-
Notifications
You must be signed in to change notification settings - Fork 574
[User Guide] Upgrade from v2.4.1 to v3.0.0
The v3.0.0
release marks an important update to the module, aimed primarily at reducing code changes needed when upgrading to latest releases.
Previously, any change to the schema of input variables with complex object types would result in a breaking change if not updated in the customer code.
This has been made possible with the GA release of optional()
types in Terraform v1.3.1.
As a result of this change, we have increased the minimum supported Terraform version to v1.3.1
.
To support other changes (as listed below), we have also bumped the minimum supported azurerm
provider version to v3.35.0
.
- Added documentation for how to set parameters for Policy Assignments
- Updated GitHub Super-Linter to
v4.9.7
for static code analysis - Updated the list of private DNS zones created by the module for private endpoints
- Removed deprecated policies for Arc monitoring (now included within VM monitoring built-in initiative)
- Added ability to set
sql_redirect_allowed
andtls_certificate
properties on Azure Firewall policies - Update logic for Azure Firewall public IPs to ensure correct availability zone mapping when only 2 zones are specified
- Added support for
optional()
types in input variables - Updated policies with the latest fixes from the upstream Azure/Enterprise-Scale repository
- Updated tag evaluation for connectivity and management resources, so
default_tags
are now merged with scope-specific tags - Updated the module upgrade guidance
- Updated
Deny-Public-IP
policy assignment to use the built-in policy forNot allowed resource types
- Fix #445 (azurerm v4 compatibility)
- Fix #359 (Specifying parameters in policy assignment loses Log Analytics ID)
- Fix #186 (Policies incompatible with Terraform)
- Fix #444 (Error received when running custom network connectivity deployment)
- Fix #508 (Bug Report: Advanced VPN revoke_certifcate fails to apply)
- Fix #513 (Feature Request: Azure Firewall: Specify TLS Certificate Location in Azure Keyvault)
- Fix #447 (Azure Firewall - Availability Zones)
- Fix #524 (Missing private DNS zone for private endpoint - Azure Data Health Data Services)
- Fix #521 (Feature Request - ExpressRoute Gateway VPN_Type is Hardcoded, parameterise.)
⚠️ Updated the minimum supported Terraform version to0.15.1
⚠️ Updated the minimum supportedazurerm
provider version to3.0.2
⚠️ Terraform will replace theDeny-Public-IP
policy assignment, resulting in loss of compliance history
IMPORTANT: Please also carefully review the planned changes following an upgrade, as the introduction of
optional()
settings may result in unexpected changes from your current configuration where recommended new features are enabled by default.
IMPORTANT: The introduction of
optional()
types should reduce the need to make changes to your code when upgrading, as long as you are happy with the default values specified for new inputs. Before runningterraform apply
, please carefully review the proposed plan to ensure you are happy with the proposed changes.
Anyone using this module should be aware of the following when planning to upgrade from release v2.4.1
to v3.0.0
:
-
Please review the updates listed above, especially in regard to the Breaking changes.
-
A select number of policies provided as part of this module have changed. Please carefully review Resource changes provided below and the output of
terraform plan
to ensure there are no issues with any custom configuration within your root module. -
If you are using a custom library, the following library template types will need checking for references to updated policies as listed in the resource changes section below:
- Archetype Definitions
- Policy Definitions
- Policy Set Definitions
- Policy Assignments
-
Before making changes to your configuration, we recommend to update the module version and run
terraform init -upgrade
followed byterraform plan
to see what changes are needed in the code. Fix any errors before reviewing the plan output to see whether any unexpected resource changes are going to happen. Review the additional guidance below to better understand what is likely to need changing, and please don't hesitate to log a GitHub Issue if you're unclear on any of the required steps.
IMPORTANT: As with any Terraform upgrade, please carefully review the output of
terraform plan
to ensure there are no issues with any custom configuration within your root module or unexpected changes to your environment before applying.
The following changes have been made within the module which should be reviewed carefully before running terraform apply
:
- The following Policy Definition changes have been included in the
es_root
archetype definition:-
Deny-PublicIP
deprecated -
Deploy-DDoSProtection
updated -
Deploy-Diagnostics-AA
updated -
Deploy-Diagnostics-ACI
updated -
Deploy-Diagnostics-ACR
updated -
Deploy-Diagnostics-AnalysisService
updated -
Deploy-Diagnostics-ApiForFHIR
updated -
Deploy-Diagnostics-APIMgmt
updated -
Deploy-Diagnostics-ApplicationGateway
updated -
Deploy-Diagnostics-AVDScalingPlans
updated -
Deploy-Diagnostics-Bastion
updated -
Deploy-Diagnostics-CDNEndpoints
updated -
Deploy-Diagnostics-CognitiveServices
updated -
Deploy-Diagnostics-CosmosDB
updated -
Deploy-Diagnostics-Databricks
updated -
Deploy-Diagnostics-DataExplorerCluster
updated -
Deploy-Diagnostics-DataFactory
updated -
Deploy-Diagnostics-DLAnalytics
updated -
Deploy-Diagnostics-EventGridSub
updated -
Deploy-Diagnostics-EventGridSystemTopic
updated -
Deploy-Diagnostics-EventGridTopic
updated -
Deploy-Diagnostics-ExpressRoute
updated -
Deploy-Diagnostics-Firewall
updated -
Deploy-Diagnostics-FrontDoor
updated -
Deploy-Diagnostics-Function
updated -
Deploy-Diagnostics-HDInsight
updated -
Deploy-Diagnostics-iotHub
updated -
Deploy-Diagnostics-LoadBalancer
updated -
Deploy-Diagnostics-LogicAppsISE
updated -
Deploy-Diagnostics-MariaDB
updated -
Deploy-Diagnostics-MediaService
updated -
Deploy-Diagnostics-MlWorkspace
updated -
Deploy-Diagnostics-MySQL
updated -
Deploy-Diagnostics-NetworkSecurityGroups
updated -
Deploy-Diagnostics-NIC
updated -
Deploy-Diagnostics-PostgreSQL
updated -
Deploy-Diagnostics-PowerBIEmbedded
updated -
Deploy-Diagnostics-RedisCache
updated -
Deploy-Diagnostics-Relay
updated -
Deploy-Diagnostics-SignalR
updated -
Deploy-Diagnostics-SQLElasticPools
updated -
Deploy-Diagnostics-SQLMI
updated -
Deploy-Diagnostics-TimeSeriesInsights
updated -
Deploy-Diagnostics-TrafficManager
updated -
Deploy-Diagnostics-VirtualNetwork
updated -
Deploy-Diagnostics-VM
updated -
Deploy-Diagnostics-VMSS
updated -
Deploy-Diagnostics-VNetGW
updated -
Deploy-Diagnostics-WebServerFarm
updated -
Deploy-Diagnostics-Website
updated -
Deploy-Diagnostics-WVDAppGroup
updated -
Deploy-Diagnostics-WVDHostPools
updated -
Deploy-Diagnostics-WVDWorkspace
updated -
Deploy-Nsg-FlowLogs
deprecated -
Deploy-Nsg-FlowLogs-to-LA
deprecated -
Deploy-Sql-SecurityAlertPolicies
updated -
Deploy-Sql-Tde
updated
-
These will result in a change to the resources deployed by the module.
- The following Policy Set Definition changes have been included in the
es_root
archetype definition:-
Deploy-MDFC-Config
updated
-
These will result in a change to the resources deployed by the module.
- The following Policy Assignment changes have been included in the
es_root
archetype definition:-
Deploy-LX-Arc-Monitoring
removed (now included within theDeploy-VM-Monitoring
Policy Assignment) -
Deploy-WS-Arc-Monitoring
removed (now included within theDeploy-VM-Monitoring
Policy Assignment) -
Deny-Public-IP
updated (custom policy definition replaced with built-in)
-
These will result in a change to the resources deployed by the module.
No changes.
No changes.
Management resources will now inherit tags from the default_tags
input variable, and combined with those set by configure_management_resources.tags
.
No other changes are expected to management resources.
Connectivity resources will now inherit tags from the default_tags
input variable, and combined with those set by configure_connectivity_resources.tags
.
The following changes were made to the configure_connectivity_resources.settings.dns.config.enable_private_link_by_service
object:
-
azure_api_management
added -
azure_arc
added -
azure_batch_account
added -
azure_bot_service_bot
added -
azure_bot_service_token
added -
azure_cache_for_redis_enterprise
added -
azure_data_explorer
added -
azure_data_health_data_services
added -
azure_digital_twins
added -
azure_hdinsights
added -
azure_iot_dps
added -
azure_key_vault_managed_hsm
added -
azure_media_services
added -
azure_migrate
added -
azure_purview_account
added -
azure_purview_studio
added -
azure_synapse_analytics_dev
added -
azure_synapse_analytics_sqlserver
removed -
azure_synapse_studio
added -
azure_web_apps_static_sites
added -
microsoft_power_bi
added -
signalr_webpubsub
added
NOTE: Due to the introduction of
optional()
types, this will not require a code change unless you want to disable creation of the newly added private DNS zones controlled by these inputs.
Additional changes were made to the underlying DNS zone mapping to support the latest required configuration. This may result in changes to the private DNS zones being managed by the module.
No other changes are expected to connectivity resources.
If you are using create_duration_delay
or destroy_duration_delay
custom inputs but have only partially defined the list of available resource types, you may observe a change in the default values being applied by the module. This is because the optional()
type allows us to correctly merge custom and default values without a "fallback" value, as previously implemented.
For any customers using the advanced
configuration blocks within configure_connectivity_resources
and configure_management_resources
, we have made a few updates to add new functionality.
These are not breaking changes and can be identified by reviewing the full change log v2.4.1...v3.0.0.
Take a look at the latest User Guide documentation and our Examples to understand the latest module configuration options, and review your implementation against the changes documented on this page.
If you're running into problems with the upgrade, please let us know via the GitHub Issues. We will do our best to point you in the right direction.
This wiki is being actively developed
If you discover any documentation bugs or would like to request new content, please raise them as an issue or feel free to contribute to the wiki via a pull request. The wiki docs are located in the repository in the docs/wiki/
folder.
- Home
- User guide
- Video guides
-
Examples
- Level 100
- Level 200
-
Level 300
- Deploy multi region networking with custom settings (Hub and Spoke)
- Deploy multi region networking with custom settings (Virtual WAN)
- Deploy with Zero Trust network principles (Hub and Spoke)
- Deploy identity resources with custom settings
- Deploy management resources with custom settings
- Expand built-in archetype definitions
- Create custom policies, initiatives and assignments
- Override module role assignments
- Control policy enforcement mode
- Policy assignments with user assigned managed identities
- Level 400
- Frequently Asked Questions
- Troubleshooting
- Contributing