Merge pull request #79 from clouddrove/feat/policy-update-6.3.1

updated az lanading zone to 6.3.1

Author: dverma-cd

README.md

@@ -4,13 +4,38 @@
 > [!IMPORTANT]
 > For new deployments we now recommend using Azure Verified Modules for Platform Landing Zones.
 > Please see the documentation at <https://aka.ms/alz/tf>.
-> This module will continue to be supported for existing deployments.
 
-[![Build Status](https://dev.azure.com/mscet/CAE-ALZ-Terraform/_apis/build/status/Tests/E2E?branchName=refs%2Ftags%2Fv6.0.0)](https://dev.azure.com/mscet/CAE-ALZ-Terraform/_build/latest?definitionId=26&branchName=refs%2Ftags%2Fv6.0.0)
-![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/Azure/terraform-azurerm-caf-enterprise-scale?style=flat&logo=github)
-[![Average time to resolve an issue](http://isitmaintained.com/badge/resolution/azure/terraform-azurerm-caf-enterprise-scale.svg)](http://isitmaintained.com/project/azure/terraform-azurerm-caf-enterprise-scale "Average time to resolve an issue")
-[![Percentage of issues still open](http://isitmaintained.com/badge/open/azure/terraform-azurerm-caf-enterprise-scale.svg)](http://isitmaintained.com/project/azure/terraform-azurerm-caf-enterprise-scale "Percentage of issues still open")
-[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/Azure/terraform-azurerm-caf-enterprise-scale/badge)](https://scorecard.dev/viewer/?uri=github.com/Azure/terraform-azurerm-caf-enterprise-scale)
+## ⚠️ DEPRECATION NOTICE
+
+**This module is now in extended support mode and will be archived on August 1, 2026.**
+
+### Current Status
+
+- **Extended Support Period**: This module is now in extended support for one year (until August 1, 2026)
+- **Support Scope**: During this period, we will provide quality updates (e.g. bug fixes) and policy library updates only
+- **No New Features**: No new features or functionality will be added to this module
+
+### Migration Path
+
+We strongly recommend that all users migrate to the new **Azure Verified Modules** approach for Azure Landing Zones. This new approach provides:
+
+- Enhanced reliability and testing
+- Improved modularity and flexibility
+- Better alignment with Azure best practices
+- Ongoing feature development and support
+
+**Further reading**: Please read our recent [blog](https://techcommunity.microsoft.com/blog/azuretoolsblog/terraform-azure-verified-modules-for-platform-landing-zone-alz-migration-guidanc/4432035)
+
+**Migration Guide**: Please visit [aka.ms/alz/tf/migrate](https://aka.ms/alz/tf/migrate) for detailed migration guidance and resources.
+
+### Timeline
+
+- **Now - August 1, 2026**: Extended support (quality and policy updates only)
+- **August 1, 2026**: Repository will be archived and no further updates will be made
+
+### Questions?
+
+If you have questions about the migration process or need assistance, please refer to the migration documentation or raise an issue in the repository before the archive date.
 
 Detailed information about how to use, configure and extend this module can be found on our Wiki:
 
@@ -20,17 +45,6 @@ Detailed information about how to use, configure and extend this module can be f
 - [Frequently Asked Questions](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Frequently-Asked-Questions)
 - [Troubleshooting](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Troubleshooting)
 
-## ‼ Notice of upcoming breaking changes
-
-We are planning to make some breaking changes to the module in the next release (Q4 2024).
-
-- Module defaults will updated to deploy zone redundant SKUs by default - this applies to:
-  - Firewall
-  - Public IP
-  - Virtual Network Gateway
-
-We will publish guidance on how to avoid re-deployment of existing resources nearer the time.
-
 ## Overview
 
 The [Azure landing zones Terraform module](https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest) is designed to accelerate deployment of platform resources based on the [Azure landing zones conceptual architecture](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone#azure-landing-zone-conceptual-architecture) using Terraform.

_README_header.md

@@ -3,13 +3,38 @@
 > [!IMPORTANT]
 > For new deployments we now recommend using Azure Verified Modules for Platform Landing Zones.
 > Please see the documentation at <https://aka.ms/alz/tf>.
-> This module will continue to be supported for existing deployments.
 
-[![Build Status](https://dev.azure.com/mscet/CAE-ALZ-Terraform/_apis/build/status/Tests/E2E?branchName=refs%2Ftags%2Fv6.0.0)](https://dev.azure.com/mscet/CAE-ALZ-Terraform/_build/latest?definitionId=26&branchName=refs%2Ftags%2Fv6.0.0)
-![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/Azure/terraform-azurerm-caf-enterprise-scale?style=flat&logo=github)
-[![Average time to resolve an issue](http://isitmaintained.com/badge/resolution/azure/terraform-azurerm-caf-enterprise-scale.svg)](http://isitmaintained.com/project/azure/terraform-azurerm-caf-enterprise-scale "Average time to resolve an issue")
-[![Percentage of issues still open](http://isitmaintained.com/badge/open/azure/terraform-azurerm-caf-enterprise-scale.svg)](http://isitmaintained.com/project/azure/terraform-azurerm-caf-enterprise-scale "Percentage of issues still open")
-[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/Azure/terraform-azurerm-caf-enterprise-scale/badge)](https://scorecard.dev/viewer/?uri=github.com/Azure/terraform-azurerm-caf-enterprise-scale)
+## ⚠️ DEPRECATION NOTICE
+
+**This module is now in extended support mode and will be archived on August 1, 2026.**
+
+### Current Status
+
+- **Extended Support Period**: This module is now in extended support for one year (until August 1, 2026)
+- **Support Scope**: During this period, we will provide quality updates (e.g. bug fixes) and policy library updates only
+- **No New Features**: No new features or functionality will be added to this module
+
+### Migration Path
+
+We strongly recommend that all users migrate to the new **Azure Verified Modules** approach for Azure Landing Zones. This new approach provides:
+
+- Enhanced reliability and testing
+- Improved modularity and flexibility
+- Better alignment with Azure best practices
+- Ongoing feature development and support
+
+**Further reading**: Please read our recent [blog](https://techcommunity.microsoft.com/blog/azuretoolsblog/terraform-azure-verified-modules-for-platform-landing-zone-alz-migration-guidanc/4432035)
+
+**Migration Guide**: Please visit [aka.ms/alz/tf/migrate](https://aka.ms/alz/tf/migrate) for detailed migration guidance and resources.
+
+### Timeline
+
+- **Now - August 1, 2026**: Extended support (quality and policy updates only)
+- **August 1, 2026**: Repository will be archived and no further updates will be made
+
+### Questions?
+
+If you have questions about the migration process or need assistance, please refer to the migration documentation or raise an issue in the repository before the archive date.
 
 Detailed information about how to use, configure and extend this module can be found on our Wiki:
 
@@ -19,17 +44,6 @@ Detailed information about how to use, configure and extend this module can be f
 - [Frequently Asked Questions](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Frequently-Asked-Questions)
 - [Troubleshooting](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Troubleshooting)
 
-## ‼ Notice of upcoming breaking changes
-
-We are planning to make some breaking changes to the module in the next release (Q4 2024).
-
-- Module defaults will updated to deploy zone redundant SKUs by default - this applies to:
-  - Firewall
-  - Public IP
-  - Virtual Network Gateway
-
-We will publish guidance on how to avoid re-deployment of existing resources nearer the time.
-
 ## Overview
 
 The [Azure landing zones Terraform module](https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest) is designed to accelerate deployment of platform resources based on the [Azure landing zones conceptual architecture](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone#azure-landing-zone-conceptual-architecture) using Terraform.

modules/archetypes/README.md

@@ -4,7 +4,38 @@
 > [!IMPORTANT]
 > For new deployments we now recommend using Azure Verified Modules for Platform Landing Zones.
 > Please see the documentation at <https://aka.ms/alz/tf>.
-> This module will continue to be supported for existing deployments.
+
+## ⚠️ DEPRECATION NOTICE
+
+**This module is now in extended support mode and will be archived on August 1, 2026.**
+
+### Current Status
+
+- **Extended Support Period**: This module is now in extended support for one year (until August 1, 2026)
+- **Support Scope**: During this period, we will provide quality updates (e.g. bug fixes) and policy library updates only
+- **No New Features**: No new features or functionality will be added to this module
+
+### Migration Path
+
+We strongly recommend that all users migrate to the new **Azure Verified Modules** approach for Azure Landing Zones. This new approach provides:
+
+- Enhanced reliability and testing
+- Improved modularity and flexibility
+- Better alignment with Azure best practices
+- Ongoing feature development and support
+
+**Further reading**: Please read our recent [blog](https://techcommunity.microsoft.com/blog/azuretoolsblog/terraform-azure-verified-modules-for-platform-landing-zone-alz-migration-guidanc/4432035)
+
+**Migration Guide**: Please visit [aka.ms/alz/tf/migrate](https://aka.ms/alz/tf/migrate) for detailed migration guidance and resources.
+
+### Timeline
+
+- **Now - August 1, 2026**: Extended support (quality and policy updates only)
+- **August 1, 2026**: Repository will be archived and no further updates will be made
+
+### Questions?
+
+If you have questions about the migration process or need assistance, please refer to the migration documentation or raise an issue in the repository before the archive date.
 
 ## Documentation
 <!-- markdownlint-disable MD033 -->

modules/archetypes/_README_header.md

@@ -3,4 +3,35 @@
 > [!IMPORTANT]
 > For new deployments we now recommend using Azure Verified Modules for Platform Landing Zones.
 > Please see the documentation at <https://aka.ms/alz/tf>.
-> This module will continue to be supported for existing deployments.
+
+## ⚠️ DEPRECATION NOTICE
+
+**This module is now in extended support mode and will be archived on August 1, 2026.**
+
+### Current Status
+
+- **Extended Support Period**: This module is now in extended support for one year (until August 1, 2026)
+- **Support Scope**: During this period, we will provide quality updates (e.g. bug fixes) and policy library updates only
+- **No New Features**: No new features or functionality will be added to this module
+
+### Migration Path
+
+We strongly recommend that all users migrate to the new **Azure Verified Modules** approach for Azure Landing Zones. This new approach provides:
+
+- Enhanced reliability and testing
+- Improved modularity and flexibility
+- Better alignment with Azure best practices
+- Ongoing feature development and support
+
+**Further reading**: Please read our recent [blog](https://techcommunity.microsoft.com/blog/azuretoolsblog/terraform-azure-verified-modules-for-platform-landing-zone-alz-migration-guidanc/4432035)
+
+**Migration Guide**: Please visit [aka.ms/alz/tf/migrate](https://aka.ms/alz/tf/migrate) for detailed migration guidance and resources.
+
+### Timeline
+
+- **Now - August 1, 2026**: Extended support (quality and policy updates only)
+- **August 1, 2026**: Repository will be archived and no further updates will be made
+
+### Questions?
+
+If you have questions about the migration process or need assistance, please refer to the migration documentation or raise an issue in the repository before the archive date.

modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json

@@ -23,9 +23,36 @@
       "Enable-DDoS-VNET",
       "Enforce-AKS-HTTPS",
       "Enforce-ASR",
+      "Enforce-Encrypt-CMK0",
+      "Enforce-GR-APIM0",
+      "Enforce-GR-AppServices0",
+      "Enforce-GR-Automation0",
+      "Enforce-GR-BotService0",
+      "Enforce-GR-CogServ0",
+      "Enforce-GR-Compute0",
+      "Enforce-GR-ContApps0",
+      "Enforce-GR-ContInst0",
+      "Enforce-GR-ContReg0",
+      "Enforce-GR-CosmosDb0",
+      "Enforce-GR-DataExpl0",
+      "Enforce-GR-DataFactory0",
+      "Enforce-GR-EventGrid0",
+      "Enforce-GR-EventHub0",
       "Enforce-GR-KeyVault",
+      "Enforce-GR-KeyVaultSup0",
+      "Enforce-GR-Kubernetes0",
+      "Enforce-GR-MachLearn0",
+      "Enforce-GR-MySQL0",
+      "Enforce-GR-Network0",
+      "Enforce-GR-OpenAI0",
+      "Enforce-GR-PostgreSQL0",
+      "Enforce-GR-ServiceBus0",
+      "Enforce-GR-SQL0",
+      "Enforce-GR-Storage0",
+      "Enforce-GR-Synapse0",
+      "Enforce-GR-VirtualDesk0",
       "Enforce-Subnet-Private",
-      "Enforce-TLS-SSL-H224"
+      "Enforce-TLS-SSL-Q225"
     ],
     "policy_definitions": [],
     "policy_set_definitions": [],

modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json

@@ -11,7 +11,34 @@
       "Deploy-VMSS-Monitoring",
       "Enable-AUM-CheckUpdates",
       "Enforce-ASR",
+      "Enforce-Encrypt-CMK0",
+      "Enforce-GR-APIM0",
+      "Enforce-GR-AppServices0",
+      "Enforce-GR-Automation0",
+      "Enforce-GR-BotService0",
+      "Enforce-GR-CogServ0",
+      "Enforce-GR-Compute0",
+      "Enforce-GR-ContApps0",
+      "Enforce-GR-ContInst0",
+      "Enforce-GR-ContReg0",
+      "Enforce-GR-CosmosDb0",
+      "Enforce-GR-DataExpl0",
+      "Enforce-GR-DataFactory0",
+      "Enforce-GR-EventGrid0",
+      "Enforce-GR-EventHub0",
       "Enforce-GR-KeyVault",
+      "Enforce-GR-KeyVaultSup0",
+      "Enforce-GR-Kubernetes0",
+      "Enforce-GR-MachLearn0",
+      "Enforce-GR-MySQL0",
+      "Enforce-GR-Network0",
+      "Enforce-GR-OpenAI0",
+      "Enforce-GR-PostgreSQL0",
+      "Enforce-GR-ServiceBus0",
+      "Enforce-GR-SQL0",
+      "Enforce-GR-Storage0",
+      "Enforce-GR-Synapse0",
+      "Enforce-GR-VirtualDesk0",
       "Enforce-Subnet-Private"
     ],
     "policy_definitions": [],

modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json

@@ -29,6 +29,8 @@
       "Audit-PrivateLinkDnsZones",
       "Audit-PublicIpAddresses-UnusedResourcesCostOptimization",
       "Audit-ServerFarms-UnusedResourcesCostOptimization",
+      "Audit-Tags-Mandatory-Rg",
+      "Audit-Tags-Mandatory",
       "Deny-AA-child-resources",
       "Deny-APIM-TLS",
       "Deny-AppGw-Without-Tls",
@@ -194,8 +196,9 @@
       "Enforce-ALZ-Decomm",
       "Enforce-ALZ-Sandbox",
       "Enforce-Backup",
-      "Enforce-Encryption-CMK",
+      "Enforce-Encryption-CMK_20250218",
       "Enforce-EncryptTransit_20240509",
+      "Enforce-EncryptTransit_20241211",
       "Enforce-EncryptTransit",
       "Enforce-Guardrails-APIM",
       "Enforce-Guardrails-AppServices",

modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json

@@ -1,12 +1,13 @@
 {
   "type": "Microsoft.Authorization/policyAssignments",
-  "apiVersion": "2022-06-01",
+  "apiVersion": "2024-04-01",
   "name": "Audit-AppGW-WAF",
   "dependsOn": [],
   "properties": {
     "description": "Assign the WAF should be enabled for Application Gateway audit policy.",
     "displayName": "Web Application Firewall (WAF) should be enabled for Application Gateway",
     "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
+    "definitionVersion": "2.*.*",
     "enforcementMode": "Default",
     "nonComplianceMessages": [
       {

modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_resourcerglocation.tmpl.json

@@ -1,12 +1,13 @@
 {
   "type": "Microsoft.Authorization/policyAssignments",
-  "apiVersion": "2022-06-01",
+  "apiVersion": "2024-04-01",
   "name": "Audit-ResourceRGLocation",
   "dependsOn": [],
   "properties": {
     "description": "Resource Group and Resource locations should match.",
     "displayName": "Resource Group and Resource locations should match",
     "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a",
+    "definitionVersion": "2.*.*",
     "enforcementMode": "Default",
     "nonComplianceMessages": [
       {

modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json

@@ -11,7 +11,7 @@
     "enforcementMode": "Default",
     "nonComplianceMessages": [
       {
-        "message": "Trust Launch {enforcementMode} be used on supported virtual machines for enhanced security."
+        "message": "Trusted Launch {enforcementMode} be used on supported virtual machines for enhanced security."
       }
     ],
     "parameters": {