-
Notifications
You must be signed in to change notification settings - Fork 2.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix resource clean-up script (#20273)
- Fix rg.Name to rg.ResourceGroupName - Add more verbose logging for better debugging - Handle deleted resource groups when gathering puragable resource - Remove coerce now that we are collecting in functions Co-authored-by: Wes Haggard <Wes.Haggard@microsoft.com>
- Loading branch information
1 parent
ad24e1d
commit e1ecaf0
Showing
2 changed files
with
116 additions
and
81 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,101 +1,136 @@ | ||
# Add 'AzsdkResourceType' member to outputs since actual output types have changed over the years. | ||
|
||
function Get-PurgeableGroupResources { | ||
param ( | ||
[Parameter(Mandatory=$true, Position=0)] | ||
[string] $ResourceGroupName | ||
) | ||
|
||
# Get any Key Vaults that will be deleted so they can be purged later if soft delete is enabled. | ||
Get-AzKeyVault @PSBoundParameters | ForEach-Object { | ||
# Enumerating vaults from a resource group does not return all properties we required. | ||
Get-AzKeyVault -VaultName $_.VaultName | Where-Object { $_.EnableSoftDelete } ` | ||
| Add-Member -MemberType NoteProperty -Name AzsdkResourceType -Value 'Key Vault' -PassThru | ||
} | ||
param ( | ||
[Parameter(Mandatory=$true, Position=0)] | ||
[string] $ResourceGroupName | ||
) | ||
$purgeableResources = @() | ||
|
||
# Get any Managed HSMs in the resource group, for which soft delete cannot be disabled. | ||
Get-AzKeyVaultManagedHsm @PSBoundParameters ` | ||
| Add-Member -MemberType NoteProperty -Name AzsdkResourceType -Value 'Managed HSM' -PassThru | ||
} | ||
Write-Verbose "Retrieving deleted Key Vaults from resource group $ResourceGroupName" | ||
|
||
# Get any Key Vaults that will be deleted so they can be purged later if soft delete is enabled. | ||
$deletedKeyVaults = Get-AzKeyVault -ResourceGroupName $ResourceGroupName -ErrorAction Ignore | ForEach-Object { | ||
# Enumerating vaults from a resource group does not return all properties we required. | ||
Get-AzKeyVault -VaultName $_.VaultName -ErrorAction Ignore | Where-Object { $_.EnableSoftDelete } ` | ||
| Add-Member -MemberType NoteProperty -Name AzsdkResourceType -Value 'Key Vault' -PassThru | ||
} | ||
|
||
if ($deletedKeyVaults) { | ||
Write-Verbose "Found $($deletedKeyVaults.Count) deleted Key Vaults to potentially purge." | ||
$purgeableResources += $deletedKeyVaults | ||
} | ||
|
||
Write-Verbose "Retrieving deleted Managed HSMs from resource group $ResourceGroupName" | ||
|
||
# Get any Managed HSMs in the resource group, for which soft delete cannot be disabled. | ||
$deletedHsms = Get-AzKeyVaultManagedHsm -ResourceGroupName $ResourceGroupName -ErrorAction Ignore ` | ||
| Add-Member -MemberType NoteProperty -Name AzsdkResourceType -Value 'Managed HSM' -PassThru | ||
|
||
if ($deletedHsms) { | ||
Write-Verbose "Found $($deletedHsms.Count) deleted Managed HSMs to potentially purge." | ||
$purgeableResources += $deletedHsms | ||
} | ||
|
||
return $purgeableResources | ||
} | ||
function Get-PurgeableResources { | ||
$subscriptionId = (Get-AzContext).Subscription.Id | ||
|
||
# Get deleted Key Vaults for the current subscription. | ||
Get-AzKeyVault -InRemovedState ` | ||
| Add-Member -MemberType NoteProperty -Name AzsdkResourceType -Value 'Key Vault' -PassThru | ||
|
||
# Get deleted Managed HSMs for the current subscription. | ||
$response = Invoke-AzRestMethod -Method GET -Path "/subscriptions/$subscriptionId/providers/Microsoft.KeyVault/deletedManagedHSMs?api-version=2021-04-01-preview" -ErrorAction Ignore | ||
if ($response.StatusCode -ge 200 -and $response.StatusCode -lt 300 -and $response.Content) { | ||
$content = $response.Content | ConvertFrom-Json | ||
foreach ($r in $content.value) { | ||
[pscustomobject] @{ | ||
AzsdkResourceType = 'Managed HSM' | ||
Id = $r.id | ||
Name = $r.name | ||
Location = $r.properties.location | ||
DeletionDate = $r.properties.deletionDate -as [DateTime] | ||
ScheduledPurgeDate = $r.properties.scheduledPurgeDate -as [DateTime] | ||
EnablePurgeProtection = $r.properties.purgeProtectionEnabled | ||
} | ||
} | ||
$purgeableResources = @() | ||
$subscriptionId = (Get-AzContext).Subscription.Id | ||
|
||
Write-Verbose "Retrieving deleted Key Vaults from subscription $subscriptionId" | ||
|
||
# Get deleted Key Vaults for the current subscription. | ||
$deletedKeyVaults = Get-AzKeyVault -InRemovedState ` | ||
| Add-Member -MemberType NoteProperty -Name AzsdkResourceType -Value 'Key Vault' -PassThru | ||
|
||
if ($deletedKeyVaults) { | ||
Write-Verbose "Found $($deletedKeyVaults.Count) deleted Key Vaults to potentially purge." | ||
$purgeableResources += $deletedKeyVaults | ||
} | ||
|
||
Write-Verbose "Retrieving deleted Managed HSMs from subscription $subscriptionId" | ||
|
||
# Get deleted Managed HSMs for the current subscription. | ||
$response = Invoke-AzRestMethod -Method GET -Path "/subscriptions/$subscriptionId/providers/Microsoft.KeyVault/deletedManagedHSMs?api-version=2021-04-01-preview" -ErrorAction Ignore | ||
if ($response.StatusCode -ge 200 -and $response.StatusCode -lt 300 -and $response.Content) { | ||
$content = $response.Content | ConvertFrom-Json | ||
|
||
$deletedHsms = @() | ||
foreach ($r in $content.value) { | ||
$deletedHsms += [pscustomobject] @{ | ||
AzsdkResourceType = 'Managed HSM' | ||
Id = $r.id | ||
Name = $r.name | ||
Location = $r.properties.location | ||
DeletionDate = $r.properties.deletionDate -as [DateTime] | ||
ScheduledPurgeDate = $r.properties.scheduledPurgeDate -as [DateTime] | ||
EnablePurgeProtection = $r.properties.purgeProtectionEnabled | ||
} | ||
} | ||
|
||
if ($deletedHsms) { | ||
Write-Verbose "Found $($deletedHsms.Count) deleted Managed HSMs to potentially purge." | ||
$purgeableResources += $deletedHsms | ||
} | ||
} | ||
|
||
return $purgeableResources | ||
} | ||
|
||
# A filter differs from a function by teating body as -process {} instead of -end {}. | ||
# This allows you to pipe a collection and process each item in the collection. | ||
filter Remove-PurgeableResources { | ||
param ( | ||
[Parameter(Position=0, ValueFromPipeline=$true)] | ||
[object[]] $Resource | ||
) | ||
param ( | ||
[Parameter(Position=0, ValueFromPipeline=$true)] | ||
[object[]] $Resource | ||
) | ||
|
||
if (!$Resource) { | ||
return | ||
} | ||
if (!$Resource) { | ||
return | ||
} | ||
|
||
$subscriptionId = (Get-AzContext).Subscription.Id | ||
|
||
$subscriptionId = (Get-AzContext).Subscription.Id | ||
|
||
foreach ($r in $Resource) { | ||
switch ($r.AzsdkResourceType) { | ||
'Key Vault' { | ||
Log "Attempting to purge $($r.AzsdkResourceType) '$($r.VaultName)'" | ||
if ($r.EnablePurgeProtection) { | ||
# We will try anyway but will ignore errors | ||
Write-Warning "Key Vault '$($r.VaultName)' has purge protection enabled and may not be purged for $($r.SoftDeleteRetentionInDays) days" | ||
} | ||
|
||
Remove-AzKeyVault -VaultName $r.VaultName -Location $r.Location -InRemovedState -Force -ErrorAction Continue | ||
} | ||
|
||
'Managed HSM' { | ||
Log "Attempting to purge $($r.AzsdkResourceType) '$($r.Name)'" | ||
if ($r.EnablePurgeProtection) { | ||
# We will try anyway but will ignore errors | ||
Write-Warning "Managed HSM '$($r.Name)' has purge protection enabled and may not be purged for $($r.SoftDeleteRetentionInDays) days" | ||
} | ||
|
||
$response = Invoke-AzRestMethod -Method POST -Path "/subscriptions/$subscriptionId/providers/Microsoft.KeyVault/locations/$($r.Location)/deletedManagedHSMs/$($r.Name)/purge?api-version=2021-04-01-preview" -ErrorAction Ignore | ||
if ($response.StatusCode -ge 200 -and $response.StatusCode -lt 300) { | ||
Write-Warning "Successfully requested that Managed HSM '$($r.Name)' be purged, but may take a few minutes before it is actually purged." | ||
} elseif ($response.Content) { | ||
$content = $response.Content | ConvertFrom-Json | ||
if ($content.error) { | ||
$err = $content.error | ||
Write-Warning "Failed to deleted Managed HSM '$($r.Name)': ($($err.code)) $($err.message)" | ||
} | ||
} | ||
} | ||
|
||
default { | ||
Write-Warning "Cannot purge resource type $($r.AzsdkResourceType). Add support to https://github.com/Azure/azure-sdk-tools/blob/main/eng/common/scripts/Helpers/Resource-Helpers.ps1." | ||
} | ||
foreach ($r in $Resource) { | ||
switch ($r.AzsdkResourceType) { | ||
'Key Vault' { | ||
Log "Attempting to purge $($r.AzsdkResourceType) '$($r.VaultName)'" | ||
if ($r.EnablePurgeProtection) { | ||
# We will try anyway but will ignore errors | ||
Write-Warning "Key Vault '$($r.VaultName)' has purge protection enabled and may not be purged for $($r.SoftDeleteRetentionInDays) days" | ||
} | ||
|
||
Remove-AzKeyVault -VaultName $r.VaultName -Location $r.Location -InRemovedState -Force -ErrorAction Continue | ||
} | ||
|
||
'Managed HSM' { | ||
Log "Attempting to purge $($r.AzsdkResourceType) '$($r.Name)'" | ||
if ($r.EnablePurgeProtection) { | ||
# We will try anyway but will ignore errors | ||
Write-Warning "Managed HSM '$($r.Name)' has purge protection enabled and may not be purged for $($r.SoftDeleteRetentionInDays) days" | ||
} | ||
|
||
$response = Invoke-AzRestMethod -Method POST -Path "/subscriptions/$subscriptionId/providers/Microsoft.KeyVault/locations/$($r.Location)/deletedManagedHSMs/$($r.Name)/purge?api-version=2021-04-01-preview" -ErrorAction Ignore | ||
if ($response.StatusCode -ge 200 -and $response.StatusCode -lt 300) { | ||
Write-Warning "Successfully requested that Managed HSM '$($r.Name)' be purged, but may take a few minutes before it is actually purged." | ||
} elseif ($response.Content) { | ||
$content = $response.Content | ConvertFrom-Json | ||
if ($content.error) { | ||
$err = $content.error | ||
Write-Warning "Failed to deleted Managed HSM '$($r.Name)': ($($err.code)) $($err.message)" | ||
} | ||
} | ||
} | ||
|
||
default { | ||
Write-Warning "Cannot purge resource type $($r.AzsdkResourceType). Add support to https://github.com/Azure/azure-sdk-tools/blob/main/eng/common/scripts/Helpers/Resource-Helpers.ps1." | ||
} | ||
} | ||
} | ||
} | ||
|
||
# The Log function can be overridden by the sourcing script. | ||
function Log($Message) { | ||
Write-Host ('{0} - {1}' -f [DateTime]::Now.ToLongTimeString(), $Message) | ||
Write-Host ('{0} - {1}' -f [DateTime]::Now.ToLongTimeString(), $Message) | ||
} |