-
Notifications
You must be signed in to change notification settings - Fork 164
ResourceDeletion
AzOps Resource Deletion performs deletion of policyAssignments, policyDefinitions, policyExemptions, policySetDefinitions and roleAssignments in Azure, based on AzOps - Pull
generated templates at all Azure scope levels (Management Group/Subscription/Resource Group)
.
- For any other resource type deletion is not supported by AzOps at this time.
By removing a AzOps generated file of a supported resource type AzOps removes the corresponding resource in Azure.
Please Note
-
SPN used for deletion/change action, requires the below actions in its role definition.
-
For Azure Policy Assignment removal
Microsoft.Authorization/policyAssignments/delete
OR
Microsoft.Authorization/policyAssignments/*
OR
Microsoft.Authorization/* OR * (For everything)
- For Azure Policy Definition removal
Microsoft.Authorization/policyDefinitions/delete
OR
Microsoft.Authorization/policyDefinitions/*
OR
Microsoft.Authorization/* OR * (For everything)
- For Azure Policy Exemption removal
Microsoft.Authorization/policyExemptions/delete
OR
Microsoft.Authorization/policyExemptions/*
OR
Microsoft.Authorization/* OR * (For everything)
- For Azure Policy SetDefinition removal
Microsoft.Authorization/policySetDefinitions/delete
OR
Microsoft.Authorization/policySetDefinitions/*
OR
Microsoft.Authorization/* OR * (For everything)
- For Azure Role Assignment removal
Microsoft.Authorization/roleAssignments/delete
OR
Microsoft.Authorization/roleAssignments/*
OR
Microsoft.Authorization/* OR * (For everything)
When deletion of a supported object is sent to AzOps it evaluates to ensure resource dependencies are included in the deletion job. If a dependency is missing the module will throw (exit with error) and post the result of missing dependencies to the pull request conversation asking you to add it and try again.
Please Note: For the validation pipeline to fail in the manner intended (applicable to implementations created prior to AzOps release v1.9.0)
Ensure the results job "if" logic exists in your validate.yml
- name: "Results"
if: always()
shell: bash
Scenario: Deletion of a policy definition and policy assignment where the assignment is referencing the policy definition.
- Create branch
- Delete policy definition file from branch.
- Create pull request
- Validation pipeline evaluates input and discovers there is a policy assignment with dependency towards the definition and the assignment is not part of the pull request.
- Validation pipelines throws and posts results back to pull request conversation for user remediation.
- Two options:
- a) In the branch delete the dependent file corresponding to the resulting error.
- b) Delete the dependency in Azure and re-run validation.
The AzOps Accelerator pipelines (including Git Hub Actions
& Azure Pipelines
) incorporates the execution of resource deletion.
Conditional logic has been implemented to call Invoke-AzOpsPush
with required change set in case of resource deletion operation, while existing logic without resource deletion remains same.
Applicable to implementations created prior to AzOps release v1.6.0
- Update the
AzOps - Push
pipeline by copying content from the latest upstream push.yml file into your existing file. - Update the
AzOps - Validate
pipeline by copying content from the latest upstream validate.yml file into your existing file.