
BuiltIn Policy for App Service should enable vnet routing fails for newer api-version #1521

@picccard

Description


First reported in Azure/Enterprise-Scale#2050.

Built-in Policy Definition 801543d1-1953-4a90-b8b0-8cf6d41473a5 (Deny-AppService-Vnet-Routing) fails when using a newer api-version to build App Services.

The policy alias Microsoft.Web/sites/vnetContentShareEnabled maps to resource properties.vnetContentShareEnabled, but this property is not included in the api-version Microsoft.Web/sites@2024-11-01. The property is now properties.outboundVnetRouting.contentShareTraffic and it is mapped to the policy alias Microsoft.Web/sites/outboundVnetRouting.contentShareTraffic. All policy aliases.

https://github.com/Azure/Enterprise-Scale/blob/a64a6cb7066e267e6a7294164486f6c1f3927b43/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json#L218-L228

Steps to reproduce

```bicep
// App Service plan (Linux) via the AVM serverfarm module.
// `rg` is assumed to be a resource-group symbol declared elsewhere in the deployment.
module appServicePlan 'br/public:avm/res/web/serverfarm:0.5.0' = {
  scope: rg
  params: {
    name: 'example-asp'
    skuName: 'S1'
    skuCapacity: 1
    zoneRedundant: false
    kind: 'linux'
    reserved: true
  }
}

// Subnet used for regional VNet integration; placeholders must be replaced.
var subnetId = '/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<virtual-network-name>/subnets/<subnet-name>'

// Web app via the AVM site module. `outboundVnetRouting` maps to
// properties.outboundVnetRouting in Microsoft.Web/sites@2024-11-01,
// which replaces the older properties.vnetContentShareEnabled.
module webApp 'br/public:avm/res/web/site:0.19.3' = {
  scope: rg
  params: {
    name: 'example-app'
    kind: 'app,linux,container'
    serverFarmResourceId: appServicePlan.outputs.resourceId
    virtualNetworkSubnetResourceId: subnetId
    outboundVnetRouting: { imagePullTraffic: true, contentShareTraffic: true, allTraffic: true }
    publicNetworkAccess: 'Enabled'
    siteConfig: {
      linuxFxVersion: 'DOCKER|nginx:1.28.0-alpine'
    }
  }
}
```

Screenshots

(Screenshot of the policy denial attached in the original issue; not reproduced here.)
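As an added illustration (not the built-in policy definition and not the reporter's code), a minimal Azure Policy rule that evaluates both the stale alias and the alias matching the 2024-11-01 property, so that a site is denied only when neither property is set to true; the `effect` parameter is assumed, and the rule relies on the usual Azure Policy behaviour, implied by the issue, that a field absent from the request satisfies `notEquals`.

```json
{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Web/sites"
        },
        {
          "field": "Microsoft.Web/sites/vnetContentShareEnabled",
          "notEquals": true
        },
        {
          "field": "Microsoft.Web/sites/outboundVnetRouting.contentShareTraffic",
          "notEquals": true
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}
```

Checking only the first alias, as the linked definition does, denies every site created with an api-version that no longer carries `properties.vnetContentShareEnabled`, even when `properties.outboundVnetRouting.contentShareTraffic` is true.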
