[v3.0.0] Simplify inputs with `optional()` support and more

The v3.0.0 release marks an important update to the module, aimed primarily at reducing code changes needed when upgrading to latest releases. Previously, any change to the schema of input variables with complex object types would result in a breaking change if not updated in the customer code. This has been made possible with the GA release of optional() types in Terraform v1.3.0.

As a result of this change and the required fix for issue #31844, we have increased the minimum supported Terraform version to v1.3.1.

To support other changes (as listed below), we have also bumped the minimum supported azurerm provider version to v3.19.0.

New features

• Added documentation for how to set parameters for Policy Assignments
• Updated GitHub Super-Linter to v4.9.7 for static code analysis
• Updated the list of private DNS zones created by the module for private endpoints
• Removed deprecated policies for Arc monitoring (now included within VM monitoring built-in initiative)
• Added ability to set sql_redirect_allowed and tls_certificate properties on Azure Firewall policies
• Update logic for Azure Firewall public IPs to ensure correct availability zone mapping when only 2 zones are specified
• Added support for optional() types in input variables
• Updated policies with the latest fixes from the upstream Azure/Enterprise-Scale repository
• Updated tag evaluation for connectivity and management resources, so default_tags are now merged with scope-specific tags
• Updated the module upgrade guidance
• Updated Deny-Public-IP policy assignment to use the built-in policy for Not allowed resource types

Fixed issues

• Fix #445 (azurerm v4 compatibility)
• Fix #359 (Specifying parameters in policy assignment loses Log Analytics ID)
• Fix #186 (Policies incompatible with Terraform)
• Fix #444 (Error received when running custom network connectivity deployment)
• Fix #508 (Bug Report: Advanced VPN revoke_certifcate fails to apply)
• Fix #513 (Feature Request: Azure Firewall: Specify TLS Certificate Location in Azure Keyvault)
• Fix #447 (Azure Firewall - Availability Zones)
• Fix #524 (Missing private DNS zone for private endpoint - Azure Data Health Data Services)
• Fix #521 (Feature Request - ExpressRoute Gateway VPN_Type is Hardcoded, parameterise.)

Breaking changes

• ⚠️ Updated the minimum supported Terraform version to 0.15.1
• ⚠️ Updated the minimum supported azurerm provider version to 3.0.2
• ⚠️ Terraform will replace the Deny-Public-IP policy assignment, resulting in loss of compliance history

IMPORTANT: Please also carefully review the planned changes following an upgrade, as the introduction of optional() settings may result in unexpected changes from your current configuration where recommended new features are enabled by default.

For more information

Please refer to the Upgrade from v2.4.1 to v3.0.0 page on our Wiki.

Full Changelog: v2.4.1...v3.0.0

[v2.4.1] Add diagnostic category for Azure Firewall

What's Changed

This release includes an update to the Deploy-Diagnostics-Firewall Policy Definition, adding a new category to capture AZFWFatFlow logs for Azure Firewall resources.

This fixes a corresponding issue raised on the upstream Enterprise-Scale repository.

Full Changelog: v2.4.0...v2.4.1

[v2.4.0] Update subnet creation logic and add linked automation account region mapping

What's Changed

This release contains a number of changes relating to the functionality of this module.

• Updated logic controlling whether to create GatewaySubnet and AzureFirewallSubnet subnets to fix #450
• Added new logic to automatically map the supported location for linked Automation Accounts when deploying to East US or East US 2 regions to fix #449
• Replaced more try() functions with lookup() as part of working towards #227
• Updated custom policies to include new ALZ-specific metadata
• Updated the deployment names in Deploy-VNET-HubSpoke policy definition

Breaking changes

• The fix for #450 may result in previously created subnets being removed. This will only be an issue if you have deployed resources into these subnets outside of this module. To ensure these subnets are created without creating any additional new resources, please use the subnets entry to add these back into your configuration as needed.

• The fix for #449 may result in the module wanting to re-create the Automation Account in the "correct" new region. This is only needed if you want to use any of Update Management, Change Tracking or Inventory solutions in Azure Monitor. If you are happy to continue using the previous region, you can override this change by adding the following configuration in the configure_connectivity_resources input variable:

  configure_management_settings= {
    # other settings removed for brevity
    advanced = {
      custom_settings_by_resource_type = {
        azurerm_automation_account = {
          management = {
            location = "eastus"
          }
        }
      }
    }
  }

Full Changelog: v2.3.1...v2.4.0

[v2.3.1] New region support for Azure Backup private DNS zones

What's Changed

• Added geo codes for new regions (used for generating private DNS zones for Azure Backup)

Full Changelog: v2.3.0...v2.3.1

[v2.3.0] Policy updates

This release is focused on adding the latest policy updates from the upstream Azure/Enterprise-Scale repository.

What's Changed

• Multiple policy definition updates:
  • Update Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess mode from Indexed to All
  • Add WebSocketConnectionLogs category to diagnostic settings in the DINE template for Deploy-Diagnostics-APIMgmt
  • Add new Deploy-Diagnostics-AVDScalingPlans policy definition
  • Add new Deploy-Diagnostics-Bastion policy definition
  • Add multiple new log categories for the Deploy-Diagnostics-Firewall policy definition to fix policy compliance issue
  • Add multiple new log categories and modified metrics for the Deploy-Diagnostics-MlWorkspace policy definition to fix policy compliance issue
  • Update displayName and description for Deploy-Diagnostics-WVDAppGroup policy definition to reflect rebranding from WVD to AVD
  • Update displayName and description for Deploy-Diagnostics-WVDHostPools policy definition to reflect rebranding from WVD to AVD
  • Add multiple new log categories for the Deploy-Diagnostics-WVDHostPools policy definition to fix policy compliance issue
  • Update displayName and description for Deploy-Diagnostics-WVDHostPools policy definition to reflect rebranding from WVD to AVD
  • Multiple fixes for Deploy-Storage-sslEnforcement policy definition
• Update Deploy-Diagnostics-LogAnalytics policy set definition to reflect diagnostics policy changes listed above

Full Changelog: v2.2.0...v2.3.0

[v2.2.0] Management group subscription association and hub network peering

This release adds two new requested features. The first allows the module to not manage the complete subscription membership list for each management group. This allows you to use external systems to add subscriptions to management groups without them being removed by this module.

The second feature is the ability to peer hub networks. There is a new parameter for each hub network that will allow you to create bi-directional network peerings for enabled hub networks.

What's Changed

• feat: add support for relaxed mg sub association by @matt-FFFFFF in #427
• feat!: implement hub network mesh peering by @matt-FFFFFF in #429

NOTE: BREAKING CHANGE

If you are deploying hub virtual networks using the module, please note the new configuration variable enable_hub_network_mesh_peering.
See the wiki for details.

NOTE: NON-IDEMPOTENCY

When switching strict_subscription_association from true to false. See wiki.

Full Changelog: v2.1.2...v2.2.0

[v2.1.2] Hotfix for regional private endpoint DNS zones

This PR includes an important hotfix for the regional private endpoint DNS zones to ensure the correct zones are created for the following services:

• azure_backup
• azure_site_recovery

IMPORTANT:
Please note that this hotfix may result in the removal of existing (invalid) DNS zones, and addition of new (correctly configured) DNS zones.
If you would like to keep the existing DNS zones, these can be added to your configuration using the configure_connectivity_resources.settings.dns.config.private_dns_zones input variable.

What's Changed

• Fix configure_management_resources value in Wiki example by @krowlandson in #422
• Patch regional private endpoint DNS zones by @krowlandson in #423
• Update docs for release v2.1.2 by @krowlandson in #424

Full Changelog: v2.1.1...v2.1.2

[v2.1.1] Hotfix for `custom_landing_zones`

What's Changed

This PR includes the following updates:

• Wiki updates by @krowlandson in #399
• Feature Request - Custom Setting Support for vnet peerings by @matt-FFFFFF in #401
• Add option to add identity block to an Automation Account by @matt-FFFFFF in #407
• Update Wiki docs for vwan by @krowlandson in #414
• Update validation for custom_landing_zones by @krowlandson in #416
• Update for release v2.1.1 by @krowlandson in #417

These are being bundled in a patch release as they are all no-impact changes to existing users of the module.

Full Changelog: v2.1.0...v2.1.1

[v2.1.0] Add Azure Monitor Solutions

What's changed?

The v2.1.0 release provides an update to the management resources, adding two new Azure Monitor solutions for SQL.

Additional changes are covered below:

New features

• Added two new Azure Monitor solutions for SQL:
  • SQLVulnerabilityAssessment
  • SQLAdvancedThreatProtection
• Added Wiki documentation for managing RBAC roles
• Updated code-review workflow to improve code quality through more comprehensive static code analysis

Fixed issues

• Fix #387 (Add 2 Required Log Analytics Solutions for SQL Assessments for MDFC)
• Fix #362 (Update policy_definition_es_deny_storage_mintls.json)
• Fix #384 (Incorrect bgp_settings value on azurerm_virtual_network_gateway.connectivity resource)

Breaking changes

• ⚠️ To address #387 whilst putting the customer in control of whether these are deployed, we have added two new inputs to the configure_management_resources input variable. Customers using this input must update their code to reflect these changes. For more information, please refer to the following:
  1. settings.log_analytics.config.enable_solution_for_sql_vulnerability_assessment
  2. settings.log_analytics.config.enable_solution_for_sql_advanced_threat_detection

[v2.0.2] minor bugfix release

What's Changed

• Documentation fixes due to missing variable attributes by @jonclyde in #356
• Release/v2.0.2 by @matt-FFFFFF in #377

  • Update module version to 2.0.2

  • Add enable_bgp condition for Basic VPNGW SKU (#376)

  • Fix incorrect object lookup (#375)

  • Remove module version from base_module_tags/deployedBy (#374)

New Contributors

• @jonclyde made their first contribution in #356

Full Changelog: v2.0.1...v2.0.2