Add Microsoft.authorization/locks support #704

Merged 8 commits on Nov 16, 2022
31 changes: 19 additions & 12 deletions docs/wiki/ResourceDeletion.md
Expand Up @@ -8,24 +8,39 @@

## Introduction

**AzOps Resource Deletion** performs deletion of policyAssignments, policyDefinitions, policyExemptions, policySetDefinitions and roleAssignments in Azure, based on `AzOps - Pull` generated templates at all Azure scope levels `(Management Group/Subscription/Resource Group)`.
**AzOps Resource Deletion** performs deletion of locks, policyAssignments, policyDefinitions, policyExemptions, policySetDefinitions and roleAssignments in Azure, based on `AzOps - Pull` generated templates at all Azure scope levels `(Management Group/Subscription/Resource Group)`.

- For any other resource type **deletion** is **not** supported by AzOps at this time.

By removing a AzOps generated file of a supported resource type AzOps removes the corresponding resource in Azure.

**_Please Note_**

- SPN used for deletion/change action, requires the below actions in its role definition.
- SPN used for deletion/change action, requires below actions in its role definition. Choose which combination best suites your implementation.

```bash
Microsoft.Authorization/* OR * (For everything)
```
- For Azure Locks removal

```bash
Microsoft.Authorization/locks/delete
OR
Microsoft.Authorization/locks/*
```

- For Azure Policy Assignment removal

```bash
Microsoft.Authorization/locks/delete
OR
Microsoft.Authorization/locks/*
```

```bash
Microsoft.Authorization/policyAssignments/delete
OR
Microsoft.Authorization/policyAssignments/*
OR
Microsoft.Authorization/* OR * (For everything)
```

- For Azure Policy Definition removal
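Review bot: the fenced block directly under `- For Azure Policy Assignment removal` repeats the locks permissions (`Microsoft.Authorization/locks/delete` / `Microsoft.Authorization/locks/*`) that already appear under `- For Azure Locks removal`; this reads as a copy-paste leftover and should be dropped so the Policy Assignment section lists only `Microsoft.Authorization/policyAssignments/delete` or `Microsoft.Authorization/policyAssignments/*`. Because `Microsoft.Authorization/locks/delete` allows the pipeline identity to remove the locks that protect resources from deletion, the sentence "Choose which combination best suites your implementation" (typo: "suits") is the right place to recommend the narrowest per-resource-type action over `Microsoft.Authorization/*` or `*`. The unchanged context line "By removing a AzOps generated file" should read "an AzOps".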
Expand All @@ -34,8 +49,6 @@ By removing a AzOps generated file of a supported resource type AzOps removes th
Microsoft.Authorization/policyDefinitions/delete
OR
Microsoft.Authorization/policyDefinitions/*
OR
Microsoft.Authorization/* OR * (For everything)
```

- For Azure Policy Exemption removal
Expand All @@ -44,8 +57,6 @@ By removing a AzOps generated file of a supported resource type AzOps removes th
Microsoft.Authorization/policyExemptions/delete
OR
Microsoft.Authorization/policyExemptions/*
OR
Microsoft.Authorization/* OR * (For everything)
```

- For Azure Policy SetDefinition removal
Expand All @@ -54,8 +65,6 @@ By removing a AzOps generated file of a supported resource type AzOps removes th
Microsoft.Authorization/policySetDefinitions/delete
OR
Microsoft.Authorization/policySetDefinitions/*
OR
Microsoft.Authorization/* OR * (For everything)
```

- For Azure Role Assignment removal
Expand All @@ -64,8 +73,6 @@ By removing a AzOps generated file of a supported resource type AzOps removes th
Microsoft.Authorization/roleAssignments/delete
OR
Microsoft.Authorization/roleAssignments/*
OR
Microsoft.Authorization/* OR * (For everything)
```
## Deletion dependency validation
When deletion of a supported object is sent to AzOps it evaluates to ensure resource dependencies are included in the deletion job. If a dependency is missing the module will throw (exit with error) and post the result of missing dependencies to the pull request conversation asking you to add it and try again.
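Review bot: the "Deletion dependency validation" paragraph that follows the permission lists is not updated for locks. With `locks` now a supported deletion type, the section should state how a lock on a resource that is part of the same deletion job is treated (whether it is a dependency the job must include, or is processed independently), since a reader granting `locks/delete` to the SPN will want to know when that permission is exercised. Style: add a blank line between the closing fence and the `## Deletion dependency validation` heading.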
37 changes: 19 additions & 18 deletions docs/wiki/Settings.md
@@ -1,4 +1,4 @@
## In this guide
# In this guide
- [AzOps Settings](#azops-settings)
- [Workflow / Pipeline Settings](#workflow--pipeline-settings)
- [Workflow Settings in GitHub](#workflow-settings-in-github)
Expand All @@ -23,31 +23,32 @@ The following configuration values can be modified within the `settings.json` fi
| 11 | InvalidateCache | Invalidate cached Subscriptions and Management Groups and do a full discovery. *Not recommended to change* | `"Core.InvalidateCache": false` |
| 12 | OfferType | Default offer type for Subscription creation | `"Core.OfferType": "MS-AZR-0017P"` |
| 13 | PartialMgDiscoveryRoot | Generate folder hierachy for specific Management Groups | `"Core.PartialMgDiscoveryRoot": []` |
| 14 | SkipPim | Do not include Privileged Identity Management resources in pull | `"Core.SkipPim": true` |
| 15 | SkipPolicy | Do not include Azure Policy state in pull | `"Core.SkipPolicy": false` |
| 16 | SkipResource | Do not include Resources within Resource Groups | `"Core.SkipResource": false` |
| 17 | SkipChildResource | Do not include Azure child resources | `"Core.SkipChildResource": false` |
| 18 | SkipResourceGroup | Do not include Resource Groups in pull | `"Core.SkipResourceGroup": false` |
| 19 | SkipResourceType | Skip specific [Resource Types](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types) (only targets Resource Group scoped resources) | `"Core.SkipResourceType": ["Microsoft.VSOnline/plans"]` |
| 20 | SkipRole | Do not include Role types in pull | `"Core.SkipRole": false` |
| 21 | State | Folder to store AzOpsState artefact, defaults to `root` | `"Core.State: "/root"` |
| 22 | SubscriptionsToIncludeResourceGroups | Filter which Subscriptions should include Resource Groups in pull | `"Core.SubscriptionsToIncludeResourceGroups": ["*"]` |
| 23 | TemplateParameterFileSuffix | Default template file suffix. *Not recommended to change* | `"Core.TemplateParameterFileSuffix": ".json"` |
| 24 | ThrottleLimit | Default template file suffix. *Not recommended to change* | `"Core.ThrottleLimit": 10` |
| 25 | WhatifExcludedChangeTypes | Exclude specific change types from WhatIf operations | `"Core.WhatifExcludedChangeTypes": ["NoChange","Ignore"]` |
| 14 | SkipPim | Do not include Privileged Identity Management resources in pull | `"Core.SkipPim": true` |
| 15 | SkipLock | Do not include ResourceLock resources in pull | `"Core.SkipLock": true` |
| 16 | SkipPolicy | Do not include Azure Policy state in pull | `"Core.SkipPolicy": false` |
| 17 | SkipResource | Do not include Resources within Resource Groups | `"Core.SkipResource": false` |
| 18 | SkipChildResource | Do not include Azure child resources | `"Core.SkipChildResource": false` |
| 19 | SkipResourceGroup | Do not include Resource Groups in pull | `"Core.SkipResourceGroup": false` |
| 20 | SkipResourceType | Skip specific [Resource Types](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types) (only targets Resource Group scoped resources) | `"Core.SkipResourceType": ["Microsoft.VSOnline/plans"]` |
| 21 | SkipRole | Do not include Role types in pull | `"Core.SkipRole": false` |
| 22 | State | Folder to store AzOpsState artefact, defaults to `root` | `"Core.State: "/root"` |
| 23 | SubscriptionsToIncludeResourceGroups | Filter which Subscriptions should include Resource Groups in pull | `"Core.SubscriptionsToIncludeResourceGroups": ["*"]` |
| 24 | TemplateParameterFileSuffix | Default template file suffix. *Not recommended to change* | `"Core.TemplateParameterFileSuffix": ".json"` |
| 25 | ThrottleLimit | Default template file suffix. *Not recommended to change* | `"Core.ThrottleLimit": 10` |
| 26 | WhatifExcludedChangeTypes | Exclude specific change types from WhatIf operations | `"Core.WhatifExcludedChangeTypes": ["NoChange","Ignore"]` |

## Workflow / Pipeline Settings

The following settings can be modified as variables inside GitHub or Azure DevOps and will affect how the workflow or pipeline is run.

* **AZOPS_MODULE_VERSION**
Set this to the version of the AzOps module you want to use. If the variable is missing, the latest version will be used.
Typically used to pin the version of the module to a specific version and update to new versions at a controlled manner.
Make sure to have a process to continously update this variable if it is set.
Set this to the version of the AzOps module you want to use. If the variable is missing, the latest version will be used.
Typically used to pin the version of the module to a specific version and update to new versions at a controlled manner.
Make sure to have a process to continously update this variable if it is set.

* **AZOPS_CUSTOM_SORT_ORDER**
Set this variable to `true` to enable custom sort ordering. When enabled, create a file named `.order` in a folder where you want to control the deployment order of templates.
Any file that is listed by name in `.order` will will be deployed before other files and in the order that they are listed.
Set this variable to `true` to enable custom sort ordering. When enabled, create a file named `.order` in a folder where you want to control the deployment order of templates.
Any file that is listed by name in `.order` will will be deployed before other files and in the order that they are listed.

### Workflow Settings in GitHub

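Review bot: row 15 adds `Core.SkipLock` with a default of `true`, so locks are not pulled unless the setting is changed, yet the ResourceDeletion.md change in this PR describes lock deletion driven by `AzOps - Pull` generated templates; the description should say that lock discovery (and therefore lock deletion) requires `"Core.SkipLock": false`. While the rows are being renumbered, fix row 25 `ThrottleLimit`, whose description "Default template file suffix" is copied from row 24, and row 22 `State`, whose example `"Core.State: "/root"` is missing the closing quote after `State`. The re-indented AZOPS_MODULE_VERSION and AZOPS_CUSTOM_SORT_ORDER lines still carry "continously", "at a controlled manner" and "will will"; since they are touched anyway, correct them to "continuously", "in a controlled manner" and "will".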
1 change: 1 addition & 0 deletions scripts/Remove-AzOpsTestsDeployment.ps1
Expand Up @@ -63,6 +63,7 @@
Remove-ManagementGroups -DisplayName $script:mgclean.DisplayName -Name $script:mgclean.Name -RootName (Get-AzTenant).TenantId
}
# Collect resources to cleanup
Get-AzResourceLock | Remove-AzResourceLock -Force
$script:resourceGroups = Get-AzResourceGroup | Where-Object {$_.ResourceGroupName -like "*-azopsrg"}
$script:roleAssignments = Get-AzRoleAssignment | Where-Object {$_.Scope -ne "/"}
$script:policyAssignments = Get-AzPolicyAssignment
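Review bot: `Get-AzResourceLock | Remove-AzResourceLock -Force` removes every lock visible in the current subscription context, not only the locks created by the test deployment, whereas the neighbouring cleanup lines filter what they collect (`-like "*-azopsrg"`, `Scope -ne "/"`). Scope the enumeration to the test resource groups or lock names the tests create (for example `Get-AzResourceLock -ResourceGroupName <test rg>`) so a cleanup run against a shared subscription cannot strip protection from unrelated resources. The line also deletes rather than collects, so it belongs after the `# Collect resources to cleanup` block or under its own comment.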
9 changes: 7 additions & 2 deletions src/functions/Invoke-AzOpsPull.ps1
Expand Up @@ -13,6 +13,8 @@
Skip childResource discovery.
.PARAMETER SkipPim
Skip discovery of Privileged Identity Management resources.
.PARAMETER SkipLock
Skip discovery of resource lock resources.
.PARAMETER SkipPolicy
Skip discovery of policies.
.PARAMETER SkipRole
Expand Down Expand Up @@ -54,6 +56,9 @@
[switch]
$SkipPim = (Get-PSFConfigValue -FullName 'AzOps.Core.SkipPim'),

[switch]
$SkipLock = (Get-PSFConfigValue -FullName 'AzOps.Core.SkipLock'),

[switch]
$SkipPolicy = (Get-PSFConfigValue -FullName 'AzOps.Core.SkipPolicy'),

Expand Down Expand Up @@ -179,14 +184,14 @@
Save-AzOpsManagementGroupChildren -Scope $root -StatePath $StatePath

# Discover Resource at scope recursively
$parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Inherit -Include IncludeResourcesInResourceGroup, IncludeResourceType, SkipPim, SkipPolicy, SkipRole, SkipResourceGroup, SkipChildResource, SkipResource, SkipResourceType, ExportRawTemplate, StatePath
$parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Inherit -Include IncludeResourcesInResourceGroup, IncludeResourceType, SkipPim, SkipLock, SkipPolicy, SkipRole, SkipResourceGroup, SkipChildResource, SkipResource, SkipResourceType, ExportRawTemplate, StatePath
Get-AzOpsResourceDefinition -Scope $root @parameters
}
}
else {
# If no management groups are found, iterate through each subscription
foreach ($subscription in $script:AzOpsSubscriptions) {
$parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Inherit -Include IncludeResourcesInResourceGroup, IncludeResourceType, SkipPim, SkipPolicy, SkipRole, SkipResourceGroup, SkipChildResource, SkipResource, SkipResourceType, ExportRawTemplate, StatePath
$parameters = $PSBoundParameters | ConvertTo-PSFHashtable -Inherit -Include IncludeResourcesInResourceGroup, IncludeResourceType, SkipPim, SkipLock, SkipPolicy, SkipRole, SkipResourceGroup, SkipChildResource, SkipResource, SkipResourceType, ExportRawTemplate, StatePath
Get-AzOpsResourceDefinition -Scope $subscription.id @parameters
}

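Review bot: the `-Include` list passed to `ConvertTo-PSFHashtable` is duplicated verbatim in the management-group branch and the subscription branch, and this change had to add `SkipLock` to both. Hoist the list into one variable (e.g. `$includeParameters`) above the `if` and reuse it in both `ConvertTo-PSFHashtable` calls, so the next switch cannot be added to one branch and missed in the other.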
10 changes: 7 additions & 3 deletions src/functions/Invoke-AzOpsPush.ps1
Expand Up @@ -294,15 +294,18 @@

Resolve-ArmFileAssociation -ScopeObject $scopeObject -FilePath $deletion -AzOpsMainTemplate $AzOpsMainTemplate
}
#Required order for deletion

#Required deletion order
$deletionListPriority = @(
"locks",
"policyExemptions",
"policyAssignments",
"policySetDefinitions",
"policyDefinitions"
)
$deletionList = $deletionList | Sort-Object {$deletionListPriority.IndexOf($_.ScopeObject.Resource)}
$WhatIfPreference = $WhatIfPreferenceState

#Sort 'deletionList' based on 'deletionListPriority'
$deletionList = $deletionList | Sort-Object -Property {$deletionListPriority.IndexOf($_.ScopeObject.Resource)}

#If addModifySet exists and no deploymentList has been generated at the same time as the StatePath root has additional directories, exit with terminating error
if (($addModifySet -and -not $deploymentList) -and (Get-ChildItem -Path $StatePath -Directory)) {
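Review bot: `$deletionListPriority.IndexOf($_.ScopeObject.Resource)` returns -1 for any resource type not in the list, so those entries sort ahead of `locks`, which defeats the purpose of placing `locks` first. `roleAssignments` is a supported deletion type per the ResourceDeletion.md change in this PR but is absent from `$deletionListPriority`; add it explicitly, or map -1 to a large value (e.g. `$i = $deletionListPriority.IndexOf(...); if ($i -lt 0) { [int]::MaxValue } else { $i }`) so unknown types sort last. The old `#Required order for deletion` comment is replaced by two comments (`#Required deletion order` and `#Sort 'deletionList' based on 'deletionListPriority'`) that say the same thing; one is enough.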
Expand All @@ -311,6 +314,7 @@
}

#Starting Tenant Deployment
$WhatIfPreference = $WhatIfPreferenceState
$uniqueProperties = 'Scope', 'DeploymentName', 'TemplateFilePath', 'TemplateParameterFilePath'
$deploymentList | Select-Object $uniqueProperties -Unique | New-AzOpsDeployment -WhatIf:$WhatIfPreference

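Review bot: `$WhatIfPreference = $WhatIfPreferenceState` moves from directly after the deletion-list sort to just before `New-AzOpsDeployment`, so the `addModifySet` / `deploymentList` check that exits with a terminating error now runs with the pre-restore `$WhatIfPreference`. Confirm that is intended and add a comment at the new position explaining why the restore is deferred, since the diff itself does not say.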