3.2.6¶

Release Date: March 16, 2026

✨ New Features¶

Terraform Modules¶

Custom Subdomain WAF Security Policies 🛡️¶

Module: src/terraform/saif-custom-subdomain-service

Dedicated Web Application Firewall (WAF) policies are now created per custom subdomain deployment, resolving a Terraform conflict where shared WAF policies from the infosec workspace were already attached to the Front Door profile.

Previously, teams sharing the same Azure Front Door profile would fail on terraform apply with Web Application Firewall Policy is already attached to AFDX profile because the infosec-managed WAF policies could only be attached to one profile at a time.

What Changed:

✅ Dedicated WAF policies per deployment — each custom subdomain service now creates its own azurerm_cdn_frontdoor_firewall_policy resources (waf_policy_ext / waf_policy_int)
✅ Removed dependency on infosec workspace — the tfe_outputs.firewall data source is no longer required
✅ Unique naming convention — policies follow the wafpolicy{ext|int}{owner}{env} pattern to prevent naming collisions across teams

New Variables:

owner (string) — used to generate unique WAF policy names scoped per team
resource_group_name (string) — required by azurerm_cdn_frontdoor_firewall_policy (WAF policies require an explicit resource group)

Example:

module "custom_subdomain" {
  source = "./modules/saif-custom-subdomain-service"

  owner               = "platform"
  resource_group_name = azurerm_resource_group.main.name
  # ... other variables
}

Benefits:

🚀 Teams can now deploy custom subdomain services without conflicts on shared Front Door profiles
🔒 WAF policies are isolated per team, preventing accidental cross-team policy changes
🔄 Backwards compatible — existing deployments will create new WAF resources on the next apply

PR: #515, #517

IaC Modules Migrated to Dedicated Repositories 📦¶

Migration: src/terraform/ → iac-azure-modules / iac-okta-modules

Completes the IaC modularization initiative by moving all Azure and Okta Terraform modules out of the Forge monorepo into their dedicated repositories, reducing repository complexity and enabling independent module versioning.

What Changed:

✅ 10 Azure modules removed from src/terraform/ and moved to iac-azure-modules
✅ 8 Okta modules removed from src/terraform/ and moved to iac-okta-modules
✅ 18 pipeline YAMLs removed from .azdo/prs/ for migrated modules
✅ 105 module entries added to src/terraform/modules.json for the newly migrated modules
✅ swap-terraform-modules.ps1 updated — resolves azure/* sources to iac-azure-modules and okta/* to iac-okta-modules (sibling repos)
✅ RepublishFromManifest action added to Manage-TerraformRegistryModule.ps1 for bulk republishing of modules from a manifest

Benefits:

🗂️ Forge monorepo reduced from 33 to 15 module directories
🔄 Modules can be versioned and released independently from Forge
🚀 Teams consuming modules get dedicated changelogs and release notes per module repo

Closes: #425, #428

PR: #516

GitHub Repository Setup Script 🔧¶

Tool: tools/setup-repo.ps1

A new PowerShell script is available to configure a GitHub repository to match the settings of saif-corp/forge, applying general settings, squash merge format, and branch rulesets automatically.

The script is idempotent — safe to run repeatedly as existing rulesets are skipped if they already exist.

Benefits:

⚡ New repositories can be bootstrapped with consistent settings in seconds
🔄 Runnable repeatedly without side effects
📋 Ensures consistent branch protection and merge strategy across the platform

📦 Dependencies¶

TypeScript Packages¶

The following TypeScript packages were updated:

Package	Change	PR
`flatted`	`3.3.3` → `3.4.1`	#511
`tar`	`7.5.6` → `7.5.11` (security)	#506
`lerna`	`9.0.5` → `9.0.6`	#504
npm/yarn group (8 dirs)	Various updates	#513

.NET & Other Packages¶

Broad dependency refresh across multiple packages (#509, #505):

Microsoft.Extensions.* packages updated to 10.0.5
Microsoft.TemplateEngine.* packages updated to 10.0.201
OpenTelemetry.Instrumentation.AspNetCore updated to 1.15.1
25+ additional dependency updates

🔒 Security note: The tar package update (7.5.6 → 7.5.11) addresses a known vulnerability. All projects using Forge's TypeScript tooling should update immediately.

� Breaking Changes¶

None in this release ✅

📋 Additional Notes¶

Total commits: 12
Files changed: ~50
Contributors: Jason Coria Corona Yue, Emmitt Johnson, Copilot

Support¶

📧 Teams Support Channel: Support