ResourceDeletion
The purpose of this wiki is to provide detailed information about the Resource Deletion feature. Resource deletion is an enhancement that takes care of deleting role and policy assignments from Azure, based on the templates generated by the AzOps pull, at all scopes.
- Deleting Custom or Built-in Role assignment: When Invoke-AzOpsPull runs, it fetches the existing environment, which also includes custom and built-in role assignments. By removing the assignment file, role assignments at all levels (Management Group/Subscription/Resource Group) can be managed directly from the repo.
- Deleting Custom or Built-in Azure Policy assignment: When Invoke-AzOpsPull runs, it fetches the existing environment, which also includes custom and built-in Azure Policy assignments. By removing the assignment file, Azure Policy assignments at all levels (Management Group/Subscription/Resource Group) can be managed directly from the repo.
Below are the detailed steps for using the Resource Deletion feature:

1. Trigger the pull to fetch fresh data from the existing Azure environment. Navigate to Actions and run AzOps - Pull.
2. It's recommended to capture the current state, either from the portal or via any script, to validate the behavior after the deletion completes.
3. Browse to the repository and to the feature branch, and delete the Role or Policy assignment file (or both) that needs to be deleted.
4. Once the file has been deleted from the branch, create a pull request from the Feature Branch to the Master/Main Branch.
5. Once the pull request has been created, it will trigger the AzOps - Validate pipeline to do an initial check. Wait for the pipeline to complete.
6. Now the Approver can review the pull request. It will have detailed information about the files that are expected to be deleted, and the pull request can be approved based on that.
7. With the approval, the AzOps - Push pipeline will be triggered to apply the requested changes.
8. Now the changes can be validated via the Portal or a Script.
Please Note
- For any resource type other than Role assignment or Azure Policy assignment, deletion is not supported in AzOps yet.
- Resource Deletion is only supported for templates generated by AzOps - Pull.
- Resource Deletion is also supported if the AutoGeneratedTemplateFolderPath setting is set to a specific FOLDER NAME in the settings.json file.
- The SPN used for the deletion/change action should have the below scope in its role definition.
  - For Azure Policy assignment removal:
    Microsoft.Authorization/policyAssignments/delete OR Microsoft.Authorization/policyAssignments/* OR Microsoft.Authorization/* OR * (For everything)
  - For Azure Role assignment removal:
    Microsoft.Authorization/roleAssignments/delete OR Microsoft.Authorization/roleAssignments/* OR Microsoft.Authorization/* OR * (For everything)
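
The four options listed for each permission differ widely in breadth, and a wildcard in Actions can still be cancelled by NotActions. The PowerShell below is an added example, not code from AzOps or this wiki: it checks whether a role definition's Actions/NotActions grant the two delete operations and flags grants broader than the exact action. The function name `Test-ActionGranted` and the sample role definitions are hypothetical and constructed for illustration; wildcard matching is approximated with `-like`.

```powershell
# Added example (not AzOps code). Delete actions taken from the list above.
$RequiredActions = @(
    'Microsoft.Authorization/policyAssignments/delete',
    'Microsoft.Authorization/roleAssignments/delete'
)

function Test-ActionGranted {
    param(
        [string]   $Required,
        [string[]] $Actions    = @(),
        [string[]] $NotActions = @()
    )
    # Effective permission: matched by some Actions pattern and by no NotActions pattern.
    # -like is case-insensitive and '*' spans '/' in this comparison.
    $allowed  = @($Actions    | Where-Object { $Required -like $_ })
    $excluded = @($NotActions | Where-Object { $Required -like $_ })

    [pscustomobject]@{
        Required  = $Required
        Granted   = ($allowed.Count -gt 0 -and $excluded.Count -eq 0)
        # Any matching pattern other than the exact action is broader than deletion needs.
        Broad     = [bool]($allowed | Where-Object { $_ -ne $Required })
        MatchedBy = $allowed -join ', '
    }
}

# Constructed sample role definitions (not read from a real tenant).
$roles = @(
    @{ Name = 'delete-only (constructed)'
       Actions = $RequiredActions; NotActions = @() },
    @{ Name = 'everything (constructed)'
       Actions = @('*'); NotActions = @() },
    @{ Name = 'wildcard minus authorization writes/deletes (constructed)'
       Actions = @('*')
       NotActions = @('Microsoft.Authorization/*/Delete', 'Microsoft.Authorization/*/Write') }
)

foreach ($role in $roles) {
    foreach ($req in $RequiredActions) {
        Test-ActionGranted -Required $req -Actions $role.Actions -NotActions $role.NotActions |
            Select-Object @{ n = 'Role'; e = { $role.Name } }, Required, Granted, Broad, MatchedBy
    }
}
```

To check the role actually assigned to the SPN, pass the `Actions` and `NotActions` properties of a `Get-AzRoleDefinition` result instead of the constructed samples.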
The AzOps Accelerator pipelines (including GitHub Actions & Azure Pipelines) have been updated to incorporate the execution of the new resource deletion feature.
Conditional logic has been implemented to call Invoke-AzOpsPush with the required change set in case of a resource deletion operation, while the existing logic without resource deletion remains the same.