-
Notifications
You must be signed in to change notification settings - Fork 574
[User Guide] Upgrade from v5.2.1 to v6.0.0
This is a major release, following the update of Azure Landing Zones with it's major policy refresh and move to Azure Monitoring Agent from Microsoft Monitoring Agent.
- Minimum AzureRM provider version now
3.108.0
- Minimum Terraform version now
1.7.0
-
var.configure_management_resources
schema change, removing legacy components and adding support for AMA resources
See: https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies
- Move to built-in policies for deployment of diagnostic settings (original assignment will be moved to new definitions)
- Move to built-in policies for deployment of Azure Monitor Agent
The Microsoft Monitoring Agent is deprecated and all assignments have been removed, however the policy definitions remain.
We now assign polices that deploy the Azure Monitor Agent (AMA) instead of the Microsoft Monitoring Agent (MMA).
We deploy AMA resources using the new configure_management_resources
variable.
- A user-assigned managed identity (UAMI) for the AMA agent to authenticate with Azure Monitor (this needs no special tole assignments, any valid identity will suffice)
- Data collection rule for VM Insights
- Data collection rule for Change Tracking
- Data collection rule for Defender for SQL
Going forward, this module will not provide support for the MMA, and will only support the AMA. If you wish to continue using the MMA, you will need to manage this outside of the module.
As MMA resources were deployed using Azure Policy (DeployIfNotExists), the resources will not be cleaned up automatically. You will need to manually clean up the resources. Please see product group guidance on how to clean up the MMA resources: https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-mma-removal-tool?tabs=single-tenant%2Cdiscovery.
We will publish a link to additional ALZ tooling once it is published.
- feat: new private DNS zones: #918 (thanks @chrsundermann!)
- feat: new virtual network gateway routing parameters: #925 (thanks @nyanhp!)
- fix: mg diag setting location: #952 (thanks @Keetika-Yogendra!)
This has been updated, the changed sections are shown below. Note the removal of deprecated log analytics solutions and the addition of the new AMA settings.
variable "configure_management_resources" {
type = object({
settings = optional(object({
ama = optional(object({
enable_uami = optional(bool, true)
enable_vminsights_dcr = optional(bool, true)
enable_change_tracking_dcr = optional(bool, true)
enable_mdfc_defender_for_sql_dcr = optional(bool, true)
enable_mdfc_defender_for_sql_query_collection_for_security_research = optional(bool, true)
}), {})
log_analytics = optional(object({
enabled = optional(bool, true)
config = optional(object({
retention_in_days = optional(number, 30)
enable_monitoring_for_vm = optional(bool, true)
enable_monitoring_for_vmss = optional(bool, true)
enable_sentinel = optional(bool, true)
enable_change_tracking = optional(bool, true)
}), {})
}), {})
### ... (other settings, no changes)
}), {})
})
}
Thanks to:
- @JamesDLD for providing a helpful contribution for the DCRs
- @jaredfholgate for the policy sync process work and code review
- @arjenhuitema for his awesome work on the AMA design
- @springstone for an awesome policy refresh effort
- @jtracey93 for his technical assurance and oversight
Full Changelog: v5.2.1...v6.0.0
Take a look at the latest User Guide documentation and our Examples to understand the latest module configuration options, and review your implementation against the changes documented on this page.
If you're running into problems with the upgrade, please let us know via the GitHub Issues. We will do our best to point you in the right direction.
This wiki is being actively developed
If you discover any documentation bugs or would like to request new content, please raise them as an issue or feel free to contribute to the wiki via a pull request. The wiki docs are located in the repository in the docs/wiki/
folder.
- Home
- User guide
- Video guides
-
Examples
- Level 100
- Level 200
-
Level 300
- Deploy multi region networking with custom settings (Hub and Spoke)
- Deploy multi region networking with custom settings (Virtual WAN)
- Deploy with Zero Trust network principles (Hub and Spoke)
- Deploy identity resources with custom settings
- Deploy management resources with custom settings
- Expand built-in archetype definitions
- Create custom policies, initiatives and assignments
- Override module role assignments
- Control policy enforcement mode
- Policy assignments with user assigned managed identities
- Level 400
- Frequently Asked Questions
- Troubleshooting
- Contributing