Releases: Azure/terraform-azurerm-caf-enterprise-scale
[v3.1.0] Private DNS, virtual hub and Azure Monitor updates
Overview
The v3.1.0 release includes a number of updates as listed below. These focus primarily on private DNS zones for private endpoints, virtual hub, and Azure Monitor.
New features
- Added `privatelink.kubernetesconfiguration.azure.com` to list of private DNS zones for `azure_arc` private endpoints
- Added option to enable private DNS zone `privatelink.blob.core.windows.net` for Azure Managed Disks
- Added option to enable `internet_security_enabled` on `azurerm_virtual_hub_connection` resources for secure virtual hubs
- Added option to specify a list of virtual networks for linking to private DNS zones without association to a hub
- Added advanced option to specify existing resource group (by name) for Virtual WAN resources[^1]
- Added Wiki documentation and a working example showing how to segregate deployment of an Azure landing zone across multiple module instances for connectivity, management and core resources
- Added Wiki documentation for the `custom_policy_roles` input variable
- Added Wiki documentation for video guides relating to the module
- Added new settings for `azurerm_log_analytics_workspace` and `azurerm_automation_account` resources (via `advanced` input)
- Updated `Deploy-Diagnostics-LogAnalytics` policy set definition to use the latest built-in policy definitions for Azure Storage
- Updated parameters for the `Deploy-ASC-Monitoring` Policy Assignment
- Updated managed parameters set for the `Deploy-Private-DNS-Zones` Policy Assignment
- Updated logic for DNS zone virtual network links to prevent disabled hubs from being included
- Updated logic for hub virtual network mesh peering to prevent disabled hubs from being included
- Updated default values for `optional()` connectivity inputs
- Updated Wiki documentation to add new content to the FAQ page
- Removed the deprecated `ActivityLog` Azure Monitor solution
- Removed sensitive value filtering for Log Analytics workspace resources
- Removed location from `azureBatchPrivateDnsZoneId` parameter for `Deploy-Private-DNS-Zones` policy assignment
Fixed issues
- Fix #482 (Review and update private DNS zones for private endpoint #482)
- Fix #491 (Feature Request - vwan hub connections - Internet_Security_Enabled should be a variable. #491)
- Fix #492 (Feature Request - configure automation account in management subscription #492)
- Fix #528 (Validate parameters for Azure Security Benchmark in TF deployment #528)
- Fix #542 (Bug Report - enable_private_dns_zone_virtual_network_link_on_hubs = true failing on disabled hub #542)
- Fix #549 (Feature Request: Deploy private dns zones and link them to an existing vnet #549)
- Fix #552 (Feature Request: Multiple Hub scenario, 2 VWANS are getting deployed #552)
- Fix #553 (Remove Activity Log solution from Terraform RI #553)
- Fix #544 (Missing assignment parameter values for "Configure Azure PaaS services to use private DNS zones" #544)
- Fix #556 (Unexpected behaviour: Radius IP required when using AAD for VPN gateway #556)
- Close #176 (Create Wiki docs page - [Variables] custom_policy_roles #176)
- Close #378 (Feature Request - Pricing/costing estimates #378)
- Close #392 (Add documentation for deploying across multiple Terraform workspaces (Terraform state file segregation) #392)
- Close #499 (Bug Report Terraform plan fails due to sensitive values in azurerm_automation_account output #499)
- Close #567 (Feature Request - Videos to Assist Written Documentation #567)
Breaking changes
n/a
Input variable changes
The following non-breaking changes have been made to the input variables. Although these don't need to be changed for the module to work, please review to prevent unwanted resource changes and to remove code that is no longer required.
- Added `configure_connectivity_resources.settings.dns.config.enable_private_link_by_service.azure_managed_disks`
- Added `configure_connectivity_resources.settings.dns.config.virtual_network_resource_ids_to_link`
- Added `configure_connectivity_resources.settings.vwan_hub_networks.*.config.secure_spoke_virtual_network_resource_ids`
- Added `configure_connectivity_resources.advanced.existing_virtual_wan_resource_group_name`
- Removed `configure_management_resources.settings.log_analytics.config.enable_solution_for_azure_activity`
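The four added inputs listed above, wired into a single module call, as an added example that is not code from the module's release notes or Wiki. The key paths are the ones listed above; everything else is an assumption: the registry `source` string, the provider aliases and root inputs (following the module's documented call pattern), and the `enabled`, `address_prefix`, `location` and `enable_virtual_hub_connections` keys of the vWAN hub entry. All subscription IDs, resource IDs, address prefixes and names are constructed placeholders. Keys not shown keep the module defaults, which is what the `optional()` support introduced in v3.0.0 allows.

```hcl
# Added example, not code from the module's release notes or Wiki.
# Shows the four connectivity inputs added in v3.1.0 in one module call.
locals {
  # Constructed placeholder IDs; substitute the real virtual network IDs.
  secure_spoke_vnet_ids = [
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-spoke-app1/providers/Microsoft.Network/virtualNetworks/vnet-spoke-app1",
  ]
  # Virtual networks not associated with any hub that still need the
  # private DNS zone links (new in v3.1.0).
  standalone_vnet_ids = [
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-shared/providers/Microsoft.Network/virtualNetworks/vnet-shared-services",
  ]
}

module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm" # assumed registry source
  version = "3.1.0"

  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm
    azurerm.management   = azurerm
  }

  root_parent_id = "00000000-0000-0000-0000-000000000000" # constructed tenant ID
  root_id        = "contoso"                               # constructed
  root_name      = "Contoso"                               # constructed

  deploy_connectivity_resources = true
  subscription_id_connectivity  = "11111111-1111-1111-1111-111111111111" # constructed

  configure_connectivity_resources = {
    settings = {
      vwan_hub_networks = [
        {
          enabled = true # assumed key; only config.* is listed above
          config = {
            address_prefix                 = "10.200.0.0/22" # assumed key, constructed value
            location                       = "eastus"        # assumed key, constructed value
            enable_virtual_hub_connections = true            # assumed key
            # Spokes listed here get internet_security_enabled set on their
            # azurerm_virtual_hub_connection, so their internet traffic is
            # routed through the secure hub.
            secure_spoke_virtual_network_resource_ids = local.secure_spoke_vnet_ids
          }
        },
      ]
      dns = {
        config = {
          # Creates privatelink.blob.core.windows.net for Azure Managed Disks.
          enable_private_link_by_service = {
            azure_managed_disks = true
          }
          # Link the private DNS zones to VNets that have no hub association.
          virtual_network_resource_ids_to_link = local.standalone_vnet_ids
        }
      }
    }
    advanced = {
      # Place all Virtual WAN resources in an existing resource group (note 1).
      existing_virtual_wan_resource_group_name = "rg-vwan-shared" # constructed
    }
  }
}
```

Run `terraform plan` after adding these and read the output before applying: besides the new zone, links and hub connections, this release also changed the default values for `optional()` connectivity inputs and the logic that excludes disabled hubs from DNS zone links and mesh peering, so existing links may show changes that are expected but worth confirming.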
For more information
Full Changelog: v3.0.0...v3.1.0
[^1]: The ability to specify an existing resource group (by name) for Virtual WAN resources is to satisfy the preference of some customers to place all Virtual WAN resources in a single resource group, consistent with the Portal experience where this is a limitation.
[v3.0.0] Simplify inputs with `optional()` support and more
The v3.0.0 release marks an important update to the module, aimed primarily at reducing code changes needed when upgrading to latest releases. Previously, any change to the schema of input variables with complex object types would result in a breaking change if not updated in the customer code. This has been made possible with the GA release of `optional()` types in Terraform v1.3.0.
As a result of this change and the required fix for issue #31844, we have increased the minimum supported Terraform version to v1.3.1.
To support other changes (as listed below), we have also bumped the minimum supported `azurerm` provider version to v3.19.0.
New features
- Added documentation for how to set parameters for Policy Assignments
- Updated GitHub Super-Linter to `v4.9.7` for static code analysis
- Updated the list of private DNS zones created by the module for private endpoints
- Removed deprecated policies for Arc monitoring (now included within VM monitoring built-in initiative)
- Added ability to set `sql_redirect_allowed` and `tls_certificate` properties on Azure Firewall policies
- Updated logic for Azure Firewall public IPs to ensure correct availability zone mapping when only 2 zones are specified
- Added support for `optional()` types in input variables
- Updated policies with the latest fixes from the upstream Azure/Enterprise-Scale repository
- Updated tag evaluation for connectivity and management resources, so `default_tags` are now merged with scope-specific tags
- Updated the module upgrade guidance
- Updated `Deny-Public-IP` policy assignment to use the built-in policy for `Not allowed resource types`
Fixed issues
- Fix #445 (azurerm v4 compatibility)
- Fix #359 (Specifying parameters in policy assignment loses Log Analytics ID)
- Fix #186 (Policies incompatible with Terraform)
- Fix #444 (Error received when running custom network connectivity deployment)
- Fix #508 (Bug Report: Advanced VPN revoke_certifcate fails to apply)
- Fix #513 (Feature Request: Azure Firewall: Specify TLS Certificate Location in Azure Keyvault)
- Fix #447 (Azure Firewall - Availability Zones)
- Fix #524 (Missing private DNS zone for private endpoint - Azure Data Health Data Services)
- Fix #521 (Feature Request - ExpressRoute Gateway VPN_Type is Hardcoded, parameterise.)
Breaking changes
⚠️ Updated the minimum supported Terraform version to `0.15.1`
⚠️ Updated the minimum supported `azurerm` provider version to `3.0.2`
⚠️ Terraform will replace the `Deny-Public-IP` policy assignment, resulting in loss of compliance history
IMPORTANT: Please also carefully review the planned changes following an upgrade, as the introduction of `optional()` settings may result in unexpected changes from your current configuration where recommended new features are enabled by default.
For more information
Please refer to the Upgrade from v2.4.1 to v3.0.0 page on our Wiki.
Full Changelog: v2.4.1...v3.0.0
[v2.4.1] Add diagnostic category for Azure Firewall
What's Changed
This release includes an update to the `Deploy-Diagnostics-Firewall` Policy Definition, adding a new category to capture `AZFWFatFlow` logs for Azure Firewall resources.
This fixes a corresponding issue raised on the upstream Enterprise-Scale repository.
Full Changelog: v2.4.0...v2.4.1
[v2.4.0] Update subnet creation logic and add linked automation account region mapping
What's Changed
This release contains a number of changes relating to the functionality of this module.
- Updated logic controlling whether to create `GatewaySubnet` and `AzureFirewallSubnet` subnets to fix #450
- Added new logic to automatically map the supported location for linked Automation Accounts when deploying to `East US` or `East US 2` regions to fix #449
- Replaced more `try()` functions with `lookup()` as part of working towards #227
- Updated custom policies to include new ALZ-specific metadata
- Updated the deployment names in `Deploy-VNET-HubSpoke` policy definition
Breaking changes
- The fix for #450 may result in previously created subnets being removed. This will only be an issue if you have deployed resources into these subnets outside of this module. To ensure these subnets are created without creating any additional new resources, please use the subnets entry to add these back into your configuration as needed.
- The fix for #449 may result in the module wanting to re-create the Automation Account in the "correct" new region. This is only needed if you want to use any of Update Management, Change Tracking or Inventory solutions in Azure Monitor. If you are happy to continue using the previous region, you can override this change by adding the following configuration in the `configure_connectivity_resources` input variable:

```hcl
# Pins the linked Automation Account to its previous region, overriding the
# automatic East US / East US 2 mapping introduced by the fix for #449.
# The override lives under the module's configure_management_resources input
# (the Automation Account is a management resource).
configure_management_resources = {
  # other settings removed for brevity
  advanced = {
    custom_settings_by_resource_type = {
      azurerm_automation_account = {
        management = {
          location = "eastus"
        }
      }
    }
  }
}
```
Full Changelog: v2.3.1...v2.4.0
[v2.3.1] New region support for Azure Backup private DNS zones
What's Changed
- Added geo codes for new regions (used for generating private DNS zones for Azure Backup)
Full Changelog: v2.3.0...v2.3.1
[v2.3.0] Policy updates
This release is focused on adding the latest policy updates from the upstream Azure/Enterprise-Scale repository.
What's Changed
- Multiple policy definition updates:
  - Update `Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess` mode from `Indexed` to `All`
  - Add `WebSocketConnectionLogs` category to diagnostic settings in the DINE template for `Deploy-Diagnostics-APIMgmt`
  - Add new `Deploy-Diagnostics-AVDScalingPlans` policy definition
  - Add new `Deploy-Diagnostics-Bastion` policy definition
  - Add multiple new log categories for the `Deploy-Diagnostics-Firewall` policy definition to fix policy compliance issue
  - Add multiple new log categories and modified metrics for the `Deploy-Diagnostics-MlWorkspace` policy definition to fix policy compliance issue
  - Update `displayName` and `description` for `Deploy-Diagnostics-WVDAppGroup` policy definition to reflect rebranding from `WVD` to `AVD`
  - Update `displayName` and `description` for `Deploy-Diagnostics-WVDHostPools` policy definition to reflect rebranding from `WVD` to `AVD`
  - Add multiple new log categories for the `Deploy-Diagnostics-WVDHostPools` policy definition to fix policy compliance issue
  - Multiple fixes for `Deploy-Storage-sslEnforcement` policy definition
- Update `Deploy-Diagnostics-LogAnalytics` policy set definition to reflect diagnostics policy changes listed above
Full Changelog: v2.2.0...v2.3.0
[v2.2.0] Management group subscription association and hub network peering
This release adds two new requested features. The first allows the module to not manage the complete subscription membership list for each management group. This allows you to use external systems to add subscriptions to management groups without them being removed by this module.
The second feature is the ability to peer hub networks. There is a new parameter for each hub network that will allow you to create bi-directional network peerings for enabled hub networks.
What's Changed
- feat: add support for relaxed mg sub association by @matt-FFFFFF in #427
- feat!: implement hub network mesh peering by @matt-FFFFFF in #429
NOTE: BREAKING CHANGE
If you are deploying hub virtual networks using the module, please note the new configuration variable `enable_hub_network_mesh_peering`. See the wiki for details.
NOTE: NON-IDEMPOTENCY
When switching `strict_subscription_association` from true to false. See wiki.
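Both v2.2.0 inputs in one module call, as an added example that is not code from the release notes or Wiki. It is written against a v3.x module call, where the `optional()` support added in v3.0.0 lets partial objects be passed; on v2.2.0 itself the complete object schema had to be supplied. `strict_subscription_association` is treated as a top-level input, and `enable_hub_network_mesh_peering` is placed under each hub's `config` following the note's "new parameter for each hub network"; both placements, the registry `source`, the provider aliases and root inputs are assumptions, and every ID, address space and name is a constructed placeholder.

```hcl
# Added example, not code from the module's release notes or Wiki.
module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm" # assumed registry source
  version = "~> 3.0"

  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm
    azurerm.management   = azurerm
  }

  root_parent_id = "00000000-0000-0000-0000-000000000000" # constructed tenant ID
  root_id        = "contoso"                               # constructed
  root_name      = "Contoso"                               # constructed

  # Relaxed association: subscriptions that an external system (for example a
  # subscription vending process) places into a management group are no longer
  # removed by this module. Switching this from true to false is the
  # non-idempotent step the note above refers to, so review the plan of the
  # first apply after the change.
  strict_subscription_association = false

  deploy_connectivity_resources = true
  subscription_id_connectivity  = "11111111-1111-1111-1111-111111111111" # constructed

  configure_connectivity_resources = {
    settings = {
      hub_networks = [
        {
          enabled = true
          config = {
            address_space                   = ["10.100.0.0/16"] # constructed
            location                        = "eastus"          # constructed
            enable_hub_network_mesh_peering = true # assumed key path under config
          }
        },
        {
          enabled = true
          config = {
            address_space                   = ["10.101.0.0/16"] # constructed
            location                        = "westeurope"      # constructed
            enable_hub_network_mesh_peering = true
          }
        },
        {
          # A disabled hub is left out of the mesh (see the v3.1.0 update above).
          enabled = false
          config = {
            address_space                   = ["10.102.0.0/16"] # constructed
            location                        = "northeurope"     # constructed
            enable_hub_network_mesh_peering = true
          }
        },
      ]
    }
  }
}
```

With the two enabled hubs above the module creates a peering in each direction between them; each further enabled hub adds peerings to and from every existing enabled hub, so the number of peering resources grows with the square of the enabled hub count, which is worth keeping in mind when reading the plan.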
Full Changelog: v2.1.2...v2.2.0
[v2.1.2] Hotfix for regional private endpoint DNS zones
This PR includes an important hotfix for the regional private endpoint DNS zones to ensure the correct zones are created for the following services:
- azure_backup
- azure_site_recovery
IMPORTANT:
Please note that this hotfix may result in the removal of existing (invalid) DNS zones, and addition of new (correctly configured) DNS zones.
If you would like to keep the existing DNS zones, these can be added to your configuration using the configure_connectivity_resources.settings.dns.config.private_dns_zones input variable.
What's Changed
- Fix `configure_management_resources` value in Wiki example by @krowlandson in #422
- Patch regional private endpoint DNS zones by @krowlandson in #423
- Update docs for release `v2.1.2` by @krowlandson in #424
Full Changelog: v2.1.1...v2.1.2
[v2.1.1] Hotfix for `custom_landing_zones`
What's Changed
This PR includes the following updates:
- Wiki updates by @krowlandson in #399
- Feature Request - Custom Setting Support for vnet peerings by @matt-FFFFFF in #401
- Add option to add identity block to an Automation Account by @matt-FFFFFF in #407
- Update Wiki docs for `vwan` by @krowlandson in #414
- Update validation for `custom_landing_zones` by @krowlandson in #416
- Update for release `v2.1.1` by @krowlandson in #417
These are being bundled in a patch release as they are all no-impact changes to existing users of the module.
Full Changelog: v2.1.0...v2.1.1
[v2.1.0] Add Azure Monitor Solutions
What's changed?
The v2.1.0 release provides an update to the management resources, adding two new Azure Monitor solutions for SQL.
Additional changes are covered below:
New features
- Added two new Azure Monitor solutions for SQL:
- SQLVulnerabilityAssessment
- SQLAdvancedThreatProtection
- Added Wiki documentation for managing RBAC roles
- Updated `code-review` workflow to improve code quality through more comprehensive static code analysis
Fixed issues
- Fix #387 (Add 2 Required Log Analytics Solutions for SQL Assessments for MDFC)
- Fix #362 (Update `policy_definition_es_deny_storage_mintls.json`)
- Fix #384 (Incorrect bgp_settings value on azurerm_virtual_network_gateway.connectivity resource)
Breaking changes
⚠️ To address #387 whilst putting the customer in control of whether these are deployed, we have added two new inputs to the `configure_management_resources` input variable. Customers using this input must update their code to reflect these changes. For more information, please refer to the following: