
Releases: Azure/terraform-azurerm-caf-enterprise-scale

Patch logic for Policy Assignments

24 May 11:28
4211133

This release provides the following updates:

  • Parameters specified by the customer for Policy Assignments now take precedence over those managed by the module, providing a way to override parameter values set by the management child module.
  • enforcement_mode settings from the Policy Assignment template also take precedence over those managed by the module, providing a way to override the value set by the management child module.
  • Provides separation between the management settings controlled through the configure_management_resources input variable, and the deploy_management_resources input variable, which now only determines whether the management resources get deployed or not. This provides the ability to segregate the deployment of core and management resources into separate module blocks, or even separate pipelines, whilst allowing correct settings on both.
  • Internal tests are updated to provide coverage for the above changes, including the ability to test the full resource creation process when deploy_management_resources = true.

Hotfix for #89

11 May 08:50
8a1dbcd

This release includes a critical hotfix to address issue #89 where users observed the errors:

  • The given value is not suitable for child module variable "archetype_config_overrides"
  • The given value is not suitable for child module variable "custom_landing_zones"

No customer changes should be needed when upgrading to this version from v0.3.0.

Fix test framework and missing parameters

06 May 15:30
4d85461

This release provides the following fixes:

  • Update test framework to address issue #77
  • Hotfix #84 to address issue relating to #48
  • Fix for issue #85 to provide better integration between Log Analytics workspace and Policy Assignments

This release also introduces a couple of breaking changes from v0.2.1:

  • Update naming convention for Automation Account, as per #83
  • Remove the need (and support for) jsonencode() to define parameters for Role Definitions, included in #77

Following this release, user-defined parameters must be updated to use native HCL values only, as per the following example:

##########################################
# Archetype config parameter snippet
# Pre v0.3.0 release
##########################################

archetype_config = {
  archetype_id = "customer_online"
  parameters = {
    Deny-Resource-Locations = {
      listOfAllowedLocations = jsonencode([
        "eastus",
        "westus",
        "uksouth",
        "ukwest",
      ])
    }
  }
  access_control = {}
}

##########################################
# Archetype config parameter snippet
# Post v0.3.0 release
##########################################

archetype_config = {
  archetype_id = "customer_online"
  parameters = {
    Deny-Resource-Locations = {
      listOfAllowedLocations = [
        "eastus",
        "westus",
        "uksouth",
        "ukwest",
      ]
    }
  }
  access_control = {}
}

Please note issue #109 if upgrading from v0.2.0, as this may require you to manually delete solutions from Azure Monitor to complete the upgrade successfully.
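The two snippets above show only the archetype_config value. The following is an added example (not code from the release notes or from the module repository) of a complete root module that consumes the module at v0.3.0 or later, passing Policy Assignment parameters as native HCL values both through archetype_config_overrides and through a custom landing zone, and relying on the customer-parameter precedence described in the "Patch logic for Policy Assignments" release. The parameter name Deny-Resource-Locations, the listOfAllowedLocations value, the customer_online archetype and the region list come from the release notes; the root id "myorg", the display names, the "-online" management group id, the "es_root" archetype id, the ./lib library path, the empty subscription list and the version constraint are placeholders or assumptions.

```hcl
# Added example; assumed names and ids are marked as such.
data "azurerm_client_config" "current" {}

locals {
  root_id   = "myorg"           # assumed root management group id
  root_name = "My Organization" # assumed display name

  # Regions the customer is prepared to allow. Declared once so the same
  # guardrail value is applied consistently to every assignment below.
  allowed_locations = [
    "eastus",
    "westus",
    "uksouth",
    "ukwest",
  ]
}

module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = ">= 0.3.0" # native HCL parameters require v0.3.0 or later

  root_parent_id = data.azurerm_client_config.current.tenant_id
  root_id        = local.root_id
  root_name      = local.root_name

  # Assumed: the customer_online archetype definition lives in ./lib
  library_path = "${path.root}/lib"

  # Override parameters on a module-provided archetype. Values given here
  # take precedence over the values the module manages internally, so the
  # customer's allowed-location list is what ends up on the assignment.
  archetype_config_overrides = {
    root = {
      archetype_id = "es_root" # assumed built-in root archetype id
      parameters = {
        Deny-Resource-Locations = {
          listOfAllowedLocations = local.allowed_locations
        }
      }
      access_control = {}
    }
  }

  # Custom landing zone using a customer-defined archetype. Same shape as
  # the post-v0.3.0 snippet: a plain HCL list, no jsonencode().
  custom_landing_zones = {
    "${local.root_id}-online-example" = {
      display_name               = "Online Example"            # assumed
      parent_management_group_id = "${local.root_id}-online"   # assumed
      subscription_ids           = []                          # placeholder
      archetype_config = {
        archetype_id = "customer_online"
        parameters = {
          Deny-Resource-Locations = {
            listOfAllowedLocations = local.allowed_locations
          }
        }
        access_control = {}
      }
    }
  }
}
```

When moving an existing deployment to this form, run terraform plan first and look for parameter changes on the affected Policy Assignments: a value that was previously a JSON-encoded string is now a list, and any value the module used to set on your behalf is replaced by the customer-supplied one, so the plan output is the place to confirm that the allowed-location guardrail ends up with exactly the list you intended.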

Patch Automation Account Name

04 May 20:27
98f329f

Following the update to Azure/Enterprise-Scale PR#544, this release is intended to maintain consistency on the Automation Account deployed as part of the Management landing zone resources.

As this patch impacts a new feature which isn't fully documented (and was only released late last week), we don't expect this to cause any customer issues.

This update will cause the Automation Account to be re-provisioned in environments where the Management landing zone resources have been deployed.

Please note issue #109 if upgrading from v0.2.0, as this may require you to manually delete solutions from Azure Monitor to complete the upgrade successfully.

Management landing zone support

28 Apr 21:14
e5d7b67

This release adds the following features:

  • New feature: Management landing zone support, providing the ability to now deploy the following additional resources:
    • Log Analytics workspace
    • Automation Account (integrated with Log Analytics workspace)
    • Recommended Log Analytics solutions
    • Automated integration of Log Analytics workspace config into Policy Assignments
    • "Feature switches" to control additional Policy Assignment settings relating to the Management capabilities
  • New feature: Define archetype definition templates to add or remove assets from the OOTB archetype definitions
  • New feature: Configure manual overrides for Role Definitions associated with Policy Assignments using Managed Identity
  • Remove Deploy-Diagnostics-PublicIP Policy Definition (now built-in)
  • Add multiple Policy Definitions for ASC Defender configuration
  • Replace Deploy-ASC-Standard Policy Definition with Deploy-ASC-Config Policy Set Definition
  • Update Log Analytics workspace configuration settings in Deploy-Log-Analytics Policy Definition
  • Fix incorrect logic for handling enforcement_mode setting for Policy Assignments
  • Remove deprecated skip_service_principal_aad_check setting from Role Assignments
  • Add support for Terraform v0.15.0
  • Update minimum supported AzureRM provider version to v2.41.0

Improve policy processing

31 Mar 20:53
96be8a1

This release provides the following minor updates:

  • Updates the library templates to use root_scope_resource_id for policies deployed by this module
  • Fix to remove incorrect Managed Identity from Deploy-ASC-Monitoring policy
  • Fix to address missing Role Assignments for Policy Assignments using internal Policy Set Definitions
  • Improve logic when processing Role Assignments for Policy Assignments with Managed Identities
  • Initial work towards #51 where duplicate Policy Assignments at different scopes cause a duplicate key error
  • Fix a bug where changing the archetype_id for an existing Management Group fails during the plan stage
  • Fix for #61 to ensure correct validation on custom_landing_zones keys
  • Adds provider block to ensure the minimum supported required_providers is enforced by the module
  • Update to the EnterpriseScaleLibraryTools module to ensure correct processing of fields using a custom enum for validation

Hotfix for missing Role Assignments

17 Mar 21:03
9f659c9

This release fixes an issue where the auto-generated Role Assignments are missing for Policy Assignments under the following condition:

  • Using an MSI for DeployIfNotExists or Modify effects, where the assigned Policy Definition is provisioned by the module

Also includes the addition of full code base linting, and the fixes needed for this to pass.

Re-baseline policies against Azure/Enterprise-Scale

10 Mar 21:20
945bfc8

This release marks a major update to the Terraform Module for Cloud Adoption Framework Enterprise-scale, providing a full policy refresh to bring a more consistent experience between the Terraform and native ARM implementations of Enterprise-scale.

Policies are now updated to reflect the "foundation" policies from the WingTip reference implementation, and the library also contains all Policy Definitions used as part of the AdventureWorks (Hub & Spoke) and Contoso (Azure vWAN) reference implementations.

⚠️ WARNING: Please note that this release contains a number of changes which may impact your deployment. Please review the Upgrade from v0.0.8 to v0.1.0 guidance before upgrading.

The following is a summary of the main changes being introduced:

  • Introduce automated testing to ensure module quality and functionality when releasing future updates.
  • Update Unit and E2E test pipelines to use YML templates and dynamic matrix generation.
  • Add custom PS module for Enterprise Scale Library Tools to handle automated library template updates.
  • Add script and GitHub Action to enable automated library template updates from Azure/Enterprise-Scale repository using a CI pipeline.
  • Add offline ProviderApiVersions cache in Enterprise Scale Library Tools to negate the need for Azure credentials.
  • Update Library Templates (automated) using new CI process.
  • Manual remediations to updated library templates to ensure full compatibility with Terraform (needs to be fixed at source to prevent regression).
  • Update Policy Assignments and archetypes to provide parity with WingTip reference Enterprise-Scale foundations.
  • Update Resource definitions in base module to use name field instead of properties.displayName to allow setting a more "human-friendly" displayName on policies and roles.
  • Fix bug where duplicate roles are created at the same scope for policy assignments with managed identity.
  • Add customizable delay between deployment of different resource types to reduce deployment errors due to caching and replication in the Azure API (Improvement to help Fix #37).
  • Update root_parent_id validation regex to include support for additional supported characters (Fix #43).
  • Update README as part of migrating documentation to the Wiki
  • Update names for allowed location policies from Allow to Deny for better consistency with other policies
  • Fix #47 assignableScope bug for Role Definitions
  • Fix #34 by adding dedicated CONTRIBUTING.md page

Adding Role Assignments for Policies

27 Nov 14:55
fe4ad5b
Pre-release

This release includes a major feature update, providing automatic Role Assignment creation for Managed Identities generated for valid Policy Assignments with DeployIfNotExists or Modify effects.

It also includes a number of minor updates as listed below:

  • Rename child module folder to reduce likelihood of hitting file name length limits in Windows.
  • BugFix: Support multiple parameter value types.
  • Add templatefile() support for all /lib/ artefacts.
  • Fix subfolder support in /lib/ folder to allow better organisation of artefacts.
  • Fix incorrect case on Policy Definition name (NOTE: May require manual removal of referencing Policy Set Definition to allow re-deployment).
  • Consolidate outputs to single outputs.tf file to simplify file structure in module.
  • Update to readme.md for 0.0.8 release.

Although we're still in preview, we are now also removing the -preview suffix from the release version to make it easier to stay up to date with this module.

Fixes #16

Updates for 0.0.7-preview release

09 Nov 12:15
6bab697
Pre-release

This release includes the following updates:

  • Updates to documentation in README
  • Add "default_empty" archetype definition to built-in library
  • Fix to ensure unique Role Assignment ID
  • Add support for defining Policy Assignment parameters in archetype definitions
  • Add macOS support in gitignore
  • Fix "policyDefinitionId" in "ES-Deploy-ASC-Monitoring" Policy Assignment