v0.6.0

What's Changed

• Update the number of scenarios for RBAC by @SenthuranSivananthan in #109
• Enable Diagnostic Settings for Log Analytics Workspace by @SenthuranSivananthan in #108
• Instructions for configuring Service connection in Azure DevOps by @SenthuranSivananthan in #110
• Moved delete policy & policyset disclaimer to a more noticeable spot by @tredell in #115
• Create Azure DevOps Setup onboarding guide by @skeeler in #116
• AKS - Restrict Egress traffic by using outboundType: userDefinedRouting (#97) by @Adeelku in #111
• Add ado.md with links to new pages for backward compatibility by @SenthuranSivananthan in #117
• Support for disabling policy enforcement for policy sets assignments by @SenthuranSivananthan in #120
• Archetype authoring guide by @SenthuranSivananthan in #112
• Update Bicep Linter rules & fix automation syntax by @SenthuranSivananthan in #124
• Migrate Microsoft Defender for Cloud plans for AKS and ACR to Containers plan by @SenthuranSivananthan in #122
• GitHub Actions for consistency checks by @SenthuranSivananthan in #125
• Policy defintion for LA Diag backup and ASR Events by @ghostme in #126

New Contributors

• @tredell made their first contribution in #115

Full Changelog: v0.5.0...v0.6.0

v0.5.1

What's Changed

• Update Bicep Linter rules & fix automation syntax (#124)

Full Changelog: v0.5.0...v0.5.1

v0.5.0

What's Changed

• Telemetry - enable Azure customer usage attribution by @SenthuranSivananthan in #59
• Platform Management Group alignment with Reference Architecture by @SenthuranSivananthan in #76. See https://github.com/Azure/CanadaPubSecALZ/blob/main/docs/architecture.md#3-management-groups
• Support AAD authentication for SQLDB by @mosharafMS in #74
• Azure Backup Recovery Vault for Generic Subscription by @ghostme in #95
• AKS - Azure CNI and Calico Network Policy (#48) by @Adeelku in #96
• Support Audit, Deny & Disabled effects for Tag policy by @SenthuranSivananthan in #91
• Parameterize Log Analytics Workspace log retention days by @SenthuranSivananthan in #44
• Support for Azure Bastion Standard SKU by @SenthuranSivananthan in #46
• Ensure PRs does not trigger pipeline runs by @SenthuranSivananthan in #92
• Parity between GitHub & Azure DevOps pull request validation pipeline by @SenthuranSivananthan in #42
• AuditEvent log category for Automation Account's Diagnostic Settings by @SenthuranSivananthan in #63
• Remove connection string from being added to Key Vault by @mosharafMS in #90
• Branding changes & policy re-organization by @SenthuranSivananthan in #82
• Azure DevOps Onboarding Guide updates by @nataliakon in #51. See https://github.com/Azure/CanadaPubSecALZ/blob/main/docs/onboarding/ado.md
• Azure Policy Authoring Guide by @SenthuranSivananthan in #54 & #55. See https://github.com/Azure/CanadaPubSecALZ/blob/main/docs/policy/authoring-guide.md
• Documentation improvements for archetypes by @SenthuranSivananthan in #89
• Improve archetype parameter JSON schemas by @SenthuranSivananthan in #61
• Parameters schema snapshot for v0.2.0 by @SenthuranSivananthan in #104

New Contributors

• @mosharafMS made their first contribution in #74
• @ghostme made their first contribution in #95
• @Adeelku made their first contribution in #96

Full Changelog: v0.4.0...v0.5.0

v0.4.0

This release includes:

• Documentation in markdown (see https://github.com/Azure/CanadaPubSecALZ/tree/main/docs)
• JSON schema based validation for subscription parameters (see https://github.com/Azure/CanadaPubSecALZ/tree/main/schemas/v0.1.0/landingzones)
• Built-in Azure Defender Policies for subscriptions
• Bug fix - Ensure resource tags are applied to Log Analytics Workspace solutions
• Bug fix - Bicep linter configuration (bicepconfig.json) for Azure Firewall moved to correct directory

cc: @Vallentyne, @hudua, @SenthuranSivananthan, @skeeler, @obrien-j, @nataliakon, @mnigh

v0.3.0

This release is based on Azure Landing Zones for Canadian Public Sector version: v0.3.0 (September 2021 Release)

The purpose of the reference implementation is to guide Canadian Public Sector customers on building Landing Zones in their Azure environment. The reference implementation is based on Cloud Adoption Framework for Azure and provides an opinionated implementation that enables ITSG-33 regulatory compliance by using NIST SP 800-53 Rev. 4 and Canada Federal PBMM Regulatory Compliance Policy Sets.

Architecture supported up to Treasury Board of Canada Secretariat (TBS) Cloud Profile 3 - Cloud Only Applications. This profile is applicable to Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) with characteristics :

• Cloud-based services hosting sensitive (up to Protected B) information
• No direct system to system network interconnections required with GC data centers

Current release supports:

• Supports Azure Policy Sets (customers are encouraged to review the compliance results and adjust their environment based on their requirements):
  • Azure Security Benchmark
  • Canada Federal Protected B (PBMM)
  • CIS Microsoft Foundation v1.3.0
  • HITRUST/HIPAA
  • NIST 800-53 R4 & NIST 800-53 R5
• DDOS Standard Protection
• Shared Azure Bastion in Hub
• Shared Private DNS Zones in Hub
• Bring-your-own DNS for Spoke subscriptions
• Service Health alerts
• Hub & Spoke networking with cloud-only access using Network Virtual Appliances (NVAs)
• Hub & Spoke networking with cloud-only access using Azure Firewall (with and without forced tunneling)
• 3 Archetypes:
  • Generic Subscription
  • Machine Learning
  • Healthcare
• Azure DevOps Pipelines for:
  • Management Groups
  • Log Analytics
  • Azure Policies
  • Roles
  • Hub Networking - Fortinet Firewalls (only pay-as-you-go images)
  • Hub Networking - Azure Firewall & Azure Firewall Policy
  • Subscriptions (Archetypes)

cc: @adamlash, @Vallentyne, @hudua, @MG-Microsoft, @SenthuranSivananthan, @skeeler