Mooncake deployment #802

Merged
merged 10 commits into from
Sep 21, 2021

@faister faister commented Sep 14, 2021

Overview/Summary

This PR fixes the below-mentioned issues around deploying ESLZ ARM templates targeting Azure China regions aka Mooncake (Issue #438).
However this PR does not yet fix deploying the Azure Landing Zone accelerator from the Azure China portal due to the following reason:

  • The ARM templates (eslzArm.json and eslz-portal.json) are hosted in https://raw.githubusercontent.com. Unfortunately this URL cannot be resolved in China. Having a separate thread to ask for official recommendation/guidance from GitHub.

This PR fixes/adds/changes/removes

  1. Added new ARM templates for deployment in Mooncake due to the difference outlined below.
  2. Removed policy definition 'Deploy-Budget' because resource provider 'Microsoft.Consumption' is not available in Mooncake.
  3. Added custom policies for the following policy definitions because these policies are not available as built-in in Mooncake.
  4. Separately having another internal thread raising this with the respective service teams because they determine whether to ship their policies in a particular cloud.
  • Deploy-MySQLCMKEffect
  • Deploy-PostgreSQLCMKEffect
  • Deny-KeyVaultPaasPublicIP
  • Deny-AFSPaasPublicIP
  • Deploy-Private-DNS-Azure-File-Sync
  • Deploy-Private-DNS-Azure-Web
  • Deploy-Private-DNS-Azure-KeyVault
  • Deploy-ActivityLogs-to-LA-workspace
  5. Removed the following policy definitions because the services are not available in Mooncake
  • HealthcareAPIsCMKEffect - Healthcare API not available in Mooncake
  • Deny-PostgreSQLFlexPublicIP - Flexible server not available in Mooncake
  • Deny-MySQLFlexPublicIP - Flexible server not available in Mooncake
  6. Added "DINE-VMBackupPolicyAssignment-mooncake.json" for policy assignment in landingzone management group. The issue described below was only encountered when deploying in Mooncake, not in Azure global regions. Fix - removed "identity" within the concat of roleAssignmentNames meant for principalId.
  • New-AzManagementGroupDeployment: 4:46:00 PM - The deployment 'McEslz-vm-lz-backup' failed with error(s). Showing 1 out of 1 error(s).
    Status Message: Tenant ID, application ID, principal ID, and scope are not allowed to be updated. (Code:RoleAssignmentUpdateNotPermitted)
    CorrelationId: 8e622673-6286-407f-85b3-b70aa1bead12
  7. Added a new section for DIY instructions for deploying in Mooncake in https://github.com/Azure/Enterprise-Scale/tree/main/eslzArm#readme. This is due to having separate ARM templates for Mooncake to put the fixes described in item 1 - 6.

Breaking Changes

  1. N/A

Testing Evidence

DIY instructions in deploying all ESLZ ARM templates were all successful. See attached screen shots.
[Screenshots: toplevelmg-deployment, platformmg-deployment, lzmg-deployment]

As part of this Pull Request I have

  • Checked for duplicate Pull Requests
  • Associated it with relevant issues, for tracking and closure.
  • Ensured my code/branch is up-to-date with the latest changes in the main branch
  • Performed testing and provided evidence.
  • Updated relevant and associated documentation.
  • Updated the "What's New?" wiki page (located: /docs/wiki/whats-new.md)

@faister faister requested review from a team as code owners September 14, 2021 00:45

krnese commented Sep 14, 2021

Thanks for submitting this PR, and validating.

There's ongoing validation work happening for ESLZ in mooncake, and we have a lighter implementation detail that will avoid duplicating/adding/removing any of the policy files that you have currently edited, by determining the environment endpoints during runtime using [environment()]. We would like to hold this for now until further validation is done, and then implement this function to avoid additional files to manage and maintain as part of ESLZ.

@krnese krnese added the "do not merge", "engineering" (engineering work) and "enhancement" (New feature or request) labels Sep 14, 2021
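
One way the runtime check described in the comment above could look, as an added example that is not code from this PR or from the ESLZ repository: a management-group-scope ARM template that reads `environment().name` and skips a policy definition when deployed to Azure China. The policy name `Example-Audit-Budgets` and its rule are constructed for illustration.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "description": "Added illustration, not ESLZ code. Policy name and rule are constructed for the example."
  },
  "variables": {
    "isMooncake": "[equals(environment().name, 'AzureChinaCloud')]"
  },
  "resources": [
    {
      "condition": "[not(variables('isMooncake'))]",
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2021-06-01",
      "name": "Example-Audit-Budgets",
      "properties": {
        "policyType": "Custom",
        "mode": "All",
        "displayName": "Example: audit budgets (skipped where Microsoft.Consumption is unavailable)",
        "policyRule": {
          "if": {
            "field": "type",
            "equals": "Microsoft.Consumption/budgets"
          },
          "then": {
            "effect": "audit"
          }
        }
      }
    }
  ],
  "outputs": {
    "cloudName": {
      "type": "string",
      "value": "[environment().name]"
    },
    "budgetPolicyDeployed": {
      "type": "bool",
      "value": "[not(variables('isMooncake'))]"
    },
    "resourceManagerEndpoint": {
      "type": "string",
      "value": "[environment().resourceManager]"
    }
  }
}
```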

faister commented Sep 16, 2021

@krnese please review latest commit. Thank you for your feedback. I have incorporated this into a lighter implementation for mooncake deployment. Just 3 separate policy definition files to address disparity in mooncake, and a separate readme file for DIY instructions in eslzArm referenced in the original README.md. Used prefix "mc" for mooncake for the policy definition json files.

@krnese krnese self-assigned this Sep 16, 2021
@krnese krnese merged commit ef50dc3 into Azure:main Sep 21, 2021