feat(finops-hub): Add sovereign cloud support

[MSBrett]

Summary

Adds sovereign cloud support to FinOps Hubs, enabling deployment to Azure US Government, Azure China (21Vianet), and other sovereign environments.

Changes

Bicep template changes (src/templates/finops-hub/)

• Kusto DNS suffix: Replace hardcoded .kusto.windows.net with an environment-aware lookup map covering AzureCloud, AzureUSGovernment, and AzureChinaCloud, with a replace() fallback heuristic for unknown clouds. Fixes an incorrect China suffix (kusto.chinacloudapi.cn → kusto.windows.cn).
• Open data URL: Add openDataBaseUrl parameter (threaded through main.bicep → hub.bicep → Analytics/app.bicep) so sovereign environments without internet access can point to a local storage account instead of GitHub.
• Conditional ADF resources: Automatically skip ADF GitHub linked service and dataset when openDataBaseUrl points to the hub's own storage account.
• Storage URL validation: Update createUiDefinition.json regex to accept storage suffixes from all clouds (not just .windows.net).
• Dashboard portal links: Replace 27 hardcoded portal.azure.com URLs in dashboard.json with a build-time $$defined-portal-url$$ token.
• Dashboard cluster URI: Clear the hardcoded clusterUri — users configure it to their cluster after import.
• Build script: Add -PortalUrl parameter to Build-Toolkit.ps1 (defaults to https://portal.azure.com).
• Bug fix: Fix gitapp.hub.com typo in ADF linked service URL → github.com.

Documentation (docs-mslearn/toolkit/hubs/)

• deploy-sovereign.md: New Microsoft Learn how-to guide covering build, open-data preparation, deployment, and dashboard configuration for sovereign clouds. Follows deploy.md conventions (front matter, tab selectors, admonitions, related content).

Testing

• Bicep compiles clean (bicep build main.bicep)
• JSON validity verified
• Grep verification: no hardcoded .kusto.windows.net, portal.azure.com, logic.azure.com, or gitapp.hub.com in changed files
• Red-team audit: all DNS suffix claims verified against Azure Private Link DNS zone docs
• Blue-team validation: all code assertions verified against repo files
• ❎ Log not needed

Checklist

• Bicep changes scoped to src/templates/finops-hub/ only
• No changes to PowerShell module, Optimization Engine, or other templates
• Documentation follows Microsoft style guide (sentence casing, active voice, no end punctuation on headings)
• deploy-sovereign.md matches deploy.md format conventions

[flanakin]

Suggested change

	- Added sovereign cloud deployment support for Azure US Government, Azure China (21Vianet), and other sovereign environments ([#2072](https://github.com/microsoft/finops-toolkit/pull/2072)).
	- Added sovereign cloud deployment support for Azure Government, Azure China, and other [Microsoft Sovereign Cloud](/industry/sovereign-cloud/overview/microsoft-sovereign-cloud) environments ([#2072](https://github.com/microsoft/finops-toolkit/pull/2072)).

[flanakin]

Added should go above Changed

[flanakin]

Aligning to official terms...

Suggested change

This article explains how to deploy FinOps hubs to sovereign Azure clouds, including Azure US Government, Azure China (21Vianet), and other sovereign environments. Bicep's `environment()` function compiles to an ARM runtime expression that resolves in the target cloud, so templates built on any workstation deploy correctly to any cloud. No cross-compilation is needed. This article helps you:

This article explains how to deploy FinOps hubs to [Microsoft Sovereign Clouds](/industry/sovereign-cloud/overview/microsoft-sovereign-cloud), including Azure Government, Azure China, and other sovereign environments. Bicep's `environment()` function compiles to an ARM runtime expression that resolves in the target cloud, so templates built on any workstation deploy correctly to any cloud. No cross-compilation is needed. This article helps you:

[flanakin]

Given this is end user documentation, I don't think we need to call out the Bicep caveat.

[flanakin]

Where is the system of record for "Environment name"? We don't include "US" in Azure Gov, so I'm questioning that column. What is the purpose of that column at all? How will it be used? I would recomment getting rid of it unless we explicitly need it.

Suggested change

	| Cloud | Environment name | Portal URL | Status |
	|-------|-----------------|------------|--------|
	| Azure Commercial | `AzureCloud` | `portal.azure.com` | ✅ Fully supported |
	| Azure US Government | `AzureUSGovernment` | `portal.azure.us` | ✅ Fully supported |
	| Azure China (21Vianet) | `AzureChinaCloud` | `portal.azure.cn` | ✅ Fully supported |
	| Other sovereign clouds | *(verify with your environment)* | *(verify with your environment)* | ⚠️ Supported with parameter overrides |
	| Cloud | Portal URL | Status |
	|-------|------------|--------|
	| Azure Commercial | `portal.azure.com` | ✅ Fully supported |
	| Azure Government | `portal.azure.us` | ✅ Fully supported |
	| Azure China | `portal.azure.cn` | ✅ Fully supported |
	| Others | *(verify with your environment)* | ⚠️ Supported with parameter overrides |

Fwiw, I don't actually know what value this table brings. Everything is supported the same way, right?

[flanakin]

Let's simplify this. If we want to offer deploying to storage, then let's just make that a boolean. This just makes it more difficult to set it up by requiring people to find the URL.

[flanakin]

Roland has raise a concern about how these files aren't getting updated over time. We should consider that before we make a substantive change to how we ingest the data to ensure we're accounting for keeping them updated for people. Maybe a separate deployment/app?

[flanakin]

Should we just always push the files to storage rather than using GitHub as the source? I prefer not from a cost perspective, but that would simplify this by only offering one approach.

[flanakin]

nit: Do internal build script changes go into the changelog? 🤔 Not opposed to it. But it's a level of detail our customers generally shouldn't need.

[flanakin]

As far as I can tell, these changes sound like AI fixes within the PR, not fixing something that was already there.

Suggested change

	- Fixed incorrect China ADX DNS suffix derivation (`kusto.chinacloudapi.cn` → `kusto.windows.cn`).
	- Fixed `createUiDefinition.json` storage URL validation to accept all cloud storage suffixes.

[microsoft-github-policy-service]

@@MSBrett: you have some new feedback!

Please review and resolve all comments and I'll let reviewers know by removing the Needs: Attention label. If I miss anything, just reply with #needs-review and I'll update the status.

[flanakin]

🤖 [AI][Claude] PR Review

Summary: Well-structured sovereign cloud support with clean Kusto DNS suffix handling, proper conditional resource deployment, and thorough documentation. One minor suggestion below.

💡 Suggestions (1)

1. ftkGitTag variable is now only consumed by the conditional dataset_ftkReleaseFile resource — consider adding a comment noting this dependency.

[flanakin]

🤖 [AI][Claude] 💡 Suggestion

With the ftkReleaseUri refactor, ftkGitTag is now only consumed by dataset_ftkReleaseFile (line 667), which is gated behind !useLocalOpenData. When deploying with local open data, this variable becomes unused dead code. Consider adding a brief comment noting the conditional dependency, e.g.:

Suggested change

	var ftkGitTag = loadTextContent('../../fx/ftktag.txt') // cSpell:ignore ftktag
	var ftkGitTag = loadTextContent('../../fx/ftktag.txt') // cSpell:ignore ftktag // Only used by ftkReleaseFile dataset when !useLocalOpenData