[v2.0.1] Fix advanced connectivity settings

What's Changed

• This is a patch release to provide a workable solution to the issues raised in #348

• Add additional resource types to variable validaiton by @matt-FFFFFF in #361

Full Changelog: v2.0.0...v2.0.1

[v2.0.0] Add `Virtual WAN` and more

The v2.0.0 release marks another significant milestone in development of the Azure landing zones Terraform module (formerly Terraform Module for Cloud Adoption Framework Enterprise-scale).
The re-branding of this module reflects adoption of Enterprise-scale as the recommended architecture for Azure landing zones.

This release provides the ability to deploy and configure Virtual WAN resources as part of the connectivity capability of the module.
We have also included a number of fixes for other issues, and extended the existing connectivity capabilities for customers creating Hub and Spoke networks.

New features

• Added support to create hub networks using Azure Virtual WAN in the connectivity Subscription
• Updated the policies included within the module based on those in the upstream Enterprise-scale repository
• Improved Wiki documentation, providing more examples and clearer guidance
• Added module telemetry to help us better understand where to focus development efforts and improve customer experience
• Update branding from Enterprise-scale to Azure landing zones (further work required to complete this transition)
• Added Azure Firewall Policy resources to enable the DNS Proxy settings for Azure Firewall and simplify the configuration experience
• Extended configuration options for the Virtual Network Gateway resources used for hub and spoke networks
• The threat_intel_mode value for azurerm_firewall resources is now explicitly set with a default value of Alert to support the latest provider versions. This matches the previous "default" value of the old provider.
• Added new variable asc_export_resource_group_name to fix #342
• Added logic to automatically configure the generation value for VPN gateways without using the advanced object to fix #333
• Added input variables and logic to simplify configuring active-active mode for VPN gateways without using the advanced object to fix #232
• Added logic to suppress creation of Public IP resource(s) when a custom ip_configuration input is specified via the advanced block for the following resource types:
  • azurerm_virtual_network_gateway (ExpressRoute and VPN)
  • azurerm_firewall
• Added input variables for BGP configuration settings without using the advanced object to fix #334
• Added missing vpn_auth_types attribute for the vpn_client_configuration block on Virtual Network Gateway resources
• Updated Wiki docs to reflect the included changes where covered in documentation
• Updated test framework to provide coverage of the included fixes
• Updated test strategy to ensure working versions are included from v0.15.1 (new minimum required to fix Error: Output refers to sensitive values) to latest v1.1.x

Fixed issues

• Fix #226 (Add capability for "Virtual WAN Networking" resources - Connectivity Subscription)
• Fix #232 (can't create active-active vpngw)
• Fix #254 (Create Wiki docs page for custom policy definition, set definition (initiative) and assignment)
• Fix #264 (Update Policies For v1.2.0 Release From Upstream)
• Fix #266 (Adding a new policy assignment forces the existing policy role assignments to be recreated)
• Fix #271 (Error: deleting Azure Firewall)
• Fix #272 (Argument management_group_name deprecated in favour of management_group_id)
• Fix #273 (azurerm_role_assignment.policy_assignment resources outputs missing)
• Fix #274 (Add Firewall Policy resources for the Azure Firewall resources deployed by the module)
• Fix #293 (Move FabricBot to Config-as-Code)
• Fix #295 (Missing data policies)
• Fix #305 (Add vwan settings to outputs)
• Fix #309 (Bug Report - AzureRM provider 3.0.0 availability zones error)
• Fix #319 (azurerm_public_ip prevents support of azurerm provider >= 3.0.0)
• Fix #333 (VPN Gateway Generations)
• Fix #334 (BGP configuration on VPN gateways)
• Fix #336 (Feature Request - Add AZ Support for Azure Firewall in Secure vHub Model)
• Fix #340 (Call to function "coalesce" failed: all arguments must have the same type.)
• Fix #342 (Ability to rename ASC export resource group name)
• Work towards #227 (Replace try() with lookup() where possible)

Breaking changes

• ⚠️ Updated the minimum supported Terraform version to 0.15.1

• ⚠️ Updated the minimum supported azurerm provider version to 3.0.2

• ⚠️ Updated the required attributes for the configure_management_resources input variable to reflect recent policy updates for Microsoft Defender for Cloud

• ⚠️ Extended the required attributes for the configure_connectivity_resources input variable to enable new functionality

  This will result in an error at plan until users update the input for configure_connectivity_resources.
  Longer term objective is to reduce the number of mandatory attributes within the schema using the optional() type wrapper once released as GA.

• ⚠️ Updated preference to Generation2 for supported VPN gateway SKUs, so some customers may have their VPN gateway redeployed to the new version. Instructions for how to override this added below.

IMPORTANT: If you are using the advanced input for configure_connectivity_resources please take extra care to note the changes listed in PR: Fix multiple issues #345.

For more information

Please refer to the Upgrade from v1.1.4 to v2.0.0 page on our Wiki.

[v1.1.4] Hotfix for #309

This is a hotfix release to address changes in v3.0.0 of the azurerm provider, reported in issue #309

• Add additional version constraint in the required_providers configuration of < 3.0.0 to prevent this module being used with the new provider until we can update the module to support the new resource schemas.

Hotfix for #278

Release v1.1.3 introduces the following changes:

• Update function from jsondecode() to yamldecode() when working with YAML files for archetype extensions and exclusions (Fixes #278).
• Update Wiki Sync automation to trigger on release instead of push.

No breaking changes identified.

Improve template file support

Release v1.1.2 introduces the following changes:

• Update module to provide full support for templatefile() functionality (Fixes #253)
• Extend built-in template file variables for use with template files in module library (Fixes #255 and #207)

Hotfix for #241

Release v1.1.1 introduces the following changes:

• Update regex logic for root_id and scope_id input variables on archetypes child module (Fixes #241)
• Add requried_version to Terraform configuration to ensure only supported version of Terraform is used
• Add documentation to Wiki for the configure_connectivity_resources and configure_management_resources input variables

No breaking changes identified.

Policy updates and bug fixes

Release v1.1.0 introduces the following changes:

• BREAKING CHANGE: Replaced Deploy-ASC-Configuration Policy Assignment with Deploy-ASCDF-Config, utilizing built-in policies and also adds support for Microsoft Defender for open-source relational databases.
  • Fixing Add Defender support for Open-source relational databases #131.
  • Note: Will result in loss of policy compliance history.
  • Consider making a copy of the removed policy templates to a custom lib folder and using the archetype extension capability if you wish to retain the old Assignment to keep policy compliance history.
  • Requires an update to the configure_management_resources input variable:

{
  settings = {
    # (1 unchanged element hidden)
    security_center = {
      # (1 unchanged element hidden)
      config = {
        # (7 unchanged elements hidden)
        enable_defender_for_oss_databases  = true
        # (4 unchanged elements hidden)
      }
    }
  }
  # (3 unchanged elements hidden)
}

• Updates to Wiki documentation
• Multiple bug fixes covering:
  • Fix "managed parameters" for Enable-DDoS-VNET Policy Assignment at landing-zones scope (no issue logged)
  • Changing root_parent_id results in Management Groups not being deployed #190
  • Bug Report: Private DNS zone link in setting.connectivity.tf #204
  • Incorrect enforcementMode setting on Enable-DDoS-VNET Policy Assignment #216

General availability (GA) release

This release represents a significant milestone in the development of this module, as we aim to increase stability on the input variables and minimize breaking changes when adding new features.

This release fixes/adds/changes/removes

1. Updates the minimum supported azurerm provider version to 2.77.0.
2. Added new Policy Definitions to keep in sync with the Azure/Enterprise-scale source.
3. Added new Policy Assignment template for Deny-Private-DNS-Zones.
4. Added documentation for the Wiki covering additional examples, and details for how to customize the deployment.
5. The Management resources module now has an explicit dependency to ensure azurerm_log_analytics_solution resources have a dependency on azurerm_log_analytics_linked_service resources.
6. The Connectivity resources module has been updated to provide management for the Deploy-Private-DNS-Zones Policy Assignment.
7. The Connectivity resources module has also been updated to fix a bug when setting registration_enabled on a DNS zones.

For more information about these changes and how to perform an upgrade from the previous release, please refer to the Upgrade from v0.4.0 to v1.0.0 page on our Wiki.

Connectivity and identity landing zone support

This release includes a number of changes to bring the module up to date with the latest from the Azure/Enterprise-scale repository, introduces new capabilities for deploying resources in the Connectivity landing zone, and additional configuration options for the Identity landing zone.

As part of these updates, this release also introduces provider configuraiton in the module, allowing deployment of resources to multiple Subscriptions from a single module block.

This release fixes/adds/changes/removes

1. Updated Enterprise Scale Library Tools to pull policy updates from the new eslzArm deployment in Azure/Enterprise-scale
2. Updated API Versions cache
3. Updated Wiki Sync to enable workflow dispatch and forked repository support
4. Updated documentation in README.md and Wiki, including improved coverage of variables and examples (Fixes #118)
5. Added the ability to deploy Connectivity resources into the Connectivity Subscription
6. Added the ability to configure Identity policies through input variables
7. Updated test framework to provide coverage for latest updates
8. Standardised naming convention for advanced settings in management and connectivity modules
9. Added "module tags" for resources to identify them as deployed by the module - these will be appended to any user-defined tags and can be disabled or overridden as required
10. Added the ability to deploy "non-demo" versions of the SAP, Corp and Online landing zones using feature flags
11. Consolidated the archetypes for connectivity to use a single common archetype named es_connectivity
12. Added logic to map Platform Subscriptions to their respective Management Groups using the subscription_id_{connectivity|identity|management} input variables, including logic to allow the same Subscription to be used for multiple roles. (Fixes #127)
13. Updated display names for "Demo" landing zones to indicate that they are for demo purposes only
14. Updated Role Assignments to create clear seperation between those created for user access vs. for Policy Assignments with Managed Identity
15. Fixed RegEx bug in logic used to determine the Management Group name when determining Role Assignments used for Policy Assignments with Managed Identity
16. Policy update to Deny-Subnets-Without-NSG fixes #38
17. Updates to logic may help with #51 but requires further testing

Breaking Changes

1. Added provider configuration requirement in module block (Fixes #102)
2. Updated the deprecated azurerm_policy_assignment resource type to azurerm_management_group_policy_assignment (will cause resployment of these resources)
3. Multiple policy updates will cause reployment of many policies
4. Renamed Management resources to enable deployment to specified Subscription using provider blocks

For more information on the changes introduced by this release please refer to the new Upgrade from v0.3.3 to v0.4.0 documentation.

Patch dependencies and fix tags error

This release introduces the following non-breaking changes:

• Update github/super-linter to use latest version
• Add github/super-linter output files to .gitignore
• Add explicit dependency between azurerm_log_analytics_solution.enterprise_scale and azurerm_automation_account.enterprise_scale to fix #109
• Remove tags from azurerm_log_analytics_linked_service.enterprise_scale to fix #121
• Fix workflow bug for SPN Generator when multiple Subscriptions are available
• Update docs for v0.3.3 release