This repository has been archived by the owner on Oct 5, 2023. It is now read-only.

Merge pull request #139 from mbrat2005/deployed-resource-cleanup
Deployed Resource Cleanup v2
jfaurskov authored Apr 28, 2023
2 parents cd8e2d5 + aa86811 commit 80f0ce9
Showing 65 changed files with 556 additions and 68 deletions.
52 changes: 52 additions & 0 deletions docs/wiki/DeploymentGuide.md
Original file line number Diff line number Diff line change
Expand Up @@ -422,3 +422,55 @@ If you wish to disable monitoring for a resource or for alerts targeted at subsc
>
> If you wish to, also feel free to submit a pull request relating to the issue which we can review and work with you to potentially implement the suggestion/feature request.
<!-- markdownlint-restore -->
## Cleaning up an ALZ Monitor Deployment

In some scenarios, it may be necessary to remove everything deployed by the ALZ Monitor solution. The instructions below detail execution of a PowerShell script to delete all resources deployed, including:

- Metric Alerts
- Activity Log Alerts
- Resource Groups (created for to contain alert resources)
- Policy Assignments
- Policy Definitions
- Policy Set Definitions
- Policy Assignment remediation identity role assignments

All resources deployed as part of the initial ALZ Monitor deployment and the resources created by dynamically by 'deploy if not exist' policies are either tagged, marked in metadata, or in description (depending on what the resource supports) with the value `_deployed_by_alz_monitor` or `_deployed_by_alz_monitor=True`. This metadata is used to execute the cleanup of deployed resources; _if it has been removed or modified the cleanup script will not include those resources_.

### Cleanup Script Execution

#### Download the script file

Follow the instructions below to download the cleanup script file. Alternatively, clone the repo from GitHub and ensure you are working from the latest version of the file by fetching the latest `main` branch.

1. Navigate ALZ-Monitor [project in GitHub](https://github.com/Azure/alz-monitor)
1. In the folder structure, browse to the `src/scripts` directory
1. Open the **Start-ALZMonitorCleanup.ps1** script file
1. Click the **Raw** button
1. Save the open file as **Start-ALZMonitorCleanup.ps1**

#### Executing the Script

1. Open PowerShell
1. Install the **Az.ResourceGraph** module: `Install-Module Az.ResourceGraph`
1. Change directories to the location of the **Start-ALZMonitorCleanup.ps1** script
1. Sign in to the Azure with the `Connect-AzAccount` command. The account you sign in as needs to have permissions to remove Policy Assignments, Policy Definitions, and resources at the desired Management Group scope.
1. Execute the script using the option below

**Generate a list of the resource IDs which would be deleted by this script:**

```powershell
./Start-ALZMonitorCleanup.ps1 -ReportOnly
```

**Show output of what would happen if deletes executed:**

```powershell
./Start-ALZMonitorCleanup.ps1 -WhatIf
```

**Delete all resources deployed by the ALZ-Monitor IaC without prompting for confirmation:**

```powershell
./Start-ALZMonitorCleanup.ps1 -Force
```
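Review bot: the cleanup section should warn that the script deletes whole Resource Groups, and that a Resource Group deletion removes everything inside it, including resources that were placed there after the ALZ Monitor deployment and carry no marker at all; tell the reader to check the `-ReportOnly` listing for Resource Groups that have accrued unrelated resources before running `-Force`, and state plainly that `-Force` is irreversible. The marker itself is an ordinary tag, metadata or description value, so any resource carrying it is in scope regardless of who set it; that is worth a sentence too. Two gaps in the procedure: the prerequisites list only `Install-Module Az.ResourceGraph`, but the steps rely on `Connect-AzAccount` and on removing Policy Assignments, Policy Definitions and role assignments, which come from Az.Accounts and Az.Resources, so list those (or `Az`) as well; and the marker is documented as `_deployed_by_alz_monitor=True` while the Bicep changes in this same commit write tags as the boolean `true`, so state the exact value the script matches and whether the match is case-insensitive. Finally, alert resources deployed by an earlier version already exist, so a 'deploy if not exist' policy will not re-deploy them to add the tag unless its existence condition also checks for the tag; document an upgrade path, or say that only resources deployed with this version or later are covered. Typos to fix before merge: 'created for to contain alert resources', 'created by dynamically by', 'Navigate ALZ-Monitor' (missing 'to the'), 'Sign in to the Azure'.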
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,7 @@ resource resPolicyAssignment 'Microsoft.Authorization/policyAssignments@2020-09-
nonComplianceMessages: parPolicyAssignmentNonComplianceMessages
notScopes: parPolicyAssignmentNotScopes
enforcementMode: parPolicyAssignmentEnforcementMode
metadata: {_deployed_by_alz_monitor: true}
}
identity: {
type: varPolicyIdentity
Expand Down
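Review bot: `metadata: {_deployed_by_alz_monitor: true}` writes a boolean here, while the policy definition files in this commit write the string `'True'` into their metadata and the alert resources get `true` as a tag; the DeploymentGuide added in this commit says the script matches on `_deployed_by_alz_monitor=True`. Pick one canonical representation (a string, since ARM tag values are strings and policy metadata is free-form JSON) and use it in all three places; otherwise a Resource Graph predicate such as `tags['_deployed_by_alz_monitor'] == 'True'` misses the lowercase boolean, because KQL `==` is case-sensitive on strings (`=~` is not). Consider also moving the marker into a shared variable or module parameter rather than a literal repeated across 60-odd files, so the templates and the cleanup script cannot drift apart.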
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ resource resRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-p
roleDefinitionId: tenantResourceId('Microsoft.Authorization/roleDefinitions', parRoleDefinitionId)
principalId: parAssigneeObjectId
principalType: parAssigneePrincipalType
description: '_deployed_by_alz_monitor'
}
}

Expand Down
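Review bot: `description: '_deployed_by_alz_monitor'` is the only attribute the cleanup can key on for role assignments, and description is a free-text, unvalidated field, so removing role assignments by description alone risks deleting an unrelated assignment that happens to carry the same text. The cleanup should additionally require that `principalId` matches the managed identity of a policy assignment carrying the `_deployed_by_alz_monitor` metadata before it removes a role assignment, and the DeploymentGuide section this commit adds should say that role assignments are identified by description.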
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ resource resRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-p
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parRoleDefinitionId)
principalId: parAssigneeObjectId
principalType: parAssigneePrincipalType
description: '_deployed_by_alz_monitor'
}
}

Expand Down
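Review bot: this is the same description marker as in the `tenantResourceId` variant above; if description-based identification is kept, factor the marker string into a single variable or parameter shared by both role assignment modules so the two cannot drift, leaving the `subscriptionResourceId` versus `tenantResourceId` choice for `roleDefinitionId` as the only intentional difference between the files.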
Original file line number Diff line number Diff line change
Expand Up @@ -60,9 +60,10 @@ module TotalJobAlert '../../arm/Microsoft.Authorization/policyDefinitions/manage
description: 'DINE policy to audit/deploy Automation Account TotalJob Alert'
location: policyLocation
metadata: {
version: '1.0.0'
version: '1.0.1'
Category: 'Networking'
source: 'https://github.com/Azure/ALZ-Monitor/'
_deployed_by_alz_monitor: 'True'
}
parameters: {
severity: {
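Review bot: `Category: 'Networking'` on a definition whose description reads 'DINE policy to audit/deploy Automation Account TotalJob Alert' is a mis-categorisation; since the version is being bumped to 1.0.1 anyway, correct the category in the same change. The marker here is the string `'True'`, whereas the `tags` block added further down in this file uses the boolean `true`; use one form throughout.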
Expand Down Expand Up @@ -256,6 +257,9 @@ module TotalJobAlert '../../arm/Microsoft.Authorization/policyDefinitions/manage
apiVersion: '2018-03-01'
name: '[concat(parameters(\'resourceName\'), \'-TotalJob\')]'
location: 'global'
tags: {
_deployed_by_alz_monitor: true
}
properties: {
description: 'Metric Alert for Automation Account TotalJob Alert'
severity: '[parameters(\'severity\')]'
Expand Down
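Review bot: the `tags` block sits inside the raw ARM template that the DINE policy deploys, so Bicep does not type-check it; ARM tag values are strings, and Bicep would reject a boolean on a typed `tags` property. Write `_deployed_by_alz_monitor` as a string literal matching the documented `_deployed_by_alz_monitor=True`, and have the cleanup script compare case-insensitively so a value stored as `true` or `True` is matched either way. The same boolean appears in the `tags` block of every other alert template in this commit.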
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ param deploymentRoleDefinitionIds array = [
]
param parResourceGroupTags object = {
environment: 'test'
_deployed_by_alz_monitor: true
}

param parAlertState string = 'true'
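Review bot: putting `_deployed_by_alz_monitor: true` into the default value of `parResourceGroupTags` means any deployment that passes its own tags object (the usual case, since the default also carries `environment: 'test'`, which nobody wants on production resource groups) silently loses the marker, and the DeploymentGuide in this commit states that resources without the marker are skipped by the cleanup. Apply the marker unconditionally in the template, for example `tags: union(parResourceGroupTags, { _deployed_by_alz_monitor: 'True' })`, and keep the parameter for caller-supplied tags only. The same parameter-default pattern is repeated in every policy definition file below (Key Vault, LA Workspace, NSG, Resource Health, UDR, Service Health), so fix it once in whichever module consumes `parResourceGroupTags`.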
Expand All @@ -22,9 +23,10 @@ module ActivityLogFirewallDeleteAlert '../../arm/Microsoft.Authorization/policyD
description: 'DINE policy to Deploy Activity Log Azure Firewall Delete Alert'
location: policyLocation
metadata: {
version: '1.0.0'
version: '1.0.1'
Category: 'ActivityLog'
source: 'https://github.com/Azure/ALZ-Monitor/'
_deployed_by_alz_monitor: 'True'
}
parameters: {
enabled: {
Expand Down Expand Up @@ -200,6 +202,9 @@ module ActivityLogFirewallDeleteAlert '../../arm/Microsoft.Authorization/policyD
apiVersion: '2020-10-01'
name: 'ActivityAzureFirewallDelete'
location: 'global'
tags: {
_deployed_by_alz_monitor: true
}
properties: {
description: 'Activity Log Firewall Delete'
enabled: '[parameters(\'enabled\')]'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ param deploymentRoleDefinitionIds array = [

param parResourceGroupTags object = {
environment: 'test'
_deployed_by_alz_monitor: true
}

param parAlertState string = 'true'
Expand All @@ -23,9 +24,10 @@ module ActivityLogKeyVaultDeleteAlert '../../arm/Microsoft.Authorization/policyD
description: 'DINE policy to Deploy Activity Log Key Vault Delete Alert'
location: policyLocation
metadata: {
version: '1.0.0'
version: '1.0.1'
Category: 'ActivityLog'
source: 'https://github.com/Azure/ALZ-Monitor/'
_deployed_by_alz_monitor: 'True'
}
parameters: {
enabled: {
Expand Down Expand Up @@ -203,6 +205,9 @@ module ActivityLogKeyVaultDeleteAlert '../../arm/Microsoft.Authorization/policyD
apiVersion: '2020-10-01'
name: 'ActivityKeyVaultDelete'
location: 'global'
tags: {
_deployed_by_alz_monitor: true
}
properties: {
description: 'Activity Log Key Vault Delete'
enabled: '[parameters(\'enabled\')]'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ param deploymentRoleDefinitionIds array = [
]
param parResourceGroupTags object = {
environment: 'test'
_deployed_by_alz_monitor: true
}
param parAlertState string = 'true'

Expand All @@ -21,9 +22,10 @@ module ActivityLogLAWorkspaceDeleteAlert '../../arm/Microsoft.Authorization/poli
description: 'DINE policy to Deploy Activity Log LA Workspace Delete Alert'
location: policyLocation
metadata: {
version: '1.0.0'
version: '1.0.1'
Category: 'ActivityLog'
source: 'https://github.com/Azure/ALZ-Monitor/'
_deployed_by_alz_monitor: 'True'
}
parameters: {
enabled: {
Expand Down Expand Up @@ -200,6 +202,9 @@ module ActivityLogLAWorkspaceDeleteAlert '../../arm/Microsoft.Authorization/poli
apiVersion: '2020-10-01'
name: 'ActivityLAWorkspaceDelete'
location: 'global'
tags: {
_deployed_by_alz_monitor: true
}
properties: {
description: 'Activity Log LA Workspace Delete'
enabled: '[parameters(\'enabled\')]'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ param deploymentRoleDefinitionIds array = [

param parResourceGroupTags object = {
environment: 'test'
_deployed_by_alz_monitor: true
}

param parAlertState string = 'true'
Expand All @@ -25,9 +26,10 @@ module ActivityLogLAWorkspaceGenKeyAlert '../../arm/Microsoft.Authorization/poli
description: 'DINE policy to Deploy Activity Log LA Workspace Regenerate Key Alert'
location: policyLocation
metadata: {
version: '1.0.0'
version: '1.0.1'
Category: 'ActivityLog'
source: 'https://github.com/Azure/ALZ-Monitor/'
_deployed_by_alz_monitor: 'True'
}
parameters: {
enabled: {
Expand Down Expand Up @@ -202,6 +204,9 @@ module ActivityLogLAWorkspaceGenKeyAlert '../../arm/Microsoft.Authorization/poli
apiVersion: '2020-10-01'
name: 'ActivityLAWorkspaceRegenKey'
location: 'global'
tags: {
_deployed_by_alz_monitor: true
}
properties: {
description: 'Activity Log LA Workspace Regenerate Key'
enabled: '[parameters(\'enabled\')]'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ param deploymentRoleDefinitionIds array = [

param parResourceGroupTags object = {
environment: 'test'
_deployed_by_alz_monitor: true
}

param parAlertState string = 'true'
Expand All @@ -23,9 +24,10 @@ module ActivityLogNSGDeleteAlert '../../arm/Microsoft.Authorization/policyDefini
description: 'DINE policy to Deploy Activity Log NSG Delete Alert'
location: policyLocation
metadata: {
version: '1.0.0'
version: '1.0.1'
Category: 'ActivityLog'
source: 'https://github.com/Azure/ALZ-Monitor/'
_deployed_by_alz_monitor: 'True'
}
parameters: {
enabled: {
Expand Down Expand Up @@ -202,6 +204,9 @@ module ActivityLogNSGDeleteAlert '../../arm/Microsoft.Authorization/policyDefini
apiVersion: '2020-10-01'
name: 'ActivityNSGDelete'
location: 'global'
tags: {
_deployed_by_alz_monitor: true
}
properties: {
description: 'Activity Log NSG Delete'
enabled: '[parameters(\'enabled\')]'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ param deploymentRoleDefinitionIds array = [
]
param parResourceGroupTags object = {
environment: 'test'
_deployed_by_alz_monitor: true
}

param parAlertState string = 'true'
Expand All @@ -22,9 +23,10 @@ module ResourceHealthUnhealthyAlert '../../arm/Microsoft.Authorization/policyDef
description: 'DINE policy to Deploy Resource Health Unhealthy Alert'
location: policyLocation
metadata: {
version: '1.0.0'
version: '1.0.1'
Category: 'ServiceHealth'
source: 'https://github.com/Azure/ALZ-Monitor/'
_deployed_by_alz_monitor: 'True'
}
parameters: {
enabled: {
Expand Down Expand Up @@ -191,6 +193,9 @@ module ResourceHealthUnhealthyAlert '../../arm/Microsoft.Authorization/policyDef
apiVersion: '2020-10-01'
name: 'ResourceHealthUnhealthyAlert'
location: 'global'
tags: {
_deployed_by_alz_monitor: true
}
properties: {
description: 'Resource Health Unhealthy Alert'
enabled: '[parameters(\'enabled\')]'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ param deploymentRoleDefinitionIds array = [

param parResourceGroupTags object = {
environment: 'test'
_deployed_by_alz_monitor: true
}

param parAlertState string = 'true'
Expand All @@ -23,9 +24,10 @@ module ActivityLogUDRUpdateAlert '../../arm/Microsoft.Authorization/policyDefini
description: 'DINE policy to Deploy Activity Log Route Table Update Alert'
location: policyLocation
metadata: {
version: '1.0.0'
version: '1.0.1'
Category: 'ActivityLog'
source: 'https://github.com/Azure/ALZ-Monitor/'
_deployed_by_alz_monitor: 'True'
}
parameters: {
enabled: {
Expand Down Expand Up @@ -200,6 +202,9 @@ module ActivityLogUDRUpdateAlert '../../arm/Microsoft.Authorization/policyDefini
apiVersion: '2020-10-01'
name: 'ActivityUDRUpdate'
location: 'global'
tags: {
_deployed_by_alz_monitor: true
}
properties: {
description: 'Activity Log Route table update'
enabled: '[parameters(\'enabled\')]'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ param deploymentRoleDefinitionIds array = [
]
param parResourceGroupTags object = {
environment: 'test'
_deployed_by_alz_monitor: true
}

param parAlertState string = 'true'
Expand All @@ -22,9 +23,10 @@ module ServiceHealthIncidentAlert '../../arm/Microsoft.Authorization/policyDefin
description: 'DINE policy to Deploy Service Health Advisory Alert'
location: policyLocation
metadata: {
version: '1.0.0'
version: '1.0.1'
Category: 'ServiceHealth'
source: 'https://github.com/Azure/ALZ-Monitor/'
_deployed_by_alz_monitor: 'True'
}
parameters: {
enabled: {
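Review bot: the module symbol `ServiceHealthIncidentAlert` is used here for what the description calls the Service Health Advisory alert, and the Incident file below uses the same symbol, which makes the two hard to tell apart in deployment output and logs; rename this one to `ServiceHealthAdvisoryAlert`.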
Expand Down Expand Up @@ -199,6 +201,9 @@ module ServiceHealthIncidentAlert '../../arm/Microsoft.Authorization/policyDefin
type: 'microsoft.insights/activityLogAlerts'
apiVersion: '2020-10-01'
location: 'global'
tags: {
_deployed_by_alz_monitor: true
}
name: 'ServiceHealthAdvisoryEvent'
properties: {
description: 'Service Health Advisory Alert'
Expand Down
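Review bot: the `tags` block is inserted between `location` and `name` here, while every other alert template in this commit keeps `name` directly after `apiVersion` and puts `tags` just before `properties`; reorder for consistency so the files stay diffable against each other.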
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ param deploymentRoleDefinitionIds array = [
]
param parResourceGroupTags object = {
environment: 'test'
_deployed_by_alz_monitor: true
}

param parAlertState string = 'true'
Expand All @@ -22,9 +23,10 @@ module ServiceHealthIncidentAlert '../../arm/Microsoft.Authorization/policyDefin
description: 'DINE policy to Deploy Service Health Incident Alert'
location: policyLocation
metadata: {
version: '1.0.0'
version: '1.0.1'
Category: 'ServiceHealth'
source: 'https://github.com/Azure/ALZ-Monitor/'
_deployed_by_alz_monitor: 'True'
}
parameters: {
enabled: {
Expand Down Expand Up @@ -200,6 +202,9 @@ module ServiceHealthIncidentAlert '../../arm/Microsoft.Authorization/policyDefin
apiVersion: '2020-10-01'
name: 'ServieHealthIncident'
location: 'global'
tags: {
_deployed_by_alz_monitor: true
}
properties: {
description: 'ServiceHealthIncidentAlert'
enabled: '[parameters(\'enabled\')]'
Expand Down
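Review bot: `name: 'ServieHealthIncident'` in the context lines is a typo for 'ServiceHealthIncident'; since this change already touches the resource and bumps the definition version, fix it here. Be aware that renaming changes the deployed resource name, so alerts already deployed under the misspelled name would not be replaced by DINE (the existence check is by name) and, lacking the new tag, would not be picked up by the tag-based cleanup either; call that out in the release notes or handle it in the script.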

0 comments on commit 80f0ce9
