Skip to content

fix(bicep): pin API versions and record DoNotEnforce ADR (Phase 33 P2/P4)#13

Open
OgeonX-Ai wants to merge 2 commits into
mainfrom
fix/bicep-lint-api-version-pinning
Open

fix(bicep): pin API versions and record DoNotEnforce ADR (Phase 33 P2/P4)#13
OgeonX-Ai wants to merge 2 commits into
mainfrom
fix/bicep-lint-api-version-pinning

Conversation

@OgeonX-Ai

Copy link
Copy Markdown
Contributor

Description

Closes the two remaining Phase 33 (Azure Infra Hardening) items scoped to this repo:

P2 — Bicep linting / API version pinning

  • bicepconfig.json: use-recent-api-versions flipped from off to warning (this repo's copy of the config, merged via ci: scan actions with codeql and add bicep linter config #10, matched cas-platform's suppressed rule).
  • Four resources across impl/azure/landing-zone/bicep/modules/ had genuinely stale API versions once the rule was re-enabled; all four are bumped to a current, GA (non-preview) version:
    • identity.bicep: userAssignedIdentities@2023-01-31 -> @2024-11-30
    • logging-siem.bicep: workspaces@2023-09-01 -> @2025-02-01
    • network-hubspoke.bicep: networkSecurityGroups + virtualNetworks@2024-05-01 -> @2024-10-01 (both)
    • policy-assignments.bicep: policyAssignments@2024-04-01 -> @2025-01-01 (enforcementMode untouched)
    • keyvault.bicep was already current — untouched, regression-checked clean.

P4 — DoNotEnforce policy decision

  • docs/adr/001-policy-assignment-enforcement-mode.md records the enforcementMode: 'DoNotEnforce' setting on the allowed-locations policy assignment as an intentional, reviewed decision (this is a stub/reference landing zone per its own README, not a deployed environment), following this repo's existing ADR authoring convention.

All changes validated locally via az bicep build / az bicep lint only — no az deployment of any kind, per this phase's environment constraints. No CI wiring changes; this repo has no existing Bicep CI gate.

SDLC Verification

  • Code follows CAS architecture (AGENTS.md)
  • Tested via az bicep build / az bicep lint (see task-level verification in commit messages)
  • No embedded secrets or credentials
  • Passed local review (this repo's own CLAUDE.md description of "docs-only, no builds" is stale for impl/azure/landing-zone/bicep/; this PR treats that directory with full build/lint rigor)

Aitomates added 2 commits July 6, 2026 20:09
…e API versions

- bicepconfig.json: flip use-recent-api-versions from off to warning
- identity.bicep: userAssignedIdentities 2023-01-31 -> 2024-11-30
- logging-siem.bicep: workspaces 2023-09-01 -> 2025-02-01
- network-hubspoke.bicep: networkSecurityGroups + virtualNetworks 2024-05-01 -> 2024-10-01
- policy-assignments.bicep: policyAssignments 2024-04-01 -> 2025-01-01 (enforcementMode untouched)

Closes Phase 33 P2 item for cloud-security-service-model. Verified via az bicep build/lint
on every touched module plus a full-template pass on main.bicep and a regression check on
the untouched keyvault.bicep module.
Reaffirms enforcementMode: DoNotEnforce on the allowed-locations policy assignment in
impl/azure/landing-zone/bicep/modules/policy-assignments.bicep is an intentional,
reviewed decision (stub/reference landing zone, not a deployed environment) rather than
an unreviewed gap.

Closes Phase 33 P4 item for cloud-security-service-model.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants