Releases: Azure/ALZ-Bicep
v0.13.0
Summary
Our first release of 2023 (apologies), but we have been busy at work and are pleased to share a lot of great updates with you all 🥳
Highlights
- Added support to create Role Assignments at the Resource Group scope in #434
- Added support to create a Managed Identity for the Automation Account in #433
- Updated various API versions in various modules
- Added a flag parameter to set the Policy Assignment Enforcement Mode to `Default` or `DoNotEnforce` in the `alzDefaultPolicyAssignments.bicep` module, so you can set this for all Policy Assignments en masse, in #453
- Added multiple new features to the Virtual WAN module in #456
- Added support for multiple Virtual Hubs in a single Virtual WAN
- Added support for setting Virtual Hub Routing Preference
- Added support for setting Virtual Hub Capacity/Routing Infrastructure Units
- Added deny-all NSG rules at priority 4096 (the lowest custom priority, so they are evaluated after every other custom rule but before the platform default rules) for inbound and outbound flows on the Azure Bastion Subnet NSG: any source to any destination on any port, in #455
- Added parameter to set RDP/SSH ports in NSG rules for outbound flows from Azure Bastion Subnet in #455
- Added parameter to allow capability to specify Management Group suffix on all IDs in #462
- Updated Azure Policy definitions from upstream from Azure/Enterprise-Scale repo in #459
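To show what the two Bastion NSG highlights above amount to in practice, here is an added example (not ALZ-Bicep's own module code) of a Bastion subnet NSG that ends with explicit deny-all rules at priority 4096 in both directions and takes the outbound SSH/RDP ports as a parameter. The allow rules follow Azure Bastion's documented subnet requirements; the rule names, the NSG name and the parameter name are this example's own choices, not the project's.

```bicep
// Added example, not ALZ-Bicep's own code. Rule/NSG/parameter names are
// this example's choices; allow rules follow Azure Bastion's documented needs.
targetScope = 'resourceGroup'

param parLocation string = resourceGroup().location
param parBastionNsgName string = 'nsg-AzureBastionSubnet'

@description('Ports Bastion may open to target VMs in the VNet. Change only if VMs listen for SSH/RDP on non-default ports.')
param parBastionOutboundSshRdpPorts array = ['22', '3389']

// Priority 4096 is the lowest (last-evaluated) custom priority. Without the two
// Deny rules, traffic that no Allow rule matches falls through to the platform
// defaults (AllowVnetInBound/AllowVnetOutBound at 65000, AllowInternetOutBound
// at 65001), which would let the Bastion subnet reach any VNet address or the
// Internet. An explicit deny at 4096 closes that gap.
var varRules = [
  // Inbound
  { name: 'AllowHttpsInbound', dir: 'Inbound', access: 'Allow', src: 'Internet', dst: '*', ports: ['443'], prio: 120 }
  { name: 'AllowGatewayManagerInbound', dir: 'Inbound', access: 'Allow', src: 'GatewayManager', dst: '*', ports: ['443'], prio: 130 }
  { name: 'AllowAzureLoadBalancerInbound', dir: 'Inbound', access: 'Allow', src: 'AzureLoadBalancer', dst: '*', ports: ['443'], prio: 140 }
  { name: 'AllowBastionHostCommunicationInbound', dir: 'Inbound', access: 'Allow', src: 'VirtualNetwork', dst: 'VirtualNetwork', ports: ['8080', '5701'], prio: 150 }
  { name: 'DenyAllInbound', dir: 'Inbound', access: 'Deny', src: '*', dst: '*', ports: ['*'], prio: 4096 }
  // Outbound
  { name: 'AllowSshRdpOutbound', dir: 'Outbound', access: 'Allow', src: '*', dst: 'VirtualNetwork', ports: parBastionOutboundSshRdpPorts, prio: 100 }
  { name: 'AllowAzureCloudOutbound', dir: 'Outbound', access: 'Allow', src: '*', dst: 'AzureCloud', ports: ['443'], prio: 110 }
  { name: 'AllowBastionHostCommunicationOutbound', dir: 'Outbound', access: 'Allow', src: 'VirtualNetwork', dst: 'VirtualNetwork', ports: ['8080', '5701'], prio: 120 }
  { name: 'AllowGetSessionInformationOutbound', dir: 'Outbound', access: 'Allow', src: '*', dst: 'Internet', ports: ['80'], prio: 130 }
  { name: 'DenyAllOutbound', dir: 'Outbound', access: 'Deny', src: '*', dst: '*', ports: ['*'], prio: 4096 }
]

resource resBastionNsg 'Microsoft.Network/networkSecurityGroups@2022-07-01' = {
  name: parBastionNsgName
  location: parLocation
  properties: {
    securityRules: [for rule in varRules: {
      name: rule.name
      properties: {
        priority: rule.prio
        direction: rule.dir
        access: rule.access
        // Deny rules cover every protocol; the Bastion allow rules are TCP only.
        protocol: rule.access == 'Deny' ? '*' : 'Tcp'
        sourceAddressPrefix: rule.src
        sourcePortRange: '*'
        destinationAddressPrefix: rule.dst
        // A single port (or '*') uses destinationPortRange; a list uses destinationPortRanges.
        // Null-valued properties are omitted from the compiled template.
        destinationPortRange: length(rule.ports) == 1 ? rule.ports[0] : null
        destinationPortRanges: length(rule.ports) > 1 ? rule.ports : null
      }
    }]
  }
}

output outBastionNsgId string = resBastionNsg.id
```

The check worth running after deploying such an NSG is to confirm the Bastion host still provisions and can open a session: if any of the documented allow rules is missing, the 4096 deny rules now block it where the platform defaults previously let it through silently.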
Policy Changes
Information on policy changes can be found in the Whats New Wiki Page in the Azure/Enterprise-Scale repo
Breaking Changes
1. In #456 we added a new parameter, `parVirtualWanHubs`, to the `vwanConnectivity.bicep` module to allow multiple Virtual WAN Hubs to be deployed in a single Virtual WAN. You should review the documentation for the `parVirtualWanHubs` parameter and ensure you set the value correctly in the parameters file as linked here.
2. We also removed the following parameters; they have moved to become keys inside the array of objects in the `parVirtualWanHubs` parameter, so please update your parameter files:
   - `parVirtualHubAddressPrefix`
   - `parVpnGatewayEnabled`
   - `parExpressRouteGatewayEnabled`
   - `parAzFirewallEnabled`
3. In the following parameters we amended the default values to remove the `-${parLocation}` suffix. The location is still appended as a suffix to each of the associated resources, but it is now taken from the `parHubLocation` key of each object in `parVirtualWanHubs`:
   - `parVpnGatewayName`
   - `parExpressRouteGatewayName`
   - `parAzFirewallName`
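As an added illustration of the parameter shape described in the breaking changes above (this is example code, not the project's own module or parameter file), the following Bicep calls `vwanConnectivity.bicep` with two hubs in one Virtual WAN. It assumes the object keys reuse the removed parameter names listed above plus `parHubLocation`, that the module path shown is where the module lives in your repo, and that every other module parameter keeps its default.

```bicep
// Added example, not ALZ-Bicep's own code. Assumed: object keys reuse the
// removed top-level parameter names plus parHubLocation; module path is illustrative.
targetScope = 'resourceGroup'

param parLocation string = resourceGroup().location
param parSecondaryLocation string = 'westeurope'

module modVwanConnectivity '../modules/vwanConnectivity/vwanConnectivity.bicep' = {
  name: 'deploy-vwan-connectivity'
  params: {
    parLocation: parLocation
    // Before v0.13.0 these settings were four separate parameters and could
    // describe only one hub. Each object now describes one hub, and the
    // location suffix on gateway/firewall names comes from parHubLocation.
    parVirtualWanHubs: [
      {
        parHubLocation: parLocation
        parVirtualHubAddressPrefix: '10.100.0.0/23'
        parVpnGatewayEnabled: true
        parExpressRouteGatewayEnabled: true
        parAzFirewallEnabled: true
      }
      {
        // Second hub in the same Virtual WAN: firewall only, no VPN/ER gateways.
        parHubLocation: parSecondaryLocation
        parVirtualHubAddressPrefix: '10.101.0.0/23'
        parVpnGatewayEnabled: false
        parExpressRouteGatewayEnabled: false
        parAzFirewallEnabled: true
      }
    ]
  }
}
```

Because the hub objects are positional in an array, a parameters file that still carries the old top-level keys will fail validation rather than silently deploy a single hub, so run a what-if deployment after migrating the file and confirm the expected number of hubs appears.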
Not technically breaking changes (but some action may be required)
- In #415 we removed a deprecated Activity Log Solution from the Log Analytics Workspace module
- You may choose to remove/uninstall the solution from the Log Analytics Workspace; the new built-in workbook can be used instead, as detailed here
What's Changed
- Add is it maintained badges by @jtracey93 in #418
- Removed Solution Activity Log from LAW by @lachaves in #415
- Issue #410 - Remove default values from parameter descriptions by @JamJarchitect in #421
- Issue #416 - Link description in policy definitions for China by @JamJarchitect in #419
- Bug: Generated Values in _policyAssignmentsBicepInput.txt are incorrect by @mbrat2005 in #427
- feat: Added role assignment support for RGs by @DaFitRobsta in #434
- Consistent punctuation and small typos by @bartlannoeye in #437
- added parAutomationAccountUseManagedIdentity parameter by @mbrat2005 in #433
- Update containerRegistry API version by @bartlannoeye in #440
- Updated references in the documents from docs.microsoft.com - to learn by @ElYusubov in #447
- Feature/param do not enforce default policies by @mbrat2005 in #453
- Add info to wiki to manually create docs by @jtracey93 in #460
- Add workflow for daily (weekday) Bicep Build & Issue Create if failure & Bump PSRule Version & Baseline by @jtracey93 in #461
- Update DeploymentFlow.md by @baartch in #463
- Adding deny all rule to Azure Bastion nsg by @sid2305 in #455
- CaseSensitiveDeploymentParameterNamesFound by @sangling in #457
- SSH/RDP rule name change by @sid2305 in #464
- Update Policy Library (automated) by @cae-pr-creator in #459
- Added Management Group Suffix Parameter parTopLevelManagementGroupSuffix by @mbrat2005 in #462
- Add support to deploy an additional VWAN hub to an existing Virtual WAN by @aarunraaj in #456
New Contributors
A huge thanks to all new contributors and we welcome many more contributions in the future 😎
- @mbrat2005 made their first contribution in #427
- @bartlannoeye made their first contribution in #437
- @ElYusubov made their first contribution in #447
- @baartch made their first contribution in #463
- @sid2305 made their first contribution in #455
- @sangling made their first contribution in #457
- @cae-pr-creator made their first contribution in #459
- @aarunraaj made their first contribution in #456
Full Changelog: v0.12.0...v0.13.0
v0.12.0
Summary
This release brings mainly lots of goodness in the Azure Policy space, as well as improved testing thanks to PSRule for Azure, updated Private DNS Zones for Private Link in the Private DNS Zones module, and finally module docs that are now generated programmatically, so you only need to update a `.bicep` module and the docs get generated as part of your PR 🥳
Policy Changes
- Converted the `Deny-Public-IP` assignment to a new assignment using the built-in policy called `Deny-Public-IP-Addresses`, as detailed in #398 & #386
- Added a new default assignment of `Deploy-Private-DNS-Zones` to the `corp` MG, fixing #137 and bringing assignments into alignment across all ALZ implementation options (portal and Terraform)
- Removed the assignment of `Deny-Public-IP` in default assignments from `corp` to bring assignments into alignment across all ALZ implementation options (portal and Terraform)
Breaking Changes
Nothing technically breaking; however, you will need to remove the old `Deny-Public-IP` policy assignments from the `corp` and `identity` Management Groups and re-run/deploy `alzDefaultPolicyAssignments.bicep`. This will re-create the assignment on the `identity` Management Group using the built-in definition instead of the custom one.
More on this process and instructions can be found here: How to migrate ALZ custom policies to Azure built-in policies
What's Changed
- 16989: Add bicep sample code by @khushal08 in #355
- Fix #388 - Incorrect variable reference by @oZakari in #390
- Fixed documentation on parLandingZoneMgChildren parameter description… by @lachaves in #394
- Replaced DDoS Standard with DDoS Network Protection by @lachaves in #396
- Resolve #386 & #330 by @jtracey93 in #398
- ALZ Bicep - Generate Markdown for Parameters by @JamJarchitect in #304
- Update Policy Library (automated) by @github-actions in #400
- Update Private DNS Zones by @jtracey93 in #403
- Change conditional source - Fix #406 by @jtracey93 in #407
New Contributors
- @khushal08 made their first contribution in #355
- @oZakari made their first contribution in #390
Full Changelog: v0.11.0...v0.12.0
v0.11.0
Summary
This release does bring a couple of slight "breaking changes" (see the section below for details); aside from these, there are a few key call-outs to note:
- Updates around PowerShell & CLI deployment snippets from @JamJarchitect in #312
- Add support for Policy Set Definitions (Initiatives) Groups thanks to @vedagudipati in #364
- Fix issues with Azure Policies for China (Mooncake) thanks to @jtracey93 in #377 #378 #369
- Various documentation enhancements from @jfaurskov @johnlokerse @coolhome
- Changed `mgDiagSettingsAll.bicep` to be targeted to Management Groups instead of Tenant level deployment thanks to @lachaves in #372
- Fix bug with uniqueness of custom role definition GUIDs and names that is required when deploying multiple ALZs in the same tenant, for scenarios like canary, thanks to @DaFitRobsta in #379
Breaking Changes
As mentioned above there are a couple of "slight" breaking changes that are introduced with this release.
Breaking Change 1 - `mgDiagSettingsAll.bicep` deployment scope change from Tenant to Management Group
This change was made based on customer feedback in #338 around using least-privileged access: a Tenant-scoped deployment needs deployment rights at the tenant root scope, whereas a Management Group-scoped deployment only needs rights on the Management Group being targeted. We agreed this was valid and the right thing to do, hence the change.
Handling this change is as simple as changing the deployment scope from Tenant to Management Group, e.g. from `New-AzTenantDeployment` to `New-AzManagementGroupDeployment`. The module README documents the commands to use for PowerShell or Az CLI.
Breaking Change 2 - `customRoleDefinitions.bicep` now has more unique GUIDs and Role Names based on Management Group ID/Name
This change was reported as a bug in #362: if you followed our canary guidance you would not have been able to create the custom role definitions in each of the Management Group hierarchies, because the GUIDs and names for the custom role definitions were not based on the Management Group ID/Name they were being deployed to.
We have now changed this so they are based on the Management Group ID/Name so they can be deployed across as many Management Group hierarchies in the same AAD Tenant 👍
What is the breaking change?
If you redeploy the latest version of `customRoleDefinitions.bicep` you will get a set of new roles based on the new GUID and Name uniqueness, which is derived from the Management Group ID/Name you deploy them to, as detailed in the module README.
So, this will not break anything, but it will just create a duplicate set of role definitions on your Management Group.
You should look to migrate all assignments of the old custom role definitions to the newly created ones, in this release, to ensure you can adopt scenarios like canary later on in your ALZ journey 👍
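Added example (not the project's `customRoleDefinitions.bicep`) of the technique the breaking change above describes: a custom role definition whose GUID and display name are seeded from the Management Group it is deployed to, so the same template can be deployed into a second hierarchy (a canary tree) without colliding with the first. The role name and the permissions below are placeholders chosen for this example.

```bicep
// Added example, not ALZ-Bicep's own code. Role name and permissions are placeholders.
targetScope = 'managementGroup'

@description('Short role name; the Management Group ID is prefixed so roleName stays unique across hierarchies.')
param parRoleName string = 'Subscription-Network-Reader'

var varMgId = managementGroup().name
var varMgScope = tenantResourceId('Microsoft.Management/managementGroups', varMgId)

// Custom role definition IDs (the GUID used as the resource name) and roleName
// values are tenant-wide. Seeding the GUID only from the role name, e.g.
// guid(parRoleName), yields the same GUID in every hierarchy, so a second
// deployment collides with the first. Including the MG ID in the seed gives a
// different, still deterministic, GUID per hierarchy, so redeploying to the
// same MG is idempotent and deploying to another MG creates a distinct role.
resource resRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
  name: guid(varMgId, parRoleName)
  properties: {
    roleName: '[${varMgId}] ${parRoleName}'
    description: 'Read-only view of networking resources (placeholder permissions).'
    type: 'customRole'
    permissions: [
      {
        actions: [
          'Microsoft.Network/*/read'
          'Microsoft.Resources/subscriptions/resourceGroups/read'
        ]
        notActions: []
      }
    ]
    // Restrict assignability to this hierarchy: the role cannot be assigned
    // outside the MG tree it was created for.
    assignableScopes: [
      varMgScope
    ]
  }
}

output outRoleDefinitionId string = resRoleDefinition.id
```

When migrating, list role assignments that reference the old definition IDs before deleting those definitions; a role definition with live assignments cannot be removed, and deleting assignments first leaves a window where the principals have no rights.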
What's Changed
- Azure China Cloud - Policy Refactoring by @JamJarchitect in #351
- Update Policy Library for Azure China (automated) by @github-actions in #352
- Fix bicep example for parLandingZoneMgChildren by @coolhome in #353
- Updated markdowns to correspond with the Bicep files by @johnlokerse in #331
- Update Policy Library for Azure China (automated) by @github-actions in #361
- Update Policy Library (automated) by @github-actions in #360
- Support for groups as part of policy Initiatives by @vedagudipati in #364
- Update Policy Library (automated) by @github-actions in #366
- Add metadata filtering to China `.github/scripts/Invoke-PolicyToBicep-China.ps1` by @jtracey93 in #369
- Guidance Update - Policies to Built-In by @jfaurskov in #363
- Response to FRs - Issues #267 and #290 - POC in RG Name and Deployment Snippets by @JamJarchitect in #312
- Change deployment scope for MG Diagnostics #338 by @lachaves in #372
- Update Policy Library (automated) by @github-actions in #373
- Feature: Add ability to exclude policy set/initiative child definitions for China policies by @jtracey93 in #377
- Update Policy Library for Azure China (automated) by @github-actions in #378
- fix: Update role ID and name by @DaFitRobsta in #379
- Release `v0.11.0` prep by @jtracey93 in #380
New Contributors
- @coolhome made their first contribution in #353
- @vedagudipati made their first contribution in #364
Full Changelog: v0.10.6...v0.11.0
v0.10.6
Summary
This is mainly a hygiene update on the ALZ-Bicep Core Team side, focused on policy. We have fixed our custom policy definition automation now that the upstream enterprise-scale repo work was completed in PR 1022, and made some performance/optimization enhancements by moving to `loadJsonContent()` as a Bicep function across all our policy definition modules in this repo.
We have also therefore pulled in the latest policy changes from the upstream repo and made them available in the `customPolicyDefinitions.bicep` module. There were only metadata changes from PR 1039 and a new Azure Firewall category from PR 1066. Thanks @JamJarchitect for your work here 👍
Also, as mentioned above, in PR #343 @KevinRabun has moved us to using `loadJsonContent()` across all our ALZ policy definition modules, which provides some subtle but welcome performance and optimization enhancements, especially around maximum file sizes. Thanks @KevinRabun 👍
Breaking Changes
None
What's Changed
- Azure Commercial Cloud - Update Policy Library - ADO #22240 by @JamJarchitect in #345
- Update json file loading to use loadJsonContent by @KevinRabun in #343
- Update Policy Library (automated) by @github-actions & @jtracey93 in #346
- Prep for release of v0.10.6 by @jtracey93 in #349
- Azure Commercial Cloud - Policy Update Issue in Workflow by @JamJarchitect in #350
New Contributors
- @KevinRabun made their first contribution in #343 🥳🥳🥳🥳🥳
Full Changelog: v0.10.5...v0.10.6
v0.10.5
We only just cut version `v0.10.4`, but we found a bug and have fixed it, hence the new release. Please still check out the `v0.10.4` release notes.
Breaking Changes
None
However, please still review the v0.10.0 release notes if using a version older than `v0.10.0`
What's Changed
- Fix #334 - fix deployment errors related to Network.DNS.Proxy in the `vwanConnectivity.bicep` module by @jfaurskov in #335
- Bump PSRule.Azure Baseline to Azure.GA_2022_09 by @jtracey93 in #333
Full Changelog: v0.10.4...v0.10.5
v0.10.4
Breaking Changes
None
However, please still review the v0.10.0 release notes if using a version older than `v0.10.0`
What's Changed
- doc: Added subnet disclaimer by @DaFitRobsta in #322
- capture definitionReferenceId that starts with number. by @eureka-gh in #324
- Add `.editorconfig` support by @jtracey93 in #325
- Add AZ Support for VPN & ER GW PIPs by @jhajduk-microsoft & @jtracey93 in #306
- Management Group Diagnostic Settings Enablement - New Module by @lachaves & @jtracey93 in #321
New Contributors
- @eureka-gh made their first contribution in #324
- @jhajduk-microsoft made their first contribution in #306
- @lachaves made their first contribution in #321
Full Changelog: v0.10.3...v0.10.4
v0.10.3
Breaking Changes
None
However, please still review the v0.10.0 release notes if using a version older than `v0.10.0`
What's Changed
- Add Azure Enablement Show Videos to docs & Update FAQ RE #300 by @jtracey93 in #309
- fixed typo in subPlacementAl by @floschmsft in #310
- Add PSRule To ALZ Bicep Testing by @jtracey93 in #313
- Enable GitHub to ADO WIT Sync by @jtracey93 in #315
- chore: bicepconfig.json linter update by @DaFitRobsta in #318
  - `bicepconfig.json` files updated to use the latest rules available in the latest Bicep release `v0.10.61`
  - Please ensure you update to the latest Bicep release following the instructions here
New Contributors
- @floschmsft made their first contribution in #310
- @DaFitRobsta made their first contribution in #318
Thank you both 🥳
Full Changelog: v0.10.2...v0.10.3
v0.10.2
Breaking Changes
None
However, please still review the v0.10.0 release notes if using a version older than `v0.10.0`
What's Changed
- Update geo codes for Azure Backup by @krowlandson in #305
New Contributors
- @krowlandson made their first contribution in #305
Full Changelog: v0.10.1...v0.10.2
v0.10.1
Breaking Changes
None
However, please still review the v0.10.0 release notes if using a version older than `v0.10.0`
What's Changed
- New Orchestration Module: `subPlacementAll` by @jtracey93 in #298 - Created from Feature Request #295
- Include encryption `keySource` for automation account to resolve what-if noise by @olljanat in #299
Full Changelog: v0.10.0...v0.10.1
v0.10.0
Breaking Changes
- In the `privateDnsZones` module the Private DNS Zone vNet link name has been made unique to ensure the module can be used multiple times for vNets with the same names.
  - Old `name` Bicep code: `name: '${privateDnsZoneName}/${privateDnsZoneName}'`
  - New `name` Bicep code: `name: '${privateDnsZoneName}/${take('link-${uniqueString(parVirtualNetworkIdToLink)}', 80)}'`
What should we do?
If possible, move to the new naming format, as this enables easier future expansion into other regions etc., if planned. You will need to remove the existing vNet links on each Private DNS Zone for the hub vNet, or any other vNet you may have specified, before redeploying.
You may also choose not to pull in this change to this specific module. However, be aware that with the old `name` Bicep code (shown above) you will be unable to link another vNet to a Private DNS Zone using the `privateDnsZones` module, because the vNet link name would be the same irrespective of which vNet is linked; the new code derives the link name from the vNet's resource ID instead 👍
Important: If you run the `privateDnsZones` module, or another module like `hubNetworking` that calls the `privateDnsZones` module, over the top without being aware of these changes, you will likely see a deployment failure for the Private DNS Zone vNet links. The deployment will try to create a new vNet link for the same vNet under a different link name, and the platform rejects this because a vNet can only be linked to a given Private DNS Zone once.
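To make the new naming concrete, here is an added example (not ALZ-Bicep's `privateDnsZones` module) that generalises the single `parVirtualNetworkIdToLink` shown above to a list of vNet resource IDs, creating one link per vNet with the `uniqueString()`-based name. The parameter names, zone name and resource names are this example's own choices.

```bicep
// Added example, not ALZ-Bicep's own code. Parameter and resource names are illustrative.
targetScope = 'resourceGroup'

param parPrivateDnsZoneName string = 'privatelink.blob.${environment().suffixes.storage}'

@description('Full resource IDs of the vNets to link. IDs, not names: two vNets both called vnet-hub in different subscriptions have different IDs and therefore get different link names.')
param parVirtualNetworkIdsToLink array = []

resource resPrivateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: parPrivateDnsZoneName
  location: 'global'
}

// uniqueString() is a deterministic 13-character hash of its input, so the
// same vNet ID always maps to the same link name (redeploys are idempotent),
// and different vNets map to different names (no clash when two vNets share a
// display name). take(..., 80) keeps the name within the platform length limit.
resource resVnetLinks 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for vnetId in parVirtualNetworkIdsToLink: {
  parent: resPrivateDnsZone
  name: take('link-${uniqueString(vnetId)}', 80)
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: vnetId
    }
  }
}]

output outVnetLinkNames array = [for (vnetId, i) in parVirtualNetworkIdsToLink: resVnetLinks[i].name]
```

One caveat that matters for the migration described above: `uniqueString()` hashes the literal string, and Azure resource IDs are matched case-insensitively by the platform but not by this function. Passing the same vNet ID with different casing (for example a different-case resource group segment) produces a different link name, and the deployment then fails with the same duplicate-link error as upgrading over the old `name` code, so normalise the IDs you feed in.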
What's Changed
- Update Policy Library for Azure China (automated) by @github-actions in #289
- Use latest API versions in all modules by @olljanat & @jtracey93 in #293
  - Also updated tests in ADO to use location from Key Vault completely, instead of hardcoded to `eastus` in some places
- Update docs and PR template to close #247 by @jtracey93 in #296
  - Added using latest API versions for resources to PR template and Contribution Guide
Full Changelog: v0.9.3...v0.10.0