Add ai foundry policies, various bug fixes

.azuredevops/templates/template-stage-policy-tests.yml

@@ -62,7 +62,7 @@ stages:
         - template: ./template-task-install-ps-modules.yml
           parameters:
             displayName: "Install AzPolicyTest Module"
-            moduleNames: "AzPolicyTest`@2.8.2"
+            moduleNames: "AzPolicyTest`@3.1.1"
             shouldInstall: ${{ or(eq(parameters.runPolicyJsonPesterTests, true), eq(parameters.runPolicyInitiativePesterTests, true), eq(parameters.runPolicyDefinitionPesterTests, true)) }}
 
         - pwsh: |

.github/ISSUE_TEMPLATE/config.yml

@@ -1,5 +1,5 @@
 blank_issues_enabled: false
 contact_links:
   - name: Documentation
-    url: https://github.com/AzPolicyFactory/AzPolicyFactory/tree/main/docs
+    url: https://github.com/Azure/AzPolicyFactory/tree/main/docs
     about: Check the documentation before opening an issue

.github/actions/templates/test-policy-def/action.yml

@@ -1,5 +1,6 @@
 name: "Policy Definition Pester Tests"
-description: "Runs Pester tests for Azure Policy Definitions, Initiatives, and JSON content using the AzPolicyTest module"
+description: "Runs Pester tests for Azure Policy Definitions, Initiatives, and
+  JSON content using the AzPolicyTest module"
 author: "Tao Yang"
 
 inputs:
@@ -41,7 +42,9 @@ runs:
   using: "composite"
   steps:
     - name: Install AzPolicyTest Module
-      if: inputs.run-policy-json-pester-tests == 'true' || inputs.run-policy-initiative-pester-tests == 'true' || inputs.run-policy-definition-pester-tests == 'true'
+      if: inputs.run-policy-json-pester-tests == 'true' ||
+        inputs.run-policy-initiative-pester-tests == 'true' ||
+        inputs.run-policy-definition-pester-tests == 'true'
       shell: pwsh
       env:
         INPUT_WORKSPACE_DIRECTORY: ${{ github.workspace }}
@@ -50,7 +53,7 @@ runs:
         Write-Output '::group::Install AzPolicyTest Module'
         $scriptPath = "$env:INPUT_WORKSPACE_DIRECTORY/scripts/pipelines/pipeline-install-moduleFromRepo.ps1"
         & $scriptPath `
-          -modules 'AzPolicyTest@2.8.2' `
+          -modules 'AzPolicyTest@3.1.1' `
           -repoName 'PSGallery' `
           -maxRetry 3 `
           -allowPrerelease 'false'

.github/workflows/policy-initiatives.yml

@@ -1,7 +1,8 @@
 name: policy-initiatives
 
 on:
-  workflow_dispatch: # allows a manual run from the UI
+  workflow_dispatch:
+    # allows a manual run from the UI
     inputs:
       debug:
         description: "Enable debug logging"
@@ -28,7 +29,9 @@ jobs:
   job_call_initiation:
     name: Initiation
     runs-on: ubuntu-latest
-    if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
+    if:
+      ${{ github.event.workflow_run.conclusion == 'success' || github.event_name
+      == 'workflow_dispatch' }}
     steps:
       - name: "Checkout"
         uses: actions/checkout@v6
@@ -79,7 +82,7 @@ jobs:
           definition-file-path: "${{env.definitionFileDirectory}}"
           template-file-directory: "${{env.templateFileDirectory}}"
           bicep-file-path: "${{env.templateFileDirectory}}/${{env.templateFileName}}"
-          bicep-variable-name: "policyInitiatives"
+          bicep-variable-name: "policySetDefinitions"
           build-artifact-name: "policy_set_bicep_dev"
 
   job_build_prod:
@@ -100,7 +103,7 @@ jobs:
           definition-file-path: "${{env.definitionFileDirectory}}"
           template-file-directory: "${{env.templateFileDirectory}}"
           bicep-file-path: "${{env.templateFileDirectory}}/${{env.templateFileName}}"
-          bicep-variable-name: "policyInitiatives"
+          bicep-variable-name: "policySetDefinitions"
           build-artifact-name: "policy_set_bicep_prod"
 
   job_test_dev:

.gitignore

@@ -418,4 +418,6 @@ FodyWeavers.xsd
 *.msp
 
 #Mac
-.DS_Store
+.DS_Store
+.github/workflows/package.json
+.github/workflows/package-lock.json

.vscode/settings.json

@@ -54,5 +54,6 @@
     "unauthorized",
     "vnet",
     "whatif"
-  ]
+  ],
+  "sarif-viewer.connectToGithubCodeScanning": "off"
 }

bicep/modules/authorization/policy-assignment/management-group/main.bicep

@@ -32,7 +32,7 @@ var identityVar = policyAssignment.?identity == 'SystemAssigned'
         }
       : null
 
-resource assignment 'Microsoft.Authorization/policyAssignments@2025-03-01' = {
+resource assignment 'Microsoft.Authorization/policyAssignments@2025-12-01-preview' = {
   name: policyAssignment.name
   location: location
   properties: {

bicep/modules/authorization/policy-assignment/management-group/version.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "pathFilters": [
     "./main.json"
   ]

bicep/modules/authorization/policy-assignment/resource-group/main.bicep

@@ -35,7 +35,7 @@ var identityVar = policyAssignment.?identity == 'SystemAssigned'
         }
       : null
 
-resource assignment 'Microsoft.Authorization/policyAssignments@2025-03-01' = {
+resource assignment 'Microsoft.Authorization/policyAssignments@2025-12-01-preview' = {
   name: policyAssignment.name
   location: location
   properties: {

bicep/modules/authorization/policy-assignment/resource-group/version.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "pathFilters": [
     "./main.json"
   ]

bicep/modules/authorization/policy-assignment/subscription/main.bicep

@@ -31,7 +31,7 @@ var identityVar = policyAssignment.?identity == 'SystemAssigned'
         }
       : null
 
-resource assignment 'Microsoft.Authorization/policyAssignments@2025-03-01' = {
+resource assignment 'Microsoft.Authorization/policyAssignments@2025-12-01-preview' = {
   name: policyAssignment.name
   location: location
   properties: {

bicep/modules/authorization/policy-assignment/subscription/version.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "pathFilters": [
     "./main.json"
   ]

bicep/modules/authorization/policy-assignment/version.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "pathFilters": [
     "./main.json"
   ]

bicep/modules/authorization/policy-definition/management-group/main.bicep

@@ -16,7 +16,7 @@ var additionalMetadata = {
 }
 
 @batchSize(15)
-resource policies 'Microsoft.Authorization/policyDefinitions@2025-03-01' = [
+resource policies 'Microsoft.Authorization/policyDefinitions@2025-12-01-preview' = [
   for policyDefinition in policyDefinitions: {
     name: policyDefinition.name
     properties: {

bicep/modules/authorization/policy-definition/management-group/version.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "pathFilters": [
     "./main.json"
   ]

bicep/modules/authorization/policy-definition/subscription/main.bicep

@@ -17,7 +17,7 @@ var additionalMetadata = {
 }
 
 @batchSize(15)
-resource policies 'Microsoft.Authorization/policyDefinitions@2025-03-01' = [
+resource policies 'Microsoft.Authorization/policyDefinitions@2025-12-01-preview' = [
   for policyDefinition in policyDefinitions: {
     name: policyDefinition.name
     properties: {

bicep/modules/authorization/policy-definition/subscription/version.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "pathFilters": [
     "./main.json"
   ]

bicep/modules/authorization/policy-definition/version.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "pathFilters": [
     "./main.json"
   ]

bicep/modules/authorization/policy-exemption/management-group/main.bicep

@@ -13,7 +13,7 @@ var additionalMetadata = union(policyExemption.?metadata ?? {}, {
   hidden_vml_version: loadJsonContent('./version.json').version
 })
 
-resource exemption 'Microsoft.Authorization/policyExemptions@2024-12-01-preview' = {
+resource exemption 'Microsoft.Authorization/policyExemptions@2025-12-01-preview' = {
   name: policyExemption.name
   properties: {
     displayName: policyExemption.?displayName

bicep/modules/authorization/policy-exemption/management-group/version.json

@@ -1,6 +1,6 @@
 {
     "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-    "version": "0.1",
+    "version": "3.1.0",
     "pathFilters": [
         "./main.json"
     ]

bicep/modules/authorization/policy-exemption/resource-group/main.bicep

@@ -13,7 +13,7 @@ var additionalMetadata = union(policyExemption.?metadata ?? {}, {
   hidden_vml_version: loadJsonContent('./version.json').version
 })
 
-resource exemption 'Microsoft.Authorization/policyExemptions@2024-12-01-preview' = {
+resource exemption 'Microsoft.Authorization/policyExemptions@2025-12-01-preview' = {
   name: policyExemption.name
   properties: {
     displayName: policyExemption.?displayName

bicep/modules/authorization/policy-exemption/resource-group/version.json

@@ -1,6 +1,6 @@
 {
     "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-    "version": "0.1",
+    "version": "3.1.0",
     "pathFilters": [
         "./main.json"
     ]

bicep/modules/authorization/policy-exemption/subscription/main.bicep

@@ -13,7 +13,7 @@ var additionalMetadata = union(policyExemption.?metadata ?? {}, {
   hidden_vml_version: loadJsonContent('./version.json').version
 })
 
-resource exemption 'Microsoft.Authorization/policyExemptions@2024-12-01-preview' = {
+resource exemption 'Microsoft.Authorization/policyExemptions@2025-12-01-preview' = {
   name: policyExemption.name
   properties: {
     displayName: policyExemption.?displayName

bicep/modules/authorization/policy-exemption/subscription/version.json

@@ -1,6 +1,6 @@
 {
     "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-    "version": "0.1",
+    "version": "3.1.0",
     "pathFilters": [
         "./main.json"
     ]

bicep/modules/authorization/policy-exemption/version.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-  "version": "1.0.0",
+  "version": "3.1.0",
   "pathFilters": [
     "./main.json"
   ]

bicep/modules/authorization/policy-set-definition/management-group/main.bicep

@@ -16,7 +16,7 @@ var additionalMetadata = {
 }
 
 @batchSize(15)
-resource policySets 'Microsoft.Authorization/policySetDefinitions@2025-03-01' = [
+resource policySets 'Microsoft.Authorization/policySetDefinitions@2025-12-01-preview' = [
   for policySetDefinition in policySetDefinitions: {
     name: policySetDefinition.name
     properties: {

bicep/modules/authorization/policy-set-definition/management-group/version.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "pathFilters": [
     "./main.json"
   ]

bicep/modules/authorization/policy-set-definition/subscription/main.bicep

@@ -16,7 +16,7 @@ var additionalMetadata = {
 }
 
 @batchSize(15)
-resource policySets 'Microsoft.Authorization/policySetDefinitions@2025-03-01' = [
+resource policySets 'Microsoft.Authorization/policySetDefinitions@2025-12-01-preview' = [
   for policySetDefinition in policySetDefinitions: {
     name: policySetDefinition.name
     properties: {

bicep/modules/authorization/policy-set-definition/subscription/version.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "pathFilters": [
     "./main.json"
   ]

bicep/modules/authorization/policy-set-definition/version.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "pathFilters": [
     "./main.json"
   ]

bicep/templates/policyInitiatives/main.bicep

@@ -27,6 +27,7 @@ var mappedPolicySetDefinitions = map(range(0, length(policySetDefinitions)), i =
         '{policyLocationResourceId}',
         managementGroupId
       )
+      definitionVersion: policySetDefinitions[i].properties.policyDefinitions[c].?definitionVersion
       parameters: policySetDefinitions[i].properties.policyDefinitions[c].?parameters
       groupNames: policySetDefinitions[i].properties.policyDefinitions[c].?groupNames
     })

policyAssignments/dev/pa-d-cog-service.json

@@ -0,0 +1,61 @@
+{
+  "$schema": "../policyAssignment.schema.json",
+  "policyAssignment": {
+    "name": "pa-d-cog-service",
+    "displayName": "Azure Cognitive Services Policies Dev",
+    "description": "Policy Assignment for Azure Cognitive Services - Dev",
+    "metadata": {
+      "category": "Azure Cognitive Services"
+    },
+    "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policySetDefinitions/polset-cognitive-service",
+    "identity": "SystemAssigned",
+    "parameters": {
+      "COG-001_Effect": {
+        "value": "Modify"
+      },
+      "COG-002_Effect": {
+        "value": "Deny"
+      },
+      "COG-003_Effect": {
+        "value": "Deny"
+      },
+      "COG-004_Effect": {
+        "value": "Audit"
+      },
+      "COG-005_Effect": {
+        "value": "Deny"
+      },
+      "COG-005_listOfAllowedFormats": {
+        "value": [
+          "xAI",
+          "OpenAI"
+        ]
+      },
+      "COG-006_Effect": {
+        "value": "Deny"
+      },
+      "COG-006_listOfAllowedNames": {
+        "value": [
+          "gpt-4.1",
+          "gpt-5.4",
+          "gpt-5.3-codex"
+        ]
+      },
+      "COG-007_Effect": {
+        "value": "Deny"
+      },
+      "COG-007_listOfAllowedNames": {
+        "value": [
+          "grok-4",
+          "grok-4-1-fast-reasoning"
+        ]
+      }
+    },
+    "nonComplianceMessages": [],
+    "roleDefinitionIds": [
+      "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+    ]
+  },
+  "definitionSourceManagementGroupId": "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV",
+  "managementGroupId": "CONTOSO-DEV"
+}