v0.12.0

Summary

This release brings mainly lots of goodness in the Azure Policy space as well as improving our testing, thanks to PSRule for Azure, also updating the Private DNS Zones for Private Link that get deployed in the Private DNS Zones module, and finally changing our module docs to being programmatically generated, so you only need to update a .bicep module now and the docs get generated as part of your PR 🥳

Policy Changes

1. Converted Deny-Public-IP assignment to new assignment using built-in policy called Deny-Public-IP-Addresses as detailed in #398 & #386
2. Add new default assignment of Deploy-Private-DNS-Zones to corp MG fixing #137 and brining assignments into alignment across all ALZ implementation options (portal and Terraform)
3. Remove assignment of Deny-Public-IP in default assignments from corp to bring assignments into alignment across all ALZ implementation options (portal and Terraform)

Breaking Changes

Nothing technically breaking, however you will just need to remove the old policy assignments of Deny-Public-IP from corp and identity Management Groups and re-run/deploy the alzDefaultPolicyAssignments.bicep and this will put the assignment, using the built-in definition instead of the custom one, to the identity Management Group.

More on this process and instructions can be found here: How to migrate ALZ custom policies to Azure built-in policies

What's Changed

• 16989: Add bicep sample code by @khushal08 in #355
• Fix #388 - Incorrect variable reference by @oZakari in #390
• Fixed documentation on parLandingZoneMgChildren parameter description… by @lachaves in #394
• Replaced DDoS Standard with DDoS Network Protection by @lachaves in #396
• Resolve #386 & #330 by @jtracey93 in #398
• ALZ Bicep - Generate Markdown for Parameters by @JamJarchitect in #304
• Update Policy Library (automated) by @github-actions in #400
• Update Private DNS Zones by @jtracey93 in #403
• Change conditional source - Fix #406 by @jtracey93 in #407

New Contributors

• @khushal08 made their first contribution in #355
• @oZakari made their first contribution in #390

Full Changelog: v0.11.0...v0.12.0

v0.11.0

Summary

This release does bring a couple of slight "breaking changes" (see below section for details) however, aside from this there are a few key call outs to note:

• Updates around PowerShell & CLI deployment snippets from @JamJarchitect in #312
• Add support for Policy Set Definitions (Initiatives) Groups thanks to @vedagudipati in #364
• Fix issues with Azure Policies for China (Mooncake) thanks to @jtracey93 in #377 #378 #369
• Various documentation enhancements from @jfaurskov @johnlokerse @coolhome
• Changed mgDiagSettingsAll.bicep to be targeted to Management Groups instead of Tenant level deployment thanks to @lachaves in #372
• Fix bug with uniqueness of custom role definition GUIDs and names that is required when deploying multiple ALZs in the same tenant, for scenario like canary thanks to @DaFitRobsta in #379

Breaking Changes

As mentioned above there are a couple of "slight" breaking changes that are introduced with this release.

Breaking Change 1 - mgDiagSettingsAll.bicep deployment scope change from Tenant to Management Group

This change was made based on customer feedback around using least privileged access in #338, which we agreed was valid and the right thing to do, hence the change.

Handling this change is as simple as changing the deployment scoping from Tenant to Management Group e.g. from New-AzTenantDeployment to New-AzManagementGroupDeployment.

The module README in the module documents the commands to use for PowerShell or Az CLI

Breaking Change 2 - customRoleDefinitions.bicep now has more unique GUIDs and Role Names based on Management Group ID/Name

This change was reported as a bug in #362 which meant if you followed our canary guidance you would not have been able to create the custom role definitions in each of the Management Group hierarchies as the GUIDs and names for the custom role definitions were not based on the Management Group ID/Name they were being deployed on.

We have now changed this so they are based on the Management Group ID/Name so they can be deployed across as many Management Group hierarchies in the same AAD Tenant 👍

What is the breaking change?

If you redeploy the latest version of the customRoleDefinitons.bicep you will get a set of new roles based on the new GUID and Name uniqueness that is based on the Management Group ID/Name you deploy them to, as detailed in the module README

So, this will not break anything, but it will just create a duplicate set of role definitions on your Management Group.

You should look to migrate all assignments of the old custom role definitions to the newly created ones, in this release, to ensure you can adopt scenarios like canary later on in your ALZ journey 👍

What's Changed

• Azure China Cloud - Policy Refactoring by @JamJarchitect in #351
• Update Policy Library for Azure China (automated) by @github-actions in #352
• Fix bicep example for parLandingZoneMgChildren by @coolhome in #353
• Updated markdowns to correspond with the Bicep files by @johnlokerse in #331
• Update Policy Library for Azure China (automated) by @github-actions in #361
• Update Policy Library (automated) by @github-actions in #360
• Support for groups as part of policy Initiatives by @vedagudipati in #364
• Update Policy Library (automated) by @github-actions in #366
• Add metadata filtering to China .github/scripts/Invoke-PolicyToBicep-China.ps1 by @jtracey93 in #369
• Guidance Update - Policies to Built-In by @jfaurskov in #363
• Response to FRs - Issues #267 and #290 - POC in RG Name and Deployment Snippets by @JamJarchitect in #312
• Change deployment scope for MG Diagnostics #338 by @lachaves in #372
• Update Policy Library (automated) by @github-actions in #373
• Feature: Add ability to exclude policy set/initiative child definitions for China policies by @jtracey93 in #377
• Update Policy Library for Azure China (automated) by @github-actions in #378
• fix: Update role ID and name by @DaFitRobsta in #379
• Release v0.11.0 prep by @jtracey93 in #380

New Contributors

• @coolhome made their first contribution in #353
• @vedagudipati made their first contribution in #364

Full Changelog: v0.10.6...v0.11.0

v0.10.6

Summary

This is mainly a hygiene update on the ALZ-Bicep Core Team side focussed on policy where we have fixed our custom policy definition automation since the upstream enterprise-scale repo work was completed in PR 1022 and also some performance/optimization enhancements by moving to loadJsonContent() as a Bicep function across all our policy definition modules in this repo.

We have also therefore pulled in the latest policy changes from the upstream repo and made them available in the customPolicyDefinitions.bicep module. But there was only metadata changes from PR 1039 and also a new Azure Firewall Category from PR 1066. Thanks @JamJarchitect for your work here 👍

Also, as mentioned above, in PR #343 @KevinRabun has moved us to using loadJsonContent() across all our ALZ policy definitions modules which provides some very subtle but welcomed performance and optimization enhancements especially around max file sizes etc. Thanks @KevinRabun 👍

Breaking Changes

None

What's Changed

• Azure Commercial Cloud - Update Policy Library - ADO #22240 by @JamJarchitect in #345
• Update json file loading to use loadJsonContent by @KevinRabun in #343
• Update Policy Library (automated) by @github-actions & @jtracey93 in #346
• Prep for release of v0.10.6 by @jtracey93 in #349
• Azure Commercial Cloud - Policy Update Issue in Workflow by @JamJarchitect in #350

New Contributors

• @KevinRabun made their first contribution in #343 🥳🥳🥳🥳🥳

Full Changelog: v0.10.5...v0.10.6

v0.10.5

We only just cut version v0.10.4 but we found a bug and have fixed, hence the new release. Please still checkout the v0.10.4 release notes

Breaking Changes

None

However, please still review v0.10.0 release notes if using a version older than v0.10.0

What's Changed

• Fix #334 - fix deployment errors related to Network.DNS.Proxy in vwanConnectivity.bicep module by @jfaurskov in #335
• Bump PSRule.Azure Baseline to Azure.GA_2022_09 by @jtracey93 in #333

Full Changelog: v0.10.4...v0.10.5

v0.10.4

Breaking Changes

None

However, please still review v0.10.0 release notes if using a version older than v0.10.0

What's Changed

• doc: Added subnet disclaimer by @DaFitRobsta in #322
• capture definitionReferenceId that starts with number. by @eureka-gh in #324
• Add .editorconfig support by @jtracey93 in #325
• Add AZ Support for VPN & ER GW PIPs by @jhajduk-microsoft & @jtracey93 in #306
• Management Group Diagnostic Settings Enablement - New Module by @lachaves & @jtracey93 in #321

New Contributors

• @eureka-gh made their first contribution in #324
• @jhajduk-microsoft made their first contribution in #306
• @lachaves made their first contribution in #321

Full Changelog: v0.10.3...v0.10.4

v0.10.3

Breaking Changes

None

However, please still review v0.10.0 release notes if using a version older than v0.10.0

What's Changed

• Add Azure Enablement Show Videos to docs & Update FAQ RE #300 by @jtracey93 in #309
• fixed typo in subPlacementAl by @floschmsft in #310
• Add PSRule To ALZ Bicep Testing by @jtracey93 in #313
• Enable GitHub to ADO WIT Sync by @jtracey93 in #315
• chore: bicepconfig.json linter update by @DaFitRobsta in #318
  • bicepconfig.json files updated to use latest rules available in latest Bicep release v0.10.61
  • Please ensure you update to the latest Bicep release following the instructions here

New Contributors

• @floschmsft made their first contribution in #310
• @DaFitRobsta made their first contribution in #318

Thank you both 🥳

Full Changelog: v0.10.2...v0.10.3

v0.10.2

Breaking Changes

None

However, please still review v0.10.0 release notes if using a version older than v0.10.0

What's Changed

• Update geo codes for Azure Backup by @krowlandson in #305

New Contributors

• @krowlandson made their first contribution in #305

Full Changelog: v0.10.1...v0.10.2

v0.10.1

Breaking Changes

None

However, please still review v0.10.0 release notes if using a version older than v0.10.0

What's Changed

• New Orchestration Module: subPlacementAll by @jtracey93 in #298
  • Created from Feature Request #295
• Include encryption keySource for automation account to resolve what-if noise by @olljanat in #299

Full Changelog: v0.10.0...v0.10.1

v0.10.0

Breaking Changes

• In privateDnsZones module the Private DNS Zones vNet linking name has been made unique to ensure can be used multiple times for vNets with the same names.
  • Old name Bicep Code: name: '${privateDnsZoneName}/${privateDnsZoneName}'
  • New name Bicep Code: name: '${privateDnsZoneName}/${take('link-${uniqueString(parVirtualNetworkIdToLink)}', 80)}'
    • Link to the PR and line in module where changed
      

What should we do?

If possible, move to the new naming format as this enables easier future expansion into other regions etc., if planned. You will need to remove the existing vNet links on each Private DNS Zone for the hub vNet or other vNet you may have specified.

You may also choose not to pull in this latest change to this specific module if you wish. However, be aware that if trying to link another vNet to the Private DNS Zone using the privateDnsZones module you will be unable to with the Old name bicep code (as shown above) due to the vNet link name will be the same, irrespective of the vNet name; which the new code does now use to create the name for the vNet link 👍

Important: If you run the privateDnsZones module, or another module like hubNetworking that calls the privateDnsZones module, over the top without being aware of these changes, you will likely see a deployment failure for the Private DNS Zone vNet links as it will try to re-create new vNet links for the same vNet but with different Private DNS Zone vNet link names, which is not possible in the platform as it will create a duplicate config.

What's Changed

• Update Policy Library for Azure China (automated) by @github-actions in #289
• Use latest API versions in all modules by @olljanat & @jtracey93 in #293
  • Also updated tests in ADO to use location from Key Vault completely, isntead of hardcoded to eastus in some places
• Update docs and PR template to close #247 by @jtracey93 in #296
  • Added using latest API versions for resources to PR template and Contribution Guide

Full Changelog: v0.9.3...v0.10.0

v0.9.3

Breaking Changes

None

What's Changed

• Update Invoke-PolicyToBicep.ps1 Scripts to Handle -'s, 's (spaces) & ' apostrophes + Fix #254 by @jtracey93 in #288

  • A number of changes to the Invoke-PolicyToBicep.ps1 script to support more characters in inputs based on some customer scenarios seen recently
  • This PR reduces the size of the generated ARM template for the customPolicyDefinitions.bicep from 2.8 MB to around 800 KB by optimizing how we load parameters for Policy Imitative Definitions as highlighted in #254
  • Important: No changes to policies are made

• Various Docs Enhancements, Typo Fixes & Updates by @jtracey93 in #286

• Add Azure function to remove used subscriptions by @jfaurskov in #287

  • Used internally for test clean-ups

New Contributors

• @SeSeicht made their first contribution in #288

Full Changelog: v0.9.2...v0.9.3