Summary
This release does bring a couple of slight "breaking changes" (see below section for details) however, aside from this there are a few key call outs to note:
- Updates around PowerShell & CLI deployment snippets from @JamJarchitect in #312
- Add support for Policy Set Definitions (Initiatives) Groups thanks to @vedagudipati in #364
- Fix issues with Azure Policies for China (Mooncake) thanks to @jtracey93 in #377 #378 #369
- Various documentation enhancements from @jfaurskov @johnlokerse @coolhome
- Changed
mgDiagSettingsAll.bicepto be targeted to Management Groups instead of Tenant level deployment thanks to @lachaves in #372 - Fix bug with uniqueness of custom role definition GUIDs and names that is required when deploying multiple ALZs in the same tenant, for scenario like canary thanks to @DaFitRobsta in #379
Breaking Changes
As mentioned above there are a couple of "slight" breaking changes that are introduced with this release.
Breaking Change 1 - mgDiagSettingsAll.bicep deployment scope change from Tenant to Management Group
This change was made based on customer feedback around using least privileged access in #338, which we agreed was valid and the right thing to do, hence the change.
Handling this change is as simple as changing the deployment scoping from Tenant to Management Group e.g. from New-AzTenantDeployment to New-AzManagementGroupDeployment.
The module README in the module documents the commands to use for PowerShell or Az CLI
Breaking Change 2 - customRoleDefinitions.bicep now has more unique GUIDs and Role Names based on Management Group ID/Name
This change was reported as a bug in #362 which meant if you followed our canary guidance you would not have been able to create the custom role definitions in each of the Management Group hierarchies as the GUIDs and names for the custom role definitions were not based on the Management Group ID/Name they were being deployed on.
We have now changed this so they are based on the Management Group ID/Name so they can be deployed across as many Management Group hierarchies in the same AAD Tenant 👍
What is the breaking change?
If you redeploy the latest version of the customRoleDefinitons.bicep you will get a set of new roles based on the new GUID and Name uniqueness that is based on the Management Group ID/Name you deploy them to, as detailed in the module README
So, this will not break anything, but it will just create a duplicate set of role definitions on your Management Group.
You should look to migrate all assignments of the old custom role definitions to the newly created ones, in this release, to ensure you can adopt scenarios like canary later on in your ALZ journey 👍
What's Changed
- Azure China Cloud - Policy Refactoring by @JamJarchitect in #351
- Update Policy Library for Azure China (automated) by @github-actions in #352
- Fix bicep example for parLandingZoneMgChildren by @coolhome in #353
- Updated markdowns to correspond with the Bicep files by @johnlokerse in #331
- Update Policy Library for Azure China (automated) by @github-actions in #361
- Update Policy Library (automated) by @github-actions in #360
- Support for groups as part of policy Initiatives by @vedagudipati in #364
- Update Policy Library (automated) by @github-actions in #366
- Add metadata filtering to China
.github/scripts/Invoke-PolicyToBicep-China.ps1by @jtracey93 in #369 - Guidance Update - Policies to Built-In by @jfaurskov in #363
- Response to FRs - Issues #267 and #290 - POC in RG Name and Deployment Snippets by @JamJarchitect in #312
- Change deployment scope for MG Diagnostics #338 by @lachaves in #372
- Update Policy Library (automated) by @github-actions in #373
- Feature: Add ability to exclude policy set/initiative child definitions for China policies by @jtracey93 in #377
- Update Policy Library for Azure China (automated) by @github-actions in #378
- fix: Update role ID and name by @DaFitRobsta in #379
- Release
v0.11.0prep by @jtracey93 in #380
New Contributors
- @coolhome made their first contribution in #353
- @vedagudipati made their first contribution in #364
Full Changelog: v0.10.6...v0.11.0