploy-ASC-SecurityContacts
+- Deploy-Budget
+- Deploy-Custom-Route-Table
+- Deploy-DDoSProtection
+- Deploy-Diagnostics-AA
+- Deploy-Diagnostics-ACI
+- Deploy-Diagnostics-ACR
+- Deploy-Diagnostics-APIMgmt
+- Deploy-Diagnostics-AVDScalingPlans
+- Deploy-Diagnostics-AnalysisService
+- Deploy-Diagnostics-ApiForFHIR
+- Deploy-Diagnostics-ApplicationGateway
+- Deploy-Diagnostics-Bastion
+- Deploy-Diagnostics-CDNEndpoints
+- Deploy-Diagnostics-CognitiveServices
+- Deploy-Diagnostics-CosmosDB
+- Deploy-Diagnostics-DLAnalytics
+- Deploy-Diagnostics-DataExplorerCluster
+- Deploy-Diagnostics-DataFactory
+- Deploy-Diagnostics-Databricks
+- Deploy-Diagnostics-EventGridSub
+- Deploy-Diagnostics-EventGridSystemTopic
+- Deploy-Diagnostics-EventGridTopic
+- Deploy-Diagnostics-ExpressRoute
+- Deploy-Diagnostics-Firewall
+- Deploy-Diagnostics-FrontDoor
+- Deploy-Diagnostics-Function
+- Deploy-Diagnostics-HDInsight
+- Deploy-Diagnostics-LoadBalancer
+- Deploy-Diagnostics-LogAnalytics
+- Deploy-Diagnostics-LogicAppsISE
+- Deploy-Diagnostics-MariaDB
+- Deploy-Diagnostics-MediaService
+- Deploy-Diagnostics-MlWorkspace
+- Deploy-Diagnostics-MySQL
+- Deploy-Diagnostics-NIC
+- Deploy-Diagnostics-NetworkSecurityGroups
+- Deploy-Diagnostics-PostgreSQL
+- Deploy-Diagnostics-PowerBIEmbedded
+- Deploy-Diagnostics-RedisCache
+- Deploy-Diagnostics-Relay
+- Deploy-Diagnostics-SQLElasticPools
+- Deploy-Diagnostics-SQLMI
+- Deploy-Diagnostics-SignalR
+- Deploy-Diagnostics-TimeSeriesInsights
+- Deploy-Diagnostics-TrafficManager
+- Deploy-Diagnostics-VM
+- Deploy-Diagnostics-VMSS
+- Deploy-Diagnostics-VNetGW
+- Deploy-Diagnostics-VWanS2SVPNGW
+- Deploy-Diagnostics-VirtualNetwork
+- Deploy-Diagnostics-WVDAppGroup
+- Deploy-Diagnostics-WVDHostPools
+- Deploy-Diagnostics-WVDWorkspace
+- Deploy-Diagnostics-WebServerFarm
+- Deploy-Diagnostics-Website
+- Deploy-Diagnostics-iotHub
+- Deploy-FirewallPolicy
+- Deploy-LogicApp-TLS
+- Deploy-MDFC-Arc-SQL-DCR-Association
+- Deploy-MDFC-Arc-Sql-DefenderSQL-DCR
+- Deploy-MDFC-SQL-AMA
+- Deploy-MDFC-SQL-DefenderSQL
+- Deploy-MDFC-SQL-DefenderSQL-DCR
+- Deploy-MySQL-sslEnforcement
+- Deploy-Nsg-FlowLogs
+- Deploy-Nsg-FlowLogs-to-LA
+- Deploy-PostgreSQL-sslEnforcement
+- Deploy-Private-DNS-Generic
+- Deploy-SQL-minTLS
+- Deploy-Sql-AuditingSettings
+- Deploy-Sql-SecurityAlertPolicies
+- Deploy-Sql-Tde
+- Deploy-Sql-vulnerabilityAssessments
+- Deploy-Sql-vulnerabilityAssessments_20230706
+- Deploy-SqlMi-minTLS
+- Deploy-Storage-sslEnforcement
+- Deploy-UserAssignedManagedIdentity-VMInsights
+- Deploy-VNET-HubSpoke
+- Deploy-Vm-autoShutdown
+- Deploy-Windows-DomainJoin
+- Modify-NSG
+- Modify-UDR
+</details>
+  
+### all policy set definitions
+  
+<details><summary>45 policy set definitions</summary>
+
+- Audit-TrustedLaunch
+- Audit-UnusedResourcesCostOptimization
+- Deny-PublicPaaSEndpoints
+- DenyAction-DeleteProtection
+- Deploy-AUM-CheckUpdates
+- Deploy-Diagnostics-LogAnalytics
+- Deploy-MDFC-Config
+- Deploy-MDFC-Config_20240319
+- Deploy-MDFC-DefenderSQL-AMA
+- Deploy-Private-DNS-Zones
+- Deploy-Sql-Security
+- Deploy-Sql-Security_20240529
+- Enforce-ACSB
+- Enforce-ALZ-Decomm
+- Enforce-ALZ-Sandbox
+- Enforce-Backup
+- Enforce-EncryptTransit
+- Enforce-EncryptTransit_20240509
+- Enforce-Encryption-CMK
+- Enforce-Guardrails-APIM
+- Enforce-Guardrails-AppServices
+- Enforce-Guardrails-Automation
+- Enforce-Guardrails-CognitiveServices
+- Enforce-Guardrails-Compute
+- Enforce-Guardrails-ContainerApps
+- Enforce-Guardrails-ContainerInstance
+- Enforce-Guardrails-ContainerRegistry
+- Enforce-Guardrails-CosmosDb
+- Enforce-Guardrails-DataExplorer
+- Enforce-Guardrails-DataFactory
+- Enforce-Guardrails-EventGrid
+- Enforce-Guardrails-EventHub
+- Enforce-Guardrails-KeyVault
+- Enforce-Guardrails-KeyVault-Sup
+- Enforce-Guardrails-Kubernetes
+- Enforce-Guardrails-MachineLearning
+- Enforce-Guardrails-MySQL
+- Enforce-Guardrails-Network
+- Enforce-Guardrails-OpenAI
+- Enforce-Guardrails-PostgreSQL
+- Enforce-Guardrails-SQL
+- Enforce-Guardrails-ServiceBus
+- Enforce-Guardrails-Storage
+- Enforce-Guardrails-Synapse
+- Enforce-Guardrails-VirtualDesktop
+</details>
+  
+### all policy assignments
+  
+<details><summary>71 policy assignments</summary>
+
+- Audit-AppGW-WAF
+- Audit-PeDnsZones
+- Audit-ResourceRGLocation
+- Audit-TrustedLaunch
+- Audit-UnusedResources
+- Audit-ZoneResiliency
+- Deny-AppGW-Without-WAF
+- Deny-Classic-Resources
+- Deny-DataB-Pip
+- Deny-DataB-Sku
+- Deny-DataB-Vnet
+- Deny-HybridNetworking
+- Deny-IP-forwarding
+- Deny-MgmtPorts-Internet
+- Deny-Priv-Esc-AKS
+- Deny-Private-DNS-Zones
+- Deny-Privileged-AKS
+- Deny-Public-Endpoints
+- Deny-Public-IP
+- Deny-Public-IP-On-NIC
+- Deny-RDP-From-Internet
+- Deny-RSG-Locations
+- Deny-Resource-Locations
+- Deny-Resource-Types
+- Deny-Storage-http
+- Deny-Subnet-Without-Nsg
+- Deny-Subnet-Without-Udr
+- Deny-UnmanagedDisk
+- DenyAction-DeleteUAMIAMA
+- Deploy-AKS-Policy
+- Deploy-ASC-Monitoring
+- Deploy-AzActivity-Log
+- Deploy-AzSqlDb-Auditing
+- Deploy-Diag-Logs
+- Deploy-Log-Analytics
+- Deploy-MDEndpoints
+- Deploy-MDEndpointsAMA
+- Deploy-MDFC-Config
+- Deploy-MDFC-Config-H224
+- Deploy-MDFC-DefSQL-AMA
+- Deploy-MDFC-DefenSQL-AMA
+- Deploy-MDFC-OssDb
+- Deploy-MDFC-SqlAtp
+- Deploy-Private-DNS-Zones
+- Deploy-Resource-Diag
+- Deploy-SQL-DB-Auditing
+- Deploy-SQL-Security
+- Deploy-SQL-TDE
+- Deploy-SQL-Threat
+- Deploy-UAMI-VMInsights
+- Deploy-VM-Backup
+- Deploy-VM-ChangeTrack
+- Deploy-VM-Monitoring
+- Deploy-VMSS-ChangeTrack
+- Deploy-VMSS-Monitoring
+- Deploy-vmArc-ChangeTrack
+- Deploy-vmHybr-Monitoring
+- Enable-AUM-CheckUpdates
+- Enable-AUM-VM-Windows
+- Enable-AUM-VMHyb-Windows
+- Enable-DDoS-VNET
+- Enforce-ACSB
+- Enforce-AKS-HTTPS
+- Enforce-ALZ-Decomm
+- Enforce-ALZ-Sandbox
+- Enforce-ASR
+- Enforce-GR-KeyVault
+- Enforce-Sovereign-Conf
+- Enforce-Sovereign-Global
+- Enforce-TLS-SSL
+- Enforce-TLS-SSL-H224
+</details>
+  
+### all role definitions
+  
+<details><summary>5 role definitions</summary>
+
+- Application-Owners
+- Network-Management
+- Network-Subnet-Contributor
+- Security-Operations
+- Subscription-Owner
+</details>
+  
\ No newline at end of file

From e214502d641117a11a10a86c5957ddb2e097ef4f Mon Sep 17 00:00:00 2001
From: Matt White <16320656+matt-FFFFFF@users.noreply.github.com>
Date: Tue, 15 Oct 2024 14:36:10 +0100
Subject: [PATCH 3/5] doc(slz): generate docs again

---
 platform/slz/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/platform/slz/README.md b/platform/slz/README.md
index b218833..d7dd143 100644
--- a/platform/slz/README.md
+++ b/platform/slz/README.md
@@ -76,7 +76,7 @@ flowchart TD
 (landing_zones)"]
   mcfs-landingzones --> mcfs-landingzones-confidential-corp
   mcfs-landingzones-confidential-corp["Confidential Corp
-(corp, confidential)"]
+(confidential, corp)"]
   mcfs-landingzones --> mcfs-landingzones-confidential-online
   mcfs-landingzones-confidential-online["Confidential Online
 (confidential, online)"]

From a555d806b0abf1660ecef597c517dbd5605eb4c5 Mon Sep 17 00:00:00 2001
From: Matt White <16320656+matt-FFFFFF@users.noreply.github.com>
Date: Tue, 15 Oct 2024 14:40:18 +0100
Subject: [PATCH 4/5] ci: update check workflow

---
 .github/workflows/pr-check.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml
index 228c901..da32d4c 100644
--- a/.github/workflows/pr-check.yml
+++ b/.github/workflows/pr-check.yml
@@ -72,7 +72,7 @@ jobs:
           if [ -z "$(git status -suno)" ]; then
             echo "README.md is up to date"
           else
-            echo "README.md is out of date, generate using `alzlibtool document library . >README.md`"
+            echo "README.md is out of date, generate using 'alzlibtool document library . >README.md'"
             git --no-pager diff
             exit 1
           fi

From f4657c148bdc434d40275a90d09d1531069a70ab Mon Sep 17 00:00:00 2001
From: Matt White <16320656+matt-FFFFFF@users.noreply.github.com>
Date: Tue, 15 Oct 2024 14:57:18 +0100
Subject: [PATCH 5/5] chore: alzlib 0.21.7

---
 .github/workflows/pr-check.yml   | 2 +-
 .github/workflows/update-alz.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml
index da32d4c..839f003 100644
--- a/.github/workflows/pr-check.yml
+++ b/.github/workflows/pr-check.yml
@@ -57,7 +57,7 @@ jobs:
           go-version: 'stable'
 
       - name: Install alzlibtool
-        run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.6
+        run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.7
 
       - name: Azure login
         uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
diff --git a/.github/workflows/update-alz.yml b/.github/workflows/update-alz.yml
index 0702daa..ea3b79f 100644
--- a/.github/workflows/update-alz.yml
+++ b/.github/workflows/update-alz.yml
@@ -44,7 +44,7 @@ jobs:
           go-version: 'stable'
 
       - name: install alzlibtool
-        run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.6
+        run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.7
 
       - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
         id: generate-token