Releases: Azure/terraform-azurerm-caf-enterprise-scale
Patch logic for Policy Assignments
This release provides the following updates:
- `parameters` specified by the customer for Policy Assignments will now take precedence over those managed by the module, providing a way to override parameter values set by the `management` child module.
- `enforcement_mode` settings from the Policy Assignment template will also take precedence over those managed by the module, providing a way to override the value set by the `management` child module.
- Provides separation between the `management` settings controlled through the `configure_management_resources` input variable, and the `deploy_management_resources` input variable, which now only determines whether the management resources get deployed or not. This provides the ability to segregate the deployment of `core` and `management` resources into separate module blocks, or even separate pipelines, whilst allowing correct settings on both.
- Internal tests are updated to provide coverage for the above changes, including the ability to test the full resource creation process when `deploy_management_resources = true`.
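As an added illustration of the separation this release describes (example code written for this page, not code from the module or its release notes), the following HCL splits the core and management deployments across two module blocks that share a single `configure_management_resources` value, and uses `archetype_config_overrides` to supply a customer parameter that now takes precedence over the module-managed one. The module `source`/`version` strings, the `root_id` and `deploy_core_landing_zones` inputs, the `es_root` archetype id and the inner shape of `configure_management_resources` are assumptions taken from the module's documented interface rather than from this page; the provider aliases and management subscription ID the module requires are omitted and must be added per the module documentation for the version in use.

```hcl
# Added example, not part of the module or its release notes.
# Assumed inputs: source/version, root_id, deploy_core_landing_zones,
# the "es_root" archetype id and the shape of configure_management_resources.

data "azurerm_client_config" "current" {}

locals {
  # One shared definition of the management settings. Both module blocks
  # receive identical values, so the Log Analytics / Automation Account
  # settings wired into Policy Assignment parameters match the resources
  # actually deployed, even when the two blocks run in separate pipelines.
  configure_management_resources = {
    location = "uksouth"
    tags     = { environment = "platform" }
    settings = {
      log_analytics = {
        enabled = true
        config = {
          retention_in_days = 90
        }
      }
    }
    advanced = null
  }
}

# Block 1: core landing zones (management groups, policies, roles) only.
# deploy_management_resources = false stops the management resources being
# created here, but configure_management_resources is still supplied so the
# Policy Assignments reference the correct workspace settings.
module "enterprise_scale_core" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "0.3.1" # assumed: any release that carries this patch

  root_parent_id = data.azurerm_client_config.current.tenant_id
  root_id        = "myorg"

  deploy_core_landing_zones      = true
  deploy_management_resources    = false
  configure_management_resources = local.configure_management_resources

  # Customer-supplied parameters now win over module-managed values.
  # The key "root" targets the root management group; the parameter
  # shown is the page's own Deny-Resource-Locations example.
  archetype_config_overrides = {
    root = {
      archetype_id = "es_root"
      parameters = {
        Deny-Resource-Locations = {
          listOfAllowedLocations = ["uksouth", "ukwest"]
        }
      }
      access_control = {}
    }
  }
}

# Block 2: management resources only, possibly run from a separate pipeline.
# The same shared settings guarantee both sides agree on what was deployed.
module "enterprise_scale_management" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "0.3.1"

  root_parent_id = data.azurerm_client_config.current.tenant_id
  root_id        = "myorg"

  deploy_core_landing_zones      = false
  deploy_management_resources    = true
  configure_management_resources = local.configure_management_resources
}
```

One caveat when relying on the second change above: because `enforcement_mode` from a Policy Assignment template now overrides the module's own value, a template carrying `"enforcementMode": "DoNotEnforce"` leaves that assignment auditing but not enforcing. Check the `terraform plan` output for assignments whose enforcement mode changes before applying.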
Hotfix for #89
This release includes a critical hotfix to address issue #89 where users observed the errors:
The given value is not suitable for child module variable "archetype_config_overrides"
The given value is not suitable for child module variable "custom_landing_zones"
No customer changes should be needed when upgrading to this version from `v0.3.0`.
Fix test framework and missing parameters
This release provides the following fixes:
- Update test framework to address issue #77
- Hotfix #84 to address issue relating to #48
- Fix for issue #85 to provide better integration between Log Analytics workspace and Policy Assignments
This release also introduces a couple of breaking changes from `v0.2.1`:
- Update naming convention for Automation Account, as per #83
- Remove the need (and support for) `jsonencode()` to define parameters for Role Definitions, included in #77
Following this release, user-defined parameters must be updated to use native HCL values only, as per the following example:
```hcl
##########################################
# Archetype config parameter snippet
# Pre v0.3.0 release
##########################################
archetype_config = {
  archetype_id = "customer_online"
  parameters = {
    Deny-Resource-Locations = {
      listOfAllowedLocations = jsonencode([
        "eastus",
        "westus",
        "uksouth",
        "ukwest",
      ])
    }
  }
  access_control = {}
}
```

```hcl
##########################################
# Archetype config parameter snippet
# Post v0.3.0 release
##########################################
archetype_config = {
  archetype_id = "customer_online"
  parameters = {
    Deny-Resource-Locations = {
      listOfAllowedLocations = [
        "eastus",
        "westus",
        "uksouth",
        "ukwest",
      ]
    }
  }
  access_control = {}
}
```
Please note issue #109 if upgrading from `v0.2.0`, as this may require you to manually delete solutions from Azure Monitor to complete the upgrade successfully.
Patch Automation Account Name
Following the update to Azure/Enterprise-Scale PR#544, this release is intended to maintain consistency on the Automation Account deployed as part of the Management landing zone resources.
As this patch impacts a new feature which isn't fully documented (and was only released late last week), we don't expect this to cause any customer issues.
This update will cause the Automation Account to be re-provisioned in environments where the Management landing zone resources have been deployed.
Please note issue #109 if upgrading from `v0.2.0`, as this may require you to manually delete solutions from Azure Monitor to complete the upgrade successfully.
Management landing zone support
This release adds the following features:
- New feature: Management landing zone support, providing the ability to now deploy the following additional resources:
  - Log Analytics workspace
  - Automation Account (integrated with Log Analytics workspace)
  - Recommended Log Analytics solutions
  - Automated integration of Log Analytics workspace config into Policy Assignments
  - "Feature switches" to control additional Policy Assignment settings relating to the Management capabilities
- New feature: Define archetype definition templates to add or remove assets from the OOTB archetype definitions
- New feature: Configure manual overrides for Role Definitions associated with Policy Assignments using Managed Identity
- Remove `Deploy-Diagnostics-PublicIP` Policy Definition (now built-in)
- Add multiple Policy Definitions for ASC Defender configuration
- Replace `Deploy-ASC-Standard` Policy Definition with `Deploy-ASC-Config` Policy Set Definition
- Update Log Analytics workspace configuration settings in `Deploy-Log-Analytics` Policy Definition
- Fix incorrect logic for handling `enforcement_mode` setting for Policy Assignments
- Remove deprecated `skip_service_principal_aad_check` setting from Role Assignments
- Add support for Terraform `v0.15.0`
- Update minimum supported AzureRM provider version to `v2.41.0`
Improve policy processing
This release provides the following minor updates:
- Updates the library templates to use `root_scope_resource_id` for policies deployed by this module
- Fix to remove incorrect Managed Identity from `Deploy-ASC-Monitoring` policy
- Fix to address missing Role Assignments for Policy Assignments using internal Policy Set Definitions
- Improve logic when processing Role Assignments for Policy Assignments with Managed Identities
- Initial work towards #51 where duplicate Policy Assignments at different scopes cause a duplicate key error
- Fix a bug where changing the `archetype_id` for an existing Management Group fails during the `plan` stage
- Fix for #61 to ensure correct validation on `custom_landing_zones` keys
- Adds provider block to ensure the minimum supported `required_providers` is enforced by the module
- Update to the `EnterpriseScaleLibraryTools` module to ensure correct processing of fields using a custom `enum` for validation
Hotfix for missing Role Assignments
This release fixes an issue where the auto-generated Role Assignments are missing for Policy Assignments under the following condition:
- Using an MSI for DeployIfNotExists or Modify effects, where the assigned Policy Definition is provisioned by the module
Also includes the addition of full code base linting, and the fixes needed for this to pass.
Re-baseline policies against Azure/Enterprise-Scale
This release marks a major update to the Terraform Module for Cloud Adoption Framework Enterprise-scale, providing a full policy refresh to bring a more consistent experience between the Terraform and native ARM implementations of Enterprise-scale.
Policies are now updated to reflect the "foundation" policies as per the WingTip reference implementation, but the library also contains all policy definitions used as part of the AdventureWorks (Hub & Spoke) and Contoso (Azure vWAN) reference implementations.
⚠️ WARNING: Please note that this release contains a number of changes which may impact your deployment. Please review the Upgrade from v0.0.8 to v0.1.0 guidance before upgrading.
The following is a summary of the main changes being introduced:
- Introduce automated testing to ensure module quality and functionality when releasing future updates.
- Update Unit and E2E test pipelines to use YML templates and dynamic matrix generation.
- Add custom PS module for Enterprise Scale Library Tools to handle automated library template updates.
- Add script and GitHub Action to enable automated library template updates from Azure/Enterprise-Scale repository using a CI pipeline.
- Add offline ProviderApiVersions cache in Enterprise Scale Library Tools to negate the need for Azure credentials.
- Update Library Templates (automated) using new CI process.
- Manual remediations to updated library templates to ensure full compatibility with Terraform (needs to be fixed at source to prevent regression).
- Update Policy Assignments and archetypes to provide parity with WingTip reference Enterprise-Scale foundations.
- Update Resource definitions in base module to use `name` field instead of `properties.displayName` to allow setting a more "human-friendly" displayName on policies and roles.
- Fix bug where duplicate roles are created at the same scope for policy assignments with managed identity.
- Add customizable delay between deployment of different resource types to reduce deployment errors due to caching and replication in the Azure API (Improvement to help Fix #37).
- Update `root_parent_id` validation regex to include support for additional supported characters (Fix #43).
- Update README as part of migrating documentation to the Wiki
- Update names for allowed location policies from `Allow` to `Deny` for better consistency with other policies
- Fix #47 assignableScope bug for Role Definitions
- Fix #34 by adding dedicated CONTRIBUTING.md page
Adding Role Assignments for Policies
This release includes a major feature update, providing automatic Role Assignment creation for Managed Identities generated for valid Policy Assignments with `DeployIfNotExists` or `Modify` effects.
It also includes a number of minor updates as listed below:
- Rename child module folder to reduce the likelihood of hitting file name length limits in Windows.
- BugFix: Support multiple parameter value types.
- Add templatefile() support for all `/lib/` artefacts.
- Fix subfolder support in `/lib/` folder to allow better organisation of artefacts.
- Fix incorrect case on Policy Definition name (NOTE: May require manual removal of referencing Policy Set Definition to allow re-deployment).
- Consolidate outputs to single `outputs.tf` file to simplify file structure in module.
- Update to readme.md for 0.0.8 release.
Although we're still in preview, we are now also removing the `-preview` suffix from the release version to make it easier to stay up to date with this module.
Fixes #16
Updates for 0.0.7-preview release
This release includes the following updates:
- Updates to documentation in README
- Add "default_empty" archetype definition to built-in library
- Fix to ensure unique Role Assignment ID
- Add support for defining Policy Assignment parameters in archetype definitions
- Add macOS support in gitignore
- Fix "policyDefinitionId" in "ES-Deploy-ASC-Monitoring" Policy Assignment