Skip to content

Releases: Azure/ALZ-Bicep

v0.20.1

07 Dec 15:57
Compare
Choose a tag to compare

What's Changed

  • build: Bump github/codeql-action from 3.27.0 to 3.27.1 by @dependabot in #900
  • chore: Adjust permission scopes by @oZakari in #898
  • docs: Update known issues wiki by @oZakari in #908
  • build: Bump softprops/action-gh-release from 2.0.9 to 2.1.0 by @dependabot in #906
  • build: Bump github/codeql-action from 3.27.1 to 3.27.4 by @dependabot in #905
  • build: Update permissions at top level and add environment by @oZakari in #904
  • docs: Update known issues with Azure PowerShell v13.0.0 by @oZakari in #910
  • feat: updates to fix Region name now being appended to azFw policy name #914 by @jtracey93 in #915
  • build: Bump github/codeql-action from 3.27.4 to 3.27.5 by @dependabot in #911
  • build: Bump step-security/harden-runner from 2.10.1 to 2.10.2 by @dependabot in #913
  • build: Bump actions/dependency-review-action from 4.4.0 to 4.5.0 by @dependabot in #912

Breaking Changes

None 👍🏼

Full Changelog: v0.20.0...v0.20.1

v0.20.0

07 Nov 20:27
301891f
Compare
Choose a tag to compare

Summary

In this release, the primary update is alignment with the Q1 2025 Policy Refresh.

We've also fixed several bugs, one of which results in some breaking changes, so please see the Breaking Changes section below for additional information.

What's Changed

  • feat: Policy Refresh Q1 FY25 by @oZakari in #806
  • feat: Update Policy Library (automated) by @cae-pr-creator in #894
  • fix: Private DNS Zones Bug (#695) by @jtracey93 in #891
  • fix: Resolve a variety of bugs and update api version of private dns zone links resource by @oZakari in #896
  • chore: artifact workflow trigger fix by @jaredfholgate in #872
  • chore: [StepSecurity] Apply security best practices by @step-security-bot in #876
  • build: Bump github/codeql-action from 3.26.10 to 3.26.13 by @dependabot in #879
  • build: Bump actions/checkout from 4.1.1 to 4.2.1 by @dependabot in #881
  • build: Bump actions/upload-artifact from 4.4.0 to 4.4.3 by @dependabot in #880
  • build: Bump softprops/action-gh-release from 2.0.8 to 2.0.9 by @dependabot in #893
  • build: Bump github/codeql-action from 3.26.13 to 3.27.0 by @dependabot in #887
  • build: Bump actions/checkout from 4.2.1 to 4.2.2 by @dependabot in #889
  • build: Bump actions/dependency-review-action from 4.3.4 to 4.4.0 by @dependabot in #892
    Bicep/pull/896

Breaking Changes

Private DNS Zones Breaking Changes

The local private DNS zones modules (privateDnsZones.bicep) has been replaced in the networking related modules in this repo with the AVM Pattern module of avm/ptn/network/private-link-private-dns-zones to resolve bug #695.

This has meant some breaking changes to each of the networking modules that are detailed below.

privateDnsZones.bicep

hubNetworking.bicep & hubNetworking-multiRegion.bicep

From:

[
  {
    "name": "privatelink.api.azureml.ms",
    "id": "/subscriptions/<subID>/resourceGroups/<rgID>/providers/Microsoft.Network/privateDnsZones/privatelink.api.azureml.ms"
  },
  {
    "name": "privatelink.notebooks.azure.net",
    "id": "subscriptions/<subID>/resourceGroups/<rgID>/providers/Microsoft.Network/privateDnsZones/privatelink.notebooks.azure.net"
  },
  …
]

To:

[
  {
    "pdnsZoneName": "privatelink.api.azureml.ms",
    "virtualNetworkResourceIdsToLinkTo": [
      "/subscriptions/<subID>/resourceGroups/<rgID>/providers/Microsoft.Network/virtualNetworks/alz-hub-uksouth"
    ]
  },
  {
    "pdnsZoneName": "privatelink.notebooks.azure.net",
    "virtualNetworkResourceIdsToLinkTo": [
      "/subscriptions/<subID>/resourceGroups/<rgID>/providers/Microsoft.Network/virtualNetworks/alz-hub-uksouth"
    ]
  },
  …
]

vwanConnectivity.bicep

From:

[
  {
    "name": "privatelink.api.azureml.ms",
    "id": "/subscriptions/<subID>/resourceGroups/<rgID>/providers/Microsoft.Network/privateDnsZones/privatelink.api.azureml.ms"
  },
  {
    "name": "privatelink.notebooks.azure.net",
    "id": "subscriptions/<subID>/resourceGroups/<rgID>/providers/Microsoft.Network/privateDnsZones/privatelink.notebooks.azure.net"
  },
  …
]

To:

[
  {
    "pdnsZoneName": "privatelink.api.azureml.ms",
    "virtualNetworkResourceIdsToLinkTo": [
      "/subscriptions/<subID>/resourceGroups/<rgID>/providers/Microsoft.Network/virtualNetworks/alz-hub-uksouth"
    ]
  },
  {
    "pdnsZoneName": "privatelink.notebooks.azure.net",
    "virtualNetworkResourceIdsToLinkTo": [
      "/subscriptions/<subID>/resourceGroups/<rgID>/providers/Microsoft.Network/virtualNetworks/alz-hub-uksouth"
    ]
  },
  …
]

New Contributors

Full Changelog: v0.19.4...v0.20.0

v0.20.0-pre

06 Nov 03:40
d1edb92
Compare
Choose a tag to compare
v0.20.0-pre Pre-release
Pre-release

Used for testing only.

v0.19.4

02 Oct 07:59
d456e09
Compare
Choose a tag to compare

Compatibility

This version of the Bicep starter module is only compatible with with versions of the ALZ PowerShell module > 4.0.0: https://github.com/Azure/ALZ-PowerShell-Module/releases/tag/4.0.0

Older version of the PowerShell module will fail.

Summary

Deprecation Notice: ALZ Bicep Accelerator (Classic)

The classic version of the ALZ Bicep Accelerator has been officially deprecated and removed from the ALZ PowerShell Module (supported only in version 3.1.2 or earlier). Users are encouraged to transition to the updated version, which automates the bootstrapping of your Version Control System and Azure resources.

However, if you prefer, you can hold off on updating and wait for the upcoming ALZ-Bicep Refactor that will leverage Azure Verified Modules, providing an enhanced and standardized framework.

Additionally, the Azure Monitor Baseline Alerts (AMBA) guidance is specific to the deprecated classic version. While integration into the updated ALZ-Bicep Accelerator is underway, you can still deploy AMBA as a standalone solution or wait for the upcoming integration.

For more information, see the updated documentation.

What's Changed

Breaking Changes

None 👍🏼

Full Changelog: v0.19.3...v0.19.4

v0.19.3

27 Sep 04:56
2b7ee23
Compare
Choose a tag to compare

Summary

This release introduces several new capabilities and improvements to the networking modules:

  • SNAT Configuration for Azure Firewall: Added support to configure Source Network Address Translation (SNAT) for Azure Firewall resources.
  • Active/Active Virtual Network Gateways: Networking modules now support the deployment of active/active virtual network gateways.
  • Bug Fixes:
    • Resolved an issue in the ALZ Default Policy Assignments module, where a specific assignment was missing a required role.
    • Fixed an issue with the DDOS resource output, which was missing a condition that caused failures when parDdosEnabled was set to true.

We’ve also introduced a hub networking module and an associated parameter file for use in the Accelerator for deployments targeting two regions. Along with this, a new parameter file for the VWAN module has been added, supporting multi-region deployments within the Accelerator.

Finally, we've added a note in the README indicating that starting in Q4 2024, applicable resources in all modules will be configured to be zone-redundant by default.

What's Changed

  • feat: Add SNAT property to firewall resources by @oZakari in #854
  • fix: Fix hubNetworking module output when DDoS is disabled by @cconstantin in #861
  • chore: Bump github/codeql-action from 3.26.6 to 3.26.8 by @dependabot in #858
  • fix: Add role connectedMachineResourceAdministrator to Deploy-vmHybr-Monitoring by @baartch in #862
  • fix: General networking fixes and add active-active capability for vnet gateway by @oZakari in #863
  • ci: Bump github/codeql-action from 3.26.8 to 3.26.9 by @dependabot in #864
  • feat: Multi region support for accelerator by @sebassem in #857

Breaking Changes

None 👍🏼

New Contributors

Full Changelog: v0.19.2...v0.19.3

v0.19.2

06 Sep 01:46
3ab7cc2
Compare
Choose a tag to compare

Summary

This release addresses an issue where the compiled ARM template for the Default Policy Assignments Module was excessively large, resulting in deployment failures.

What's Changed

Breaking Changes

None 👍🏼

Full Changelog: v0.19.1...v0.19.2

v0.19.1

04 Sep 19:11
ec4f4b8
Compare
Choose a tag to compare

Summary

This update introduces the ability to use constrained delegation, adds new linter rules, updates API versions, and includes several bug fixes.

What's Changed

  • fix: rename private DNS zone privatelink.dp.kubernetesconfiguration.azure.com by @baartch in #814
  • Adding RBAC constrained delegation parameters and guidance in the roleAssignment modules by @sebassem in #816
  • Fix safe access linter warnings by @picccard in #827
  • Added newer linter-rules by @picccard in #826
  • Updated api version for automation account by @picccard in #829
  • Bump github/codeql-action from 3.24.9 to 3.26.5 by @dependabot in #840
  • Bump gaurav-nelson/github-action-markdown-link-check from 1.0.13 to 1.0.15 by @dependabot in #839
  • Bump actions/upload-artifact from 3.pre.node20 to 4.3.6 by @dependabot in #838
  • Bump github/super-linter from 4 to 6 by @dependabot in #836
  • Bump azure/powershell from 1 to 2 by @dependabot in #837
  • Bump ossf/scorecard-action from 2.3.1 to 2.4.0 by @dependabot in #842
  • Bump github/codeql-action from 3.26.5 to 3.26.6 by @dependabot in #844
  • Bump a11smiles/GitSync from 1.1.4 to 1.2.3 by @dependabot in #843
  • Adding a link to RBAC constrained delegation limitations by @sebassem in #847
  • fix: Condensed descriptions and add known issue for ALZ Default Policy Assignments Module by @oZakari in #831
  • Bump github/super-linter from 6 to 7 by @dependabot in #846
  • hygiene: Add semantic versioning by @oZakari in #849
  • Bump actions/upload-artifact from 4.3.6 to 4.4.0 by @dependabot in #848

Breaking Changes

None 👍🏼

Full Changelog: v0.19.0...v0.19.1

v0.19.0

18 Jul 20:26
8dd8d53
Compare
Choose a tag to compare

Summary

This update brings multi-region support along with guidance for deploying networking components across multiple regions.

We are also excited to introduce V2 of the ALZ-Bicep Accelerator! Expanding on the features of the V1 Accelerator, V2 provides complete automation for setting up continuous integration and deployment environments in both Azure DevOps and GitHub.
New Features and Improvements:

  • Support for self-hosted container instances for GitHub Runners and Azure DevOps Agents.
  • Templatized pipelines with options to toggle module deployments.
  • Group/member approval processes for deployments.
  • And many more enhancements!

Note: The classic version of the ALZ Bicep Accelerator will be maintained for a limited time. We recommend migrating to the new version as soon as possible.

What's Changed

  • Add DdosEnabled toggle and fix logic modPolicyAssignmentConnEnableDdos by @oZakari in #810
  • Bug: Several hygiene fixes and/or cleanup by @oZakari in #809
  • bug: Fix deploymentnames in pipeline-scripts to max 64 char by @picccard in #801
  • Sentinel onboarding via OnboardingStates API by @cloudchristoph in #811
  • [vwanConnectivity] Refactor to support multi-region hubs by @sebassem in #805
  • Enhancement: Remove secret references for login by @oZakari in #793
  • ALZ bicep modules multi-region guidance by @sebassem in #804
  • Implement bicep bootstrap by @jaredfholgate in #799

Breaking Changes

With PR #805, the following parameters were moved into the user-defined type of virtualWanOptionsType to allow for different firewall configurations per hub/region

  • parAzFirewallDnsServers
  • parAzFirewallIntelMode
  • parAzFirewallDnsProxyEnabled
  • parAzFirewallTier
  • parAzFirewallAvailabilityZones

Full Changelog: v0.18.0...v0.19.0

v0.18.0

21 Jun 09:33
0a9a675
Compare
Choose a tag to compare

Summary

This is a major release, following the update of Azure Landing Zones with its major policy refresh and the transition from Microsoft Monitoring Agent (MMA) to Azure Monitoring Agent (AMA), you can read more in the "What's New" wiki page in the Enterprise-Scale repo. This release incorporates the following changes from the upstream Enterprise Scale repo:

1. Policy Refresh H2 FY24

  • Transition to built-in policies for the deployment of diagnostic settings (original assignments will be moved to new definitions).
  • Transition to built-in policies for the deployment of Azure Monitor Agent.

Tip

See here for the updated list of all ALZ Default Policy Assignments

Policy Refresh H2 FY24 Cleanup

Existing consumers of ALZ will notice that some "assigned by default" initiative assignments from the ALZ Default Policy Assignment Module have been replaced/renamed to avoid breaking changes to existing assignments.

  • Therefore, the original assignments listed below will need to be deleted within your Azure environments:

    Initiative Display Name Original Assignment Name New Assignment Name Scope of Assignment
    Deploy-VM-Monitor Legacy - Enable Azure Monitor for VMs Deploy-VM-Monitoring Deploy-VM-Monitor-24 Landing Zones Management Group
    Deploy-VMSS-Monitor Legacy - Enable Azure Monitor for Virtual Machine Scale Sets Deploy-VMSS-Monitoring Deploy-VMSS-Monitor-24 Landing Zones Management Group
    Deploy-MDFC-Config Deploy Microsoft Defender for Cloud configuration Deploy-MDFC-Config Deploy-MDFC-Config-H224 Intermediate Root Management Group
    Deploy-EncryptTransit Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit Enforce-TLS-SSL Enforce-TLS-SSL-H224 Landing Zones Management Group
    Deploy-Diagnostics-LogAnalytics Deploy Diagnostic Settings to Azure Services Deploy-Resource-Diag Deploy-Diag-Logs Intermediate Root Management Group

| Deploy-VM-Monitor | Deploy

2. AMA Updates

The Microsoft Monitoring Agent (MMA) is deprecated, and all related assignment files have been removed, though the policy definitions files remain. We now assign policies that deploy the Azure Monitor Agent (AMA) instead of MMA.

The ALZ team have a number of pieces of guidance you can utilise to understand the MMA deprecation (aka AMA migration) steps: aka.ms/alz/ama/blog

New resources

  • A user-assigned managed identity (UAMI) for the AMA agent to authenticate with Azure Monitor (this requires no special role assignments; any valid identity will suffice)
  • Data collection rule for VM Insights
  • Data collection rule for Change Tracking
  • Data collection rule for Defender for SQ

Microsoft Monitoring Agent (MMA) Cleanup

As MMA resources were deployed using Azure Policy (DeployIfNotExists), they will not be cleaned up automatically. Manual cleanup of these resources is required. Please refer to the product group guidance on how to clean up the MMA resources.

Legacy Policy Cleanup

Existing consumers of ALZ will notice that some "assigned by default" initiative assignments from the ALZ Default Policy Assignment Module have been replaced/renamed to avoid breaking changes to existing assignments.

  • Therefore, the original assignments listed below will need to be deleted within your Azure environments:

    Assignment Name Display Name Scope of Assignment
    Deploy-MDFC-DefenSQL-AMA Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace Platform Management Group
    Landing Zones Management Group
    Deploy-UAMI-VMInsights Deploy User Assigned Managed Identity for VM Insights Landing Zones Management Group

Important

Going forward, this ALZ Default Policy Assignments Module and Logging Module will not support MMA and will only support AMA. If you wish to continue using MMA, you will need to manage it outside of these modules.

What's Changed

Breaking Changes

  1. With the fix for #780, we changed the allowed value within the param to specify the hub routing preference from ASN to AsPath

Full Changelog: v0.17.5...v0.18.0

v0.17.5

11 Jun 16:25
6928d91
Compare
Choose a tag to compare

Summary

Just a very small release to fix a bug for Sovereign Landing Zone deployments.

What's Changed

Breaking Changes

None 👍🏼

Full Changelog: v0.17.4...v0.17.5