github crossplane-contrib/provider-upjet-azure v2.0.0

Release v2.0.0

Caution

This release introduces breaking changes and significant internal upgrades. Please review the release notes thoroughly, make the necessary changes to your manifests, and test thoroughly before upgrading.

Before using any Crossplane v2 capabilities in the provider, we encourage you to familiarize yourself with the changes in v2.

This release introduces:

  • Compatibility with Crossplane v2
  • Support for Crossplane v2 namespace-scoped Managed Resources (MRs) alongside existing cluster-scoped MRs.
  • Upgrade to crossplane-runtime v2.0.0.
  • Upgrade to Upjet v2.0.0.
  • Upgrade of the underlying Terraform Azure provider to v4.35.0, introducing resource-level API changes.
  • Removal of External Secret Store support.

Please review the breaking changes carefully before upgrading.

Breaking API Changes

Warning

Make adjustments to any impacted resources in your Control Plane when upgrading to this provider version.

The following resources have changed due to the underlying Terraform provider upgrade to version v4.35.0:

  • Analysis Services group Server resource: The enablePowerBiService property has been removed in favour of the powerBiServiceEnabled property.
  • API Management group API resource: The soapPassThrough property has been removed in favour of the apiType property.
  • API Management group Management resource: The policy block has been removed in favour of the dedicated API Management Policy resource.
  • API Management group CustomDomain resource: The keyVaultId property has been deprecated and its references have been removed from developerPortal and gateway blocks in favour of the keyVaultCertificateId property.
  • Attestation group Provider resource: The policy block has been removed in favour of individual policy properties (openEnclavePolicyBase64, sgxEnclavePolicyBase64, tpmPolicyBase64, sevSnpPolicyBase64).
  • Bot Service group BotChannelsRegistration resource: The isolatedNetworkEnabled property has been removed in favour of the publicNetworkAccessEnabled property.
  • Bot Service group BotChannelWebChat resource: The siteNames property has been removed in favour of the site property.
  • Bot Service group BotConnection resource: The tags property has been removed.
  • Cache group RedisCache resource:
    • The enableNonSslPort property has been removed in favour of nonSslPortEnabled.
    • The enableAuthentication property has been removed from redisConfiguration.
  • Cache group RedisEnterpriseDatabase resource: The resourceGroupName property has been removed.
  • CDN group FrontdoorOrigin resource: The healthProbesEnabled property has been removed in favour of the enabled property.
  • Cognitive Services group Deployment resource: The scale block has been removed and replaced with the required sku block.
  • Compute group LinuxVirtualMachineScaleSet resource:
    • The galleryApplications and terminateNotification properties have been removed in favour of the galleryApplication and terminationNotification properties.
    • The scaleInPolicy property has been removed in favour of the scaleIn block.
  • Compute group ManagedDisk resource: The enabled property has been removed from encryptionSettings. Enabling and disabling encryption is controlled by the presence or absence of the encryptionSettings block.
  • Compute group OrchestratedVirtualMachineScaleSet resource: The extensionOperationsEnabled property now defaults to true.
  • Compute group Snapshot resource: The enabled property has been removed from encryptionSettings. Enabling and disabling encryption is controlled by the presence or absence of the encryptionSettings block.
  • Compute group WindowsVirtualMachineScaleSet resource:
    • The galleryApplications and terminateNotification properties have been removed in favour of the galleryApplication and terminationNotification properties.
    • The scaleInPolicy property has been removed in favour of the scaleIn block.
  • Consumption group BudgetManagementGroup resource: The not property has been removed from the filter block.
  • Consumption group BudgetResourceGroup resource: The not property has been removed from the filter block.
  • Consumption group BudgetSubscription resource: The not property has been removed from the filter block.
  • Container App group ContainerApp resource: The ingress.customDomain property is now only computed. Domains should be configured with the CustomDomain resource.
  • Container Registry group Registry resource:
    • The retentionPolicy and trustPolicy blocks have been removed in favour of the retentionPolicyInDays and trustPolicyEnabled properties.
    • The enabled property has been removed from encryption. Encryption can be toggled on and off through the presence and absence of the encryption block in the configuration.
    • The virtualNetwork property has been removed from networkRuleSet.
  • Container Service group KubernetesClusterNodePool resource:
    • Multiple properties removed: customCaTrustEnabled, enableAutoScaling, enableHostEncryption, enableNodePublicIp, messageOfTheDay.
    • The enableAutoScaling property has been renamed to autoScalingEnabled.
    • The enableNodePublicIp property has been renamed to nodePublicIpEnabled.
    • The enableHostEncryption property has been renamed to hostEncryptionEnabled.
  • Container Service group KubernetesCluster resource:
    • The enablePodSecurityPolicy property has been removed.
    • The networkProfile.ebpfDataPlane property has been removed in favour of the networkProfile.networkDataPlane property.
    • The apiServerAuthorizedIpRanges property has been removed in favour of the apiServerAccessProfile.authorizedIpRanges property.
    • The networkProfile.dockerBridgeCidr property has been removed.
    • The azureActiveDirectoryRoleBasedAccessControl.clientAppId property has been removed.
    • The azureActiveDirectoryRoleBasedAccessControl.serverAppId property has been removed.
    • The azureActiveDirectoryRoleBasedAccessControl.serverAppSecret property has been removed.
    • The azureActiveDirectoryRoleBasedAccessControl.managed property has been removed.
    • The workloadAutoscalerProfile.verticalPodAutoscalerUpdateMode property has been removed.
    • The workloadAutoscalerProfile.verticalPodAutoscalerControlledValues property has been removed.
    • The webAppRouting.dnsZoneId property has been removed in favour of the webAppRouting.dnsZoneIds property.
    • The publicNetworkAccessEnabled property has been removed.
    • The defaultNodePool.nodeTaints property has been removed.
    • The automaticChannelUpgrade property has been renamed to automaticUpgradeChannel.
    • The nodeOsChannelUpgrade property has been renamed to nodeOsUpgradeChannel and now defaults to NodeImage.
    • The defaultNodePool.enableAutoScaling property has been renamed to defaultNodePool.autoScalingEnabled.
    • The defaultNodePool.enableNodePublicIp property has been renamed to defaultNodePool.nodePublicIpEnabled.
    • The defaultNodePool.enableHostEncryption property has been renamed to defaultNodePool.hostEncryptionEnabled.
    • The defaultNodePool.type property no longer accepts the value AvailabilitySet.
    • The imageCleanerIntervalHours property now defaults to 0 and will only be set if imageCleanerEnabled has been set to true.
    • The networkProfile.loadBalancerProfile.outboundIpPrefixIds property is no longer Computed.
    • The networkProfile.loadBalancerProfile.outboundIpAddressIds property is no longer Computed.
    • The serviceMeshProfile block has had the required revisions property added.
  • Cosmos DB group Account resource:
    • The connectionStrings property has been removed in favour of the primary and secondary connection strings for SQL, MongoDB and readonly properties.
    • The enableMultipleWriteLocations property has been removed in favour of the multipleWriteLocationsEnabled property.
    • The enableFreeTier property has been removed in favour of the freeTierEnabled property.
    • The enableAutomaticFailover property has been removed in favour of the automaticFailoverEnabled property.
    • The minimalTlsVersion property now defaults to Tls12.
    • The ipRangeFilter property is now a set that will only accept valid CIDR values.
  • Cosmos DB group SqlContainer resource: The partitionKeyPath property has been removed in favour of the required partitionKeyPaths property.
  • Data Protection group BackupPolicyBlobStorage resource: The retentionDuration property has been removed in favour of the operationalDefaultRetentionDuration property.
  • Dev Test Lab group Lab resource: The storageType property has been removed.
  • Event Hub group EventHubNamespace resource: The zoneRedundant property has been removed.
  • HDInsight group InteractiveQueryCluster resource: The roles.workerNode.autoscale.capacity property has been removed.
  • HDInsight group KafkaCluster resource: The username property has been removed from roles.kafkaManagementNode.
  • Insights group MonitorActionGroup resource: The eventHubId property has been removed from eventHubReceiver in favor of eventHubName.
  • Insights group MonitorActivityLogAlert resource: The location property is now required.
  • Insights group MonitorDiagnosticSetting resource: The log property has been removed in favor of enabledLog.
  • Insights group MonitorScheduledQueryRulesAlertV2 resource: The evaluationFrequency property is now required.
  • Kusto group Cluster resource:
    • The engine property has been removed.
    • The languageExtensions property type changed from string to object.
  • Machine Learning Services group ComputeInstance resource: The location property has been removed.
  • Machine Learning Services group Workspace resource:
    • The publicAccessBehindVirtualNetworkEnabled property has been removed in favour of the publicNetworkAccessEnabled property.
    • The publicNetworkAccessEnabled property now defaults to true.
  • Maps group Account resource: The location property is now required.
  • Network group DnsZone resource: The soaRecord.hostName property is now only computed.
  • Network group NetworkInterface resource: The enableAcceleratedNetworking and enableIpForwarding properties have been removed in favour of the acceleratedNetworkingEnabled and ipForwardingEnabled properties.
  • Network group PrivateDnsResolverInboundEndpoint resource: The ipConfigurations property type changed from array to object.
  • Network group RouteTable resource: The disableBgpRoutePropagation property has been removed in favour of the bgpRoutePropagationEnabled property.
  • Network group Subnet resource:
    • The actions block has become a Set instead of a List, meaning that the order of these items no longer matters. This may require code changes if you're referencing these items by index.
    • The privateEndpointNetworkPoliciesEnabled property has been removed in favour of the privateEndpointNetworkPolicies property.
    • The enforcePrivateLinkEndpointNetworkPolicies property has been removed in favour of the privateEndpointNetworkPolicies property.
    • The enforcePrivateLinkServiceNetworkPolicies property has been removed in favour of the privateLinkServiceNetworkPoliciesEnabled property.
    • The privateEndpointNetworkPolicies property now defaults to Disabled.
    • The privateLinkServiceNetworkPoliciesEnabled property now defaults to true.
  • Network group VirtualNetwork resource: The addressSpace property has been changed from a list to a set. If you're referencing an element in this property by index, this will require code changes.
  • Network group WebApplicationFirewallPolicy resource:
    • The managedRules.managedRuleSet.ruleGroupOverride.disabledRules property has been removed in favour of the managedRules.managedRuleSet.ruleGroupOverride.rule block.
    • The managedRules.managedRuleSet.ruleGroupOverride.rule.enabled property now defaults to false.
  • Notification Hubs group AuthorizationRule resource: The primaryAccessKey and secondaryAccessKey properties have been removed from status.
  • Operational Insights group LogAnalyticsLinkedStorageAccount resource: The workspaceResourceIdRef and workspaceResourceIdSelector properties have been removed.
  • Policy Insights group ResourcePolicyRemediation resource: The policyDefinitionId property has been removed in favour of the policyDefinitionReferenceId property.
  • Policy Insights group SubscriptionPolicyRemediation resource: The policyDefinitionId property has been removed in favour of the policyDefinitionReferenceId property.
  • Security group SecurityCenterContact resource: The name property is now required.
  • Security Insights group SentinelAutomationRule resource: The condition property has been removed in favor of the conditionJson property.
  • Security Insights group SentinelLogAnalyticsWorkspaceOnboarding resource: The resourceGroupName and workspaceName properties and their references have been removed in favor of the workspaceId property.
  • Service Bus group Queue resource:
    • The enableBatchedOperations property has been removed in favour of the batchedOperationsEnabled property.
    • The enableExpress property has been removed in favour of the expressEnabled property.
    • The enablePartitioning property has been removed in favour of the partitioningEnabled property.
    • The autoDeleteOnIdle property now defaults to P10675199DT2H48M5.4775807S.
    • The defaultMessageTtl property now defaults to P10675199DT2H48M5.4775807S.
    • The duplicateDetectionHistoryTimeWindow property now defaults to PT10M.
    • The lockDuration property now defaults to PT1M.
    • The maxMessageSizeInKilobytes property now defaults to 256.
    • The maxSizeInMegabytes property now defaults to 5120.
  • Service Bus group ServiceBusNamespace resource: The zoneRedundant property has been removed.
  • Service Bus group Subscription resource: The enableBatchedOperations property has been removed.
  • Service Bus group Topic resource: The enableBatchedOperations, enableExpress, and enablePartitioning properties have been removed.
  • Storage group Account resource:
    • The enableHttpsTrafficOnly property has been removed in favour of the httpsTrafficOnlyEnabled property.
    • The largeFileShareEnabled property is no longer defaulted to true as that value varies based on the value of accountKind.
    • The crossTenantReplicationEnabled property now defaults to false.
  • Storage group ShareDirectory resource: The shareName and storageAccountName properties and their references have been removed in favor of the storageShareId property.
  • Storage group Share resource: The storageAccountNameRef and storageAccountNameSelector properties have been removed.
  • Storage group TableEntity resource: The storageAccountName and tableName properties and their references have been removed in favor of the storageTableId property.
  • Synapse group SparkPool resource: The sparkVersion property is now required.
  • Synapse group SqlPool resource: The storageAccountType property is now required.
  • Synapse group Workspace resource: The aadAdmin and sqlAadAdmin blocks have been removed.
  • Web group LinuxFunctionApp resource:
    • The properties siteConfig.healthCheckPath and siteConfig.healthCheckEvictionTimeInMin must be set together.
    • A new vnetImagePullEnabled property has been added. It must be set to true if your App is running in an App Service Environment.
  • Web group LinuxFunctionAppSlot resource: A new vnetImagePullEnabled property has been added. It must be set to true if your App is running in an App Service Environment.
  • Web group LinuxWebApp resource:
    • The siteConfig.autoHealSetting.trigger.slowRequest.path property has been removed in favour of the siteConfig.autoHealSetting.trigger.slowRequestWithPath block.
    • The siteConfig.applicationStack.dockerImageTag property has been removed.
    • The siteConfig.applicationStack.dockerImage property has been removed.
    • The properties siteConfig.healthCheckPath and siteConfig.healthCheckEvictionTimeInMin must be set together.
    • The property autoHealEnabled has been removed and is now implied by the presence of the autoHeal block.
  • Web group LinuxWebAppSlot resource:
    • The siteConfig.applicationStack.dockerImageTag property has been removed.
    • The siteConfig.applicationStack.dockerImage property has been removed.
    • The property autoHealEnabled has been removed and is now implied by the presence of the autoHeal block.
  • Web group WindowsFunctionApp resource:
    • The properties siteConfig.healthCheckPath and siteConfig.healthCheckEvictionTimeInMin must be set together.
    • A new vnetImagePullEnabled property has been added. It must be set to true if your App is running in an App Service Environment.
  • Web group WindowsFunctionAppSlot resource: A new vnetImagePullEnabled property has been added. It must be set to true if your App is running in an App Service Environment.
  • Web group WindowsWebApp resource:
    • The siteConfig.autoHealSetting.trigger.slowRequest.path property has been removed in favour of the siteConfig.autoHealSetting.trigger.slowRequestWithPath block.
    • The siteConfig.applicationStack.dockerContainerRegistry property has been removed.
    • The siteConfig.applicationStack.dockerContainerName property has been removed.
    • The siteConfig.applicationStack.dockerContainerTag property has been removed.
    • The properties siteConfig.healthCheckPath and siteConfig.healthCheckEvictionTimeInMin must be set together.
    • The property autoHealEnabled has been removed and is now implied by the presence of the autoHeal block.
  • Web group WindowsWebAppSlot resource:
    • The siteConfig.autoHealSetting.trigger.slowRequest.path property has been removed in favour of the siteConfig.autoHealSetting.trigger.slowRequestWithPath block.
    • The siteConfig.applicationStack.dockerContainerRegistry property has been removed.
    • The siteConfig.applicationStack.dockerContainerName property has been removed.
    • The siteConfig.applicationStack.dockerContainerTag property has been removed.
    • The properties siteConfig.healthCheckPath and siteConfig.healthCheckEvictionTimeInMin must be set together.
    • The property autoHealEnabled has been removed and is now implied by the presence of the autoHeal block.

Removed Resources and Their Replacements

  1. WorkspaceCustomerManagedKey resource in databricks group → You can use WorkspaceRootDbfsCustomerManagedKey resource in databricks group
  2. MonitorActionRuleActionGroup resource in alertsmanagement group → You can use MonitorAlertProcessingRuleActionGroup resource in alertsmanagement group
  3. MonitorActionRuleSuppression resource in alertsmanagement group → You can use MonitorAlertProcessingRuleSuppression resource in alertsmanagement group
  4. NamespaceNetworkRuleSet resource in servicebus group → You can use network_rule_set block in ServiceBusNamespace resource in servicebus group
  5. SecurityCenterServerVulnerabilityAssessment resource in security group → You can use SecurityCenterServerVulnerabilityAssessmentVirtualMachine resource in security group
  6. ActiveDirectoryAdministrator resource in dbformysql group → You can use MysqlFlexibleServerActiveDirectoryAdministrator resource in dbformysql group (MySQL Single Server retired 2024-09-16)
  7. Configuration resource in dbformysql group → You can use MysqlFlexibleServerConfiguration resource in dbformysql group (MySQL Single Server retired 2024-09-16)
  8. Database resource in dbformysql group → You can use MysqlFlexibleDatabase resource in dbformysql group (MySQL Single Server retired 2024-09-16)
  9. FirewallRule resource in dbformysql group → You can use MysqlFlexibleServerFirewallRule resource in dbformysql group (MySQL Single Server retired 2024-09-16)
  10. Server resource in dbformysql group → You can use MysqlFlexibleServer resource in dbformysql group (MySQL Single Server retired 2024-09-16)
  11. VirtualNetworkRule resource in dbformysql group → REMOVED (MySQL Single Server retired 2024-09-16)
  12. Asset resource in media group → REMOVED (Azure Media Services retired June 30, 2024)
  13. AssetFilter resource in media group → REMOVED (Azure Media Services retired June 30, 2024)
  14. ContentKeyPolicy resource in media group → REMOVED (Azure Media Services retired June 30, 2024)
  15. Job resource in media group → REMOVED (Azure Media Services retired June 30, 2024)
  16. LiveEvent resource in media group → REMOVED (Azure Media Services retired June 30, 2024)
  17. LiveEventOutput resource in media group → REMOVED (Azure Media Services retired June 30, 2024)
  18. ServicesAccount resource in media group → REMOVED (Azure Media Services retired June 30, 2024)
  19. ServicesAccountFilter resource in media group → REMOVED (Azure Media Services retired June 30, 2024)
  20. StreamingEndpoint resource in media group → REMOVED (Azure Media Services retired June 30, 2024)
  21. StreamingLocator resource in media group → REMOVED (Azure Media Services retired June 30, 2024)
  22. StreamingPolicy resource in media group → REMOVED (Azure Media Services retired June 30, 2024)
  23. Transform resource in media group → REMOVED (Azure Media Services retired June 30, 2024)
  24. Configuration resource in dbformariadb group → You can use MysqlFlexibleServerConfiguration resource in dbformysql group (MariaDB retired 2024-09-19)
  25. Database resource in dbformariadb group → You can use MysqlFlexibleDatabase resource in dbformysql group (MariaDB retired 2024-09-19)
  26. FirewallRule resource in dbformariadb group → You can use MysqlFlexibleServerFirewallRule resource in dbformysql group (MariaDB retired 2024-09-19)
  27. Server resource in dbformariadb group → You can use MysqlFlexibleServer resource in dbformysql group (MariaDB retired 2024-09-19)
  28. VirtualNetworkRule resource in dbformariadb group → REMOVED (MariaDB retired 2024-09-19)
  29. Monitor resource in logz group → REMOVED (Logz service retired, no new instances allowed)
  30. SubAccount resource in logz group → REMOVED (Logz service retired, no new instances allowed)
  31. SubAccountTagRule resource in logz group → REMOVED (Logz service retired, no new instances allowed)
  32. TagRule resource in logz group → REMOVED (Logz service retired, no new instances allowed)
  33. LabServicePlan resource in labservices group → REMOVED (Lab Services retiring 2027-06-28)
  34. LabServiceLab resource in labservices group → REMOVED (Lab Services retiring 2027-06-28)
  35. IntegrationServiceEnvironment resource in logic group → REMOVED (Service retired 2024-08-31, no new instances since 2022-11-01)
  36. EventSourceEventHub resource in timeseriesinsights group → REMOVED (Time Series Insights retiring 2025-03-31)
  37. EventSourceIOTHub resource in timeseriesinsights group → REMOVED (Time Series Insights retiring 2025-03-31)
  38. Gen2Environment resource in timeseriesinsights group → REMOVED (Time Series Insights retiring 2025-03-31)
  39. ReferenceDataSet resource in timeseriesinsights group → REMOVED (Time Series Insights retiring 2025-03-31)
  40. StandardEnvironment resource in timeseriesinsights group → REMOVED (Time Series Insights retiring 2025-03-31)
  41. DiskPool resource in storagepool group → REMOVED (Deprecated)
  42. IntegrationRuntimeManaged resource in datafactory group → You can use IntegrationRuntimeAzureSsis resource in datafactory group

Namespace-scope MR Support (Crossplane v2-only)

  • New namespace-scoped MR APIs are available under the azure.m.crossplane.io API group.
  • All new APIs are at version v1beta1.
  • ProviderConfig
    • ProviderConfig.azure.m.crossplane.io is now namespace-scoped.
    • A new cluster-scoped ClusterProviderConfig.azure.m.crossplane.io resource was added; new MRs can reference either ProviderConfig or ClusterProviderConfig via spec.providerConfigRef.kind.
    • spec.providerConfigRef defaults to ClusterProviderConfig with name default when omitted.
  • spec.writeConnectionSecretToRef and sensitive parameter refs (e.g., spec.forProvider.fooSecretRef) in namespace-scoped MRs are now local secret references (if no namespace is specified, it defaults to the MR's namespace).
  • Cross-resource references are now namespace-scoped by default; however, cross-namespace references are allowed.
  • This provider will serve both the new namespace-scoped and cluster-scoped APIs.

Note

Cluster-scoped MRs do NOT implement the above changes and continue operating as before.

Removed Features

  • External Secret Store support has been removed from all MRs (spec.publishConnectionDetailsTo is no longer available) as the feature has been removed in Crossplane v2.

Note

The removed feature is the External Secret Store, which allowed storing connection details outside the cluster (e.g., in Vault). Connection secrets for managed resources remain available for storing connection details in Kubernetes Secrets.

Other Notable Changes

  • SafeStart capability has been added (Crossplane v2-only): Controllers start once their CRD is installed.
  • Repository structure changes:
    • apis, controllers, and examples now have scoped subdirectories: cluster and namespaced.
    • Resource configurations are also scoped; updates must be applied to both where relevant.
    • Examples for namespace-scoped MRs are included.

Backward Compatibility Notes

  • This provider can be installed in Crossplane v1.x environments:
    • Both cluster-scoped and namespace-scoped CRDs will be installed; namespace-scoped CRDs cannot be composed in v1.x.
    • SafeStart will be disabled.
  • When upgrading from v1.x providers, review all breaking resource API changes noted above. The package itself is Crossplane v1.x compatible, but some resources have API changes that require adjustments in your control plane.

Upgrade Guide

  1. Review all affected resources listed under Breaking API Changes.
  2. Update manifests to reflect renamed/removed properties.
  3. For Crossplane v2.x users:
    • Ensure secret and reference configurations align with the new namespace-scoped MR behavior.
    • Decide whether to use ProviderConfig or ClusterProviderConfig.
  4. Remove any spec.publishConnectionDetailsTo usage.
  5. Validate repository structure changes if maintaining custom resource configurations.
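
A pre-upgrade check for steps 1, 2 and 4 above, as an added example that is not part of the release notes or the provider's code: it walks already-parsed manifests and reports removed properties, spec.publishConnectionDetailsTo usage, and properties left unset whose default changed. The tables hold only a few entries from Breaking API Changes; the group labels (storage, cache, ...), the azure.upbound.io apiVersion suffix and the sample manifests are assumptions constructed for illustration.

```python
from typing import Any, Optional

# Key: (first label of the apiVersion group, kind, path under spec.forProvider).
# Value: replacement named in the release notes, or None where none is given.
# Only a few entries are shown; the group labels are assumptions.
REMOVED: dict[tuple[str, str, str], Optional[str]] = {
    ("storage", "Account", "enableHttpsTrafficOnly"): "httpsTrafficOnlyEnabled",
    ("cache", "RedisCache", "enableNonSslPort"): "nonSslPortEnabled",
    ("cache", "RedisCache", "redisConfiguration.enableAuthentication"): None,
    ("containerservice", "KubernetesCluster", "apiServerAuthorizedIpRanges"):
        "apiServerAccessProfile.authorizedIpRanges",
    ("containerservice", "KubernetesCluster", "defaultNodePool.enableHostEncryption"):
        "defaultNodePool.hostEncryptionEnabled",
    ("network", "Subnet", "enforcePrivateLinkEndpointNetworkPolicies"):
        "privateEndpointNetworkPolicies",
}

# Defaults the notes say changed; reported when the manifest leaves them unset.
NEW_DEFAULTS: dict[tuple[str, str, str], str] = {
    ("storage", "Account", "crossTenantReplicationEnabled"): "false",
    ("network", "Subnet", "privateEndpointNetworkPolicies"): "Disabled",
    ("machinelearningservices", "Workspace", "publicNetworkAccessEnabled"): "true",
}


def _present(node: Any, parts: list[str]) -> bool:
    """True if a dotted path exists; a block may be an object or a list of objects."""
    if not parts:
        return True
    if isinstance(node, list):
        return any(_present(item, parts) for item in node)
    return (isinstance(node, dict) and parts[0] in node
            and _present(node[parts[0]], parts[1:]))


def audit(manifest: dict) -> list[str]:
    """Return one finding per item that needs attention before the upgrade."""
    group = manifest.get("apiVersion", "").split(".", 1)[0]
    kind = manifest.get("kind", "")
    ident = f"{kind}/{manifest.get('metadata', {}).get('name', '<unnamed>')}"
    spec = manifest.get("spec", {})
    params = spec.get("forProvider", {})
    findings = []
    if "publishConnectionDetailsTo" in spec:
        findings.append(f"{ident}: spec.publishConnectionDetailsTo removed "
                        "(External Secret Store)")
    for (g, k, path), repl in REMOVED.items():
        if (g, k) == (group, kind) and _present(params, path.split(".")):
            hint = f"use {repl}" if repl else "no replacement listed"
            findings.append(f"{ident}: forProvider.{path} removed, {hint}")
    for (g, k, path), default in NEW_DEFAULTS.items():
        if (g, k) == (group, kind) and not _present(params, path.split(".")):
            findings.append(f"{ident}: forProvider.{path} unset, "
                            f"now defaults to {default}")
    return findings


# Constructed sample manifests, as they would look after YAML parsing.
SAMPLES = [
    {"apiVersion": "storage.azure.upbound.io/v1beta1", "kind": "Account",
     "metadata": {"name": "logs"},
     "spec": {"forProvider": {"enableHttpsTrafficOnly": True},
              "publishConnectionDetailsTo": {"name": "logs-conn"}}},
    {"apiVersion": "cache.azure.upbound.io/v1beta1", "kind": "RedisCache",
     "metadata": {"name": "sessions"},
     "spec": {"forProvider": {"nonSslPortEnabled": False,
                              "redisConfiguration": [{"enableAuthentication": True}]}}},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for finding in audit(sample):
            print(finding)
```

Feed it the documents from your own manifests (for example, the output of a YAML loader) and extend the two tables with the Breaking API Changes entries that apply to the resources you run.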

Full Changelog: v1.13.0...v2.0.0
