Overview
As part of the upgrade from release 0.4.0 to 1.0.0, the Terraform Module for Cloud Adoption Framework Enterprise-scale includes a minor breaking change due to the need to update the minimum supported `azurerm` provider version to `2.77.0`.
This update is mainly focused on adding the latest updates to custom Policy Definitions, documentation updates for the Wiki, and a couple of minor bug fixes. These changes help to keep this module up to date with the latest reference architecture published in the Azure/Enterprise-Scale repository, and to support the latest releases of Terraform and the AzureRM Provider.
This also represents a significant milestone in the development of this module, as we aim to increase stability on the input variables and minimize breaking changes when adding new features.
Required actions
Anyone using this module should be aware of the following when planning to upgrade from release 0.4.0 to 1.0.0:
- The module now has a minimum supported `azurerm` provider version of `2.77.0`.
- A select number of policies provided as part of this module will be redeployed. Please carefully review the output of `terraform plan` to ensure there are no issues with any custom configuration within your root module.
- If you are using a custom library, the following library template types will need checking for references to updated policies as listed in the resource changes section below:
  - Archetype Definitions
  - Policy Assignments
  - Policy Set Definitions
Resource changes
The following changes have been made within the module which may cause issues when using custom archetype definitions:
- The following Policy Definition changes have been included in the `es_root` archetype definition:
  - `Deny-Databricks-NoPublicIp` added
  - `Deny-Databricks-Sku` added
  - `Deny-Databricks-VirtualNetwork` added
  - `Deny-MachineLearning-PublicNetworkAccess` added
- The following Policy Definitions have been updated; see the `azurerm_policy_definition` changes listed below for the full set.
- The following Policy Assignment templates have been added to the module but are not associated with any archetype definition and are therefore not assigned by default:
  - `Deny-Private-DNS-Zones`
NOTE: All references to resource names are Case Sensitive. Failure to use the correct case will result in an `Invalid index` error when running `terraform plan`, such as the following example:

```
Error: Invalid index

  on ../../modules/archetypes/locals.policy_definitions.tf line 82, in locals:
  82:     template = local.archetype_policy_definitions_map[policy]
    |----------------
    | local.archetype_policy_definitions_map is object with 100 attributes

The given key does not identify an element in this collection value.
```
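The two checks above (scanning a custom library for references to updated policies, and catching the case mismatches that produce `Invalid index`) can be run before `terraform plan`. The script below is an added example and is not code from the module or this wiki. It assumes the library layout the module reads: archetype definition JSON with a `policy_definitions` list of bare names, and policy assignment / policy set definition templates whose `policyDefinitionId` values end in `.../providers/Microsoft.Authorization/policyDefinitions/<name>`. `KNOWN_POLICY_DEFINITIONS` is a constructed stand-in; rebuild it from the `name` values in the built-in library of the release you are upgrading to.

```python
import json
import re
import sys
from pathlib import Path

# Policy Definitions this page lists as updated in place between v0.4.0 and v1.0.0.
UPDATED_POLICY_DEFINITIONS = frozenset({
    "Audit-MachineLearning-PrivateEndpointId",
    "Deny-MachineLearning-Aks",
    "Deny-MachineLearning-Compute-SubnetId",
    "Deny-MachineLearning-Compute-VmSize",
    "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess",
    "Deny-MachineLearning-ComputeCluster-Scale",
    "Deny-MachineLearning-HbiWorkspace",
    "Deny-MachineLearning-PublicAccessWhenBehindVnet",
    "Deploy-VNET-HubSpoke",
})

# Constructed stand-in for the target release's built-in library (assumption).
# Before a real run, rebuild this from the "name" values in the module's
# lib/policy_definitions/*.json files; resource names are case sensitive.
KNOWN_POLICY_DEFINITIONS = UPDATED_POLICY_DEFINITIONS | {
    "Deny-Databricks-NoPublicIp",
    "Deny-Databricks-Sku",
    "Deny-Databricks-VirtualNetwork",
    "Deny-MachineLearning-PublicNetworkAccess",
}

# Trailing name of a scoped (custom) policy definition ID such as
# ${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Foo
# Built-in definitions have no scope prefix and are deliberately skipped.
POLICY_DEFINITION_ID = re.compile(
    r"^.+/providers/Microsoft\.Authorization/policyDefinitions/([^/\s\"']+)$"
)


def collect_policy_references(node, path=""):
    """Yield (json_path, policy_definition_name) pairs from a parsed library
    document: bare names in an archetype's "policy_definitions" list, and
    policyDefinitionId values in assignment / set definition templates."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "policy_definitions" and isinstance(value, list):
                for i, name in enumerate(value):
                    if isinstance(name, str):
                        yield f"{child}[{i}]", name
            elif key == "policyDefinitionId" and isinstance(value, str):
                match = POLICY_DEFINITION_ID.search(value)
                if match:
                    yield child, match.group(1)
            else:
                yield from collect_policy_references(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from collect_policy_references(item, f"{path}[{i}]")


def classify(name, known=KNOWN_POLICY_DEFINITIONS, updated=UPDATED_POLICY_DEFINITIONS):
    """Return (status, detail): "ok"; "updated" (review the plan output);
    "case-mismatch" (detail is the correctly cased name, which otherwise
    surfaces as an Invalid index error); or "unknown" (not in the library)."""
    if name in known:
        return ("updated" if name in updated else "ok", name)
    by_folded_name = {k.casefold(): k for k in known}
    if name.casefold() in by_folded_name:
        return "case-mismatch", by_folded_name[name.casefold()]
    return "unknown", name


def find_issues(doc, source="<memory>"):
    """Return findings for one parsed document, omitting clean references."""
    findings = []
    for json_path, name in collect_policy_references(doc):
        status, detail = classify(name)
        if status != "ok":
            findings.append({"source": source, "path": json_path,
                             "name": name, "status": status, "detail": detail})
    return findings


def check_library(lib_dir):
    """Scan every *.json file under a custom library directory."""
    findings = []
    for file in sorted(Path(lib_dir).rglob("*.json")):
        with file.open(encoding="utf-8") as fh:
            findings.extend(find_issues(json.load(fh), str(file)))
    return findings


if __name__ == "__main__":
    # Usage: python check_library.py path/to/your/custom/lib
    for f in check_library(sys.argv[1] if len(sys.argv) > 1 else "lib"):
        print(f"{f['source']}: {f['path']}: {f['name']} -> {f['status']} ({f['detail']})")
```

A `case-mismatch` finding is the one to fix before planning, since the module's map lookup is case sensitive; `updated` findings are references that will still resolve but whose definitions change in place, so they are worth a look in the `terraform plan` output.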
Resource type: `azurerm_policy_definition`
The following Policy Definitions had name and description fields updated, which will result in an in-place update:
- `Audit-MachineLearning-PrivateEndpointId`
- `Deny-MachineLearning-Aks`
- `Deny-MachineLearning-Compute-SubnetId`
- `Deny-MachineLearning-Compute-VmSize`
- `Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess`
- `Deny-MachineLearning-ComputeCluster-Scale`
- `Deny-MachineLearning-HbiWorkspace`
- `Deny-MachineLearning-PublicAccessWhenBehindVnet`
- `Deploy-VNET-HubSpoke`
Management resources
An explicit dependency was added to ensure `azurerm_log_analytics_solution` resources depend on `azurerm_log_analytics_linked_service` resources.
This increases reliability when running `terraform apply` or `terraform destroy`: the linked service cannot be deleted while the Update Management or ChangeTracking solutions still reference it, so the solutions must be removed first. The dependency prevents errors similar to the following:

```
╷
│ Error: deleting Log Analytics Linked Service 'es-la/Automation' (Resource Group "es-mgmt"): operationalinsights.LinkedServicesClient#Delete: Failure sending request: StatusCode=0 -- Original Error: autorest/azure: Service returned an error. Status=<nil> Code="Conflict" Message="The link cannot be updated or deleted because it is linked to Update Management and/or ChangeTracking Solutions"
│
│
╵
```
Connectivity resources
The Connectivity resources module has been updated to provide management for the `Deploy-Private-DNS-Zones` Policy Assignment.
The schema for `advanced` settings on `azurerm_private_dns_zone_virtual_network_link` resources has been updated to only allow setting `registration_enabled` on a single DNS zone, because a virtual network can be linked with auto-registration to only one Private DNS zone. This prevents the error:

```
Code="Conflict" Message="A virtual network can only be linked to 1 Private DNS zone(s) with auto-registration enabled; conflicting Private DNS zone is "..."
```
Next steps
Take a look at the latest User Guide documentation and our Examples to understand the latest module configuration options, and review your implementation against the changes documented on this page.