v6.0.0

Overview/Summary

This will be in the next major release, following the update of Azure Landing Zones with it's major policy refresh and move to Azure Monitoring Agent from Microsoft Monitoring Agent.

See the AMA blog.

Incorporates the following changes from upstream

1. Policy refresh H2 FY24
2. AMA Updates

Changes from our awesome community

1. #918 (thanks @chrsundermann!)
2. #925 (thanks @nyanhp!)
3. #952 (thanks @Keetika-Yogendra!)

‼️ Breaking Changes

1. Minimum AzureRM provider version now 3.107.0
2. Minimum AzAPI provider version now 1.13.1
3. Minimum Terraform version now 1.7.0
4. Minimum AzAPI verison now 1.13.1
5. var.configure_management_resources schema change, removing legacy components and adding support for AMA resources

Upgrade guide

https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v5.2.1-to-v6.0.0

Acknowledgements

Thanks to:

• @JamesDLD for providing a helpful contribution for the DCRs
• @jaredfholgate for the policy sync process work and code review
• @arjenhuitema for his awesome work on the AMA design
• @Springstone for an awesome policy refresh effort
• @jtracey93 for his technical assurance and oversight

v5.2.1

Patch Release

This patch release includes an update to resolve the bug raised in #794.

What's Changed

The issue relates to the managed identity created as part of policy assignment deploy-private-dns-zones not having adequate permissions to add/update Host A records within the private DNS zone in the connectivity subscription. This change adds a role assignment for the policy MI principal ID with Private DNS Zone Contributor to the connectivity management group.

• updates to resolve issue #794 by @ATuckwell in #919

New Contributors

@ATuckwell made their first contribution in #919

Full Changelog: v5.2.0...v5.2.1

v5.2.0

Minor version release

This release is a minor version release.

Breaking Changes

Since pushing this release we discovered a breaking change for some users. The threat_intelligence_allowlist variable has change from list to map type. The default empty value in our examples should now be {}. If you are using this variable, you will need to update to the new data structure.

More details here: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v5.1.0-to-v5.2.0

What's Changed

• chore(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /tests/terratest by @dependabot in #899
• fix: threat_intelligence_allowlist by @matt-FFFFFF in #907
• fix(outputs): set Log Analytics workspaces and Automation Accounts as senstive outputs by @Laudenlaruto in #901
• Add support for user managed identity for policy assignments (re-submission) by @LaurentLesle in #867
• fix: updating Private DNS Zone resource ID from dnszones to dnsZones by @tobiasehlert in #910
• feat(connectivity): Add option to set allow_non_virtual_wan_traffic in express route gateway. by @Slapper in #914

New Contributors

• @Laudenlaruto made their first contribution in #901
• @tobiasehlert made their first contribution in #910
• @Slapper made their first contribution in #914

Full Changelog: v5.1.0...v5.2.0

v5.1.0

What's Changed

• feat(connectivity): custom Settings for Virtual Hub connection names by @birdnathan in #885

New Contributors

• @birdnathan made their first contribution in #885

Full Changelog: v5.0.3...v5.1.0

v5.0.3

What's Changed

• Fix routing intent deployment issue in virtual wan by @LaurentLesle in #870

Full Changelog: v5.0.2...v5.0.3

v5.0.2

What's Changed

• Fix: DNS Proxy Removal on FW whilst Upgrading by @luke-taylor in #859

Full Changelog: v5.0.1...v5.0.2

v5.0.1

What's Changed

• fix: #855 by @matt-FFFFFF in #857

Full Changelog: v5.0.0...v5.0.1

v5.0.0

Breaking changes

Strict subscription association no longer default

We have changed the default from true to false to better work with subscription vending.

Please see the module upgrade guide for more detail on this breaking change:
https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v4.2.0-to-v5.0.0

What's Changed

• Docs: Fix documentation for recent policy updates by @jaredfholgate in #798
• Update Library Templates (automated) by @cae-pr-creator in #799
• Update ALZ Repo (Terraform) with Entra product names by @lachaves in #805
• docs: fix policy enforcement override example by @jaredfholgate in #808
• Bump actions/checkout from 3 to 4 by @dependabot in #807
• Bump tibdex/github-app-token from 1 to 2 by @dependabot in #813
• Add Routing Intent by @luke-taylor in #822
• Add Italy North and avoid casing issues by @jaredfholgate in #834
• Add support for user managed identity for policy assignments by @LaurentLesle in #806
• fix: revert user-assigned managed identity by @matt-FFFFFF in #844
• feat: strict subs no longer default by @matt-FFFFFF in #836
• Update dynamic overrides section for in and not_in by @MISO-mgriffin in #840
• fix: bug-vpn_client_config by @gogondi1 in #835
• Update Library Templates (automated) by @cae-pr-creator in #827
• Remove Basic SKU requirement on AzureFirewallManagementSubnet by @ryan-royals in #845
• Update Library Templates (automated) by @cae-pr-creator in #846

New Contributors

• @LaurentLesle made their first contribution in #806
• @MISO-mgriffin made their first contribution in #840
• @ryan-royals made their first contribution in #845
• @gogondi1 made their first contribution in #835

Full Changelog: v4.2.0...v5.0.0

v4.2.0

What's Changed

New policies and archetype updates from upstream + some bugs fixed.

• Add long region display names for backup DNS zones by @jtracey93 in #778
• Update Library Templates (automated) by @cae-pr-creator in #779
• bug-29716 by @pradorodriguez in #775
• feat: release 4.2.0 by @matt-FFFFFF in #782

New Contributors

• @pradorodriguez made their first contribution in #775

Full Changelog: v4.1.0...v4.2.0

v4.1.0

Summary

Policy definition updates and a number of fixes are the highlights of this release. Please see RELEASE.md.

Enhancements

• Update Library Templates (automated) by @cae-pr-creator in #739
• Update Library Templates (automated) by @cae-pr-creator in #704
• Update Library Templates (automated) by @cae-pr-creator in #739
• Microsoft defender for Cloud policy update by @steph409 in #709
• Feature Request - Update Policy Assignment Code to use parameters fro… by @rrnnrr in #725

Fixes

• fix: wiki broken link by @matt-FFFFFF in #767
• fix: #758 archetype config overrides conflicts by @matt-FFFFFF in #762
• fix: archetypesync by @matt-FFFFFF in #733
• Fix issue with SQL auditing policy casing by @jaredfholgate in #760
• fix: remove Character Limit of root_id and add additional regex for scope_id by @liamjvs in #754
• fix: #722 by @matt-FFFFFF in #738
• Bug: Duplicate Object Key Firewall PIP by @luke-taylor in #766
• fix: policy_assignment_es_deploy_log_analytics enforcementMode by @matt-FFFFFF in #741
• Bug 29784 - Policy Assignment Enforcement Mode from Upstream Policy Assignments by @jaredfholgate in #772

Documentation

• Update [User-Guide]-Upgrade-from-v3.3.0-to-v4.0.0.md by @cbezenco in #714
• Deploy with Zero Trust Networking Principles Guide by @brsteph in #745

Other

• FabricBot: Onboarding to GitOps.ResourceManagement because of FabricBot decommissioning by @microsoft-github-policy-service in #757

New Contributors

• @cbezenco made their first contribution in #714
• @brsteph made their first contribution in #745
• @rrnnrr made their first contribution in #725
• @microsoft-github-policy-service made their first contribution in #757

Full Changelog: v4.0.2...v4.1.0