Releases: Azure/ALZ-Bicep
v0.17.3
Summary
This update introduces several enhancements, bug fixes, and documentation improvements. Key changes include the addition of documentation to incorporate Azure Monitor Baseline Alerts into the Accelerator framework, support for availability zones by default in the Accelerator, and the addition of a policy exemption module used for Sovereign Landing Zone deployments. There are no breaking changes in this release. Additionally, three new contributors have joined the project!
What's Changed
- Enhancement: Add availability zones information in the config file by @sebassem in #736
- Docs: add build validation guidance Azure DevOps by @MarcoJanse in #742
- Bug: Update vwanConnectivity.bicep by @DavidLHannah in #744
- Enhancement: update docs for refactor by @jaredfholgate in #747
- Bug: Adding conditional statements for subnet references by @oZakari in #748
- Bug: Change Enforce-GR-KeyVault policy assignment from platform management to platform scope by @achechen in #752
- Docs: Known issues by @oZakari in #757
- Docs: Update Known Issue Guidance by @oZakari in #758
- Docs: Enhancements and adjustments to documentation by @oZakari in #770
- Docs: Add documentation for integrating AMBA by @oZakari in #776
- Feature: Parameterize Route Table Entry Names by @alisakina99 in #777
- Docs: Amba documentation disclaimer and fix links in Accelerator by @oZakari in #781
- Feature: Policy Baseline Exemption Logic Needs to Live in ALZ Repo and a Flag for Azure Firewall Policy by @VeronicaSea in #762
Breaking Changes
None 👍🏼
New Contributors
- @DavidLHannah made their first contribution in #744
- @achechen made their first contribution in #752
- @alisakina99 made their first contribution in #777
Full Changelog: v0.17.2...v0.17.3
v0.17.2
Summary
This GitHub release provides a few minor changes primarily focused on updating API versions, adding clarity to param descriptions, and enhancing flexibility in SLZ policy assignments.
What's Changed
- Enhancement: Update api versions for policy defs and subscription resources and add clarity for resource lock param desc. by @oZakari in #730
- Update: alzDefaultPolicyAssignments.bicep changes for SLZ Policy Assignments by @VeronicaSea in #729
- Update release version by @oZakari in #732
Breaking Changes
None 👍🏼
Full Changelog: V0.17.1...v0.17.2
v0.17.1
Summary
In this series of updates, we'd like to highlight the first-time contributors who participated in this release. We sincerely appreciate your contributions! Additionally, we've introduced the following new features:
- Introduced Resource Locks to ALZ Bicep Modules to enhance security and governance capabilities. Thank you, @DaFitRobsta!
- Added parameter files and associated wiki for connectivity modules to incorporate resources with availability zones configured by default. Thank you, @sebassem and @bobanda87!
- Implemented new deployment toggles in hub-spoke configurations, providing users with increased flexibility and control over deployment of the VPN and ExpressRoute Gateways.
- Added support for new Azure Regions (Israel Central, Italy North, and Poland Central). Thank you, @jtracey93!
We've also incorporated the policy refresh for Q2 FY24. To see all of the changes, please take a look at the release notes from the Enterprise-Scale repository.
What's Changed
- Docs: update for new accelerator update process by @jaredfholgate in #692
- Feature: Incorporate availability zone param file for hubNetworking module by @bobanda87 in #690
- Feature: Add support for new Azure Regions by @jtracey93 in #693
- Docs: General Accelerator doc updates by @oZakari in #696
- Bug: Added missing parTags to the private zone links by @sergey-netdev in #698
- Bug: Fix deployment toggle to hub-spoke by adding AzBastionEnabled boolean to resBastionSubnetRef by @FallenHoot in #700
- Docs: Additional Accelerator upgrade guidance by @stalejohnsen in #708
- Feature: Added new deployment toggles to hub-spoke by @oZakari in #699
- Bug: Use GITHUB_OUTPUT envvar instead of set-output command by @arunsathiya in #713
- Docs: Documenting minimal network deployment, and fix about modified Modules by @marcosgm in #711
- Docs: Accelerator minimal network deployment updates by @picccard in #715
- Enhancement: AB#31944 Bicep - MDFC VM Vulnerability Assessment provider update to mdeTVM by @marcosgm in #716
- Feature: Add Resource Locking to ALZ Bicep Modules by @DaFitRobsta in #712
- Update: Update Policy Library (automated) by @cae-pr-creator in #717
- Feature: Assign additional built-in Sovereign landing zone policy initiatives by @oZakari in #718
- Docs: Alz resiliency guidance by @sebassem in #722
- Bug: Updates to workflows versions and fix permissions of workflows by @oZakari in #724
- Bug: Fix dead resiliency wiki link by @oZakari in #725
- Update: Update Policy Library (automated) by @cae-pr-creator in #719
- Update: Release-V0.17.1 Updated version.json by @oZakari in #726
Breaking Changes
None 👍
New Contributors
- @bobanda87 made their first contribution in #690
- @sergey-netdev made their first contribution in #698
- @FallenHoot made their first contribution in #700
- @arunsathiya made their first contribution in #713
- @marcosgm made their first contribution in #711
Full Changelog: v0.17.0...V0.17.1
v0.17.0
Summary
This series of updates in the Azure/ALZ-Bicep repository includes various contributions that provide configuration enhancements and documentation improvements, and resolve a variety of bugs.
The following capabilities have been added:
- Adds ability to use custom resource names and/or properties for the following module parameters (Thank you, @johnlokerse!):
  - Logging module - parLogAnalyticsLinkedServiceAutomationAccountName
  - VWAN module - Optional: parVpnGatewayCustomName, parExpressRouteGatewayCustomName, parAzFirewallCustomName, and parVirtualWanHubCustomName
  - Diagnostic settings modules - parDiagnosticSettingsName
- Enhanced parameter validation with multiple user-defined types for the following module parameters (Thank you, @johnlokerse!):
  - Hub module - parSubnets
  - Policy Assignments module - parPolicyAssignmentNonComplianceMessages
  - VWAN module - virtualWanOptionsType
- Automation Account - Adds parameter to logging module to disable public network access (Thank you, @picccard!)
Breaking Changes
None 👍
What's Changed
- chore: update accelerator release process by @jaredfholgate in #663
- Update alz-bicep-pr2-lint.yml by @baartch in #665
- Update policy_assignment_es_enforce_alz_sandbox.tmpl.json by @chrisking81 in #667
- Update the release version for accelerator config by @oZakari in #668
- Update pester test and workflow triggers by @oZakari in #669
- Accelerator.md fix parameter and version by @stalejohnsen in #670
- Wiki: fix Accelerator Azdevops instructions by @MarcoJanse in #672
- Add type element to contributing-wiki by @picccard in #674
- Fix #680 by @jtracey93 in #681
- Automation account public network access option by @picccard in #677
- chore: remove un-required version number and tidy docs by @jaredfholgate in #685
- Add installation of ALZ Powershell module for policy scripts by @oZakari in #679
- Added several user defined types, ability for custom resources names in vwanConnectivity and mgDiagSettings by @johnlokerse in #656
New Contributors
- @chrisking81 made their first contribution in #667
- @MarcoJanse made their first contribution in #672
Full Changelog: v0.16.6...v0.16,7
v0.16.6
Summary
This is a fairly minor release, fixing a bug for case handling (thanks @baartch) and also some release process improvements for the Accelerator (thanks @jaredfholgate).
What's Changed
- chore: de-couple accelerator releases from alz powershell module releases by @jaredfholgate in #662
- fix: change gatewayType comparisons to lowercase by @baartch in #659
New Contributors
- @jaredfholgate made their first contribution in #662
Full Changelog: v0.16.5...v0.16.6
v0.16.5
Summary
This release contains a number of changes that add features and functionality for the Sovereign Landing Zone (SLZ).
However, one of these changes (#651 & #652) may be of use to others, as it reduces the requirement for Tenant Root "/" permissions to deploy the Management Groups. Review the Management Groups Module README and look to use the managementGroupsScopeEscape.bicep module in place of managementGroups.bicep if this is of interest to you.
FYI, if you are interested in this, you will need permissions on an existing Management Group to target the ARM deployment to 👍
Breaking Changes
None 👍
What's Changed
- Format pipeline-script for mgDiagSettings by @picccard in #648
- Fix #647 by @jtracey93 in #649
- Add new modules for MGs & Subscription Alias with targetScope = MG (Non-Breaking) by @jtracey93 in #651
- Make MG ID Changes Logic To Be Non-Breaking by @jtracey93 in #652
- Update Policy Library (automated) by @cae-pr-creator in #655
- ALZ Policy Assignment for Confidential Corp by @sid2305 in #653
- v0.16.5 release updates by @jtracey93 in #657
Full Changelog: v0.16.4...v0.16.5
v0.16.4
Summary
Another packed release with lots of great enhancements and community contributions 🥳😍
At a high level we have added:
- The latest upstream policy refresh from the ALZ repo
- See the What's New wiki page in the ALZ repo for more info https://aka.ms/alz/whatsnew
- Added privatelink.azuredatabricks.net Private DNS Zone
- AAD Renamed to Entra ID
- Added ability to specify a fallback/failover vNet to link all your Private Link Private DNS Zones to - thanks @Acenl12
- Added VPN GW P2S support in Hub & Spoke model - thanks @juang903
- Azure Firewall changes:
- Multiple Accelerator enhancements - thanks @MilesCameron-DMs & @oZakari
- Our GitHub Issues are now using GitHub Issue Forms, for an easier experience - thanks @jhajduk-microsoft
Things to be aware of
No breaking changes, don't worry 👍
But as part of the policy refresh we have added support for Azure Databricks Private Link/Endpoint configuration in the Deploy-Private-DNS-Zones initiative. This requires the privatelink.azuredatabricks.net Private DNS Zone to exist.
Therefore we have updated our Private DNS Zone, Hub Networking & Virtual WAN Modules to deploy this new zone. If you have made any customizations but want to take our policies in, please be aware that you'll need to ensure this zone is added to your environment 👍
What's Changed
- Acceleratorpics by @MilesCameron-DMs in #579
- Updates to Accelerator Documentation by @oZakari in #614
- Update Policy Library (automated) by @cae-pr-creator in #619
- Github Issue forms by @jhajduk-microsoft in #593
- Update ALZ Repo Bicep with Entra product names by @lachaves in #621
- Update Policy Library (automated) by @cae-pr-creator in #623
- Add fallback vnet for failover dns resolving. by @Acenl12 in #601
- Corrected Accelerator links and steps by @oZakari in #628
- Azure Firewall custom DNS server by @juang903 in #615
- Add Azure Firewall Private IPs as Output for VWAN Modules by @jtracey93 in #631
- Update Accelerator docs for ALZ-PowerShell-Module by @oZakari in #636
- BugFix-ParTopLevelManagementGroupPrefix-description-change by @oZakari in #637
- VPN Gateway P2S support by @juang903 in #617
- Update Policy Library (automated) by @cae-pr-creator in #639
- Add threat intel mode property for applicable firewall resources by @oZakari in #644
New Contributors
Full Changelog: v0.16.3...v0.16.4
v0.16.3
Summary
Another release, it's been a busy month, but more great updates to ALZ Bicep 👍
In this release we add:
- Routing Intent support for Virtual WAN modules - https://learn.microsoft.com/azure/virtual-wan/how-to-routing-policies
- Ability to propagate the default route (0.0.0.0/0) from a VWAN Hub to spoke vNets via the enableInternetSecurity property
- Naming flexibility for Virtual WAN Hub Connections, if desired
- Azure Bastion Native Client Support (aka Tunnelling) - https://learn.microsoft.com/azure/bastion/native-client - thanks @juang903 🥳
What's Changed
- Add Bastion native client support by @juang903 in #607
- Add VWAN Features: Routing Intent, VHC Naming, Enable Internet Security by @jtracey93 in #612
- Release v0.16.3 by @jtracey93 in #613
New Contributors
Full Changelog: v0.16.2...v0.16.3
v0.16.2
Summary
A small patch release with no breaking changes 👍
Finally fixing the Bastion NSG only being deployed when Bastion is enabled 🥳
What's Changed
- fix: Description of parPlatformMgAlzDefaultsEnable by @baartch in #597
- Add paths in push trigger for accelerator workflows by @stalejohnsen in #599
- Update Policy Library (automated) by @cae-pr-creator in #603
- Fix #573 (bastion NSG) again and release v0.16.2 by @jtracey93 in #604
- Bastion NSG Conditional Deployment by @JamJarchitect in #606
Full Changelog: v0.16.1...v0.16.2
v0.16.1
Summary
Just some fixes for the Accelerator around RP registration for MG Diagnostic Settings on the Management Subscription, no other ALZ Bicep module changes
What's Changed
- Remove unnecessary usage of Alz.Tools Module by @jtracey93 in #592
- ALZ-Bicep-Accelerator Register missing resource provider by @sebassem in #595
New Contributors
Full Changelog: v0.16.0...v0.16.1