feat: november 2024 release (#1201)

<!-- markdownlint-disable first-line-h1 -->

Azure Landing Zones policy refresh
https://github.com/Azure/Enterprise-Scale/releases/tag/2024-11-05

And other minor improvements:

## This PR fixes/adds/changes/removes

1. includes #1200
2. includes #1183
3. includes #1137
4. includes #1143
5. fixes #1171
6. fixes #1170
7. fixes #1185
8. fixes #1176



![image](https://github.com/user-attachments/assets/18f34c9f-29cd-4499-9cd1-de2c85c6c0db)


![image](https://github.com/user-attachments/assets/52eb0679-6a3f-4cf6-a6f7-a8cf9d67f5d4)



## Testing Evidence

Please provide any testing evidence to show that your Pull Request
works/fixes as described and planned (include screenshots, if
appropriate).

## As part of this Pull Request I have

- [ ] Checked for duplicate [Pull
Requests](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/pulls)
- [ ] Associated it with relevant
[issues](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues),
for tracking and closure.
- [ ] Ensured my code/branch is up-to-date with the latest changes in
the `main`
[branch](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main)
- [ ] Performed testing and provided evidence.
- [ ] Updated relevant and associated documentation.

---------

Co-authored-by: cae-pr-creator[bot] <126156663+cae-pr-creator[bot]@users.noreply.github.com>
Co-authored-by: github-actions <action@github.com>
Co-authored-by: Jed Laundry <jlaundry@jlaundry.com>
Co-authored-by: lolorol <LaurentLesle@users.noreply.github.com>
Co-authored-by: Camilo Aguilar <c4milo@users.noreply.github.com>

.terraform-docs.yml

@@ -4,7 +4,7 @@
 
 formatter: "markdown document" # this is required
 
-version: "0.17.0"
+version: "~> 0.18"
 
 header-from: "_README_header.md"
 footer-from: "_README_footer.md"
@@ -13,13 +13,6 @@ recursive:
   enabled: true
   path: modules
 
-sections:
-  hide: []
-  show: []
-
-  hide-all: false # deprecated in v0.13.0, removed in v0.15.0
-  show-all: true # deprecated in v0.13.0, removed in v0.15.0
-
 content: |-
   {{ .Header }}
 

README.md

@@ -52,7 +52,7 @@ This allows customers to address concerns around managing large state files, or
 
 ## Terraform versions
 
-This module has been tested using Terraform `1.7.0` and AzureRM Provider `3.107.0` as a baseline, and various versions to up the latest at time of release.
+This module has been tested using Terraform `1.7.0` and AzureRM Provider `3.108.0` as a baseline, and various versions to up the latest at time of release.
 In some cases, individual versions of the AzureRM provider may cause errors.
 If this happens, we advise upgrading to the latest version and checking our [troubleshooting](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Troubleshooting) guide before [raising an issue](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues).
 
@@ -186,7 +186,7 @@ The following requirements are needed by this module:
 
 - <a name="requirement_azapi"></a> [azapi](#requirement\_azapi) (~> 1.13, != 1.13.0)
 
-- <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) (~> 3.107)
+- <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) (~> 3.108)
 
 - <a name="requirement_random"></a> [random](#requirement\_random) (~> 3.6)
 
@@ -654,6 +654,7 @@ object({
       log_analytics = optional(object({
         enabled = optional(bool, true)
         config = optional(object({
+          daily_quota_gb                         = optional(number, -1)
           retention_in_days                      = optional(number, 30)
           enable_monitoring_for_vm               = optional(bool, true)
           enable_monitoring_for_vmss             = optional(bool, true)
@@ -1108,6 +1109,7 @@ The following resources are used by this module:
 - [azurerm_resource_group.virtual_wan](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) (resource)
 - [azurerm_role_assignment.ama_managed_identity_operator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
 - [azurerm_role_assignment.ama_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
+- [azurerm_role_assignment.deploy_azsqldb_auditing_connectivity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
 - [azurerm_role_assignment.enterprise_scale](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
 - [azurerm_role_assignment.policy_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
 - [azurerm_role_assignment.private_dns_zone_contributor_connectivity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
@@ -1141,6 +1143,10 @@ The following resources are used by this module:
 
 The following outputs are exported:
 
+### <a name="output_ama_user_assigned_identity"></a> [ama\_user\_assigned\_identity](#output\_ama\_user\_assigned\_identity)
+
+Description: The user assigned identity for Azure Monitor Agent that is created by this module.
+
 ### <a name="output_azurerm_automation_account"></a> [azurerm\_automation\_account](#output\_azurerm\_automation\_account)
 
 Description: Returns the configuration data for all Automation Accounts created by this module.
@@ -1257,6 +1263,10 @@ Description: Returns the configuration data for all Virtual WANs created by this
 
 Description: Returns the configuration data for all (Virtual WAN) VPN Gateways created by this module.
 
+### <a name="output_data_collection_rules"></a> [data\_collection\_rules](#output\_data\_collection\_rules)
+
+Description: A map of the data collection rules created by this module.
+
 <!-- markdownlint-enable -->
 <!-- markdownlint-disable MD041 -->
 ## Telemetry

_README_header.md

@@ -51,7 +51,7 @@ This allows customers to address concerns around managing large state files, or
 
 ## Terraform versions
 
-This module has been tested using Terraform `1.7.0` and AzureRM Provider `3.107.0` as a baseline, and various versions to up the latest at time of release.
+This module has been tested using Terraform `1.7.0` and AzureRM Provider `3.108.0` as a baseline, and various versions to up the latest at time of release.
 In some cases, individual versions of the AzureRM provider may cause errors.
 If this happens, we advise upgrading to the latest version and checking our [troubleshooting](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Troubleshooting) guide before [raising an issue](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues).
 

docs/wiki/[User-Guide]-Getting-Started.md

@@ -3,7 +3,7 @@
 
 Before getting started with this module, please take note of the following considerations:
 
-1. This module requires a minimum `azurerm` provider version of `3.107.0`.
+1. This module requires a minimum `azurerm` provider version of `3.108.0`.
 
 1. This module requires a minimum Terraform version `1.7.0`.
 

docs/wiki/[User-Guide]-Upgrade-from-v5.2.1-to-v6.0.0.md

@@ -5,7 +5,7 @@ This is a major release, following the update of Azure Landing Zones with it's m
 
 ## ‼️ Breaking Changes
 
-1. Minimum AzureRM provider version now `3.107.0`
+1. Minimum AzureRM provider version now `3.108.0`
 2. Minimum Terraform version now `1.7.0`
 3. `var.configure_management_resources` schema change, removing legacy components and adding support for AMA resources
 

examples/400-multi-with-orchestration/modules/core/main.tf

@@ -5,7 +5,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "3.107.0"
+      version = "3.108.0"
     }
   }
 }

modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json

@@ -8,7 +8,6 @@
       "Deny-Privileged-AKS",
       "Deny-Storage-http",
       "Deny-Subnet-Without-Nsg",
-      "Deploy-AKS-Policy",
       "Deploy-AzSqlDb-Auditing",
       "Deploy-MDFC-DefSQL-AMA",
       "Deploy-SQL-TDE",
@@ -25,6 +24,7 @@
       "Enforce-AKS-HTTPS",
       "Enforce-ASR",
       "Enforce-GR-KeyVault",
+      "Enforce-Subnet-Private",
       "Enforce-TLS-SSL-H224"
     ],
     "policy_definitions": [],

modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json

@@ -11,7 +11,8 @@
       "Deploy-VMSS-Monitoring",
       "Enable-AUM-CheckUpdates",
       "Enforce-ASR",
-      "Enforce-GR-KeyVault"
+      "Enforce-GR-KeyVault",
+      "Enforce-Subnet-Private"
     ],
     "policy_definitions": [],
     "policy_set_definitions": [],

modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json

@@ -9,7 +9,7 @@
       "Deny-UnmanagedDisk",
       "Deploy-ASC-Monitoring",
       "Deploy-AzActivity-Log",
-      "Deploy-Diag-Logs",
+      "Deploy-Diag-LogsCat",
       "Deploy-MDEndpoints",
       "Deploy-MDEndpointsAMA",
       "Deploy-MDFC-Config-H224",
@@ -200,6 +200,7 @@
       "Enforce-Guardrails-APIM",
       "Enforce-Guardrails-AppServices",
       "Enforce-Guardrails-Automation",
+      "Enforce-Guardrails-BotService",
       "Enforce-Guardrails-CognitiveServices",
       "Enforce-Guardrails-Compute",
       "Enforce-Guardrails-ContainerApps",

modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logscat.tmpl.json

@@ -0,0 +1,28 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Deploy-Diag-LogsCat",
+  "location": "${default_location}",
+  "dependsOn": [],
+  "identity": {
+    "type": "SystemAssigned"
+  },
+  "properties": {
+    "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the allLogs category group to route logs to an Event Hub for all supported resources.",
+    "displayName": "Enable category group resource logging for supported resources to Log Analytics",
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/f5b29bc4-feca-4cc6-a58a-772dd5e290a5",
+    "enforcementMode": "Default",
+    "nonComplianceMessages": [
+      {
+        "message": "Diagnostic settings {enforcementMode} be deployed to Azure services to forward logs to Log Analytics."
+      }
+    ],
+    "parameters": {
+      "logAnalytics": {
+        "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${root_scope_id}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${root_scope_id}-la"
+      }
+    },
+    "scope": "${current_scope_resource_id}",
+    "notScopes": []
+  }
+}

modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json

@@ -210,13 +210,13 @@
       "azureStorageTableSecondaryPrivateDnsZoneId": {
         "value": "${private_dns_zone_prefix}privatelink.table.core.windows.net"
       },
-      "azureSiteRecoveryBackupPrivateDnsZoneID": {
+      "azureSiteRecoveryBackupPrivateDnsZoneId": {
         "value": "${private_dns_zone_prefix}privatelink.${connectivity_location_short}.backup.windowsazure.com"
       },
-      "azureSiteRecoveryBlobPrivateDnsZoneID": {
+      "azureSiteRecoveryBlobPrivateDnsZoneId": {
         "value": "${private_dns_zone_prefix}privatelink.blob.core.windows.net"
       },
-      "azureSiteRecoveryQueuePrivateDnsZoneID": {
+      "azureSiteRecoveryQueuePrivateDnsZoneId": {
         "value": "${private_dns_zone_prefix}privatelink.queue.core.windows.net"
       }
     },

modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json

@@ -0,0 +1,28 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Enforce-Subnet-Private",
+  "dependsOn": [],
+  "properties": {
+    "description": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement",
+    "displayName": "Subnets should be private",
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837",
+    "enforcementMode": "Default",
+    "nonComplianceMessages": [
+      {
+        "message": "Subnets {enforcementMode} be private."
+      }
+    ],
+    "parameters": {
+      "effect": {
+        "value": "Audit"
+      }
+    },
+    "scope": "${current_scope_resource_id}",
+    "notScopes": []
+  },
+  "location": "${default_location}",
+  "identity": {
+    "type": "None"
+  }
+}

modules/archetypes/lib/policy_definitions/policy_definition_es_append_appservice_latesttls.json

@@ -9,7 +9,7 @@
     "displayName": "AppService append sites with minimum TLS version to enforce.",
     "description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny.",
     "metadata": {
-      "version": "1.1.0",
+      "version": "1.2.0",
       "category": "App Service",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -35,6 +35,7 @@
         "type": "String",
         "defaultValue": "1.2",
         "allowedValues": [
+          "1.3",
           "1.2",
           "1.0",
           "1.1"
@@ -54,7 +55,7 @@
           },
           {
             "field": "Microsoft.Web/sites/config/minTlsVersion",
-            "notEquals": "[parameters('minTlsVersion')]"
+            "less": "[parameters('minTlsVersion')]"
           }
         ]
       },

modules/archetypes/lib/policy_definitions/policy_definition_es_append_redis_sslenforcement.json

@@ -9,7 +9,7 @@
     "displayName": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.",
     "description": "Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "Cache",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -56,7 +56,7 @@
             "anyOf": [
               {
                 "field": "Microsoft.Cache/Redis/minimumTlsVersion",
-                "notequals": "[parameters('minimumTlsVersion')]"
+                "less": "[parameters('minimumTlsVersion')]"
               }
             ]
           }

modules/archetypes/lib/policy_definitions/policy_definition_es_deny_eh_mintls.json

@@ -9,7 +9,7 @@
     "displayName": "Event Hub namespaces should use a valid TLS version",
     "description": "Event Hub namespaces should use a valid TLS version.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "Event Hub",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -52,7 +52,7 @@
             "anyOf": [
               {
                 "field": "Microsoft.EventHub/namespaces/minimumTlsVersion",
-                "notEquals": "[parameters('minTlsVersion')]"
+                "less": "[parameters('minTlsVersion')]"
               },
               {
                 "field": "Microsoft.EventHub/namespaces/minimumTlsVersion",

modules/archetypes/lib/policy_definitions/policy_definition_es_deny_mysql_http.json

@@ -9,7 +9,7 @@
     "displayName": "MySQL database servers enforce SSL connections.",
     "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "SQL",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -66,7 +66,7 @@
               },
               {
                 "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
-                "notequals": "[parameters('minimalTlsVersion')]"
+                "less": "[parameters('minimalTlsVersion')]"
               }
             ]
           }

modules/archetypes/lib/policy_definitions/policy_definition_es_deny_redis_http.json

@@ -9,7 +9,7 @@
     "displayName": "Azure Cache for Redis only secure connections should be enabled",
     "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "Cache",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -41,7 +41,7 @@
           "1.0"
         ],
         "metadata": {
-          "displayName": "Select minumum TLS version for Azure Cache for Redis.",
+          "displayName": "Select minimum TLS version for Azure Cache for Redis.",
           "description": "Select minimum TLS version for Azure Cache for Redis."
         }
       }
@@ -61,7 +61,7 @@
               },
               {
                 "field": "Microsoft.Cache/Redis/minimumTlsVersion",
-                "notequals": "[parameters('minimumTlsVersion')]"
+                "less": "[parameters('minimumTlsVersion')]"
               }
             ]
           }

modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sql_mintls.json

@@ -9,7 +9,7 @@
     "displayName": "Azure SQL Database should have the minimal TLS version set to the highest version",
     "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "SQL",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -61,7 +61,7 @@
               },
               {
                 "field": "Microsoft.Sql/servers/minimalTlsVersion",
-                "notequals": "[parameters('minimalTlsVersion')]"
+                "less": "[parameters('minimalTlsVersion')]"
               }
             ]
           }

modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sqlmi_mintls.json

@@ -7,9 +7,9 @@
     "policyType": "Custom",
     "mode": "Indexed",
     "displayName": "SQL Managed Instance should have the minimal TLS version set to the highest version",
-    "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.",
+    "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "SQL",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -61,7 +61,7 @@
               },
               {
                 "field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
-                "notequals": "[parameters('minimalTlsVersion')]"
+                "less": "[parameters('minimalTlsVersion')]"
               }
             ]
           }