From d33a0c9e6a94874291cc93ba10397eb72917c435 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Nov 2024 09:05:39 +0000 Subject: [PATCH 01/12] Bump github/codeql-action from 3.27.0 to 3.27.5 (#1846) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 4232556fe8..e44131a991 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 + uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 with: sarif_file: results.sarif From bde8db842914056ec45e0c7b4e2b28acbd4707b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ren=C3=A9=20H=C3=A9zser?= Date: Thu, 21 Nov 2024 10:22:02 +0100 Subject: [PATCH 02/12] fix: subscription-vending Bicep (#1836) Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> --- docs/wiki/Create-Landingzones.md | 3 ++- docs/wiki/Whats-new.md | 4 ++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/wiki/Create-Landingzones.md b/docs/wiki/Create-Landingzones.md index 4214fc8280..9e2f4cbcf8 100644 --- a/docs/wiki/Create-Landingzones.md +++ b/docs/wiki/Create-Landingzones.md 
@@ -3,12 +3,13 @@ The approach of "Subscription Vending", materializes and standardizes the ALZ "Subscription Democratization" Design Principle, by formulating a process for requesting, deploying and governing Azure Subscriptions, and by doing so enabling the Applications Teams to onboard their workloads in a fast, yet deterministic way. For further details, one can look into the following articles: + - [Deploy Azure landing zones (Subscription Vending)](https://learn.microsoft.com/azure/architecture/landing-zones/landing-zone-deploy#subscription-vending) - [Subscription vending implementation guidance](https://learn.microsoft.com/azure/architecture/landing-zones/subscription-vending) The respective Bicep and Terraform automation / IaC Modules for Subscription Vending, can be found in: -- [Bicep Subscription Vending](https://github.com/Azure/bicep-lz-vending) +- [Bicep Subscription Vending](https://github.com/Azure/bicep-registry-modules/tree/main/avm/ptn/lz/sub-vending) - [Terraform Subscription Vending](https://registry.terraform.io/modules/Azure/lz-vending/azurerm/latest) More broader information on programmatical creation of Azure Subscriptions (EA/MCA/MPA) via the latest APIs, can be found on the following articles: diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 4259b9f3e0..ec6f901b5a 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md 
@@ -56,6 +56,10 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: - A bug was resolved in the Portal Accelerator that caused deployment validation to fail with the error message "The 'location' property must be specified for 'amba-id-amba-prod-001'". This event happened when a Log Analytics Workspace was not deployed, but Azure Monitor Baseline Alerts were enabled. This issue occurred because Azure Monitor Baseline Alerts depend on the management subscription, which is not provided if the Log Analytics Workspace is not deployed. To address this scenario, an additional section was implemented in the Baseline alerts and monitoring tab allowing the selection of a Management subscription when not deploying a Log Analytics Workspace. - Updated the ***Baseline alerts and monitoring*** integration section in the portal accelerator to deploy the latest release of AMBA (2024-11-01). To read more on the changes, see the [What's new](https://aka.ms/amba/alz/whatsnew) page in the AMBA documentation. +#### Documentation + +- Link for the Bicep Subscription Vending changed to AVM (Azure Verified Modules) + ### 🔃 Policy Refresh Q1 FY25 - Updated ALZ custom policies enforcing minimum TLS versions to properly evaluate the minimum TLS version, ensuring services configured to deploy TLS 1.3 will successfully evaluate. From 8ac359e8e835dc9037ca4ca3db8d63d5dc1d119b Mon Sep 17 00:00:00 2001 From: Paul <86801738+CRYP70N1X@users.noreply.github.com> Date: Thu, 28 Nov 2024 12:12:22 +0200 Subject: [PATCH 03/12] Updated message on root mgmgt group policy exclusion (#1850) Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> --- docs/wiki/ALZ-Policies.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/wiki/ALZ-Policies.md b/docs/wiki/ALZ-Policies.md index 6dab86f385..04aeaede2c 100644 --- a/docs/wiki/ALZ-Policies.md +++ b/docs/wiki/ALZ-Policies.md 
@@ -44,6 +44,9 @@ AzAdvertizer also updates once per day! As part of a default deployment configuration, policy and policy set definitions are deployed at multiple levels within the Azure landing zone Management Group hierarchy as depicted within the below diagram. +> [!IMPORTANT] +> As part of the ALZ portal deployment/configuration, policy and policy set definitions are created only at the intermediate management group, e.g. `contoso` that is a child of the tenant root management group, created during the ALZ deployment. Our automation does not assign any policies to the tenant root management group scope, only the ALZ hierarchy it deploys and its children, e.g. `contoso` and below. This approach aligns with the Cloud Adoption Framework's best practices for Azure Policy assignment, ensuring clear delineation of policy application and avoiding unintended policy inheritance across the entire tenant. By placing policies only at the intermediary root and its child management groups, we maintain compliance, flexibility, and alignment with organizational governance requirements. And also allow multiple management groups hierarchies to exist in a single tenant such as the [canary approach](https://aka.ms/alz/canary#example-scenarios-and-outcomes) + ![image](./media/MgmtGroups_Policies_v0.1.svg) The subsequent sections will provide a summary of policy sets and policy set definitions applied at each level of the Management Group hierarchy. From b35cf2ebcc8784095e24dfc6a102ec31ab1edfde Mon Sep 17 00:00:00 2001 From: Paul Grimley <25264573+paulgrimley@users.noreply.github.com> Date: Fri, 29 Nov 2024 18:54:43 +0000 Subject: [PATCH 04/12] Updated FAQ to remove AMA statements (#1852) Co-authored-by: Arjen Huitema --- docs/wiki/FAQ.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/docs/wiki/FAQ.md b/docs/wiki/FAQ.md index efe22b8065..0ad78fc060 100644 --- a/docs/wiki/FAQ.md +++ b/docs/wiki/FAQ.md 
@@ -155,15 +155,13 @@ The Management Group Names/IDs created via the ALZ Portal Accelerator Deployment - `-decommissioned` - `-sandbox` -## Why hasn't Azure landing zones migrated to the Azure Monitor Agent yet? +## Azure Monitor Agent -**Update January 2024** We have been working on the removal of MMA from ALZ and the first step in the overall removal process is to update the ALZ Portal reference implementation (greenfield deployments) which has now been updated. Our next step is to work on the deployment to Terraform and Bicep reference implementations which requires significant investment to minimise impact to existing customers and providing clear guidance for the transition. For more details please see [Azure Monitor Agent Update](./ALZ-AMA-Update.md). +### What if we are not ready to make the switch (from MMA) and migrate to AMA, right now? -### What if we are not ready to make the switch and migrate, right now? +The log analytics agent (MMA) has retired as documented [here]( https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). Cloud ingestion services will gradually reduce support for MMA agents, which may result in compatibility issues over time. Ingestion for MMA will remain unchanged until February 1, 2025. You need to complete the migration to the Azure Monitor Agent before that date. -Another good question. You will need to plan, and complete, the migration to the Azure Monitor Agent before the Log Analytics Agent is retired as [documented here.](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/) - -### Where do I find more information about the Azure Monitor Baseline Alerts initiative included in the Azure landing zones Portal Accelerator? +## Where do I find more information about the Azure Monitor Baseline Alerts initiative included in the Azure landing zones Portal Accelerator? Great question! 
As this is maintained in a repository outside of the Azure landing zones repository please refer to [Azure Monitor Baseline Alerts wiki](https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz) for more details. From 9c89191e70db3fe626d50457c4b551b528213857 Mon Sep 17 00:00:00 2001 From: Bruno Gabrielli Date: Tue, 10 Dec 2024 09:06:46 +0100 Subject: [PATCH 05/12] Updating eslz with latest AMBA-ALZ release pointer and info (#1859) --- docs/wiki/Whats-new.md | 7 +++ eslzArm/eslzArm.json | 99 +++++++++++++++++++++--------------------- 2 files changed, 57 insertions(+), 49 deletions(-) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index ec6f901b5a..d88d9b5bb8 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -1,6 +1,7 @@ ## In this Section - [Updates](#updates) + - [December 2024](#december-2024) - [November 2024](#november-2024) - [🔃 Policy Refresh Q1 FY25](#-policy-refresh-q1-fy25) - [October 2024](#october-2024) @@ -49,6 +50,12 @@ This article will be updated as and when changes are made to the above and anyth Here's what's changed in Enterprise Scale/Azure Landing Zones: +### December 2024 + +#### Tooling + +- Updated the ***Baseline alerts and monitoring*** integration section in the portal accelerator to deploy the latest release of AMBA (2024-12-10). To read more on the changes, see the [What's new](https://aka.ms/amba/alz/whatsnew) page in the AMBA documentation. + ### November 2024 #### Tooling diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 0c3ed6760f..23c19d82e3 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json 
@@ -1675,7 +1675,7 @@ }, // Declaring root uris for external dependency repositories. "rootUris": { - "monitorRepo": "https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/2024-11-01/" + "monitorRepo": "https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/2024-12-10/" }, // Declaring all required deployment uri's used for deployments of composite ARM templates for ESLZ "azPrivateDnsPolicyAssignmentMapping": { @@ -2264,6 +2264,30 @@ "enableAMBAServiceHealth": { "value": "[parameters('enableServiceHealth')]" }, + "enableAMBAHybridVM": { + "value": "[parameters('enableAMBAHybridVM')]" + }, + "enableAMBAKeyManagement": { + "value": "[parameters('enableAMBAKeyManagement')]" + }, + "enableAMBALoadBalancing": { + "value": "[parameters('enableAMBALoadBalancing')]" + }, + "enableAMBANetworkChanges": { + "value": "[parameters('enableAMBANetworkChanges')]" + }, + "enableAMBARecoveryServices": { + "value": "[parameters('enableAMBARecoveryServices')]" + }, + "enableAMBAStorage": { + "value": "[parameters('enableAMBAStorage')]" + }, + "enableAMBAVM": { + "value": "[parameters('enableAMBAVM')]" + }, + "enableAMBAWeb": { + "value": "[parameters('enableAMBAWeb')]" + }, "userAssignedManagedIdentityName": { "value": "[parameters('userAssignedManagedIdentityName')]" }, @@ -2273,9 +2297,6 @@ "ALZArmRoleId": { "value": "[array(parameters('ambaAgArmRole'))]" }, - "delayCount": { - "value": "[parameters('delayCount')]" - }, "ALZMonitorResourceGroupName": { "value": "[parameters('monitorAlertsResourceGroup')]" }, 
@@ -2288,30 +2309,6 @@ "managementSubscriptionId": { "value": "[parameters('managementSubscriptionId')]" }, - "enableAMBAHybridVM": { - "value": "[parameters('enableAMBAHybridVM')]" - }, - "enableAMBAKeyManagement": { - "value": "[parameters('enableAMBAKeyManagement')]" - }, - "enableAMBALoadBalancing": { - "value": "[parameters('enableAMBALoadBalancing')]" - }, - "enableAMBANetworkChanges": { - "value": "[parameters('enableAMBANetworkChanges')]" - }, - "enableAMBARecoveryServices": { - "value": "[parameters('enableAMBARecoveryServices')]" - }, - "enableAMBAStorage": { - "value": "[parameters('enableAMBAStorage')]" - }, - "enableAMBAVM": { - "value": "[parameters('enableAMBAVM')]" - }, - "enableAMBAWeb": { - "value": "[parameters('enableAMBAWeb')]" - }, "deployALZPortalAccelerator": { "value": "Yes" } @@ -2369,6 +2366,30 @@ "enableAMBAServiceHealth": { "value": "[parameters('enableServiceHealth')]" }, + "enableAMBAHybridVM": { + "value": "[parameters('enableAMBAHybridVM')]" + }, + "enableAMBAKeyManagement": { + "value": "[parameters('enableAMBAKeyManagement')]" + }, + "enableAMBALoadBalancing": { + "value": "[parameters('enableAMBALoadBalancing')]" + }, + "enableAMBANetworkChanges": { + "value": "[parameters('enableAMBANetworkChanges')]" + }, + "enableAMBARecoveryServices": { + "value": "[parameters('enableAMBARecoveryServices')]" + }, + "enableAMBAStorage": { + "value": "[parameters('enableAMBAStorage')]" + }, + "enableAMBAVM": { + "value": "[parameters('enableAMBAVM')]" + }, + "enableAMBAWeb": { + "value": "[parameters('enableAMBAWeb')]" + }, "userAssignedManagedIdentityName": { "value": "[parameters('userAssignedManagedIdentityName')]" }, @@ -2378,9 +2399,6 @@ "ALZArmRoleId": { "value": "[array(parameters('ambaAgArmRole'))]" }, - "delayCount": { - "value": "[parameters('delayCount')]" - }, "ALZMonitorResourceGroupName": { "value": "[parameters('monitorAlertsResourceGroup')]" }, 
@@ -2393,24 +2411,7 @@ "managementSubscriptionId": { "value": "[parameters('singlePlatformSubscriptionId')]" }, - "enableAMBALoadBalancing": { - "value": "[parameters('enableAMBALoadBalancing')]" - }, - "enableAMBANetworkChanges": { - "value": "[parameters('enableAMBANetworkChanges')]" - }, - "enableAMBARecoveryServices": { - "value": "[parameters('enableAMBARecoveryServices')]" - }, - "enableAMBAStorage": { - "value": "[parameters('enableAMBAStorage')]" - }, - "enableAMBAVM": { - "value": "[parameters('enableAMBAVM')]" - }, - "enableAMBAWeb": { - "value": "[parameters('enableAMBAWeb')]" - }, + "deployALZPortalAccelerator": { "value": "Yes" } From 51e0a7f52295bd7450ea5e94b0bfe33aeb0cd759 Mon Sep 17 00:00:00 2001 From: Arjen Huitema Date: Thu, 12 Dec 2024 12:45:48 +0100 Subject: [PATCH 06/12] Update release URIs to point to the December 10, 2024 version (#1860) --- src/portal/release.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/portal/release.json b/src/portal/release.json index 57dda62662..bfb2220655 100644 --- a/src/portal/release.json +++ b/src/portal/release.json @@ -1,5 +1,5 @@ { - "azureLandingZoneTemplateDetailsUri": "https://github.com/Azure/Enterprise-Scale/tree/2024-11-05", - "templateUri": "https://raw.githubusercontent.com/Azure/Enterprise-Scale/2024-11-05/eslzArm/eslzArm.json", - "uiFormDefinitionUri": "https://raw.githubusercontent.com/Azure/Enterprise-Scale/2024-11-05/eslzArm/eslz-portal.json" + "azureLandingZoneTemplateDetailsUri": "https://github.com/Azure/Enterprise-Scale/tree/2024-12-10", + "templateUri": "https://raw.githubusercontent.com/Azure/Enterprise-Scale/2024-12-10/eslzArm/eslzArm.json", + "uiFormDefinitionUri": "https://raw.githubusercontent.com/Azure/Enterprise-Scale/2024-12-10/eslzArm/eslz-portal.json" } From c026e5b611f82b914ed02c5e4032043ea9275fab Mon Sep 17 00:00:00 2001 
From: Martin Tausen <660166+tauzN@users.noreply.github.com> Date: Mon, 16 Dec 2024 15:49:47 +0100 Subject: [PATCH 07/12] Remove duplicate resource provider in Wiki: Microsoft.AlertsManagement (#1868) --- docs/wiki/ALZ-Resource-Provider-Recommendations.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/wiki/ALZ-Resource-Provider-Recommendations.md b/docs/wiki/ALZ-Resource-Provider-Recommendations.md index 4153d8a26a..1399e73f2c 100644 --- a/docs/wiki/ALZ-Resource-Provider-Recommendations.md +++ b/docs/wiki/ALZ-Resource-Provider-Recommendations.md @@ -21,7 +21,6 @@ To successfully deploy an Enterprise-Scale with a predefined [template](https:// * Microsoft.OperationalInsights * Microsoft.OperationsManagement * Microsoft.Automation -* Microsoft.AlertsManagement * Microsoft.Security * Microsoft.Network * Microsoft.EventGrid From bb302ae256560ec87ddb84e688547fa46ccc3ecc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 17 Dec 2024 10:30:06 +0000 Subject: [PATCH 08/12] Bump github/codeql-action from 3.27.5 to 3.27.9 (#1867) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index e44131a991..db8951f899 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
@@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 + uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 with: sarif_file: results.sarif From 2f3fd9540133ea7219458a2bdd1654f984ed6e96 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 17 Dec 2024 10:33:53 +0000 Subject: [PATCH 09/12] Bump actions/upload-artifact from 4.4.0 to 4.4.3 (#1794) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index db8951f899..9b6e4915d2 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -59,7 +59,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: SARIF file path: results.sarif From 27cc654e07ef46fc120847e141652f5b7ae58018 Mon Sep 17 00:00:00 2001 From: Jack Tracey <41163455+jtracey93@users.noreply.github.com> Date: Thu, 19 Dec 2024 10:10:25 +0000 Subject: [PATCH 10/12] chore: Delete .github/workflows/gh-ado-sync.yml (#1872) --- .github/workflows/gh-ado-sync.yml | 27 --------------------------- 1 file changed, 27 deletions(-) delete mode 100644 .github/workflows/gh-ado-sync.yml 
diff --git a/.github/workflows/gh-ado-sync.yml b/.github/workflows/gh-ado-sync.yml deleted file mode 100644 index 898f2eff8d..0000000000 --- a/.github/workflows/gh-ado-sync.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: Sync Issues to Azure DevOps Work Items - -on: - issues: - types: [opened, closed, deleted, reopened, edited, labeled, unlabeled, assigned, unassigned] - issue_comment: - types: [created] - -jobs: - alert: - runs-on: ubuntu-latest - name: Sync workflow - if: github.repository == 'Azure/Enterprise-Scale' - - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: GitHub/ADO Sync - uses: a11smiles/GitSync@v1.1.4 - env: - ado_token: '${{ secrets.ADO_PERSONAL_ACCESS_TOKEN }}' - config_file: './.github/actions-config/gh-ado-sync-config.json' - with: - ado: ${{ secrets.ADO_MAPPINGS_HANDLES }} From 1ef2893b33f32562049a20cecd5ac976262757d0 Mon Sep 17 00:00:00 2001 From: Jack Tracey <41163455+jtracey93@users.noreply.github.com> Date: Fri, 20 Dec 2024 08:54:58 +0000 Subject: [PATCH 11/12] docs: Add explanation on User-Assigned Managed Identities in ALZ policies to FAQ (#1874) --- docs/wiki/ALZ-Policies-FAQ.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/wiki/ALZ-Policies-FAQ.md b/docs/wiki/ALZ-Policies-FAQ.md index d3eaabcf1f..14a7de43c3 100644 --- a/docs/wiki/ALZ-Policies-FAQ.md +++ b/docs/wiki/ALZ-Policies-FAQ.md 
@@ -12,6 +12,14 @@ We've had a number of issues and pull requests submitted specifically around the The reason for this is that the policies and initiatives in this repo are intended to be used as part of the ALZ deployment process, and are used to generate the ARM templates that are deployed to Azure. The leading `[` character is required to support the generation of the ARM templates. +### Why does ALZ not promote the usage of User-Assigned Managed Identities for Policy Assignments? + +Whilst User-Assigned Managed Identities for Policy Assignments are now supported, there are a number of reasons why ALZ does not promote the usage of them. + +The primary risk is that the User-Assigned Managed Identity created and used for one or more policy assignments is an over-permissioned identity; both in terms of RBAC roles it has assigned to it and also the scope/s that it has been assigned to. With the focus on least privilege and zero trust security principles, we believe in ALZ that the use of a User-Assigned Managed Identity for policy assignments is not the best practice and instead you should continue to use the system-assigned managed identity for your Azure policy assignments. + +Not only does using a system-assigned managed identity for policy assignments reduce the risk of over-permissioning, but it also reduces the complexity of managing the identity and its RBAC permissions and assignments as the lifecycle of the system-assigned managed identity is managed by Azure policy automatically with the lifecycle of the policy assignment it is associated with. + ### Diagnostic Settings v2 (December 2023) There are several issues raised around Diagnostic Settings, and we acknowledge that this is a complex area that is causing a lot of pain. From b47747b42122148707b4df962f15e7a5defdc08b Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 9 Jan 2025 08:53:57 +0000 Subject: [PATCH 12/12] Bump github/codeql-action from 3.27.9 to 3.28.0 (#1875) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 9b6e4915d2..f82367b147 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 + uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 with: sarif_file: results.sarif
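Review bot: In PATCH 02, the Whats-new entry added under "#### Documentation" ("Link for the Bicep Subscription Vending changed to AVM (Azure Verified Modules)") has no trailing period and no link, unlike the entries above it in the same hunk. Suggest ending it with a period and linking either the wiki page that changed or the new `avm/ptn/lz/sub-vending` location, so readers of the changelog can reach the module without opening Create-Landingzones.md.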
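Review bot: In PATCH 03, the last sentence of the added `[!IMPORTANT]` callout in docs/wiki/ALZ-Policies.md ("And also allow multiple management groups hierarchies to exist in a single tenant such as the canary approach") is a fragment with no closing period, and the callout alternates between "intermediate management group" and "intermediary root" for the same scope. Suggest merging that sentence into the preceding one, using a single term throughout, and correcting "mgmgt" in the commit subject before merge.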
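Review bot: In PATCH 04, the question "Where do I find more information about the Azure Monitor Baseline Alerts initiative..." in docs/wiki/FAQ.md is promoted from `###` to `##`, while the MMA question in the same hunk stays at `###` under the new `## Azure Monitor Agent` heading, so question headings now sit at two levels; please confirm this matches the rest of the FAQ. The added MMA paragraph also has a stray space in `[here]( https://...` and uses "here" as link text. Renaming the old "Why hasn't Azure landing zones migrated to the Azure Monitor Agent yet?" heading removes its anchor and the pointer to `./ALZ-AMA-Update.md`, so inbound links to that anchor will stop resolving.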
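Review bot: In PATCH 05, the `monitorRepo` root URI in eslzArm/eslzArm.json (hunk at -1675) is pinned to the tag `2024-12-10` rather than to a commit, so the AMBA content this template fetches from raw.githubusercontent.com is whatever that tag resolves to at deployment time. The workflow changes in this same series pin actions to full commit SHAs with the version in a trailing comment; consider the same treatment here, or state in the docs that release tags in that repository are treated as immutable. The same applies to the three `2024-12-10` URIs set in src/portal/release.json in PATCH 06.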
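Review bot: In PATCH 05, the parameter reshuffle in eslzArm/eslzArm.json is not a pure move for the deployment that passes `singlePlatformSubscriptionId`: the block removed at -2393 holds six `enableAMBA*` parameters starting at `enableAMBALoadBalancing`, while the block added at +2366 holds eight, so `enableAMBAHybridVM` and `enableAMBAKeyManagement` are newly passed there. `delayCount` is also dropped from both deployments. Neither change appears in the commit subject or the Whats-new entry; please call them out, confirm that the `delayCount` parameter declaration is either removed or still used elsewhere in the template, and drop the blank `+` line left before `deployALZPortalAccelerator` in the last hunk.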
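Review bot: In PATCH 10, deleting .github/workflows/gh-ado-sync.yml removes the workflow that consumed `secrets.ADO_PERSONAL_ACCESS_TOKEN` and `secrets.ADO_MAPPINGS_HANDLES`, but the diffstat shows a single file changed, so `./.github/actions-config/gh-ado-sync-config.json` stays in the tree and the secrets stay configured. Suggest deleting the config file in the same change, then revoking the Azure DevOps personal access token and removing both repository secrets, so that no unused credential is left behind.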
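Review bot: In PATCH 11, the opening paragraph of the new entry in docs/wiki/ALZ-Policies-FAQ.md promises "a number of reasons", but the text gives two (over-permissioning and identity lifecycle management), and the closing paragraph is one long sentence that is hard to scan. Suggest listing the two reasons as short bullets, replacing "scope/s" with "scopes", and capitalising "Azure Policy" consistently where the added text has "Azure policy".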