v4.1.0

Summary

Policy definition updates and a number of fixes are the highlights of this release. Please see RELEASE.md.

Enhancements

• Update Library Templates (automated) by @cae-pr-creator in #739
• Update Library Templates (automated) by @cae-pr-creator in #704
• Update Library Templates (automated) by @cae-pr-creator in #739
• Microsoft defender for Cloud policy update by @steph409 in #709
• Feature Request - Update Policy Assignment Code to use parameters fro… by @rrnnrr in #725

Fixes

• fix: wiki broken link by @matt-FFFFFF in #767
• fix: #758 archetype config overrides conflicts by @matt-FFFFFF in #762
• fix: archetypesync by @matt-FFFFFF in #733
• Fix issue with SQL auditing policy casing by @jaredfholgate in #760
• fix: remove Character Limit of root_id and add additional regex for scope_id by @liamjvs in #754
• fix: #722 by @matt-FFFFFF in #738
• Bug: Duplicate Object Key Firewall PIP by @luke-taylor in #766
• fix: policy_assignment_es_deploy_log_analytics enforcementMode by @matt-FFFFFF in #741
• Bug 29784 - Policy Assignment Enforcement Mode from Upstream Policy Assignments by @jaredfholgate in #772

Documentation

• Update [User-Guide]-Upgrade-from-v3.3.0-to-v4.0.0.md by @cbezenco in #714
• Deploy with Zero Trust Networking Principles Guide by @brsteph in #745

Other

• FabricBot: Onboarding to GitOps.ResourceManagement because of FabricBot decommissioning by @microsoft-github-policy-service in #757

New Contributors

• @cbezenco made their first contribution in #714
• @brsteph made their first contribution in #745
• @rrnnrr made their first contribution in #725
• @microsoft-github-policy-service made their first contribution in #757

Full Changelog: v4.0.2...v4.1.0

v4.0.2

4.0.2 fix

• #700 allows longer naming for custom LZs
• #717 removed incorrect policy assignments from platform MG
• #713 bug where LA workspace id not passed to policy assignment

4.0.1 fix

• #699 idempotency issue with policy assignment parameter - thanks @jaredfholgate

v4.0.0 Key features

This is a big one, please refer to our upgrade guide

• Policy refresh - thanks @jaredfholgate
• Azure Firewall Basic - thanks @luke-taylor
• Policy definition group metadata - thanks @mofaizal
• Policy enforcement mode settable - thanks @steph409
• Container insights solution for Log Analytics - thanks @steph409

Breaking Changes

• Enforce-EncryptTransit definition parameter removal
• default_location variable now has no default value
• AzureRM provider version minimum raised to 3.54
• Service Map solution deployment default is now false

What's Changed

• Added [User Guide] Module Outputs to Wiki by @luke-taylor in #641
• feat: add container insights option by @steph409 in #671
• Add Azure Firewall Basic SKU Support by @luke-taylor in #677
• feat: disable service map and refactor by @matt-FFFFFF in #687
• Policy Definition Group #1271 by @mofaizal in #669
• lookup enforcement mode from overwrite config by @steph409 in #683
• feat!: remove default_location defaults by @matt-FFFFFF in #695
• Policy Refresh April 2023 by @jaredfholgate in #691

New Contributors

• @luke-taylor made their first contribution in #641
• @cae-pr-creator made their first contribution in #676
• @steph409 made their first contribution in #671
• @mofaizal made their first contribution in #669

Full Changelog: v3.3.0...v4.0.0

v4.0.1

4.0.1 fix

• #699 idempotency issue with policy assignment parameter - thanks @jaredfholgate

Key features

This is a big one, please refer to our upgrade guide

• Policy refresh - thanks @jaredfholgate
• Azure Firewall Basic - thanks @luke-taylor
• Policy definition group metadata - thanks @mofaizal
• Policy enforcement mode settable - thanks @steph409
• Container insights solution for Log Analytics - thanks @steph409

Breaking Changes

• Enforce-EncryptTransit definition parameter removal
• default_location variable now has no default value
• AzureRM provider version minimum raised to 3.54
• Service Map solution deployment default is now false

What's Changed

• Added [User Guide] Module Outputs to Wiki by @luke-taylor in #641
• feat: add container insights option by @steph409 in #671
• Add Azure Firewall Basic SKU Support by @luke-taylor in #677
• feat: disable service map and refactor by @matt-FFFFFF in #687
• Policy Definition Group #1271 by @mofaizal in #669
• lookup enforcement mode from overwrite config by @steph409 in #683
• feat!: remove default_location defaults by @matt-FFFFFF in #695
• Policy Refresh April 2023 by @jaredfholgate in #691

New Contributors

• @luke-taylor made their first contribution in #641
• @cae-pr-creator made their first contribution in #676
• @steph409 made their first contribution in #671
• @mofaizal made their first contribution in #669

Full Changelog: v3.3.0...v4.0.0

v4.0.0 Policy refresh

Key features

This is a big one, please refer to our upgrade guide

• Policy refresh - thanks @jaredfholgate
• Azure Firewall Basic - thanks @luke-taylor
• Policy definition group metadata - thanks @mofaizal
• Policy enforcement mode settable - thanks @steph409
• Container insights solution for Log Analytics - thanks @steph409

Breaking Changes

• Enforce-EncryptTransit definition parameter removal
• default_location variable now has no default value
• AzureRM provider version minimum raised to 3.54
• Service Map solution deployment default is now false

What's Changed

• Added [User Guide] Module Outputs to Wiki by @luke-taylor in #641
• feat: add container insights option by @steph409 in #671
• Add Azure Firewall Basic SKU Support by @luke-taylor in #677
• feat: disable service map and refactor by @matt-FFFFFF in #687
• Policy Definition Group #1271 by @mofaizal in #669
• lookup enforcement mode from overwrite config by @steph409 in #683
• feat!: remove default_location defaults by @matt-FFFFFF in #695
• Policy Refresh April 2023 by @jaredfholgate in #691

New Contributors

• @luke-taylor made their first contribution in #641
• @cae-pr-creator made their first contribution in #676
• @steph409 made their first contribution in #671
• @mofaizal made their first contribution in #669

Full Changelog: v3.3.0...v4.0.0

v3.3.0 Raise minimum azurerm version

Important

• ⚠️ To support a fix for #628, we have had to raise the minimum azurerm provider version to 3.35.0 (from 3.18.0)
• ⚠️ To support #603, we have had to include the azapi provider, this is open source and written and maintained by Microsoft in GitHub

New Features

• We now support diagnostic settings on management groups in #603, this will not be enabled by default (see deploy_diagnostics_for_mg variable)
• azurerm_firewall_policy resource now supports tags in #628

What's Changed

• Fix wiki links by @matt-FFFFFF in #629
• Azure Policy Policy Effect + Terraform Scenarios by @liamjvs in #631
• Diag settings mg by @lachaves in #603
• Support for default tags in azurerm_firewall_policy resource by @robertbrandso in #628
• fix: Broken links in Terraform Registry in release v3.2.0 #637 by @matt-FFFFFF in #638
• feat: release 3.3.0 by @matt-FFFFFF in #639

New Contributors

• @liamjvs made their first contribution in #631
• @robertbrandso made their first contribution in #628

Full Changelog: v3.2.0...v3.3.0

[v3.2.0] Thank you Kevin (& non-compliance messages)

Highlights

• #623 Fixes issues with policy deploy_diagnostocs_vpngw & deploy_diagnostics_website
• #601 and #621 Adds non-compliance messages for policy
• README is now automatically generated, removing the need for variable docs in the wiki

Thank you

Thank you to Kevin Rowlandson, this modules creator and principal maintainer. He has decided to pursue a career outside Microsoft and we wish him well and look forward to his continued involvement in the module.

What's Changed

• Update Library Templates (automated) by @github-actions in #581
• Update archetype_config_overrides description by @krowlandson in #591
• Update concurrency group logic by @krowlandson in #593
• Revert concurrency logic by @krowlandson in #594
• Update Library Templates (automated) by @github-actions in #598
• Update parameter merge logic by @krowlandson in #616
• Bump github.com/emicklei/go-restful from 2.15.0+incompatible to 2.16.0+incompatible in /tests/terratest by @dependabot in #617
• Updated references from docs.microsoft.com to learn.microsoft - Part 1 by @ElYusubov in #608
• Include optional non Compliance Messages for Policy Assignments by @jaredfholgate in #601
• Add ability to disable non-compliance messages and standardise variable naming by @jaredfholgate in #621
• Update Library Templates (automated) by @github-actions in #622
• Update [Examples]-Create-and-Assign-Custom-RBAC-Roles.md by @mbilalamjad in #623
• release 3.2.0 by @matt-FFFFFF in #624

New Contributors

• @dependabot made their first contribution in #617
• @ElYusubov made their first contribution in #608
• @jaredfholgate made their first contribution in #601
• @mbilalamjad made their first contribution in #623

Full Changelog: v3.1.2...v3.2.0

[v3.1.2] HOTFIX: Update VPN gateway defaults, and DNS logic

Overview

The v3.1.2 release includes an important update to the default values for azurerm_virtual_network_gateway resources.

New features

• Added logic to safely handle duplicate DNS zone values provided via the configure_connectivity_resources.settings.dns.config.public_dns_zones and configure_connectivity_resources.settings.dns.config.private_dns_zones inputs
• Updated default value for configure_connectivity_resources.settings.hub_networks.*.config.virtual_network_gateway.config.advanced_vpn_settings.vpn_client_configuration.*.vpn_client_protocols setting to null
• Updated default value for configure_connectivity_resources.settings.hub_networks.*.config.virtual_network_gateway.config.advanced_vpn_settings.vpn_client_configuration.*.vpn_auth_types setting to null
• Updated default value for configure_connectivity_resources.settings.hub_networks.*.config.virtual_network_gateway.config.advanced_vpn_settings.bgp_settings.*.peering_addresses.*.apipa_addresses setting to null

Fixed issues

• Fix 577 (duplicate key on private dns zones when upgrading Bug Report #577)

Breaking changes

n/a

Input variable changes

none

For more information

Full Changelog: v3.1.1...v3.1.2

[v3.1.1] HOTFIX: Add missing parameter to `Deploy-ASC-SecurityContacts`

Overview

The v3.1.1 release includes an important update to the Deploy-ASC-SecurityContacts Policy Definition to enable successful remediation.

New features

• Added missing minimalSeverity parameter to Deploy-ASC-SecurityContacts Policy Definition (with "defaultValue" = "high")

Fixed issues

• External issue Azure/Enterprise-Scale/issues/1162 (Policy definition Deploy-ASC-SecurityContacts missing parameter minimalSeverity in template definition #1162)

Breaking changes

n/a

Input variable changes

none

For more information

Full Changelog: v3.1.0...v3.1.1

[v3.1.0] Private DNS, virtual hub and Azure Monitor updates

Overview

The v3.1.0 release includes a number of updates as listed below. These focus primarily on private DNS zones for private endpoints, virtual hub, and Azure Monitor.

New features

• Added privatelink.kubernetesconfiguration.azure.com to list of private DNS zones for azure_arc private endpoints
• Added option to enable private DNS zone privatelink.blob.core.windows.net for Azure Managed Disks
• Added option to enable internet_security_enabled on azurerm_virtual_hub_connection resources for secure virtual hubs
• Added option to specify a list of virtual networks for linking to private DNS zones without association to a hub
• Added advanced option to specify existing resource group (by name) for Virtual WAN resources¹
• Added Wiki documentation and a working example showing how to segregate deployment of an Azure landing zone across multiple module instances for connectivity, management and core resources
• Added Wiki documentation for the custom_policy_roles input variable
• Added Wiki documentation for video guides relating to the module
• Added new settings for azurerm_log_analytics_workspace and azurerm_automation_account resources (via advanced input)
• Updated Deploy-Diagnostics-LogAnalytics policy set definition to use the latest built-in policy definitions for Azure Storage
• Updated parameters for the Deploy-ASC-Monitoring Policy Assignment
• Updated managed parameters set for the Deploy-Private-DNS-Zones Policy Assignment
• Updated logic for DNS zone virtual network links to prevent disabled hubs from being included
• Updated logic for hub virtual network mesh peering to prevent disabled hubs from being included
• Updated default values for optional() connectivity inputs
• Updated Wiki documentation to add new content to the FAQ page
• Removed the deprecated ActivityLog Azure Monitor solution
• Removed sensitive value filtering for Log Analytics workspace resources
• Removed location from azureBatchPrivateDnsZoneId parameter for Deploy-Private-DNS-Zones policy assignment

Fixed issues

• Fix #482 (Review and update private DNS zones for private endpoint #482)
• Fix #491 (Feature Request - vwan hub connections - Internet_Security_Enabled should be a variable. #491)
• Fix #492 (Feature Request - configure automation account in management subscription #492)
• Fix #528 (Validate parameters for Azure Security Benchmark in TF deployment #528)
• Fix #542 (Bug Report - enable_private_dns_zone_virtual_network_link_on_hubs = true failing on disabled hub #542)
• Fix #549 (Feature Request: Deploy private dns zones and link them to an existing vnet #549)
• Fix #552 (Feature Request: Multiple Hub scenario, 2 VWANS are getting deployed #552)
• Fix #553 (Remove Activity Log solution from Terraform RI #553)
• Fix #544 (Missing assignment parameter values for "Configure Azure PaaS services to use private DNS zones" #544)
• Fix #556 (Unexpected behaviour: Radius IP required when using AAD for VPN gateway #556)
• Close #176 (Create Wiki docs page - [Variables] custom_policy_roles #176)
• Close #378 (Feature Request - Pricing/costing estimates #378)
• Close #392 (Add documentation for deploying across multiple Terraform workspaces (Terraform state file segregation) #392)
• Close #499 (Bug Report Terraform plan fails due to sensitive values in azurerm_automation_account output #499)
• Close #567 (Feature Request - Videos to Assist Written Documentation #567)

Breaking changes

n/a

Input variable changes

The following non-breaking changes have been made to the input variables. Although these don't need to be changed for the module to work, please review to prevent unwanted resource changes and to remove code that is no-longer required.

• Added configure_connectivity_resources.settings.dns.config.enable_private_link_by_service.azure_managed_disks
• Added configure_connectivity_resources.settings.dns.config.virtual_network_resource_ids_to_link
• Added configure_connectivity_resources.settings.vwan_hub_networks.*.config.secure_spoke_virtual_network_resource_ids
• Added configure_connectivity_resources.advanced.existing_virtual_wan_resource_group_name
• Removed configure_management_resources.settings.log_analytics.config.enable_solution_for_azure_activity

For more information

Full Changelog: v3.0.0...v3.1.0

1. The ability to specify an existing resource group (by name) for Virtual WAN resources is to satisfy the preference of some customers to place all Virtual WAN resources in a single resource group, consistent with the Portal experience where this is a limitation. ↩

[v3.0.0] Simplify inputs with `optional()` support and more

The v3.0.0 release marks an important update to the module, aimed primarily at reducing code changes needed when upgrading to latest releases. Previously, any change to the schema of input variables with complex object types would result in a breaking change if not updated in the customer code. This has been made possible with the GA release of optional() types in Terraform v1.3.0.

As a result of this change and the required fix for issue #31844, we have increased the minimum supported Terraform version to v1.3.1.

To support other changes (as listed below), we have also bumped the minimum supported azurerm provider version to v3.19.0.

New features

• Added documentation for how to set parameters for Policy Assignments
• Updated GitHub Super-Linter to v4.9.7 for static code analysis
• Updated the list of private DNS zones created by the module for private endpoints
• Removed deprecated policies for Arc monitoring (now included within VM monitoring built-in initiative)
• Added ability to set sql_redirect_allowed and tls_certificate properties on Azure Firewall policies
• Update logic for Azure Firewall public IPs to ensure correct availability zone mapping when only 2 zones are specified
• Added support for optional() types in input variables
• Updated policies with the latest fixes from the upstream Azure/Enterprise-Scale repository
• Updated tag evaluation for connectivity and management resources, so default_tags are now merged with scope-specific tags
• Updated the module upgrade guidance
• Updated Deny-Public-IP policy assignment to use the built-in policy for Not allowed resource types

Fixed issues

• Fix #445 (azurerm v4 compatibility)
• Fix #359 (Specifying parameters in policy assignment loses Log Analytics ID)
• Fix #186 (Policies incompatible with Terraform)
• Fix #444 (Error received when running custom network connectivity deployment)
• Fix #508 (Bug Report: Advanced VPN revoke_certifcate fails to apply)
• Fix #513 (Feature Request: Azure Firewall: Specify TLS Certificate Location in Azure Keyvault)
• Fix #447 (Azure Firewall - Availability Zones)
• Fix #524 (Missing private DNS zone for private endpoint - Azure Data Health Data Services)
• Fix #521 (Feature Request - ExpressRoute Gateway VPN_Type is Hardcoded, parameterise.)

Breaking changes

• ⚠️ Updated the minimum supported Terraform version to 0.15.1
• ⚠️ Updated the minimum supported azurerm provider version to 3.0.2
• ⚠️ Terraform will replace the Deny-Public-IP policy assignment, resulting in loss of compliance history

IMPORTANT: Please also carefully review the planned changes following an upgrade, as the introduction of optional() settings may result in unexpected changes from your current configuration where recommended new features are enabled by default.

For more information

Please refer to the Upgrade from v2.4.1 to v3.0.0 page on our Wiki.

Full Changelog: v2.4.1...v3.0.0