tier3 deploy policy Azure#727

Tier 3 does not deploy policy.

Note: The Scope is dependent on issue Azure#724 as it will reference the the resource group in the tier3 subscription

src/bicep/add-ons/tier3/tier3.bicep

@@ -42,6 +42,11 @@ param hubVirtualNetworkResourceId string = mlzDeploymentVariables.hub.Value.virt
 param logAnalyticsWorkspaceResourceId string = mlzDeploymentVariables.logAnalyticsWorkspaceResourceId.Value
 param logAnalyticsWorkspaceName string = mlzDeploymentVariables.logAnalyticsWorkspaceName.Value
 param firewallPrivateIPAddress string = mlzDeploymentVariables.firewallPrivateIPAddress.Value
+@description('[NIST/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NIST". IL5 is only available for AzureUsGovernment and will switch to NIST if tried in AzureCloud.')
+param policy string = mlzDeploymentVariables.policyName.Value
+@description('When set to "true", deploys the Azure Policy set defined at by the parameter "policy" to the resource groups generated in the deployment. It defaults to "false".')
+param deployPolicy bool = mlzDeploymentVariables.deployPolicy.Value
+
 
 @description('The address prefix for the network spoke vnet.')
 param virtualNetworkAddressPrefix string = '10.0.125.0/26'
@@ -79,7 +84,10 @@ param subnetServiceEndpoints array = []
 param logStorageSkuName string = 'Standard_GRS'
 
 @description('A string dictionary of tags to add to deployed resources. See https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json#arm-templates for valid settings.')
-param tags object = {}
+param tags object = {} 
+
+@description('A suffix to use for naming deployments uniquely. It defaults to the Bicep resolution of the "utcNow()" function.')
+param deploymentNameSuffix string = utcNow()
 
 /*
 
@@ -190,6 +198,20 @@ module workloadSubscriptionActivityLogging '../../modules/central-logging.bicep'
   ]
 }
 
+var logAnalyticsWorkspaceResourceId_split = split(logAnalyticsWorkspaceResourceId, '/')
+
+module workloadPolicyAssignment '../../modules/policy-assignment.bicep' = if (deployPolicy) {
+  name: 'assign-policy-${workloadName}-${deploymentNameSuffix}'
+  scope:  az.resourceGroup(workloadSubscriptionId, resourceGroup.name)
+  params: {
+    builtInAssignment: policy
+    logAnalyticsWorkspaceName: logAnalyticsWorkspaceResourceId_split[8]
+    logAnalyticsWorkspaceResourceGroupName: logAnalyticsWorkspaceResourceId_split[4]
+    location: location
+    operationsSubscriptionId: logAnalyticsWorkspaceResourceId_split[2]
+  }
+}
+
 output resourceGroupName string = resourceGroup.outputs.name
 output location string = resourceGroup.outputs.location
 output tags object = resourceGroup.outputs.tags

src/bicep/mlz.bicep

@@ -1054,6 +1054,10 @@ output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.outputs.id
 
 output diagnosticStorageAccountName string = operationsLogStorageAccountName
 
+output policyName string = policy
+
+output deployPolicy bool = deployPolicy
+
 output spokes array = [for (spoke, i) in spokes: {
   name: spoke.name
   subscriptionId: spoke.subscriptionId