feat: Add NetworkConnectivity pre-flight check to Test-AcceleratorRequirement (#527)

- [x] Understand current state of checks in `Deploy-Accelerator.ps1` and
`Test-NetworkConnectivity.ps1`
- [x] Add `https://www.powershellgallery.com` endpoint to
`Test-NetworkConnectivity.ps1`
- [x] Add `NetworkConnectivity` to the checks in
`Deploy-Accelerator.ps1` (guarded by `skip_internet_checks`)
- [x] Update `Test-NetworkConnectivity.Tests.ps1` endpoint count
assertions: 5 → 6
- [x] All 47 unit tests pass

<!-- START COPILOT ORIGINAL PROMPT -->



<details>

<summary>Original prompt</summary>


## Summary

Add a new `NetworkConnectivity` check to `Test-AcceleratorRequirement`
(and the underlying `Test-Tooling` plumbing) that probes the external
URLs the module must reach during a Bicep deployment, before any
download or API call is attempted.

## Background

Currently the module has no pre-flight network reachability check. It
assumes connectivity is present and only surfaces failures at the point
of use (e.g. inside `Invoke-WebRequest`/`Invoke-RestMethod`). This makes
it hard for users in restricted environments to diagnose connectivity
issues early.

## Changes Required

### 1. New file:
`src/ALZ/Private/Tools/Checks/Test-NetworkConnectivity.ps1`

Create a new check function following the same pattern as the existing
checks (e.g. `Test-GitInstallation.ps1`). It should:

- Probe each of the external endpoints the module calls during a Bicep
deployment using `Invoke-WebRequest` with `-Method Head` (or a
lightweight GET where HEAD is not supported), with a short timeout (e.g.
10 seconds) and `-SkipHttpErrorCheck` / `-ErrorAction SilentlyContinue`
so it doesn't throw.
- Return a `Results` array and a `HasFailure` bool in the same shape as
all other checks.
- Treat any endpoint that **cannot be reached** (connection error /
timeout) as a **Failure**, and any reachable endpoint (even a non-200
status, which may just be auth) as a **Success** — the goal is
reachability, not authentication.
- The endpoints to check are:

| Endpoint | Purpose |
|---|---|
| `https://api.github.com` | GitHub API (release tag lookups) |
| `https://github.com` | Bootstrap & starter module downloads |
| `https://api.releases.hashicorp.com` | Terraform version resolution |
| `https://releases.hashicorp.com` | Terraform binary download |
| `https://management.azure.com` | Azure Management API |

Example skeleton (follow the pattern of `Test-GitInstallation.ps1`):

```powershell
function Test-NetworkConnectivity {
    [CmdletBinding()]
    param()

    $results = @()
    $hasFailure = $false

    $endpoints = @(
        @{ Uri = "https://api.github.com";                   Description = "GitHub API (release lookups)" },
        @{ Uri = "https://github.com";                       Description = "GitHub (module downloads)" },
        @{ Uri = "https://api.releases.hashicorp.com";       Description = "HashiCorp Releases API (Terraform version)" },
        @{ Uri = "https://releases.hashicorp.com";           Description = "HashiCorp Releases (Terraform binary download)" },
        @{ Uri = "https://management.azure.com";             Description = "Azure Management API" }
    )

    foreach ($endpoint in $endpoints) {
        Write-Verbose "Testing network connectivity to $($endpoint.Uri)"
        try {
            $response = Invoke-WebRequest -Uri $endpoint.Uri -Method Head -TimeoutSec 10 -SkipHttpErrorCheck -ErrorAction Stop -UseBasicParsing
            $results += @{
                message = "Network connectivity to $($endpoint.Description) ($($endpoint.Uri)) is available."
                result  = "Success"
            }
        } catch {
            $results += @{
                message = "Cannot reach $($endpoint.Description) ($($endpoint.Uri)). Check network/firewall settings. Error: $($_.Exception.Message)"
                result  = "Failure"
            }
            $hasFailure = $true
        }
    }

    return @{
        Results    = $results
        HasFailure = $hasFailure
    }
}
```

### 2. Update `src/ALZ/Private/Tools/Test-Tooling.ps1`

- Add `"NetworkConnectivity"` to the `[ValidateSet(...)]` on the
`$Checks` parameter.
- Add a new `if ($Checks -contains "NetworkConnectivity")` block that
calls `Test-NetworkConnectivity` and accumulates results, following the
same pattern as the other checks.

### 3. Update `src/ALZ/Public/Test-AcceleratorRequirement.ps1`

- Add `"NetworkConnectivity"` to the `[ValidateSet(...)]` on the
`$Checks` parameter.
- Add `"NetworkConnectivity"` to the **default** value of `$Checks` so
it runs automatically when `Test-AcceleratorRequirement` is called with
no arguments.
- Update the `.SYNOPSIS`/`.DESCRIPTION` doc comment to mention the
network connectivity check.

### 4. Add unit tests:
`src/Tests/Unit/Private/Test-NetworkConnectivity.Tests.ps1`

Add Pester unit tests for `Test-NetworkConnectivity` following the
pattern used by other tests in `src/Tests/Unit/`. Cover at minimum:
- All endpoints reachable → no failure, all Success results.
- One or more endpoints unreachable (mock `Invoke-WebRequest` to throw)
→ `HasFailure = $true`, correct Failure messages.

## Notes

- **Do not** add `NetworkConnectivity` to the default checks inside
`Deploy-Accelerator.ps1` — it already has its own
`$skip_internet_checks` bypass path and calling a network check there
would be redundant. The check belongs in `Test-AcceleratorRequirement`
only.
- Keep the check **non-blocking** in the sense that it should check all
endpoints and report all failures, not stop at the first unreachable
one.
- Follow t...

</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

*This pull request was created from Copilot chat.*
>

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/Azure/ALZ-PowerShell-Module/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: jtracey93 <41163455+jtracey93@users.noreply.github.com>

Author: Copilot

src/ALZ/Private/Tools/Checks/Test-NetworkConnectivity.ps1

@@ -0,0 +1,38 @@
+function Test-NetworkConnectivity {
+    [CmdletBinding()]
+    param()
+
+    $results = @()
+    $hasFailure = $false
+
+    $endpoints = @(
+        @{ Uri = "https://api.github.com";             Description = "GitHub API (release lookups)" },
+        @{ Uri = "https://github.com";                 Description = "GitHub (module downloads)" },
+        @{ Uri = "https://api.releases.hashicorp.com"; Description = "HashiCorp Releases API (Terraform version)" },
+        @{ Uri = "https://releases.hashicorp.com";     Description = "HashiCorp Releases (Terraform binary download)" },
+        @{ Uri = "https://management.azure.com";       Description = "Azure Management API" },
+        @{ Uri = "https://www.powershellgallery.com";  Description = "PowerShell Gallery (module installs/updates)" }
+    )
+
+    foreach ($endpoint in $endpoints) {
+        Write-Verbose "Testing network connectivity to $($endpoint.Uri)"
+        try {
+            Invoke-WebRequest -Uri $endpoint.Uri -Method Head -TimeoutSec 10 -SkipHttpErrorCheck -ErrorAction Stop -UseBasicParsing | Out-Null
+            $results += @{
+                message = "Network connectivity to $($endpoint.Description) ($($endpoint.Uri)) is available."
+                result  = "Success"
+            }
+        } catch {
+            $results += @{
+                message = "Cannot reach $($endpoint.Description) ($($endpoint.Uri)). Check network/firewall settings. Error: $($_.Exception.Message)"
+                result  = "Failure"
+            }
+            $hasFailure = $true
+        }
+    }
+
+    return @{
+        Results    = $results
+        HasFailure = $hasFailure
+    }
+}

src/ALZ/Private/Tools/Test-Tooling.ps1

@@ -2,7 +2,7 @@ function Test-Tooling {
     [CmdletBinding(SupportsShouldProcess = $true)]
     param(
         [Parameter(Mandatory = $false)]
-        [ValidateSet("PowerShell", "Git", "AzureCli", "AzureEnvVars", "AzureCliOrEnvVars", "AzureLogin", "AlzModule", "AlzModuleVersion", "YamlModule", "YamlModuleAutoInstall", "GitHubCli", "AzureDevOpsCli")]
+        [ValidateSet("PowerShell", "Git", "AzureCli", "AzureEnvVars", "AzureCliOrEnvVars", "AzureLogin", "AlzModule", "AlzModuleVersion", "YamlModule", "YamlModuleAutoInstall", "GitHubCli", "AzureDevOpsCli", "NetworkConnectivity")]
         [string[]]$Checks = @("PowerShell", "Git", "AzureCliOrEnvVars", "AzureLogin", "AlzModule", "AlzModuleVersion"),
         [Parameter(Mandatory = $false)]
         [switch]$destroy
@@ -91,6 +91,13 @@ function Test-Tooling {
         if ($result.HasFailure) { $hasFailure = $true }
     }
 
+    # Check Network Connectivity
+    if ($Checks -contains "NetworkConnectivity") {
+        $result = Test-NetworkConnectivity
+        $checkResults += $result.Results
+        if ($result.HasFailure) { $hasFailure = $true }
+    }
+
     # Display results
     Write-Verbose "Showing check results"
     Write-Verbose $(ConvertTo-Json $checkResults -Depth 100)

src/ALZ/Public/Deploy-Accelerator.ps1

@@ -250,6 +250,9 @@ function Deploy-Accelerator {
                 $checks += "YamlModuleAutoInstall"
             }
         }
+        if (-not $skip_internet_checks.IsPresent) {
+            $checks += "NetworkConnectivity"
+        }
         $toolingResult = Test-Tooling -Checks $checks -destroy:$destroy.IsPresent
     }
 

src/ALZ/Public/Test-AcceleratorRequirement.ps1

@@ -3,7 +3,7 @@ function Test-AcceleratorRequirement {
     .SYNOPSIS
         Test that the Accelerator software requirements are met
     .DESCRIPTION
-        This will check for the pre-requisite software
+        This will check for the pre-requisite software and network connectivity to the external endpoints required by the Accelerator.
     .EXAMPLE
         C:\PS> Test-AcceleratorRequirement
     .EXAMPLE
@@ -20,10 +20,10 @@ function Test-AcceleratorRequirement {
     param (
         [Parameter(
             Mandatory = $false,
-            HelpMessage = "[OPTIONAL] Specifies which checks to run. Valid values: PowerShell, Git, AzureCli, AzureEnvVars, AzureCliOrEnvVars, AzureLogin, AlzModule, AlzModuleVersion, YamlModule, YamlModuleAutoInstall, GitHubCli, AzureDevOpsCli"
+            HelpMessage = "[OPTIONAL] Specifies which checks to run. Valid values: PowerShell, Git, AzureCli, AzureEnvVars, AzureCliOrEnvVars, AzureLogin, AlzModule, AlzModuleVersion, YamlModule, YamlModuleAutoInstall, GitHubCli, AzureDevOpsCli, NetworkConnectivity"
         )]
-        [ValidateSet("PowerShell", "Git", "AzureCli", "AzureEnvVars", "AzureCliOrEnvVars", "AzureLogin", "AlzModule", "AlzModuleVersion", "YamlModule", "YamlModuleAutoInstall", "GitHubCli", "AzureDevOpsCli")]
-        [string[]]$Checks = @("PowerShell", "Git", "AzureCliOrEnvVars", "AzureLogin", "AlzModule", "AlzModuleVersion")
+        [ValidateSet("PowerShell", "Git", "AzureCli", "AzureEnvVars", "AzureCliOrEnvVars", "AzureLogin", "AlzModule", "AlzModuleVersion", "YamlModule", "YamlModuleAutoInstall", "GitHubCli", "AzureDevOpsCli", "NetworkConnectivity")]
+        [string[]]$Checks = @("PowerShell", "Git", "AzureCliOrEnvVars", "AzureLogin", "AlzModule", "AlzModuleVersion", "NetworkConnectivity")
     )
     Test-Tooling -Checks $Checks
 }

src/Tests/Unit/Private/Test-NetworkConnectivity.Tests.ps1

@@ -0,0 +1,111 @@
+#-------------------------------------------------------------------------
+Set-Location -Path $PSScriptRoot
+#-------------------------------------------------------------------------
+$ModuleName = 'ALZ'
+$PathToManifest = [System.IO.Path]::Combine('..', '..', '..', $ModuleName, "$ModuleName.psd1")
+#-------------------------------------------------------------------------
+if (Get-Module -Name $ModuleName -ErrorAction 'SilentlyContinue') {
+    #if the module is already in memory, remove it
+    Remove-Module -Name $ModuleName -Force
+}
+Import-Module $PathToManifest -Force
+#-------------------------------------------------------------------------
+
+InModuleScope 'ALZ' {
+    Describe 'Test-NetworkConnectivity Private Function Tests' -Tag Unit {
+        BeforeAll {
+            $WarningPreference = 'SilentlyContinue'
+            $ErrorActionPreference = 'SilentlyContinue'
+        }
+
+        Context 'All endpoints are reachable' {
+            BeforeAll {
+                Mock -CommandName Invoke-WebRequest -MockWith {
+                    [PSCustomObject]@{ StatusCode = 200 }
+                }
+            }
+
+            It 'returns HasFailure = $false when all endpoints succeed' {
+                $result = Test-NetworkConnectivity
+                $result.HasFailure | Should -BeFalse
+            }
+
+            It 'returns a Success result for every endpoint' {
+                $result = Test-NetworkConnectivity
+                $result.Results | ForEach-Object {
+                    $_.result | Should -Be "Success"
+                }
+            }
+
+            It 'returns one result per endpoint (6 total)' {
+                $result = Test-NetworkConnectivity
+                $result.Results.Count | Should -Be 6
+            }
+        }
+
+        Context 'One endpoint is unreachable' {
+            BeforeAll {
+                Mock -CommandName Invoke-WebRequest -ParameterFilter { $Uri -eq "https://api.github.com" } -MockWith {
+                    throw "Unable to connect to the remote server"
+                }
+                Mock -CommandName Invoke-WebRequest -MockWith {
+                    [PSCustomObject]@{ StatusCode = 200 }
+                }
+            }
+
+            It 'returns HasFailure = $true' {
+                $result = Test-NetworkConnectivity
+                $result.HasFailure | Should -BeTrue
+            }
+
+            It 'returns a Failure result for the unreachable endpoint' {
+                $result = Test-NetworkConnectivity
+                $failureResults = @($result.Results | Where-Object { $_.result -eq "Failure" })
+                $failureResults.Count | Should -Be 1
+            }
+
+            It 'includes the error message in the Failure result' {
+                $result = Test-NetworkConnectivity
+                $failureResult = @($result.Results | Where-Object { $_.result -eq "Failure" })[0]
+                $failureResult.message | Should -Match "Cannot reach"
+                $failureResult.message | Should -Match "api.github.com"
+            }
+
+            It 'still returns Success results for the reachable endpoints' {
+                $result = Test-NetworkConnectivity
+                $successResults = @($result.Results | Where-Object { $_.result -eq "Success" })
+                $successResults.Count | Should -Be 5
+            }
+        }
+
+        Context 'All endpoints are unreachable' {
+            BeforeAll {
+                Mock -CommandName Invoke-WebRequest -MockWith {
+                    throw "Network unreachable"
+                }
+            }
+
+            It 'returns HasFailure = $true' {
+                $result = Test-NetworkConnectivity
+                $result.HasFailure | Should -BeTrue
+            }
+
+            It 'returns a Failure result for every endpoint' {
+                $result = Test-NetworkConnectivity
+                $result.Results | ForEach-Object {
+                    $_.result | Should -Be "Failure"
+                }
+            }
+
+            It 'returns one result per endpoint (6 total)' {
+                $result = Test-NetworkConnectivity
+                $result.Results.Count | Should -Be 6
+            }
+
+            It 'checks all endpoints and does not stop at the first failure' {
+                $result = Test-NetworkConnectivity
+                Should -Invoke -CommandName Invoke-WebRequest -Times 6 -Scope It
+            }
+        }
+    }
+}