Summary
This release includes our recent policy refresh work from the upstream repo and also the launch of our ALZ Bicep Accelerator 🥳
Highlights
- Updated policy definitions, initiatives and assignments from upstream ALZ repo - as documented here
- Launch of the ALZ Bicep Accelerator - thanks @oZakari, @lovelysandwich, @Nepomuceno for your work and efforts here 👍(also thanks to @stalejohnsen for testing and providing feedback)
- Recommended way to consume ALZ Bicep
- GitHub Actions support only today, but will add Azure DevOps and others other time - please raise issues/feature requests
- Guidance on staying up-to-date and customizing modules
- Added support for Azure Firewall Basic SKU - thanks @JamJarchitect
- Added policy assignment exclusion feature - thanks @stalejohnsen
- Added platform child Management Group flexibility - thanks @JamJarchitect
- Private DNS Zone Linking in
hubPeeredSpoke.biceporchestration module - thanks @JamJarchitect - In the Logging module we have removed the Service Map solution from being deployed as per guidance here.
Policy Changes
Information on policy changes can be found in the Whats New Wiki Page in the Azure Landing Zones/Enterprise-Scale repo
Deny-RDP-From-Internet replacement with Deny-MgmtPorts-Internet
The Deny-RDP-From-Internet policy assignment has been replaced with the assignment of the new policy Deny-MgmtPorts-Internet. The alzDefaultPolicyAssignments.bicep has been updated with this change, so to clean up the old `Deny-RDP-From-Internet assignment use the below PowerShell code snippet.
$mgPrefix = "alz" # UPDATE ME
$mgSuffix = "" # UPDATE ME
Get-AzPolicyAssignment -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix-landingzones$mgSuffix/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet"
Get-AzPolicyAssignment -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix-platform-identity$mgSuffix/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet"
Remove-AzPolicyAssignment -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix-landingzones$mgSuffix/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet"
Remove-AzPolicyAssignment -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix-platform-identity$mgSuffix/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet"You are welcome to continue using the
Deny-RDP-From-Internetif you wish, it is still valid and works as desired, we have just enhanced the control with the new policy and would advise reviewing and migrating to it for better controls preventing the exposure of Management Ports to the internet
Breaking Changes
- There is a policy initiative
Enforce-TLS-SSLthat has had a parameter removed, on purpose, that means a breaking change unfortunately. To resolve this follow the below guidance:- Run the following PowerShell commands to remove the policy assignment and initiative, then redeploy the latest versions of:
a.customPolicyDefinitions.bicep
b.alzDefaultPolicyAssignments.bicep
- Run the following PowerShell commands to remove the policy assignment and initiative, then redeploy the latest versions of:
$mgPrefix = "alz" # UPDATE ME
$mgSuffix = "" # UPDATE ME
Get-AzPolicyAssignment -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix-landingzones$mgSuffix/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL"
Remove-AzPolicyAssignment -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix-landingzones$mgSuffix/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL"
Remove-AzPolicySetDefinition -Id "/providers/Microsoft.Management/managementGroups/$mgPrefix$mgSuffix/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit" -ForceFurther info can be found in Update Azure landing zone custom policies
What's Changed / Pull Requests
- Remove unrequired parameters from
mgDiagSettings- Fix #473 by @jtracey93 in #474 - Removing second VWan Hub as per conversation with jtracey93 by @lovelysandwich in #480
- 26294 - Feature - Accelerator Pipelines and Scripts by @oZakari in #479
- 26740 - Feature - Generated Parameter Markdowns for Orchestration by @JamJarchitect in #466
- Deploy-VM-Backup optional parameters for exclusion tag by @stalejohnsen in #482
- 26294 - Feature - Accelerator Pipeline Adjustments by @oZakari in #483
- Update RSG API version & workflow to only run on this repo by @jtracey93 in #486
- 26294: Accelerator Pipeline Adjustments by @oZakari in #487
- 26294: Accelerator - Add ability to import env file and minor fixes by @oZakari in #488
- hubNetwork: Dynamic prefix and suffix for Public IPs by @picccard in #493
- New parameter for Alzdefaults exclusions by @stalejohnsen in #494
- Fix doc link for parameter description by @stalejohnsen in #495
- 26016 - Feature - Child Landing Zone Management Groups Flexibility by @JamJarchitect in #496
- Remove Service map from LogAnalyticsWorskpace Solutions by @lachaves in #501
- 26808 - Feature - Add support to allow Private DNS Zone VNet Linking for Spoke VNets by @JamJarchitect in #500
- Accelerator Documentation and remove hard-coded rg values by @oZakari in #497
- Remove accelerator doc temporarily by @oZakari in #506
- Update Policy Library (automated) - Policy Refresh FY23 Q3 by @cae-pr-creator in #499
- Nested deployments should get passed the value for parTelemetryOptOut by @picccard in #502
- ADO 27172 - Add Zero Trust Networking Telemetry - Phase 1 by @jtracey93 in #508
- remove unused duplicate
asnproperty by @picccard in #511 - Update Policy Library (automated) by @cae-pr-creator in #514
- 25520 - Azfw Basic SKU by @JamJarchitect in #510
- Fixes #517 by making the deployment name for the recently added module unique on the zones resource ID by @jtracey93 in #518
- Fix deployment double loop in #519 by @jtracey93 in #520
- add option to set NSG and UDR on subnets in hub-vnet by @picccard in #513
- Accelerator documentation for v0.14.0 release by @oZakari in #507
- Minor Tweaks by @jtracey93 in #521
New Contributors
A huge thanks to all new contributors and we welcome many more contributions in the future 😎
- @lovelysandwich made their first contribution in #480
- @stalejohnsen made their first contribution in #482
- @picccard made their first contribution in #493
Full Changelog: v0.13.0...v0.14.0