From e641d0630b8456532501f45dfeb68c458caeee46 Mon Sep 17 00:00:00 2001
From: Brunoga-MS
Date: Tue, 15 Oct 2024 18:50:59 +0200
Subject: [PATCH] Updating script and documentation
---
 .../Bring-your-own-Notifications.md | 8 +++-
 .../patterns/alz/deploy/Remediate-Policies.md | 40 ++++++++++++-------
 .../scripts/Start-AMBA-ALZ-Remediation.ps1 | 10 +++++
 3 files changed, 42 insertions(+), 16 deletions(-)
diff --git a/docs/content/patterns/alz/Available_features/Bring-your-own-Notifications.md b/docs/content/patterns/alz/Available_features/Bring-your-own-Notifications.md
index 426dc5b78..be9cef918 100644
--- a/docs/content/patterns/alz/Available_features/Bring-your-own-Notifications.md
+++ b/docs/content/patterns/alz/Available_features/Bring-your-own-Notifications.md
@@ -60,6 +60,12 @@ Should customers decide to switch, it will be enough to:
 - change the values in the parameter file to match one of the three cases previously discussed
 - redeploy the ALZ pattern
 - run the remediation for both [Notification Assets](https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/main/patterns/alz/policySetDefinitions/Deploy-Notification-Assets.json) and [Alerting-ServiceHealth](https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/main/patterns/alz/policySetDefinitions/Deploy-ServiceHealth-Alerts.json) policy initiatives
-- remove notification assets deployed by ALZ patterns using the [**Remove-AMBANotificationAssets.ps1**](https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/main/patterns/alz/scripts/Remove-AMBANotificationAssets.ps1) script (_*** only if moving from ALZ notification assets to BYON_)
+- remove notification assets deployed by ALZ patterns using the [**Start-AMBA-ALZ-Maintenance.ps1**](https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/refs/heads/main/patterns/alz/scripts/Start-AMBA-ALZ-Maintenance.ps1) script (_*** only if moving from ALZ notification assets to BYON_). To Remove the notification assets, run the command passing the _**NotificationAssets**_ value to the _**-cleanItems**_ parameter:
+
+ ```powershell
+ ./Start-AMBA-ALZ-Maintenance.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -cleanItems NotificationAssets
+ ```
+
+ Documentation about the ***Start-AMBA-ALZ-Maintenance.ps1*** script can be found at [Cleaning up a Deployment](../../Cleaning-up-a-Deployment)
 
 The code will reconfigure the Service Health alerts to use either the customer's action groups to the ALZ pattern notification assets according to the selected case.
diff --git a/docs/content/patterns/alz/deploy/Remediate-Policies.md b/docs/content/patterns/alz/deploy/Remediate-Policies.md
index 62f0bbd92..ee9f3a4dc 100644
--- a/docs/content/patterns/alz/deploy/Remediate-Policies.md
+++ b/docs/content/patterns/alz/deploy/Remediate-Policies.md
@@ -14,6 +14,16 @@ This script requires PowerShell 7.0 or higher and the following PowerShell modul
 
 {{< /hint >}}
 
+{{< hint type=Important >}}
+The Azure Landing Zones pattern is _**not**_ officially supported on sovereign clouds like "Azure US Government" or "Azure China". However, this script has been update to work with these 2 environments. You need to specify the Azure environment you use as a parameter for the script.
+Allowed parameter values are:
+
+- AzureCloud
+- AzureUSGovernment
+- AzureChinaCloud
+
+{{< /hint >}}
+
 To use the script, do the following:
 
 - Sign in Azure PowerShell with an account with at least Resource Policy Contributor permissions at the pseudo-root management group level
@@ -32,7 +42,7 @@ To use the script, do the following:
 
 ```powershell
 #Run the following commands to initiate remediation
- .\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $managementManagementGroup -policyName Alerting-Management
+ .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $managementManagementGroup -policyName Alerting-Management
 ```
 
 - The script will return the output from the REST API calls, which should be a status code 201. If the script fails, check the error message and ensure that the management group name and policy name are correct.
@@ -51,24 +61,24 @@ $LZManagementGroup="The management group id for Landing Zones"
 
 ```powershell
 #Run the following commands to initiate remediation
-.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $pseudoRootManagementGroup -policyName Notification-Assets
-.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $pseudoRootManagementGroup -policyName Alerting-ServiceHealth
-.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $connectivityManagementGroup -policyName Alerting-Connectivity
-.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $identityManagementGroup -policyName Alerting-Identity
-.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $managementManagementGroup -policyName Alerting-Management
-.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-KeyManagement
-.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-LoadBalancing
-.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-NetworkChanges
-.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-RecoveryServices
-.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-HybridVM
-.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-Storage
-.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-VM
-.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-Web
+.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $pseudoRootManagementGroup -policyName Notification-Assets
+.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $pseudoRootManagementGroup -policyName Alerting-ServiceHealth
+.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $connectivityManagementGroup -policyName Alerting-Connectivity
+.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $identityManagementGroup -policyName Alerting-Identity
+.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $managementManagementGroup -policyName Alerting-Management
+.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-KeyManagement
+.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-LoadBalancing
+.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-NetworkChanges
+.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-RecoveryServices
+.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-HybridVM
+.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-Storage
+.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-VM
+.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-Web
 ```
 
 Should you need to remediate just one policy definition and not the entire policy initiative, you can run the remediation script targeted at the policy reference id that can be found under [Policy Initiatives](../../Policy-Initiatives). For example, to remediate the **_Deploy AMBA Notification Assets_** policy, run the following command:
 
 ```powershell
 #Run the following command to initiate remediation of a single policy definition
-.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $pseudoRootManagementGroup -policyName ALZ_AlertProcessing_Rule
+.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $pseudoRootManagementGroup -policyName ALZ_AlertProcessing_Rule
 ```
diff --git a/patterns/alz/scripts/Start-AMBA-ALZ-Remediation.ps1 b/patterns/alz/scripts/Start-AMBA-ALZ-Remediation.ps1
index a8605b1dc..3385c2968 100644
--- a/patterns/alz/scripts/Start-AMBA-ALZ-Remediation.ps1
+++ b/patterns/alz/scripts/Start-AMBA-ALZ-Remediation.ps1
@@ -46,6 +46,7 @@
 .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-KeyManagement
 .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-LoadBalancing
 .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-NetworkChanges
+ .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-RecoveryServices
 .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-HybridVM
 .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-Storage
 .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-VM
@@ -210,6 +211,15 @@ function Enumerate-Policy {
 #endregion
 
 #Main script
+
+# Checking for required module presence
+If (-NOT(Get-Module -ListAvailable Az.Resources)) {
+ Write-Warning "This script requires the Az.Resources module."
+
+ $response = Read-Host "Would you like to install the 'Az.Resources' module now? (y/n)"
+ If ($response -match '[yY]') { Install-Module Az.Resources -Scope CurrentUser }
+}
+
 switch ($azureEnvironment) {
 "AzureCloud" {
 $azureEnvironmentURI = "management.azure.com"
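Review bot: When the user declines the prompt in the new module check under `#Main script`, nothing stops the script, so it falls through into `switch ($azureEnvironment)` and the later Az cmdlet calls, which then fail with a less obvious error. `Install-Module` errors are non-terminating by default, so a failed install falls through the same way, and the call names no repository, so the module is resolved against every registered repository rather than a pinned one. The `'[yY]'` pattern also accepts any answer that merely contains a y (for example "maybe"), so it should be anchored. A `#Requires -Modules Az.Resources` line at the top of the file would additionally make unattended runs fail fast instead of blocking on `Read-Host`. The `switch` statement that starts at the end of the hunk continues outside it.

```powershell
# Checking for required module presence
If (-NOT(Get-Module -ListAvailable Az.Resources)) {
    Write-Warning "This script requires the Az.Resources module."

    $response = Read-Host "Would you like to install the 'Az.Resources' module now? (y/n)"
    If ($response -match '^[yY]') {
        # Pin the source repository and make an install failure terminate the script
        Install-Module Az.Resources -Scope CurrentUser -Repository PSGallery -ErrorAction Stop
    }
    else {
        throw "The Az.Resources module is required; aborting."
    }
}
# … unchanged: switch ($azureEnvironment) …
```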