Azure · Jefajers · Mar 12, 2024 · Jan 25, 2024 · Jan 25, 2024 · Jan 25, 2024
@@ -1,19 +1,47 @@
 # AzOps Resource Deletion
 
 - [Introduction](#introduction)
-- [Deletion dependency validation](#deletion-dependency-validation)
+- [Deletion of AzOps generated File](#deletion-of-azops-generated-file)
+  - [Deletion dependency validation](#deletion-dependency-validation)
   - [Deletion dependency validation scenario](#deletion-dependency-validation-scenario)
+- [Deletion of Custom Template](#deletion-of-custom-template)
+  - [Enable Deletion of Custom Template](#enable-deletion-of-custom-template)
 - [Integration with AzOps Accelerator](#integration-with-azops-accelerator)
   - [How to Add AzOps Resource Deletion to existing AzOps Push](#how-to-add-azops-resource-deletion-to-existing-azops-push-and-validate-pipelines)
 
 ## Introduction
 
-**AzOps Resource Deletion** performs deletion of locks, policyAssignments, policyDefinitions, policyExemptions, policySetDefinitions and roleAssignments in Azure, based on `AzOps - Pull` generated templates at all Azure scope levels `(Management Group/Subscription/Resource Group)`.
+**AzOps Resource Deletion** at a high level enables two scenarios.
+1. [Deletion of AzOps generated File](#deletion-of-azops-generated-file) of supported resource type, resulting in AzOps removes the corresponding resource in Azure.
+2. [Deletion of Custom Template](#deletion-of-custom-template), resulting in AzOps removes the corresponding resource in Azure.
+
+```mermaid
+flowchart TD
+    A[(Main Branch)] --> B[(1.Delete Branch)]
+    B -- Remove Template Files --> C([2. filename.json])
+    C --> D([3. Commit])
+    D --> B
+    B -- Pull Request to Main ----> E(((4. AzOps - Validate
+    '/tmp/diff.txt'
+    '/tmp/diffdeletedfiles.txt')))
+    E -- git diff --- A
+    E ---> F[5. Invoke-AzOpsPush -WhatIf:$true]
+    E -- Merge ---> A
+    A -- Automated trigger----> G(((6. AzOps - Push
+    '/tmp/diff.txt'
+    '/tmp/diffdeletedfiles.txt')))
+    G -- git diff --- A
+    G --> H[7. Invoke-AzOpsPush -WhatIf:$false]
+```
 
-- For any other resource type **deletion** is **not** supported by AzOps at this time.
+## Deletion of AzOps generated File
 
 By removing a AzOps generated file of a supported resource type AzOps removes the corresponding resource in Azure.
 
+_Supported resource types include: locks, policyAssignments, policyDefinitions, policyExemptions, policySetDefinitions, roleAssignments and resourceGroups in Azure._
+
+- For any other `AzOps - Pull` generated resource **deletion** is **not** supported by AzOps at this time.
+
 **_Please Note_**
 
 - SPN used for deletion/change action, requires below actions in its role definition. Choose which combination best suites your implementation.
@@ -68,7 +96,15 @@ By removing a AzOps generated file of a supported resource type AzOps removes th
                             OR
     Microsoft.Authorization/roleAssignments/*
 ```
-## Deletion dependency validation
+
+- For Azure Resource group removal
+
+```bash
+    Microsoft.Resources/subscriptions/resourceGroups/delete
+                            OR
+    Microsoft.Resources/subscriptions/resourceGroups/*
+```
+### Deletion dependency validation
 When deletion of a supported object is sent to AzOps it evaluates to ensure resource dependencies are included in the deletion job. If a dependency is missing the module will throw (exit with error) and post the result of missing dependencies to the pull request conversation asking you to add it and try again.
 
 **_Please Note: For the validation pipeline to fail in the manner intended (applicable to implementations created prior to AzOps release v1.9.0)_**
@@ -91,6 +127,41 @@ Scenario: Deletion of a policy definition and policy assignment where the assign
   - a) In the branch delete the dependent file corresponding to the resulting error.
   - b) Delete the dependency in Azure and re-run validation.
 
+## Deletion of Custom Template
+Deletion of custom templates is a opt-in feature that you need to enable [see](#enable-deletion-of-custom-template).
+
+Once enabled, deletion of `yourCustomTemplate.bicep`, `yourCustomTemplate.bicepparam`, `yourCustomTemplate.json` or `yourCustomTemplate.parameters.json` results in AzOps attempting deletion of the resolved Azure resources.
+
+How does AzOps attempt deletion of custom template?
+
+```mermaid
+flowchart TD
+    A(((Invoke-AzOpsPush))) --> B[Validate Template
+    filename.parameters.json]
+    B -- Failed --> K[Skip]
+    B -- Success --> C[Resolve template files]
+    C -- No template found --> D
+    C -- Found template
+    filename.json --> D[Sort Templates
+    Attempt locks before other resources]
+    D --> E[(Process templates for deletion in series)]
+    E -- Success ---> A
+    E --> F([Identify resources within template by attempting a WhatIf deployment and gather returned resource ids])
+    F --> G([Attempt resource deletion for each identified resource id])
+    G -- Success ---> E
+    G -- Fail --> H([If resource fails deletion, recursively retry deletion in different order])
+    H -- Success ---> E
+    H -- Fail --> I([For resources still failing deletion, collect them for a last deletion attempt, once all other templates are processed])
+    I -- Success ---> A
+    I --Fail --> J([If resource deletion still fails, module will log error and throw])
+    J --Fail ---> A
+```
+
+### Enable Deletion of Custom Template
+Set the `Core.CustomTemplateResourceDeletion` value in `settings.json` to `true`.
+
+`AzOps - Push` will now evaluate and attempt deletion of corresponding resource (_from template_) in Azure when a custom template is deleted.
+
 ## Integration with AzOps Accelerator
 
 The [AzOps Accelerator pipelines](https://github.com/azure/azops-accelerator) (including `Git Hub Actions` & `Azure Pipelines`) incorporates the execution of resource deletion.