Download and Install Missing Referenced Policies from Azure Landing Zone Repository

As described in the Post Deploy PolicySets from Azure Landing Zone Repository, PolicySets (Initiatives) can be installed directly from the Azure Landing Zone Repositiory. However, if these references other policies, they must already be installed beforehand. The following script is used to carry out this check and install the missing policies from the Azure Landing Zone repo.

The Get-MissingPoliciesOfPolicySet.ps1 script downloads the initiative in lines 10 and 11 (it is passed as a parameter) and determines the referenced policies in line 12. In addition, the path of the policy definitions is cleaned up in line 12.
In line 16, the script Get-AzGraphResult.ps1 is used to determine all installed policies and policy sets. It is using the KQL policyresources | where type == "microsoft.authorization/policydefinitions" or type == "microsoft.authorization/policysetdefinitions". Only the IDs of the installed policies/policy sets are required. ⚠️ Keep in mind, that the script requires the installation of the Az.ResourceGraph module.
In line 20, the comparison is made based on the IDs as to which policies are still missing. If all policies are available, the script is terminated (line 23).
Afterwards, the missing policies are downloaded. All URLs of the landing zone repo that contain policy definitions are first determined in lines 27 to 29. They are then downloaded in lines 31 to 41 and if the policy is missing (line 36), it is installed (line 38).

[CmdletBinding()]
param (
  [parameter(Mandatory = $true)]
  [ValidateNotNullOrEmpty()]
  [String]
  $PolicySetJsonUrl
)

Write-Host "Getting PolicySet..."
$set = Invoke-WebRequest $PolicySetJsonUrl
$jsonset = $set.Content | ConvertFrom-Json -Depth 20
$neededPolicies = $jsonset.properties.policyDefinitions.policyDefinitionId.Replace('${root_scope_resource_id}', '')
Write-Host "Found $($neededPolicies.Count) Policies in PolicySet"

Write-Host -NoNewline "Determine installed Policies in Tenant and Subscriptions..."
$installedPolicies = ./Get-AzGraphResult.ps1 -Query 'policyresources | where type == "microsoft.authorization/policydefinitions" or type == "microsoft.authorization/policysetdefinitions"'
$installedPolicies = $installedPolicies.id
Write-Host "$($installedPolicies.Count)"

$missingPolicies = $neededPolicies | ?{-not ($installedPolicies -match $_)}
Write-Host "Found $($missingPolicies.Count) not installed Policies that are needed in PolicySet"
if($missingPolicies.Count -eq 0){
  exit
}

Write-Host "Downloading missing Policies from GitHub..."
$gitresp = Invoke-WebRequest https://api.github.com/repos/Azure/terraform-azurerm-caf-enterprise-scale/git/trees/main?recursive=1
$gitfiles = ($gitresp.Content | ConvertFrom-Json -Depth 20).tree
$gitpolicies = $gitfiles | ? {$_.path.contains("/lib/policy_definitions/")}
$gitpolicies | % {
  $url = $_.path
  $resp = Invoke-WebRequest "https://raw.githubusercontent.com/Azure/terraform-azurerm-caf-enterprise-scale/main/$url"
  $plcy = $resp.Content
  $plcyObj = $plcy | ConvertFrom-Json -Depth 20
  Write-Host "$($plcyObj.Name)..." -ForegroundColor Gray -NoNewline
  if($missingPolicies -match $plcyObj.Name){
    Write-Host -ForegroundColor Green "INSTALLING"
    $plcyDef = New-AzPolicyDefinition -Name ($plcy | ConvertFrom-Json).Name -Policy $plcy
  }else{
    Write-Host -ForegroundColor Yellow "SKIP"
  }
}

Below you can see an example run with corresponding output:

.\Get-MissingPoliciesOfPolicySet.ps1 -PolicySetJsonUrl https://raw.githubusercontent.com/Azure/terraform-azurerm-caf-enterprise-scale/main/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.tmpl.json
Getting PolicySet...
Found 70 Policies in PolicySet
Determine installed Policies in Tenant and Subscriptions...3158
Found 53 not installed Policies that are needed in PolicySet
Downloading missing Policies from GitHub...
Append-AppService-httpsonly...SKIP
Append-AppService-latestTLS...SKIP
Append-KV-SoftDelete...SKIP
...
Deploy-DDoSProtection...SKIP                                                                                            
Deploy-Diagnostics-AA...INSTALLING                                                                                            
Deploy-Diagnostics-ACI...INSTALLING                                                                                     
Deploy-Diagnostics-ACR...INSTALLING                                                                                     
Deploy-Diagnostics-AnalysisService...INSTALLING
...
Deploy-Diagnostics-WVDHostPools...INSTALLING
Deploy-Diagnostics-WVDWorkspace...INSTALLING                                                                            
Deploy-FirewallPolicy...SKIP                                                                                            
...
Deploy-Windows-DomainJoin...SKIP   

If the script is run a second time, all missing policies should already be installed and it should exit immediately. The original PolicySet can then be installed.