update az monitor assignment and storage account definitions (#8)

* Add microsoft.com to allowed email domains for Azure Monitor policies

* Remove application tag restrictions from storage account policies

* Remove deprecated pipeline template deployment script from integration test config

* Enhance verbose logging in policy integration test case retrieval

Author: taoyangcloud

policyAssignments/dev/pa-d-monitor.json

@@ -14,7 +14,8 @@
       },
       "MON-001_allowedEmailDomains": {
         "value": [
-          "contoso.com"
+          "contoso.com",
+          "microsoft.com"
         ]
       },
       "MON-002_Effect": {

policyAssignments/prod/pa-p-monitor.json

@@ -14,7 +14,8 @@
       },
       "MON-001_allowedEmailDomains": {
         "value": [
-          "contoso.com"
+          "contoso.com",
+          "microsoft.com"
         ]
       },
       "MON-002_Effect": {

policyDefinitions/storage-account/pol-deny-storage-account-public-endpoint.json

@@ -32,18 +32,6 @@
             "field": "type",
             "equals": "Microsoft.Storage/storageAccounts"
           },
-          {
-            "not": {
-              "field": "tags[application]",
-              "equals": "databricks"
-            }
-          },
-          {
-            "not": {
-              "field": "tags[application]",
-              "equals": "purview"
-            }
-          },
           {
             "anyOf": [
               {

policyDefinitions/storage-account/pol-deny-storage-account-restrict-virtual-network-rules.json

@@ -33,18 +33,6 @@
             "field": "type",
             "equals": "Microsoft.Storage/storageAccounts"
           },
-          {
-            "not": {
-              "field": "tags[application]",
-              "equals": "databricks"
-            }
-          },
-          {
-            "not": {
-              "field": "tags[application]",
-              "equals": "purview"
-            }
-          },
           {
             "anyOf": [
               {

policyDefinitions/storage-account/pol-deny-storage-accounts-should-restrict-network-access.json

@@ -33,18 +33,6 @@
             "field": "type",
             "equals": "Microsoft.Storage/storageAccounts"
           },
-          {
-            "not": {
-              "field": "tags[application]",
-              "equals": "databricks"
-            }
-          },
-          {
-            "not": {
-              "field": "tags[application]",
-              "equals": "purview"
-            }
-          },
           {
             "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
             "notEquals": "Deny"

policyDefinitions/storage-account/pol-deploy-storage-account-blob-soft-delete.json

@@ -55,18 +55,6 @@
             "field": "type",
             "equals": "Microsoft.Storage/storageAccounts"
           },
-          {
-            "not": {
-              "field": "tags[application]",
-              "equals": "databricks"
-            }
-          },
-          {
-            "not": {
-              "field": "tags[application]",
-              "equals": "purview"
-            }
-          },
           {
             "field": "kind",
             "in": [

scripts/pipelines/policy-integration-tests/pipeline-map-policy-integration-test-cases.ps1

@@ -159,9 +159,11 @@ function getTestCasesFromAssignment {
     [string]$policyIntegrationTestsPath
   )
   $testsInScope = @()
-  $testCases = Get-ChildItem -path $policyIntegrationTestsPath -Depth 1 -Directory
+  Write-Verbose "  - Looking for test cases that are impacted by the policy assignment '$assignmentName' from '$policyIntegrationTestsPath'." -Verbose
+  $testCases = Get-ChildItem -path $policyIntegrationTestsPath -Depth 0 -Directory
 
   foreach ($testCase in $testCases) {
+    Write-Verbose "   - Checking test case '$($testCase.Name)' for assignment '$assignmentName'..." -Verbose
     $testConfigFile = join-Path -Path $testCase.FullName -ChildPath 'config.json' -Resolve
     $testConfig = Get-Content -Path $testConfigFile -Raw | ConvertFrom-Json -Depth 99
     $policyAssignmentIds = $testConfig.policyAssignmentIds
@@ -523,7 +525,6 @@ Foreach ($file in $modifiedFiles) {
     Write-Verbose "  - File '$file' is not in the global test paths. Will Check if individual tests need to be executed." -Verbose
     $getRequiredTestCasesParams = @{
       changeFilePath                                             = $file
-      policyIntegrationTestsPath                                 = $policyIntegrationTestsPath
       policyInitiativesPath                                      = $policyInitiativesPath
       policyAssignmentsPath                                      = $policyAssignmentsPath
       gitRoot                                                    = $gitRoot

tests/policy-integration-tests/.shared/policy_integration_test_config.jsonc

@@ -119,7 +119,6 @@
       "scripts/pipelines/pipeline-get-deployment-target-from-parameter-file.ps1",
       "scripts/pipelines/pipeline-get-parameter-files.ps1",
       "scripts/pipelines/pipeline-install-moduleFromRepo.ps1",
-      "scripts/pipelines/pipeline-template-deployment.ps1",
       "scripts/pipelines/pipeline-template-deployment-rest.ps1",
       "scripts/pipelines/pipeline-template-validation.ps1",
       "scripts/pipelines/pipeline-set-policy-resource-bicep-template-file.ps1",