v5.0.0

Breaking changes

Strict subscription association no longer default

We have changed the default from true to false to better work with subscription vending.

Please see the module upgrade guide for more detail on this breaking change:
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v4.2.0-to-v5.0.0

What's Changed

• Docs: Fix documentation for recent policy updates by @jaredfholgate in #798
• Update Library Templates (automated) by @cae-pr-creator in #799
• Update ALZ Repo (Terraform) with Entra product names by @lachaves in #805
• docs: fix policy enforcement override example by @jaredfholgate in #808
• Bump actions/checkout from 3 to 4 by @dependabot in #807
• Bump tibdex/github-app-token from 1 to 2 by @dependabot in #813
• Add Routing Intent by @luke-taylor in #822
• Add Italy North and avoid casing issues by @jaredfholgate in #834
• Add support for user managed identity for policy assignments by @LaurentLesle in #806
• fix: revert user-assigned managed identity by @matt-FFFFFF in #844
• feat: strict subs no longer default by @matt-FFFFFF in #836
• Update dynamic overrides section for in and not_in by @MISO-mgriffin in #840
• fix: bug-vpn_client_config by @gogondi1 in #835
• Update Library Templates (automated) by @cae-pr-creator in #827
• Remove Basic SKU requirement on AzureFirewallManagementSubnet by @ryan-royals in #845
• Update Library Templates (automated) by @cae-pr-creator in #846

New Contributors

• @LaurentLesle made their first contribution in #806
• @MISO-mgriffin made their first contribution in #840
• @ryan-royals made their first contribution in #845
• @gogondi1 made their first contribution in #835

Full Changelog: v4.2.0...v5.0.0

v4.2.0

What's Changed

New policies and archetype updates from upstream + some bugs fixed.

• Add long region display names for backup DNS zones by @jtracey93 in #778
• Update Library Templates (automated) by @cae-pr-creator in #779
• bug-29716 by @pradorodriguez in #775
• feat: release 4.2.0 by @matt-FFFFFF in #782

New Contributors

• @pradorodriguez made their first contribution in #775

Full Changelog: v4.1.0...v4.2.0

v4.1.0

Summary

Policy definition updates and a number of fixes are the highlights of this release. Please see RELEASE.md.

Enhancements

• Update Library Templates (automated) by @cae-pr-creator in #739
• Update Library Templates (automated) by @cae-pr-creator in #704
• Update Library Templates (automated) by @cae-pr-creator in #739
• Microsoft defender for Cloud policy update by @steph409 in #709
• Feature Request - Update Policy Assignment Code to use parameters fro… by @rrnnrr in #725

Fixes

• fix: wiki broken link by @matt-FFFFFF in #767
• fix: #758 archetype config overrides conflicts by @matt-FFFFFF in #762
• fix: archetypesync by @matt-FFFFFF in #733
• Fix issue with SQL auditing policy casing by @jaredfholgate in #760
• fix: remove Character Limit of root_id and add additional regex for scope_id by @liamjvs in #754
• fix: #722 by @matt-FFFFFF in #738
• Bug: Duplicate Object Key Firewall PIP by @luke-taylor in #766
• fix: policy_assignment_es_deploy_log_analytics enforcementMode by @matt-FFFFFF in #741
• Bug 29784 - Policy Assignment Enforcement Mode from Upstream Policy Assignments by @jaredfholgate in #772

Documentation

• Update [User-Guide]-Upgrade-from-v3.3.0-to-v4.0.0.md by @cbezenco in #714
• Deploy with Zero Trust Networking Principles Guide by @brsteph in #745

Other

• FabricBot: Onboarding to GitOps.ResourceManagement because of FabricBot decommissioning by @microsoft-github-policy-service in #757

New Contributors

• @cbezenco made their first contribution in #714
• @brsteph made their first contribution in #745
• @rrnnrr made their first contribution in #725
• @microsoft-github-policy-service made their first contribution in #757

Full Changelog: v4.0.2...v4.1.0

v4.0.2

4.0.2 fix

• #700 allows longer naming for custom LZs
• #717 removed incorrect policy assignments from platform MG
• #713 bug where LA workspace id not passed to policy assignment

4.0.1 fix

• #699 idempotency issue with policy assignment parameter - thanks @jaredfholgate

v4.0.0 Key features

This is a big one, please refer to our upgrade guide

• Policy refresh - thanks @jaredfholgate
• Azure Firewall Basic - thanks @luke-taylor
• Policy definition group metadata - thanks @mofaizal
• Policy enforcement mode settable - thanks @steph409
• Container insights solution for Log Analytics - thanks @steph409

Breaking Changes

• Enforce-EncryptTransit definition parameter removal
• default_location variable now has no default value
• AzureRM provider version minimum raised to 3.54
• Service Map solution deployment default is now false

What's Changed

• Added [User Guide] Module Outputs to Wiki by @luke-taylor in #641
• feat: add container insights option by @steph409 in #671
• Add Azure Firewall Basic SKU Support by @luke-taylor in #677
• feat: disable service map and refactor by @matt-FFFFFF in #687
• Policy Definition Group #1271 by @mofaizal in #669
• lookup enforcement mode from overwrite config by @steph409 in #683
• feat!: remove default_location defaults by @matt-FFFFFF in #695
• Policy Refresh April 2023 by @jaredfholgate in #691

New Contributors

• @luke-taylor made their first contribution in #641
• @cae-pr-creator made their first contribution in #676
• @steph409 made their first contribution in #671
• @mofaizal made their first contribution in #669

Full Changelog: v3.3.0...v4.0.0

v4.0.1

4.0.1 fix

• #699 idempotency issue with policy assignment parameter - thanks @jaredfholgate

Key features

This is a big one, please refer to our upgrade guide

• Policy refresh - thanks @jaredfholgate
• Azure Firewall Basic - thanks @luke-taylor
• Policy definition group metadata - thanks @mofaizal
• Policy enforcement mode settable - thanks @steph409
• Container insights solution for Log Analytics - thanks @steph409

Breaking Changes

• Enforce-EncryptTransit definition parameter removal
• default_location variable now has no default value
• AzureRM provider version minimum raised to 3.54
• Service Map solution deployment default is now false

What's Changed

• Added [User Guide] Module Outputs to Wiki by @luke-taylor in #641
• feat: add container insights option by @steph409 in #671
• Add Azure Firewall Basic SKU Support by @luke-taylor in #677
• feat: disable service map and refactor by @matt-FFFFFF in #687
• Policy Definition Group #1271 by @mofaizal in #669
• lookup enforcement mode from overwrite config by @steph409 in #683
• feat!: remove default_location defaults by @matt-FFFFFF in #695
• Policy Refresh April 2023 by @jaredfholgate in #691

New Contributors

• @luke-taylor made their first contribution in #641
• @cae-pr-creator made their first contribution in #676
• @steph409 made their first contribution in #671
• @mofaizal made their first contribution in #669

Full Changelog: v3.3.0...v4.0.0

v4.0.0 Policy refresh

Key features

This is a big one, please refer to our upgrade guide

• Policy refresh - thanks @jaredfholgate
• Azure Firewall Basic - thanks @luke-taylor
• Policy definition group metadata - thanks @mofaizal
• Policy enforcement mode settable - thanks @steph409
• Container insights solution for Log Analytics - thanks @steph409

Breaking Changes

• Enforce-EncryptTransit definition parameter removal
• default_location variable now has no default value
• AzureRM provider version minimum raised to 3.54
• Service Map solution deployment default is now false

What's Changed

• Added [User Guide] Module Outputs to Wiki by @luke-taylor in #641
• feat: add container insights option by @steph409 in #671
• Add Azure Firewall Basic SKU Support by @luke-taylor in #677
• feat: disable service map and refactor by @matt-FFFFFF in #687
• Policy Definition Group #1271 by @mofaizal in #669
• lookup enforcement mode from overwrite config by @steph409 in #683
• feat!: remove default_location defaults by @matt-FFFFFF in #695
• Policy Refresh April 2023 by @jaredfholgate in #691

New Contributors

• @luke-taylor made their first contribution in #641
• @cae-pr-creator made their first contribution in #676
• @steph409 made their first contribution in #671
• @mofaizal made their first contribution in #669

Full Changelog: v3.3.0...v4.0.0

v3.3.0 Raise minimum azurerm version

Important

• ⚠️ To support a fix for #628, we have had to raise the minimum azurerm provider version to 3.35.0 (from 3.18.0)
• ⚠️ To support #603, we have had to include the azapi provider, this is open source and written and maintained by Microsoft in GitHub

New Features

• We now support diagnostic settings on management groups in #603, this will not be enabled by default (see deploy_diagnostics_for_mg variable)
• azurerm_firewall_policy resource now supports tags in #628

What's Changed

• Fix wiki links by @matt-FFFFFF in #629
• Azure Policy Policy Effect + Terraform Scenarios by @liamjvs in #631
• Diag settings mg by @lachaves in #603
• Support for default tags in azurerm_firewall_policy resource by @robertbrandso in #628
• fix: Broken links in Terraform Registry in release v3.2.0 #637 by @matt-FFFFFF in #638
• feat: release 3.3.0 by @matt-FFFFFF in #639

New Contributors

• @liamjvs made their first contribution in #631
• @robertbrandso made their first contribution in #628

Full Changelog: v3.2.0...v3.3.0

[v3.2.0] Thank you Kevin (& non-compliance messages)

Highlights

• #623 Fixes issues with policy deploy_diagnostocs_vpngw & deploy_diagnostics_website
• #601 and #621 Adds non-compliance messages for policy
• README is now automatically generated, removing the need for variable docs in the wiki

Thank you

Thank you to Kevin Rowlandson, this modules creator and principal maintainer. He has decided to pursue a career outside Microsoft and we wish him well and look forward to his continued involvement in the module.

What's Changed

• Update Library Templates (automated) by @github-actions in #581
• Update archetype_config_overrides description by @krowlandson in #591
• Update concurrency group logic by @krowlandson in #593
• Revert concurrency logic by @krowlandson in #594
• Update Library Templates (automated) by @github-actions in #598
• Update parameter merge logic by @krowlandson in #616
• Bump github.com/emicklei/go-restful from 2.15.0+incompatible to 2.16.0+incompatible in /tests/terratest by @dependabot in #617
• Updated references from docs.microsoft.com to learn.microsoft - Part 1 by @ElYusubov in #608
• Include optional non Compliance Messages for Policy Assignments by @jaredfholgate in #601
• Add ability to disable non-compliance messages and standardise variable naming by @jaredfholgate in #621
• Update Library Templates (automated) by @github-actions in #622
• Update [Examples]-Create-and-Assign-Custom-RBAC-Roles.md by @mbilalamjad in #623
• release 3.2.0 by @matt-FFFFFF in #624

New Contributors

• @dependabot made their first contribution in #617
• @ElYusubov made their first contribution in #608
• @jaredfholgate made their first contribution in #601
• @mbilalamjad made their first contribution in #623

Full Changelog: v3.1.2...v3.2.0

[v3.1.2] HOTFIX: Update VPN gateway defaults, and DNS logic

Overview

The v3.1.2 release includes an important update to the default values for azurerm_virtual_network_gateway resources.

New features

• Added logic to safely handle duplicate DNS zone values provided via the configure_connectivity_resources.settings.dns.config.public_dns_zones and configure_connectivity_resources.settings.dns.config.private_dns_zones inputs
• Updated default value for configure_connectivity_resources.settings.hub_networks.*.config.virtual_network_gateway.config.advanced_vpn_settings.vpn_client_configuration.*.vpn_client_protocols setting to null
• Updated default value for configure_connectivity_resources.settings.hub_networks.*.config.virtual_network_gateway.config.advanced_vpn_settings.vpn_client_configuration.*.vpn_auth_types setting to null
• Updated default value for configure_connectivity_resources.settings.hub_networks.*.config.virtual_network_gateway.config.advanced_vpn_settings.bgp_settings.*.peering_addresses.*.apipa_addresses setting to null

Fixed issues

• Fix 577 (duplicate key on private dns zones when upgrading Bug Report #577)

Breaking changes

n/a

Input variable changes

none

For more information

Full Changelog: v3.1.1...v3.1.2

[v3.1.1] HOTFIX: Add missing parameter to `Deploy-ASC-SecurityContacts`

Overview

The v3.1.1 release includes an important update to the Deploy-ASC-SecurityContacts Policy Definition to enable successful remediation.

New features

• Added missing minimalSeverity parameter to Deploy-ASC-SecurityContacts Policy Definition (with "defaultValue" = "high")

Fixed issues

• External issue Azure/Enterprise-Scale/issues/1162 (Policy definition Deploy-ASC-SecurityContacts missing parameter minimalSeverity in template definition #1162)

Breaking changes

n/a

Input variable changes

none

For more information

Full Changelog: v3.1.0...v3.1.1