microsoft · tamirkamara · Feb 27, 2022 · Feb 27, 2022 · Feb 27, 2022
diff --git a/devops/scripts/control_tre.sh b/devops/scripts/control_tre.sh
@@ -9,44 +9,48 @@ if [[ -z ${TRE_ID:-} ]]; then
     exit 1
 fi
 
-az config set extension.use_dynamic_install=yes_without_prompt
-
-# if we don't have a firewall, no need to continue this script.
+# if the resource group doesn't exist, no need to continue this script.
 # most likely this is an automated execution before calling make tre-deploy.
-if [[ $(az network firewall list --query "[?resourceGroup=='rg-${TRE_ID}'&&name=='fw-${TRE_ID}'] | length(@)") == 0 ]]; then
-  echo "TRE resource group or firewall don't exits. Exiting..."
+if [[ $(az group list --query "[?name=='rg-${TRE_ID}'] | length(@)") == 0 ]]; then
+  echo "TRE resource group doesn't exits. Exiting..."
   exit 0
 fi
 
+az config set extension.use_dynamic_install=yes_without_prompt
+
 if [[ "$1" == *"start"* ]]; then
-  CURRENT_PUBLIC_IP=$(az network firewall ip-config list -f "fw-$TRE_ID" -g "rg-$TRE_ID" --query "[0].publicIpAddress" -o tsv)
-  if [ -z "$CURRENT_PUBLIC_IP" ]; then
-    echo -e "Starting Firewall - creating ip-config"
-    az network firewall ip-config create -f "fw-$TRE_ID" -g "rg-$TRE_ID" -n "fw-ip-configuration" --public-ip-address "pip-fw-$TRE_ID" --vnet-name "vnet-$TRE_ID" > /dev/null
-  else
-    echo -e "Firewall ip-config already exists"
+  if [[ $(az network firewall list --query "[?resourceGroup=='rg-${TRE_ID}'&&name=='fw-${TRE_ID}'] | length(@)") != 0 ]]; then
+    CURRENT_PUBLIC_IP=$(az network firewall ip-config list -f "fw-$TRE_ID" -g "rg-$TRE_ID" --query "[0].publicIpAddress" -o tsv)
+    if [ -z "$CURRENT_PUBLIC_IP" ]; then
+      echo "Starting Firewall - creating ip-config"
+      az network firewall ip-config create -f "fw-$TRE_ID" -g "rg-$TRE_ID" -n "fw-ip-configuration" --public-ip-address "pip-fw-$TRE_ID" --vnet-name "vnet-$TRE_ID" > /dev/null
+    else
+      echo "Firewall ip-config already exists"
+    fi
   fi
 
   if [[ $(az network application-gateway list --query "[?resourceGroup=='rg-${TRE_ID}'&&name=='agw-${TRE_ID}'&&operationalState=='Stopped'] | length(@)") != 0 ]]; then
-    echo -e "Starting Application Gateway\n"
+    echo "Starting Application Gateway"
     az network application-gateway start -g "rg-$TRE_ID" -n "agw-$TRE_ID"
   else
-    echo -e "Application Gateway already running"
+    echo "Application Gateway already running"
   fi
 elif [[ "$1" == *"stop"* ]]; then
-  IPCONFIG_NAME=$(az network firewall ip-config list -f "fw-$TRE_ID" -g "rg-$TRE_ID" --query "[0].name" -o tsv)
+  if [[ $(az network firewall list --query "[?resourceGroup=='rg-${TRE_ID}'&&name=='fw-${TRE_ID}'] | length(@)") != 0 ]]; then
+    IPCONFIG_NAME=$(az network firewall ip-config list -f "fw-$TRE_ID" -g "rg-$TRE_ID" --query "[0].name" -o tsv)
 
-  if [ -n "$IPCONFIG_NAME" ]; then
-    echo -e "Deleting Firewall ip-config: $IPCONFIG_NAME"
-    az network firewall ip-config delete -f "fw-$TRE_ID" -n "$IPCONFIG_NAME" -g "rg-$TRE_ID"
-  else
-    echo -e "No Firewall ip-config found"
+    if [ -n "$IPCONFIG_NAME" ]; then
+      echo "Deleting Firewall ip-config: $IPCONFIG_NAME"
+      az network firewall ip-config delete -f "fw-$TRE_ID" -n "$IPCONFIG_NAME" -g "rg-$TRE_ID"
+    else
+      echo "No Firewall ip-config found"
+    fi
   fi
 
   if [[ $(az network application-gateway list --query "[?resourceGroup=='rg-${TRE_ID}'&&name=='agw-${TRE_ID}'&&operationalState=='Running'] | length(@)") != 0 ]]; then
     az network application-gateway stop -g "rg-$TRE_ID" -n "agw-$TRE_ID"
   else
-    echo -e "Application Gateway already stopped"
+    echo "Application Gateway already stopped"
   fi
 fi
 

diff --git a/devops/scripts/destroy_env_no_terraform.sh b/devops/scripts/destroy_env_no_terraform.sh
@@ -70,9 +70,25 @@ fi
 locks=$(az group lock list -g ${core_tre_rg} --query [].id -o tsv)
 if [ ! -z "${locks:-}" ]
 then
+  echo "Deleting locks..."
   az resource lock delete --ids ${locks}
 fi
 
+echo "Looking for diagnostic settings. This can take a few minutes..."
+# sometimes, diagnostic settings aren't deleted with the resource group. we need to manually do that,
+# and unfortuanlly, there's no easy way to list all that are present.
+az resource list --resource-group ${core_tre_rg} --query '[].[id]' -o tsv |
+while read -r resource_id; do
+  # the command will return an error if the resource doesn't support this setting, so need to suppress it.
+  if [[ $(az monitor diagnostic-settings list --resource ${resource_id} -o tsv 2> /dev/null) == "1" ]]; then
+      az monitor diagnostic-settings list --resource ${resource_id} --query "value[].name" -o tsv 2> /dev/null |
+      while read -r diag_name; do
+        echo "Deleting ${diag_name} on ${resource_id}"
+        az monitor diagnostic-settings delete --resource ${resource_id} --name ${diag_name} ${no_wait_option}
+      done
+  fi
+done
+
 # purge keyvault if possible (makes it possible to reuse the same tre_id later)
 # this has to be done before we delete the resource group since we don't wait for it to complete
 if [[ $(az keyvault list --resource-group ${core_tre_rg} --query '[?proterties.enablePurgeProtection==null] | length (@)') != 0 ]]; then
@@ -83,7 +99,7 @@ if [[ $(az keyvault list --resource-group ${core_tre_rg} --query '[?proterties.e
   az keyvault delete --name ${keyvault_name} --resource-group ${core_tre_rg}
 
   echo "Purging keyvault: ${keyvault_name}"
-  az keyvault purge --name ${keyvault_name}
+  az keyvault purge --name ${keyvault_name} ${no_wait_option}
 fi
 
 # this will find the mgmt, core resource groups as well as any workspace ones