
ResourceDeletion

github-actions edited this page Oct 21, 2021 · 9 revisions

AzOps Resources Deletion Feature

Introduction

This page describes the Resource Deletion feature in detail. Resource deletion is an enhancement that removes role assignments and policy assignments from Azure, at all scopes, based on the templates generated by AzOps - Pull: when an assignment's template file is deleted from the repository, the corresponding assignment is deleted from Azure.

Supported Actions

  • Deleting a custom or built-in role assignment: when Invoke-AzOpsPull runs, it fetches the existing environment, which includes custom and built-in role assignments. By removing an assignment file from the repository, role assignments at all levels (management group, subscription, resource group) can be managed directly from the repo.

  • Deleting a custom or built-in Azure Policy assignment: when Invoke-AzOpsPull runs, it fetches the existing environment, which includes custom and built-in Azure Policy assignments. By removing an assignment file from the repository, Azure Policy assignments at all levels (management group, subscription, resource group) can be managed directly from the repo.

How to use

Below are the steps for using the resource deletion feature:

  1. Trigger a pull to fetch fresh data from the existing Azure environment: navigate to Actions and run AzOps - Pull.

    (Screenshots: ResourceDeletion_workflow, ResourceDeletion_intial_Pull)

  2. Capture the current state, either from the portal or via a script, so that the behaviour can be validated after the deletion completes.

    (Screenshots: ResourceDeletion_RBAC_portal, ResourceDeletion_azpolicy_portal)

  3. Browse to the repository, switch to the feature branch, and delete the role assignment file, the policy assignment file, or both, as required.

    (Screenshots: ResourceDeletion_RBAC_File, ResourceDeletion_azpolicy_File)

  4. Once the file has been deleted from the branch, create a pull request from the feature branch to the master/main branch.

    (Screenshots: ResourceDeletion_Pull_Request_creation, ResourceDeletion_Pull_Request_status)

  5. Creating the pull request triggers the AzOps - Validate pipeline to perform an initial check. Wait for the pipeline to complete.

    (Screenshot: ResourceDeletion_azops_validate_pipeline)

  6. The approver can now review the pull request. It lists the files that are expected to be deleted, and the pull request can be approved on that basis after confirming that each file corresponds to an assignment that is meant to be removed.

    (Screenshot: ResourceDeletion_azops_validate_pipeline)

  7. On approval, the AzOps - Push pipeline is triggered to apply the requested changes.

    (Screenshot: ResourceDeletion_azops_push_pipeline)

  8. The changes can now be validated via the portal or a script.

    (Screenshots: ResourceDeletion_RBAC_portal1, ResourceDeletion_azpolicy_portal1)
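Steps 2 and 8 above leave the "capture the current state" part to the reader. The script below is an added example, not part of the AzOps project or this wiki: it snapshots the role and policy assignments visible at a scope to JSON, once before the deletion and once after the push pipeline has run, and then reports which assignments disappeared. It assumes the Az.Resources module is installed and that Connect-AzAccount has already been run with an identity that can read the scope; the management group id, output folder and file names are placeholders.

```powershell
# Added example, not part of the AzOps project: snapshot the role and policy
# assignments visible at a scope before the deletion (step 2) and after the push
# pipeline has run (step 8), then report which assignments disappeared.
# Assumes the Az.Resources module is installed and Connect-AzAccount has been run
# with an identity that can read the scope. Scope, folder and file names are
# placeholders.
param(
    [Parameter(Mandatory)][ValidateSet('before', 'after', 'compare')][string]$Phase,
    [string]$Scope  = '/providers/Microsoft.Management/managementGroups/contoso',   # placeholder
    [string]$OutDir = '.\assignment-snapshots'
)

function Get-AssignmentSnapshot {
    param([Parameter(Mandatory)][string]$Scope)

    # Role assignments at the scope. Get-AzRoleAssignment -Scope also returns
    # assignments inherited from parent scopes; RoleAssignmentId is unique per assignment.
    $rbac = @(Get-AzRoleAssignment -Scope $Scope |
        Select-Object RoleAssignmentId, RoleDefinitionName, ObjectId, ObjectType, Scope)

    # Policy assignments at the scope. Az.Resources has changed the output shape
    # between releases (ResourceId vs Id), so take whichever property is present.
    $policy = @(Get-AzPolicyAssignment -Scope $Scope | ForEach-Object {
        $id = if ($_.PSObject.Properties['ResourceId']) { $_.ResourceId } else { $_.Id }
        [pscustomobject]@{ Id = $id; Name = $_.Name }
    })

    [pscustomobject]@{
        Scope             = $Scope
        Taken             = (Get-Date).ToString('o')
        RoleAssignments   = $rbac
        PolicyAssignments = $policy
    }
}

function Compare-AssignmentSnapshot {
    # Returns the assignments present in the "before" file but absent from "after".
    param([Parameter(Mandatory)][string]$BeforePath, [Parameter(Mandatory)][string]$AfterPath)

    $before = Get-Content -Path $BeforePath -Raw | ConvertFrom-Json
    $after  = Get-Content -Path $AfterPath  -Raw | ConvertFrom-Json

    $afterRbacIds   = @($after.RoleAssignments   | ForEach-Object RoleAssignmentId)
    $afterPolicyIds = @($after.PolicyAssignments | ForEach-Object Id)

    [pscustomobject]@{
        RemovedRoleAssignments   = @($before.RoleAssignments   | Where-Object { $_.RoleAssignmentId -notin $afterRbacIds })
        RemovedPolicyAssignments = @($before.PolicyAssignments | Where-Object { $_.Id -notin $afterPolicyIds })
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$beforePath = Join-Path $OutDir 'before.json'
$afterPath  = Join-Path $OutDir 'after.json'

switch ($Phase) {
    'before'  { Get-AssignmentSnapshot -Scope $Scope | ConvertTo-Json -Depth 5 | Set-Content -Path $beforePath -Encoding utf8 }
    'after'   { Get-AssignmentSnapshot -Scope $Scope | ConvertTo-Json -Depth 5 | Set-Content -Path $afterPath  -Encoding utf8 }
    'compare' {
        $diff = Compare-AssignmentSnapshot -BeforePath $beforePath -AfterPath $afterPath
        # Every row here should match a file you deleted from the branch; anything
        # else is an unexpected removal and needs investigation.
        $diff.RemovedRoleAssignments   | Format-Table RoleAssignmentId, RoleDefinitionName, ObjectId, Scope -AutoSize
        $diff.RemovedPolicyAssignments | Format-Table Id, Name -AutoSize
    }
}
```

Save the script under a name of your choosing (for example Snapshot-Assignments.ps1) and run it with `-Phase before` at step 2, `-Phase after` at step 8, and finally `-Phase compare`. The compare output should contain exactly the assignments whose files were deleted from the branch; an assignment that was removed without a matching file deletion, or a file deletion with no matching removal, means the push did not do what the pull request described.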

Please Note

  • Deletion of any resource type other than role assignments and Azure Policy assignments is not yet supported in AzOps.

  • Resource Deletion is only supported for templates generated by AzOps - Pull.

  • Resource deletion is also supported when the AutoGeneratedTemplateFolderPath setting in settings.json is set to a specific folder name. (Screenshot: ResourceDeletion_AutoGeneratedTemplateFolderPath1)

  • The SPN used for the deletion/change action must hold one of the following actions in its role definition. The plain delete action is sufficient and is the least-privilege choice; Microsoft.Authorization/roleAssignments/*, Microsoft.Authorization/* and * also include the right to create role assignments, which would let a compromised pipeline identity grant itself additional roles.

    • For Azure Policy assignment removal:
                Microsoft.Authorization/policyAssignments/delete
                                        OR
                Microsoft.Authorization/policyAssignments/*
                                        OR
                Microsoft.Authorization/*  OR  *  (everything)
    • For Azure role assignment removal:
                Microsoft.Authorization/roleAssignments/delete
                                        OR
                Microsoft.Authorization/roleAssignments/*
                                        OR
                Microsoft.Authorization/*  OR  *  (everything)
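The list above gives the options from narrowest to broadest. The following is an added example, not part of the AzOps project or this wiki, of the narrow end: a custom role that carries only the two delete actions, assigned to the push SPN at the management group, plus a check that lists any role the SPN already holds whose actions reach further into Microsoft.Authorization than deletion. It assumes Az.Resources is installed, that Connect-AzAccount has been run by a principal allowed to write role definitions at the management group, and that the read access AzOps - Pull needs is granted separately (for example Reader). The management group id, role name and SPN object id are placeholders.

```powershell
# Added example, not part of the AzOps project: a least-privilege custom role for
# the AzOps push SPN holding only the two delete actions the wiki lists, and a
# check for broader Microsoft.Authorization rights the SPN may already hold.
# Assumes Az.Resources is installed and Connect-AzAccount has been run by a
# principal that can write role definitions at the management group. Read access
# for AzOps - Pull (e.g. Reader) is assumed to be granted separately.
$mgId        = 'contoso'                                # placeholder
$mgScope     = "/providers/Microsoft.Management/managementGroups/$mgId"
$spnObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder: object id of the push SPN

function New-AzOpsAssignmentRemoverRole {
    param([Parameter(Mandatory)][string]$AssignableScope)

    # Clone a built-in definition as a template, then replace every action so
    # the role ends up with exactly the two delete actions and nothing else.
    $role = Get-AzRoleDefinition -Name 'Reader'
    $role.Id          = $null
    $role.Name        = 'AzOps Assignment Remover'       # placeholder name
    $role.Description = 'Remove role and policy assignments through AzOps only.'
    $role.IsCustom    = $true
    $role.Actions.Clear()
    $role.Actions.Add('Microsoft.Authorization/roleAssignments/delete')
    $role.Actions.Add('Microsoft.Authorization/policyAssignments/delete')
    $role.NotActions.Clear()
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add($AssignableScope)
    New-AzRoleDefinition -Role $role
}

function Get-OverbroadAuthorizationRoles {
    # Lists roles held by the principal at the scope whose actions cover more of
    # Microsoft.Authorization than deletion. roleAssignments/write, or any wildcard
    # that includes it, lets the SPN assign Owner to itself, so that is the one to watch.
    param([Parameter(Mandatory)][string]$ObjectId, [Parameter(Mandatory)][string]$Scope)

    $broad = '*',
             'Microsoft.Authorization/*',
             'Microsoft.Authorization/roleAssignments/*',
             'Microsoft.Authorization/roleAssignments/write',
             'Microsoft.Authorization/policyAssignments/*'

    Get-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope |
        Select-Object -ExpandProperty RoleDefinitionId -Unique |
        ForEach-Object { Get-AzRoleDefinition -Id $_ } |
        Where-Object { @($_.Actions | Where-Object { $_ -in $broad }).Count -gt 0 } |
        Select-Object Name, Actions
}

$role = New-AzOpsAssignmentRemoverRole -AssignableScope $mgScope
# New role definitions can take a short while to replicate before they are assignable.
New-AzRoleAssignment -ObjectId $spnObjectId -RoleDefinitionName $role.Name -Scope $mgScope

# Anything returned here should be reviewed and, where possible, replaced by the
# narrow role above. An empty result means the SPN holds no wildcard
# Microsoft.Authorization rights at this scope.
Get-OverbroadAuthorizationRoles -ObjectId $spnObjectId -Scope $mgScope
```

Because AzOps - Push also creates and updates resources from the same templates, the pipeline identity will normally hold other roles as well; the point of the check is to make sure the deletion requirement is not being met by an Owner-equivalent wildcard when two explicit delete actions would do.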

Integration with AzOps Accelerator

The AzOps Accelerator pipelines (both GitHub Actions and Azure Pipelines) have been updated to run the new resource deletion feature.

Conditional logic detects a resource deletion operation and calls Invoke-AzOpsPush with the change set it requires; the existing logic for changes that do not involve a deletion remains the same.

(Screenshot: ResourceDeletion_Pipeline_logic)