From 02c19f0dfa9c4ac28e94c7ebe5e832cc32830338 Mon Sep 17 00:00:00 2001
From: Sebastian Claesson <34689432+SebastianClaesson@users.noreply.github.com>
Date: Wed, 3 Apr 2024 12:41:11 +0200
Subject: [PATCH] Update - Microsoft.Management missing from Subscription during Initialize (#871)
* Adding additional information for Azure Resource Provider prereq
* adding Management groups not showing up in repo to faq
* Correcting spelling mistake
* Adding a string match for insufficient permissions
* Adding error message for insufficient permissions
* Update
* Update Prerequisites.md
Changing from "Registered" to "Register".
---------
Co-authored-by: sebastian claesson
Co-authored-by: Jesper Fajers
---
 docs/wiki/Frequently-Asked-Questions.md | 13 +++++++++++++
 docs/wiki/Prerequisites.md | 2 ++
 src/functions/Initialize-AzOpsEnvironment.ps1 | 2 +-
 src/localized/en-us/Strings.psd1 | 2 +-
 4 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/docs/wiki/Frequently-Asked-Questions.md b/docs/wiki/Frequently-Asked-Questions.md
index 274db810..5a13d2dc 100644
--- a/docs/wiki/Frequently-Asked-Questions.md
+++ b/docs/wiki/Frequently-Asked-Questions.md
@@ -7,6 +7,7 @@ This article answers frequently asked questions relating to AzOps.
 - [AzOps FAQ](#azops-faq)
 - [In this Section](#in-this-section)
 - [Subscriptions or resources not showing up in repository](#subscriptions-or-resources-not-showing-up-in-repository)
+ - [Management groups not showing up in repository](#management-groups-not-showing-up-in-repository)
 - [Push fail with deployment already exists in location error](#push-fail-with-deployment-already-exists-in-location-error)
 - [Does AzOps use temporary files](#does-azops-use-temporary-files)
 - [Pull fail with active pull request already exists error](#pull-fail-with-active-pull-request-already-exists-error)
@@ -39,6 +40,18 @@ Remove the invalid resource or character and retry the operation.
 A common example of invalid characters preventing successful operations in AzOps is with [Visual Studio Enterprise](https://azure.microsoft.com/en-us/pricing/offers/ms-azr-0063p/) based subscriptions. The default resource name of said subscriptions contains the "`–`" [EN DASH](https://www.cogsci.ed.ac.uk/~richard/utf-8.cgi?input=2013&mode=hex) character. Example: `visual studio enterprise subscription – mpn`.
+## Management groups not showing up in repository
+
+If the [Microsoft.Management](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-services-resource-providers#management-resource-providers) resource provider is not registered in the subscription where AzOps is initialized, AzOps is unable to list and create the folder structure for the management group hierarchy.
+
+To confirm if this applies to you, check the pipeline logs for the following message:
+
+```powershell
+[Initialize-AzOpsEnvironment] No management group access
+```
+
+Resolve this by registering the `Microsoft.Management` [resource provider](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in the Azure Subscription or assign AzOps the permissions to perform the ```/register/action``` operation for the resource provider.
+
 ## Push fail with deployment already exists in location error
 If you have changed `"Core.DefaultDeploymentRegion":` from the default `northeurope` post initial setup, subsequent Push/Deployments might fail with an error as below:
diff --git a/docs/wiki/Prerequisites.md b/docs/wiki/Prerequisites.md
index d97178ab..8d6e7fd4 100644
--- a/docs/wiki/Prerequisites.md
+++ b/docs/wiki/Prerequisites.md
@@ -17,6 +17,8 @@ AzOps pipelines can use either a Service Principal, or a Managed Identity if run
 - Assign Azure `Owner` role at the required scope to the Service Principal/Managed Identity
 - Add Service Principal/Managed Identity to Azure AD `Directory Readers` role
+> Note: Discovering Management groups requires the registration of the Azure resource provider `Microsoft.Management` in the Azure Subscription where AzOps is initialized. AzOps will attempt to [register](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) `Microsoft.Management` if it's not already registered. If AzOps encounters any issues during this process, kindly ensure to manually register the resource provider.
+
 The Azure Active Directory [Directory Readers](https://learn.microsoft.com/azure/active-directory/roles/permissions-reference#directory-readers) role is required to discover Azure 'roleAssignments'. These permissions are used to enrich data around the role assignments with additional Azure AD context such as `ObjectType` and Azure AD object `DisplayName`.
 > Theses steps require PowerShell 7 and _Az.Accounts_, _Az.Resources_, _Microsoft.Graph.Applications_ and _Microsoft.Graph.Identity.DirectoryManagement_ modules, they will be installed.
diff --git a/src/functions/Initialize-AzOpsEnvironment.ps1 b/src/functions/Initialize-AzOpsEnvironment.ps1
index d0939a6b..a689bc5d 100644
--- a/src/functions/Initialize-AzOpsEnvironment.ps1
+++ b/src/functions/Initialize-AzOpsEnvironment.ps1
@@ -119,7 +119,7 @@ $managementGroups = Get-AzManagementGroup -ErrorAction Stop
 }
 catch {
-            Write-AzOpsMessage -LogLevel Warning -LogString 'Initialize-AzOpsEnvironment.ManagementGroup.NoManagementGroupAccess'
+            Write-AzOpsMessage -LogLevel Warning -LogString 'Initialize-AzOpsEnvironment.ManagementGroup.NoManagementGroupAccess' -LogStringValues $_
 return
 }
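Review bot: The new catch in Initialize-AzOpsEnvironment.ps1 still treats every failure of `Get-AzManagementGroup -ErrorAction Stop` the same way — log a warning and `return` into subscription-scope discovery — so the fallback is fail-open for transient errors (throttling, an expired token, a network fault) as well as for the missing `Microsoft.Management` registration or permission case the accompanying FAQ describes; the PR summary mentions "a string match for insufficient permissions", but no such match is in the hunk. On a pull run that presumably produces a repository state without the management-group hierarchy, which a reviewer may merge as a legitimate change, so I would narrow the fallback to the expected authorization/registration failures and rethrow anything else, e.g. `if ($_.Exception.Message -notmatch 'Authorization|Forbidden|register') { throw }` ahead of the warning. Passing `$_` to `-LogStringValues` should work because the ErrorRecord stringifies to the exception message, but `$_.Exception.Message` makes that explicit and keeps the full record (with its invocation details) out of pipeline logs. The try block and the enclosing function begin before the hunk.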
diff --git a/src/localized/en-us/Strings.psd1 b/src/localized/en-us/Strings.psd1
index 9eac2e32..8c43862c 100644
--- a/src/localized/en-us/Strings.psd1
+++ b/src/localized/en-us/Strings.psd1
@@ -157,7 +157,7 @@
 'Initialize-AzOpsEnvironment.ManagementGroup.NoRootPermissions' = 'Principal {0} does not have permissions under / in tenant, enabling partial discovery' # $currentAzContext.Account.Id
 'Initialize-AzOpsEnvironment.ManagementGroup.PartialDiscovery' = 'Executing partial discovery' #
 'Initialize-AzOpsEnvironment.ManagementGroup.Resolution' = 'Resolving {0} management groups' # $managementGroups.Count
- 'Initialize-AzOpsEnvironment.ManagementGroup.NoManagementGroupAccess' = 'No management group access, discovery will happen from subscription scope(s)'
+ 'Initialize-AzOpsEnvironment.ManagementGroup.NoManagementGroupAccess' = 'No management group access, failed with: {0}, discovery will happen from subscription scope(s)' # $_
 'Initialize-AzOpsEnvironment.Processing' = 'Processing AzOps environment' #
 'Initialize-AzOpsEnvironment.Processing.Completed' = 'AzOps environment initialization concluded' #
 'Initialize-AzOpsEnvironment.ThrottleLimit.Adjustment' = 'Adjusting AzOps.Core.ThrottleLimit from {0} to 5 due to available CPU Cores ({1}) to ensure reliable and performant pipeline execution. For further details, refer to: https://github.com/azure/azops/wiki/performance-considerations' # $throttleLimit, $cpuCores