Releases: Azure/ALZ-Bicep
v0.19.1
Summary
This update introduces the ability to use constrained delegation, adds new linter rules, updates API versions, and includes several bug fixes.
What's Changed
- fix: rename private DNS zone privatelink.dp.kubernetesconfiguration.azure.com by @baartch in #814
- Adding RBAC constrained delegation parameters and guidance in the roleAssignment modules by @sebassem in #816
- Fix safe access linter warnings by @picccard in #827
- Added newer linter-rules by @picccard in #826
- Updated api version for automation account by @picccard in #829
- Bump github/codeql-action from 3.24.9 to 3.26.5 by @dependabot in #840
- Bump gaurav-nelson/github-action-markdown-link-check from 1.0.13 to 1.0.15 by @dependabot in #839
- Bump actions/upload-artifact from 3.pre.node20 to 4.3.6 by @dependabot in #838
- Bump github/super-linter from 4 to 6 by @dependabot in #836
- Bump azure/powershell from 1 to 2 by @dependabot in #837
- Bump ossf/scorecard-action from 2.3.1 to 2.4.0 by @dependabot in #842
- Bump github/codeql-action from 3.26.5 to 3.26.6 by @dependabot in #844
- Bump a11smiles/GitSync from 1.1.4 to 1.2.3 by @dependabot in #843
- Adding a link to RBAC constrained delegation limitations by @sebassem in #847
- fix: Condensed descriptions and add known issue for ALZ Default Policy Assignments Module by @oZakari in #831
- Bump github/super-linter from 6 to 7 by @dependabot in #846
- hygiene: Add semantic versioning by @oZakari in #849
- Bump actions/upload-artifact from 4.3.6 to 4.4.0 by @dependabot in #848
Breaking Changes
None 👍🏼
Full Changelog: v0.19.0...v0.19.1
v0.19.0
Summary
This update brings multi-region support along with guidance for deploying networking components across multiple regions.
We are also excited to introduce V2 of the ALZ-Bicep Accelerator! Expanding on the features of the V1 Accelerator, V2 provides complete automation for setting up continuous integration and deployment environments in both Azure DevOps and GitHub.
New Features and Improvements:
- Support for self-hosted container instances for GitHub Runners and Azure DevOps Agents.
- Templatized pipelines with options to toggle module deployments.
- Group/member approval processes for deployments.
- And many more enhancements!
Note: The classic version of the ALZ Bicep Accelerator will be maintained for a limited time. We recommend migrating to the new version as soon as possible.
What's Changed
- Add DdosEnabled toggle and fix logic modPolicyAssignmentConnEnableDdos by @oZakari in #810
- Bug: Several hygiene fixes and/or cleanup by @oZakari in #809
- bug: Fix deploymentnames in pipeline-scripts to max 64 char by @picccard in #801
- Sentinel onboarding via OnboardingStates API by @cloudchristoph in #811
- [vwanConnectivity] Refactor to support multi-region hubs by @sebassem in #805
- Enhancement: Remove secret references for login by @oZakari in #793
- ALZ bicep modules multi-region guidance by @sebassem in #804
- Implement bicep bootstrap by @jaredfholgate in #799
Breaking Changes
With PR #805, the following parameters were moved into the user-defined type virtualWanOptionsType to allow for different firewall configurations per hub/region:
- parAzFirewallDnsServers
- parAzFirewallIntelMode
- parAzFirewallDnsProxyEnabled
- parAzFirewallTier
- parAzFirewallAvailabilityZones
Full Changelog: v0.18.0...v0.19.0
v0.18.0
Summary
This is a major release. It follows the update of Azure Landing Zones with its major policy refresh and the transition from the Microsoft Monitoring Agent (MMA) to the Azure Monitor Agent (AMA); you can read more in the "What's New" wiki page in the Enterprise-Scale repo. This release incorporates the following changes from the upstream Enterprise-Scale repo:
1. Policy Refresh H2 FY24
- Transition to built-in policies for the deployment of diagnostic settings (original assignments will be moved to new definitions).
- Transition to built-in policies for the deployment of Azure Monitor Agent.
Tip: See here for the updated list of all ALZ Default Policy Assignments.
Policy Refresh H2 FY24 Cleanup
Existing consumers of ALZ will notice that some "assigned by default" initiative assignments from the ALZ Default Policy Assignment Module have been replaced/renamed to avoid breaking changes to existing assignments.
Therefore, the original assignments listed below will need to be deleted within your Azure environments:

| Initiative | Display Name | Original Assignment Name | New Assignment Name | Scope of Assignment |
|---|---|---|---|---|
| Deploy-VM-Monitor | Legacy - Enable Azure Monitor for VMs | Deploy-VM-Monitoring | Deploy-VM-Monitor-24 | Landing Zones Management Group |
| Deploy-VMSS-Monitor | Legacy - Enable Azure Monitor for Virtual Machine Scale Sets | Deploy-VMSS-Monitoring | Deploy-VMSS-Monitor-24 | Landing Zones Management Group |
| Deploy-MDFC-Config | Deploy Microsoft Defender for Cloud configuration | Deploy-MDFC-Config | Deploy-MDFC-Config-H224 | Intermediate Root Management Group |
| Deploy-EncryptTransit | Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit | Enforce-TLS-SSL | Enforce-TLS-SSL-H224 | Landing Zones Management Group |
| Deploy-Diagnostics-LogAnalytics | Deploy Diagnostic Settings to Azure Services | Deploy-Resource-Diag | Deploy-Diag-Logs | Intermediate Root Management Group |
2. AMA Updates
The Microsoft Monitoring Agent (MMA) is deprecated, and all related assignment files have been removed, though the policy definition files remain. We now assign policies that deploy the Azure Monitor Agent (AMA) instead of MMA.
The ALZ team has published guidance you can utilise to understand the MMA deprecation (aka AMA migration) steps: aka.ms/alz/ama/blog
New resources
- A user-assigned managed identity (UAMI) that AMA uses to authenticate to Azure Monitor
- Data collection rule for VM Insights
- Data collection rule for Change Tracking
- Data collection rule for Defender for SQL
Microsoft Monitoring Agent (MMA) Cleanup
As MMA resources were deployed using Azure Policy (DeployIfNotExists), they will not be cleaned up automatically. Manual cleanup of these resources is required. Please refer to the product group guidance on how to clean up the MMA resources.
Legacy Policy Cleanup
Existing consumers of ALZ will also notice that the following "assigned by default" initiative assignments from the ALZ Default Policy Assignment Module have been retired.
Therefore, the original assignments listed below will need to be deleted within your Azure environments:

| Assignment Name | Display Name | Scope of Assignment |
|---|---|---|
| Deploy-MDFC-DefenSQL-AMA | Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace | Platform Management Group, Landing Zones Management Group |
| Deploy-UAMI-VMInsights | Deploy User Assigned Managed Identity for VM Insights | Landing Zones Management Group |
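The two cleanup tables above (Policy Refresh H2 FY24 Cleanup and Legacy Policy Cleanup) list assignments to delete by hand. The following Azure PowerShell script is an added example, not code from the ALZ-Bicep repository or these release notes. It deletes each listed assignment at its stated scope, but only after confirming that the renamed replacement assignment already exists there, so a half-finished upgrade does not leave the scope with no monitoring or Defender assignment at all. The management group IDs (alz, alz-platform, alz-landingzones) are assumptions and must be changed to match your hierarchy; the assignment names are taken from the tables.

```powershell
# Added example (not part of the ALZ-Bicep repo or release notes): remove the
# superseded ALZ Default Policy Assignments listed in the two cleanup tables,
# refusing to delete an old assignment whose replacement is not yet in place.
# Assumes Az.Resources is installed and Connect-AzAccount has been run with an
# identity that can manage policy assignments at the management groups below.
#Requires -Modules Az.Resources

# Hypothetical management group IDs; replace with your own.
$mgRoot         = 'alz'                # Intermediate Root Management Group
$mgPlatform     = 'alz-platform'       # Platform Management Group
$mgLandingZones = 'alz-landingzones'   # Landing Zones Management Group

function Get-MgScope([string]$ManagementGroupId) {
    "/providers/Microsoft.Management/managementGroups/$ManagementGroupId"
}

# Old -> new pairs from the Policy Refresh H2 FY24 Cleanup table; a $null New
# means the assignment was retired outright (Legacy Policy Cleanup table).
$cleanup = @(
    @{ Old = 'Deploy-VM-Monitoring';     New = 'Deploy-VM-Monitor-24';    Scope = Get-MgScope $mgLandingZones }
    @{ Old = 'Deploy-VMSS-Monitoring';   New = 'Deploy-VMSS-Monitor-24';  Scope = Get-MgScope $mgLandingZones }
    @{ Old = 'Deploy-MDFC-Config';       New = 'Deploy-MDFC-Config-H224'; Scope = Get-MgScope $mgRoot }
    @{ Old = 'Enforce-TLS-SSL';          New = 'Enforce-TLS-SSL-H224';    Scope = Get-MgScope $mgLandingZones }
    @{ Old = 'Deploy-Resource-Diag';     New = 'Deploy-Diag-Logs';        Scope = Get-MgScope $mgRoot }
    @{ Old = 'Deploy-MDFC-DefenSQL-AMA'; New = $null;                     Scope = Get-MgScope $mgPlatform }
    @{ Old = 'Deploy-MDFC-DefenSQL-AMA'; New = $null;                     Scope = Get-MgScope $mgLandingZones }
    @{ Old = 'Deploy-UAMI-VMInsights';   New = $null;                     Scope = Get-MgScope $mgLandingZones }
)

function Remove-LegacyAlzAssignment {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][hashtable]$Item)

    # Get-AzPolicyAssignment throws when the name is absent, so suppress and test for $null.
    $old = Get-AzPolicyAssignment -Name $Item.Old -Scope $Item.Scope -ErrorAction SilentlyContinue
    if (-not $old) {
        Write-Verbose "$($Item.Old) not found at $($Item.Scope); nothing to do."
        return
    }

    # Guard: never delete a renamed assignment before its successor exists at the same scope.
    if ($Item.New) {
        $new = Get-AzPolicyAssignment -Name $Item.New -Scope $Item.Scope -ErrorAction SilentlyContinue
        if (-not $new) {
            Write-Warning "Replacement $($Item.New) is missing at $($Item.Scope); keeping $($Item.Old). Deploy the ALZ Default Policy Assignments module first."
            return
        }
    }

    if ($PSCmdlet.ShouldProcess("$($Item.Old) at $($Item.Scope)", 'Remove policy assignment')) {
        Remove-AzPolicyAssignment -Name $Item.Old -Scope $Item.Scope | Out-Null
        Write-Verbose "Removed $($Item.Old) at $($Item.Scope)."
    }
}

# Dry run first (-WhatIf prints what would be removed); drop -WhatIf to delete.
foreach ($item in $cleanup) {
    Remove-LegacyAlzAssignment -Item $item -WhatIf -Verbose
}
```

Run it once with -WhatIf and review the output before removing the switch. Deleting the assignment does not remove resources that the old DeployIfNotExists policies already created (MMA extensions, diagnostic settings), which is the point made under Microsoft Monitoring Agent (MMA) Cleanup; those still need the separate cleanup the guidance describes.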
Important
Going forward, this ALZ Default Policy Assignments Module and Logging Module will not support MMA and will only support AMA. If you wish to continue using MMA, you will need to manage it outside of these modules.
What's Changed
- Add OpenSSF Scorecard by @jaredfholgate in #789
- Enhancement: Policy Refresh H2 FY24 and Changes for AMA by @oZakari in #785
- bug: Fix invalid allowed value for hubRoutingPreference by @oZakari in #797
Breaking Changes
- With the fix for #780, we changed the allowed value within the param to specify the hub routing preference from ASN to AsPath
Full Changelog: v0.17.5...v0.18.0
v0.17.5
Summary
Just a very small release to fix a bug for Sovereign Landing Zone deployments.
What's Changed
- Fix the parAzFirewallCustomPublicIps' allowed list. by @VeronicaSea in #790
Breaking Changes
None 👍🏼
Full Changelog: v0.17.4...v0.17.5
v0.17.4
Note
This release does not add any new features for customers of ALZ Bicep; it is purely for the ALZ Bicep core team to progress ongoing work on the accelerator. Please review the v0.17.3 release for the latest customer-facing changes.
What's Changed
- [Bug - vwanConnectivity] outAzFwPrivateIps output index error by @sebassem in #787
- chore: add release action to generate artifacts for accelerator by @jaredfholgate in #788
Full Changelog: v0.17.3...v0.17.4
v0.17.3
Summary
This update introduces several enhancements, bug fixes, and documentation improvements. Key changes include documentation for incorporating Azure Monitor Baseline Alerts into the Accelerator framework, support for availability zones by default in the Accelerator, and a policy exemption module used for Sovereign Landing Zone deployments. There are no breaking changes in this release. Additionally, three new contributors have joined the project!
What's Changed
- Enhancement: Add availability zones information in the config file by @sebassem in #736
- Docs: add build validation guidance Azure DevOps by @MarcoJanse in #742
- Bug: Update vwanConnectivity.bicep by @DavidLHannah in #744
- Enhancement: update docs for refactor by @jaredfholgate in #747
- Bug: Adding conditional statements for subnet references by @oZakari in #748
- Bug: Change Enforce-GR-KeyVault policy assignment from platform management to platform scope by @achechen in #752
- Docs: Known issues by @oZakari in #757
- Docs: Update Known Issue Guidance by @oZakari in #758
- Docs: Enhancements and adjustments to documentation by @oZakari in #770
- Docs: Add documentation for integrating AMBA by @oZakari in #776
- Feature: Parameterize Route Table Entry Names by @alisakina99 in #777
- Docs: Amba documentation disclaimer and fix links in Accelerator by @oZakari in #781
- Feature: Policy Baseline Exemption Logic Needs to Live in ALZ Repo and a Flag for Azure Firewall Policy by @VeronicaSea in #762
Breaking Changes
None 👍🏼
New Contributors
- @DavidLHannah made their first contribution in #744
- @achechen made their first contribution in #752
- @alisakina99 made their first contribution in #777
Full Changelog: v0.17.2...v0.17.3
v0.17.2
Summary
This GitHub release provides a few minor changes primarily focused on updating API versions, adding clarity to param descriptions, and enhancing flexibility in SLZ policy assignments.
What's Changed
- Enhancement: Update api versions for policy defs and subscription resources and add clarity for resource lock param desc. by @oZakari in #730
- Update: alzDefaultPolicyAssignments.bicep changes for SLZ Policy Assignments by @VeronicaSea in #729
- Update release version by @oZakari in #732
Breaking Changes
None 👍🏼
Full Changelog: V0.17.1...v0.17.2
v0.17.1
Summary
In this series of updates, we'd like to highlight the first-time contributors who participated in this release. We sincerely appreciate your contributions! Additionally, we've introduced the following new features:
- Introduced Resource Locks to ALZ Bicep Modules to enhance security and governance capabilities. Thank you, @DaFitRobsta!
- Added parameter files and associated wiki for connectivity modules to incorporate resources with availability zones configured by default. Thank you, @sebassem and @bobanda87!
- Implemented new deployment toggles in hub-spoke configurations, providing users with increased flexibility and control over deployment of the VPN and ExpressRoute Gateways.
- Add support for new Azure Regions (Israel Central, Italy North, and Poland Central). Thank you, @jtracey93!
We've also incorporated the policy refresh for Q2 FY24; to see all of the changes, please take a look at the release notes from the Enterprise-Scale repository.
What's Changed
- Docs: update for new accelerator update process by @jaredfholgate in #692
- Feature: Incorporate availability zone param file for hubNetworking module by @bobanda87 in #690
- Feature: Add support for new Azure Regions by @jtracey93 in #693
- Docs: General Accelerator doc updates by @oZakari in #696
- Bug: Added missing parTags to the private zone links by @sergey-netdev in #698
- Bug: Fix deployment toggle to hub-spoke by adding AzBastionEnabled boolean to resBastionSubnetRef by @FallenHoot in #700
- Docs: Additional Accelerator upgrade guidance by @stalejohnsen in #708
- Feature: Added new deployment toggles to hub-spoke by @oZakari in #699
- Bug: Use GITHUB_OUTPUT envvar instead of set-output command by @arunsathiya in #713
- Docs: Documenting minimal network deployment, and fix about modified Modules by @marcosgm in #711
- Docs: Accelerator minimal network deployment updates by @picccard in #715
- Enhancement: AB#31944 Bicep - MDFC VM Vulnerability Assessment provider update to mdeTVM by @marcosgm in #716
- Feature: Add Resource Locking to ALZ Bicep Modules by @DaFitRobsta in #712
- Update: Update Policy Library (automated) by @cae-pr-creator in #717
- Feature: Assign additional built-in Sovereign landing zone policy initiatives by @oZakari in #718
- Docs: Alz resiliency guidance by @sebassem in #722
- Bug: Updates to workflows versions and fix permissions of workflows by @oZakari in #724
- Bug: Fix dead resiliency wiki link by @oZakari in #725
- Update: Update Policy Library (automated) by @cae-pr-creator in #719
- Update: Release-V0.17.1 Updated version.json by @oZakari in #726
Breaking Changes
None 👍
New Contributors
- @bobanda87 made their first contribution in #690
- @sergey-netdev made their first contribution in #698
- @FallenHoot made their first contribution in #700
- @arunsathiya made their first contribution in #713
- @marcosgm made their first contribution in #711
Full Changelog: v0.17.0...V0.17.1
v0.17.0
Summary
This series of updates in the Azure/ALZ-Bicep repository includes various contributions that provide configuration enhancements, documentation improvements, and fixes for a variety of bugs.
The following capabilities have been added:
- Adds ability to use custom resource names and/or properties for the following module parameters (Thank you, @johnlokerse!):
  - Logging module - parLogAnalyticsLinkedServiceAutomationAccountName
  - VWAN module - Optional: parVpnGatewayCustomName, parExpressRouteGatewayCustomName, parAzFirewallCustomName, and parVirtualWanHubCustomName
  - Diagnostic settings modules - parDiagnosticSettingsName
- Enhanced parameter validation with multiple user-defined types for the following module parameters (Thank you, @johnlokerse!):
  - Hub module - parSubnets
  - Policy Assignments module - parPolicyAssignmentNonComplianceMessages
  - VWAN module - virtualWanOptionsType
- Automation Account - Adds parameter to logging module to disable public network access (Thank you, @picccard!)
Breaking Changes
None 👍
What's Changed
- chore: update accelerator release process by @jaredfholgate in #663
- Update alz-bicep-pr2-lint.yml by @baartch in #665
- Update policy_assignment_es_enforce_alz_sandbox.tmpl.json by @chrisking81 in #667
- Update the release version for accelerator config by @oZakari in #668
- Update pester test and workflow triggers by @oZakari in #669
- Accelerator.md fix parameter and version by @stalejohnsen in #670
- Wiki: fix Accelerator Azdevops instructions by @MarcoJanse in #672
- Add type element to contributing-wiki by @picccard in #674
- Fix #680 by @jtracey93 in #681
- Automation account public network access option by @picccard in #677
- chore: remove un-required version number and tidy docs by @jaredfholgate in #685
- Add installation of ALZ Powershell module for policy scripts by @oZakari in #679
- Added several user defined types, ability for custom resources names in vwanConnectivity and mgDiagSettings by @johnlokerse in #656
New Contributors
- @chrisking81 made their first contribution in #667
- @MarcoJanse made their first contribution in #672
Full Changelog: v0.16.6...v0.17.0
v0.16.6
Summary
This is a fairly minor release, fixing a bug in case handling (thanks @baartch) and adding some release process improvements for the Accelerator (thanks @jaredfholgate).
What's Changed
- chore: de-couple accelerator releases from alz powershell module releases by @jaredfholgate in #662
- fix: change gatewayType comparisons to lowercase by @baartch in #659
New Contributors
- @jaredfholgate made their first contribution in #662
Full Changelog: v0.16.5...v0.16.6