v0.16.0

Summary

This release incorporates the ability to preview changes prior to deploying to your environment for the Accelerator. There are also some improvements to the Bicep Linter and associated configurations, bug fixes, and general improvements to the modules.

We have also pulled in the latest upstream policy changes from the Azure/Enterprise-Scale repo. See the What's New? for more info on what.

See the below "What's Changed" section for more information on the enhancements we have made

Highlights

• Accelerator: This release introduces the Azure Bicep What-If operation within the Accelerator deployment scripts to be able to evaluate and analyze changes to your environment during a pull-request.
• Relaxed linting rules and reduce maintenance overhead as part of #568
• Added support for the new Sentinel simplified pricing tier in #582

Breaking Changes

As part of #582 we have introduced a very minor/small "breaking change", technically you don't need to do anything and you will just move to the new pricing model, however if you want to stay on your current/the old pricing model you need to do the following once upgrading to v0.16.0:

1. Set parUseSentinelClassicPricingTiers to true

What's Changed

• Enhance Use of Bicep Linter & Simplify Config by @jtracey93 in #568
• Issue forms by @jhajduk-microsoft in #562
• Documentation: Added release process diagram by @oZakari in #569
• FabricBot: Onboarding to GitOps.ResourceManagement because of FabricBot decommissioning by @microsoft-github-policy-service in #570
• Update Policy Library (automated) by @cae-pr-creator in #572
• Add if (parAzBastionEnabled) to nsg create bastion by @woutermation in #575
• Update Azure resources APIs to recent versions before they are too old over 2 years by @VeronicaSea in #577
• Enhance Accelerator documentation for Git by @oZakari in #580
• Feature addvalidation by @MilesCameron-DMs in #539
• PR for Feature #537: Simplify workflow names in Accelerator by @oZakari in #578
• Add CODEOWNERS & Fix Sentinel Simplified Pricing by @jtracey93 in #582
• Update Policy Library (automated) by @cae-pr-creator in #584

New Contributors

• @microsoft-github-policy-service made their first contribution in #570
• @woutermation made their first contribution in #575
• @VeronicaSea made their first contribution in #577
• @MilesCameron-DMs made their first contribution in #539

Full Changelog: v0.15.0...v0.16.0

v0.16.0-pre

This is a pre-release. Please carry on using v0.15.0 for production deployments.

v0.15.0

Summary

This release mainly bring Azure DevOps Support to the Accelerator. However, we have also fixed a number of other pieces and made a good amount of nice, simple, enhancements to existing modules (none of which are breaking changes 👍)

We have also pulled in the latest upstream policy changes from the Azure/Enterprise-Scale repo as part of our quarterly policy refresh work. 🥳

See the below "What's Changed" section for more information on the enhancements we have made

Highlights

• Accelerator: There is now support for Azure DevOps Pipelines. See Getting Started if you're using Azure DevOps Pipelines

What's Changed

• Update Policy Library (automated) by @cae-pr-creator in #525
• Update parameter descriptions and typos by @picccard in #524
• Update Policy Library (automated) by @cae-pr-creator in #532
• Accelerator Pipelines for Azure Devops by @picccard in #503
• Fix doc for module outputs by @picccard in #542
• Update Policy Library (automated) by @cae-pr-creator in #538
• Increase api version for LAW by @jtracey93 in #546
• Option for subnet delegations by @picccard in #526
• Update PSRule Baseline and Version by @jtracey93 in #552
• Add parPlatformMgAlzDefaultsEnable parameter to policy assignment by @sachabruttin in #551
• Improved control of PrivateDnsZones beeing deployed by @picccard in #543
• Added ZT Deployment Guide by @brsteph in #554
• Remove old dependsOn by @picccard in #556
• Unlink log analytics workspace and automation account by @picccard in #555
• Update README.md for alzDefaults module by @picccard in #557
• Feature: Add LZ Child MG Flex for ALZ Default Policy Assignments & Add Release Checks by @jtracey93 in #559
• Feature: Added documentation changes for Accelerator and Azure DevOps support by @oZakari in #563
• Update Policy Library (automated) by @cae-pr-creator in #564
• Prep for v0.15.0 by @jtracey93 in #566

New Contributors

• @sachabruttin made their first contribution in #551
• @brsteph made their first contribution in #554

Full Changelog: v0.14.0...v0.15.0

v0.15.0-pre

This is a pre-release. Please carry on using v0.14.0 for production deployments.

v0.15.0 will be out shortly, with the addition of Azure DevOps support for the Accelerator. Watch this space... 👍

v0.14.0

Summary

This release includes our recent policy refresh work from the upstream repo and also the launch of our ALZ Bicep Accelerator 🥳

Highlights

• Updated policy definitions, initiatives and assignments from upstream ALZ repo - as documented here
• Launch of the ALZ Bicep Accelerator - thanks @oZakari, @lovelysandwich, @Nepomuceno for your work and efforts here 👍(also thanks to @stalejohnsen for testing and providing feedback)
  • Recommended way to consume ALZ Bicep
  • GitHub Actions support only today, but will add Azure DevOps and others other time - please raise issues/feature requests
  • Guidance on staying up-to-date and customizing modules
• Added support for Azure Firewall Basic SKU - thanks @JamJarchitect
• Added policy assignment exclusion feature - thanks @stalejohnsen
• Added platform child Management Group flexibility - thanks @JamJarchitect
• Private DNS Zone Linking in hubPeeredSpoke.bicep orchestration module - thanks @JamJarchitect
• In the Logging module we have removed the Service Map solution from being deployed as per guidance here.

Policy Changes

Information on policy changes can be found in the Whats New Wiki Page in the Azure Landing Zones/Enterprise-Scale repo

Deny-RDP-From-Internet replacement with Deny-MgmtPorts-Internet

The Deny-RDP-From-Internet policy assignment has been replaced with the assignment of the new policy Deny-MgmtPorts-Internet. The alzDefaultPolicyAssignments.bicep has been updated with this change, so to clean up the old `Deny-RDP-From-Internet assignment use the below PowerShell code snippet.

$mgPrefix = "alz" # UPDATE ME
$mgSuffix = "" # UPDATE ME

Get-AzPolicyAssignment -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix-landingzones$mgSuffix/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet"
Get-AzPolicyAssignment -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix-platform-identity$mgSuffix/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet"

Remove-AzPolicyAssignment -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix-landingzones$mgSuffix/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet"
Remove-AzPolicyAssignment -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix-platform-identity$mgSuffix/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet"

You are welcome to continue using the Deny-RDP-From-Internet if you wish, it is still valid and works as desired, we have just enhanced the control with the new policy and would advise reviewing and migrating to it for better controls preventing the exposure of Management Ports to the internet

Breaking Changes

1. There is a policy initiative Enforce-TLS-SSL that has had a parameter removed, on purpose, that means a breaking change unfortunately. To resolve this follow the below guidance:
   • Run the following PowerShell commands to remove the policy assignment and initiative, then redeploy the latest versions of:
     a. customPolicyDefinitions.bicep
     b. alzDefaultPolicyAssignments.bicep

$mgPrefix = "alz" # UPDATE ME
$mgSuffix = "" # UPDATE ME

Get-AzPolicyAssignment -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix-landingzones$mgSuffix/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL"

Remove-AzPolicyAssignment -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix-landingzones$mgSuffix/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL"

Remove-AzPolicySetDefinition -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix$mgSuffix/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit" -Force

Further info can be found in Update Azure landing zone custom policies

What's Changed / Pull Requests

• Remove unrequired parameters from mgDiagSettings - Fix #473 by @jtracey93 in #474
• Removing second VWan Hub as per conversation with jtracey93 by @lovelysandwich in #480
• 26294 - Feature - Accelerator Pipelines and Scripts by @oZakari in #479
• 26740 - Feature - Generated Parameter Markdowns for Orchestration by @JamJarchitect in #466
• Deploy-VM-Backup optional parameters for exclusion tag by @stalejohnsen in #482
• 26294 - Feature - Accelerator Pipeline Adjustments by @oZakari in #483
• Update RSG API version & workflow to only run on this repo by @jtracey93 in #486
• 26294: Accelerator Pipeline Adjustments by @oZakari in #487
• 26294: Accelerator - Add ability to import env file and minor fixes by @oZakari in #488
• hubNetwork: Dynamic prefix and suffix for Public IPs by @picccard in #493
• New parameter for Alzdefaults exclusions by @stalejohnsen in #494
• Fix doc link for parameter description by @stalejohnsen in #495
• 26016 - Feature - Child Landing Zone Management Groups Flexibility by @JamJarchitect in #496
• Remove Service map from LogAnalyticsWorskpace Solutions by @lachaves in #501
• 26808 - Feature - Add support to allow Private DNS Zone VNet Linking for Spoke VNets by @JamJarchitect in #500
• Accelerator Documentation and remove hard-coded rg values by @oZakari in #497
• Remove accelerator doc temporarily by @oZakari in #506
• Update Policy Library (automated) - Policy Refresh FY23 Q3 by @cae-pr-creator in #499
• Nested deployments should get passed the value for parTelemetryOptOut by @picccard in #502
• ADO 27172 - Add Zero Trust Networking Telemetry - Phase 1 by @jtracey93 in #508
• remove unused duplicate asn property by @picccard in #511
• Update Policy Library (automated) by @cae-pr-creator in #514
• 25520 - Azfw Basic SKU by @JamJarchitect in #510
• Fixes #517 by making the deployment name for the recently added module unique on the zones resource ID by @jtracey93 in #518
• Fix deployment double loop in #519 by @jtracey93 in #520
• add option to set NSG and UDR on subnets in hub-vnet by @picccard in #513
• Accelerator documentation for v0.14.0 release by @oZakari in #507
• Minor Tweaks by @jtracey93 in #521

New Contributors

A huge thanks to all new contributors and we welcome many more contributions in the future 😎

• @lovelysandwich made their first contribution in #480
• @stalejohnsen made their first contribution in #482
• @picccard made their first contribution in #493

Full Changelog: v0.13.0...v0.14.0

v0.14.1-pre

This is a pre-release. Please carry on using v0.13.0 for production deployments.

v0.14.0 will be out in a few weeks, hopefully, with the preview of our new accelerator to help you get your deployment bootstrapped with pipelines etc. and fill in all those parameter files based on a single set of inputs. Watch this space... 👍

v0.14.0-pre

This is a pre-release. Please carry on using v0.13.0 for production deployments.

v0.14.0 will be out in a few weeks, hopefully, with the preview of our new accelerator to help you get your deployment bootstrapped with pipelines etc. and fill in all those parameter files based on a single set of inputs. Watch this space... 👍

v0.13.0

Summary

Our first release of 2023 (apologies), but we have been busy at work and are pleased to share a lot of great updates with you all 🥳

Highlights

• Added support to create Role Assignments at the Resource Group scope in #434
• Added support to create a Managed Identity for the Automation Account in #433
• Updated various API versions in various modules
• Added flag in a parameter to set Policy Assignment Enforcement Mode to Default or DoNotEnforce in alzDefaultPolicyAssignments.bicep module to allow you to easily set this for all Policy Assignments en masse in #453
• Added multiple new features to Virtual WAN module in #456
  • Added support for multiple Virtual Hubs in a single Virtual WAN
  • Added support for setting Virtual Hub Routing Preference
  • Added support for setting Virtual Hub Capacity/Routing Infrastructure Units
• Added NSG rules at priority 4096 for inbound and outbound flows on Azure Bastion Subnet NSG to deny anything to everywhere on any port in #455
• Added parameter to set RDP/SSH ports in NSG rules for outbound flows from Azure Bastion Subnet in #455
• Added parameter to allow capability to specify Management Group suffix on all IDs in #462
• Updated Azure Policy definitions from upstream from Azure/Enterprise-Scale repo in #459
  • Information on policy changes can be found in the Whats New Wiki Page in the Azure/Enterprise-Scale repo

Policy Changes

Information on policy changes can be found in the Whats New Wiki Page in the Azure/Enterprise-Scale repo

Breaking Changes

1. In #456 we added a new parameter of parVirtualWanHubs to the vwanConnectivity.bicep module to allow multiple Virtual WAN Hubs to be deployed in a single Virtual WAN, you should review the documentation for the parVirtualWanHubs parameter and ensure you correctly set the value in the parameters file as linked here
   2. We also removed the following parameters and these moved to become keys inside of the array of objects in the parameter parVirtualWanHubs - please update your parameter files
   - parVirtualHubAddressPrefix
   - parVpnGatewayEnabled
   - parExpressRouteGatewayEnabled
   - parAzFirewallEnabled
   3. In the following parameters we amended the default values to remove including the suffix of -${parLocation}, the location is now added as a suffix to each of the associated resources still, but is now part of the key/parameter input of parHubLocation in parVirtualWanHubs
   - parVpnGatewayName
   - parExpressRouteGatewayName
   - parAzFirewallName

Not technically breaking changes (but some action may be required)

1. In #415 we removed a deprecated Activity Log Solution from the Log Analytics Workspace module
   • You may chose to remove/uninstall the solution for the Log Analytics Workspace, but you can use the new built-in workbook as detailed here

What's Changed

• Add is it maintained badges by @jtracey93 in #418
• Removed Solution Activity Log from LAW by @lachaves in #415
• Issue #410 - Remove default values from parameter descriptions by @JamJarchitect in #421
• Issue #416 - Link description in policy definitions for China by @JamJarchitect in #419
• Bug: Generated Values in _policyAssignmentsBicepInput.txt are incorrect by @mbrat2005 in #427
• feat: Added role assignment support for RGs by @DaFitRobsta in #434
• Consistent punctuation and small typos by @bartlannoeye in #437
• added parAutomationAccountUseManagedIdentity parameter by @mbrat2005 in #433
• Update containerRegistry API version by @bartlannoeye in #440
• Updated references in the documents from docs.microsoft.com - to learn by @ElYusubov in #447
• Feature/param do not enforce default policies by @mbrat2005 in #453
• Add info to wiki to manually create docs by @jtracey93 in #460
• Add workflow for daily (weekday) Bicep Build & Issue Create if failure & Bump PSRule Version & Baseline by @jtracey93 in #461
• Update DeploymentFlow.md by @baartch in #463
• Adding deny all rule to Azure Bastion nsg by @sid2305 in #455
• CaseSensitiveDeploymentParameterNamesFound by @sangling in #457
• SSH/RDP rule name change by @sid2305 in #464
• Update Policy Library (automated) by @cae-pr-creator in #459
• Added Management Group Suffix Parameter parTopLevelManagementGroupSuffix by @mbrat2005 in #462
• Add support to deploy an additional VWAN hub to an existing Virtual WAN by @aarunraaj in #456

New Contributors

A huge thanks to all new contributors and we welcome many more contributions in the future 😎

• @mbrat2005 made their first contribution in #427
• @bartlannoeye made their first contribution in #437
• @ElYusubov made their first contribution in #447
• @baartch made their first contribution in #463
• @sid2305 made their first contribution in #455
• @sangling made their first contribution in #457
• @cae-pr-creator made their first contribution in #459
• @aarunraaj made their first contribution in #456

Full Changelog: v0.12.0...v0.13.0

v0.12.0

Summary

This release brings mainly lots of goodness in the Azure Policy space as well as improving our testing, thanks to PSRule for Azure, also updating the Private DNS Zones for Private Link that get deployed in the Private DNS Zones module, and finally changing our module docs to being programmatically generated, so you only need to update a .bicep module now and the docs get generated as part of your PR 🥳

Policy Changes

1. Converted Deny-Public-IP assignment to new assignment using built-in policy called Deny-Public-IP-Addresses as detailed in #398 & #386
2. Add new default assignment of Deploy-Private-DNS-Zones to corp MG fixing #137 and brining assignments into alignment across all ALZ implementation options (portal and Terraform)
3. Remove assignment of Deny-Public-IP in default assignments from corp to bring assignments into alignment across all ALZ implementation options (portal and Terraform)

Breaking Changes

Nothing technically breaking, however you will just need to remove the old policy assignments of Deny-Public-IP from corp and identity Management Groups and re-run/deploy the alzDefaultPolicyAssignments.bicep and this will put the assignment, using the built-in definition instead of the custom one, to the identity Management Group.

More on this process and instructions can be found here: How to migrate ALZ custom policies to Azure built-in policies

What's Changed

• 16989: Add bicep sample code by @khushal08 in #355
• Fix #388 - Incorrect variable reference by @oZakari in #390
• Fixed documentation on parLandingZoneMgChildren parameter description… by @lachaves in #394
• Replaced DDoS Standard with DDoS Network Protection by @lachaves in #396
• Resolve #386 & #330 by @jtracey93 in #398
• ALZ Bicep - Generate Markdown for Parameters by @JamJarchitect in #304
• Update Policy Library (automated) by @github-actions in #400
• Update Private DNS Zones by @jtracey93 in #403
• Change conditional source - Fix #406 by @jtracey93 in #407

New Contributors

• @khushal08 made their first contribution in #355
• @oZakari made their first contribution in #390

Full Changelog: v0.11.0...v0.12.0

v0.11.0

Summary

This release does bring a couple of slight "breaking changes" (see below section for details) however, aside from this there are a few key call outs to note:

• Updates around PowerShell & CLI deployment snippets from @JamJarchitect in #312
• Add support for Policy Set Definitions (Initiatives) Groups thanks to @vedagudipati in #364
• Fix issues with Azure Policies for China (Mooncake) thanks to @jtracey93 in #377 #378 #369
• Various documentation enhancements from @jfaurskov @johnlokerse @coolhome
• Changed mgDiagSettingsAll.bicep to be targeted to Management Groups instead of Tenant level deployment thanks to @lachaves in #372
• Fix bug with uniqueness of custom role definition GUIDs and names that is required when deploying multiple ALZs in the same tenant, for scenario like canary thanks to @DaFitRobsta in #379

Breaking Changes

As mentioned above there are a couple of "slight" breaking changes that are introduced with this release.

Breaking Change 1 - mgDiagSettingsAll.bicep deployment scope change from Tenant to Management Group

This change was made based on customer feedback around using least privileged access in #338, which we agreed was valid and the right thing to do, hence the change.

Handling this change is as simple as changing the deployment scoping from Tenant to Management Group e.g. from New-AzTenantDeployment to New-AzManagementGroupDeployment.

The module README in the module documents the commands to use for PowerShell or Az CLI

Breaking Change 2 - customRoleDefinitions.bicep now has more unique GUIDs and Role Names based on Management Group ID/Name

This change was reported as a bug in #362 which meant if you followed our canary guidance you would not have been able to create the custom role definitions in each of the Management Group hierarchies as the GUIDs and names for the custom role definitions were not based on the Management Group ID/Name they were being deployed on.

We have now changed this so they are based on the Management Group ID/Name so they can be deployed across as many Management Group hierarchies in the same AAD Tenant 👍

What is the breaking change?

If you redeploy the latest version of the customRoleDefinitons.bicep you will get a set of new roles based on the new GUID and Name uniqueness that is based on the Management Group ID/Name you deploy them to, as detailed in the module README

So, this will not break anything, but it will just create a duplicate set of role definitions on your Management Group.

You should look to migrate all assignments of the old custom role definitions to the newly created ones, in this release, to ensure you can adopt scenarios like canary later on in your ALZ journey 👍

What's Changed

• Azure China Cloud - Policy Refactoring by @JamJarchitect in #351
• Update Policy Library for Azure China (automated) by @github-actions in #352
• Fix bicep example for parLandingZoneMgChildren by @coolhome in #353
• Updated markdowns to correspond with the Bicep files by @johnlokerse in #331
• Update Policy Library for Azure China (automated) by @github-actions in #361
• Update Policy Library (automated) by @github-actions in #360
• Support for groups as part of policy Initiatives by @vedagudipati in #364
• Update Policy Library (automated) by @github-actions in #366
• Add metadata filtering to China .github/scripts/Invoke-PolicyToBicep-China.ps1 by @jtracey93 in #369
• Guidance Update - Policies to Built-In by @jfaurskov in #363
• Response to FRs - Issues #267 and #290 - POC in RG Name and Deployment Snippets by @JamJarchitect in #312
• Change deployment scope for MG Diagnostics #338 by @lachaves in #372
• Update Policy Library (automated) by @github-actions in #373
• Feature: Add ability to exclude policy set/initiative child definitions for China policies by @jtracey93 in #377
• Update Policy Library for Azure China (automated) by @github-actions in #378
• fix: Update role ID and name by @DaFitRobsta in #379
• Release v0.11.0 prep by @jtracey93 in #380

New Contributors

• @coolhome made their first contribution in #353
• @vedagudipati made their first contribution in #364

Full Changelog: v0.10.6...v0.11.0