Commit
Adding Support for Deletion of custom ARM and Bicep template resource (#861)

* UpdateBase

* Update

* Update

* Update

* PriorityFix

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update
Jefajers authored Mar 12, 2024
1 parent 07b896e commit 350dc96
Showing 24 changed files with 1,239 additions and 322 deletions.
79 changes: 75 additions & 4 deletions docs/wiki/ResourceDeletion.md
@@ -1,19 +1,47 @@
# AzOps Resource Deletion

- [Introduction](#introduction)
- [Deletion dependency validation](#deletion-dependency-validation)
- [Deletion of AzOps generated File](#deletion-of-azops-generated-file)
- [Deletion dependency validation](#deletion-dependency-validation)
- [Deletion dependency validation scenario](#deletion-dependency-validation-scenario)
- [Deletion of Custom Template](#deletion-of-custom-template)
- [Enable Deletion of Custom Template](#enable-deletion-of-custom-template)
- [Integration with AzOps Accelerator](#integration-with-azops-accelerator)
- [How to Add AzOps Resource Deletion to existing AzOps Push](#how-to-add-azops-resource-deletion-to-existing-azops-push-and-validate-pipelines)

## Introduction

**AzOps Resource Deletion** performs deletion of locks, policyAssignments, policyDefinitions, policyExemptions, policySetDefinitions and roleAssignments in Azure, based on `AzOps - Pull` generated templates at all Azure scope levels `(Management Group/Subscription/Resource Group)`.
**AzOps Resource Deletion** at a high level enables two scenarios.
1. [Deletion of AzOps generated File](#deletion-of-azops-generated-file) of supported resource type, resulting in AzOps removes the corresponding resource in Azure.
2. [Deletion of Custom Template](#deletion-of-custom-template), resulting in AzOps removes the corresponding resource in Azure.

```mermaid
flowchart TD
A[(Main Branch)] --> B[(1.Delete Branch)]
B -- Remove Template Files --> C([2. filename.json])
C --> D([3. Commit])
D --> B
B -- Pull Request to Main ----> E(((4. AzOps - Validate
'/tmp/diff.txt'
'/tmp/diffdeletedfiles.txt')))
E -- git diff --- A
E ---> F[5. Invoke-AzOpsPush -WhatIf:$true]
E -- Merge ---> A
A -- Automated trigger----> G(((6. AzOps - Push
'/tmp/diff.txt'
'/tmp/diffdeletedfiles.txt')))
G -- git diff --- A
G --> H[7. Invoke-AzOpsPush -WhatIf:$false]
```

- For any other resource type **deletion** is **not** supported by AzOps at this time.
## Deletion of AzOps generated File

By removing a AzOps generated file of a supported resource type AzOps removes the corresponding resource in Azure.

_Supported resource types include: locks, policyAssignments, policyDefinitions, policyExemptions, policySetDefinitions, roleAssignments and resourceGroups in Azure._

- For any other `AzOps - Pull` generated resource **deletion** is **not** supported by AzOps at this time.

**_Please Note_**

- SPN used for deletion/change action, requires below actions in its role definition. Choose which combination best suites your implementation.
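Review bot: the table of contents in this hunk lists "Deletion dependency validation" twice (once under Introduction and once below "Deletion of AzOps generated File"); drop the first entry and indent the second one together with "Deletion dependency validation scenario" under "Deletion of AzOps generated File", since the heading is demoted to `###` later in this patch. The introduction sentence also omits `resourceGroups` from the supported types while the list under "Deletion of AzOps generated File" includes it; keep the two lists identical so readers do not have to guess which one is authoritative. The bullet "For any other resource type **deletion** is **not** supported" sits between the mermaid block and the next heading and is repeated almost verbatim two lines further down; one copy is enough. Minor grammar: "resulting in AzOps removes the corresponding resource" should read "resulting in AzOps removing the corresponding resource" in both numbered items, and "a AzOps generated file" should be "an AzOps generated file".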
@@ -68,7 +96,15 @@ By removing a AzOps generated file of a supported resource type AzOps removes th
OR
Microsoft.Authorization/roleAssignments/*
```
## Deletion dependency validation

- For Azure Resource group removal

```bash
Microsoft.Resources/subscriptions/resourceGroups/delete
OR
Microsoft.Resources/subscriptions/resourceGroups/*
```
### Deletion dependency validation
When deletion of a supported object is sent to AzOps it evaluates to ensure resource dependencies are included in the deletion job. If a dependency is missing the module will throw (exit with error) and post the result of missing dependencies to the pull request conversation asking you to add it and try again.

**_Please Note: For the validation pipeline to fail in the manner intended (applicable to implementations created prior to AzOps release v1.9.0)_**
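Review bot: the new resource group permission block offers `Microsoft.Resources/subscriptions/resourceGroups/*` as an alternative to `Microsoft.Resources/subscriptions/resourceGroups/delete`, but the wildcard also grants read and write on resource groups, which is well beyond what the deletion action needs; the doc should state that the `/delete` action is the least-privilege choice and that the wildcard is only a convenience. The fence is tagged `bash` although it holds RBAC action strings, not shell; an untagged or `text` fence avoids misleading syntax highlighting. Demoting `## Deletion dependency validation` to `###` here also needs the matching table-of-contents indentation in the first hunk, otherwise the anchor links still resolve but the nesting shown at the top of the page is wrong.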
@@ -91,6 +127,41 @@ Scenario: Deletion of a policy definition and policy assignment where the assign
- a) In the branch delete the dependent file corresponding to the resulting error.
- b) Delete the dependency in Azure and re-run validation.

## Deletion of Custom Template
Deletion of custom templates is a opt-in feature that you need to enable [see](#enable-deletion-of-custom-template).

Once enabled, deletion of `yourCustomTemplate.bicep`, `yourCustomTemplate.bicepparam`, `yourCustomTemplate.json` or `yourCustomTemplate.parameters.json` results in AzOps attempting deletion of the resolved Azure resources.

How does AzOps attempt deletion of custom template?

```mermaid
flowchart TD
A(((Invoke-AzOpsPush))) --> B[Validate Template
filename.parameters.json]
B -- Failed --> K[Skip]
B -- Success --> C[Resolve template files]
C -- No template found --> D
C -- Found template
filename.json --> D[Sort Templates
Attempt locks before other resources]
D --> E[(Process templates for deletion in series)]
E -- Success ---> A
E --> F([Identify resources within template by attempting a WhatIf deployment and gather returned resource ids])
F --> G([Attempt resource deletion for each identified resource id])
G -- Success ---> E
G -- Fail --> H([If resource fails deletion, recursively retry deletion in different order])
H -- Success ---> E
H -- Fail --> I([For resources still failing deletion, collect them for a last deletion attempt, once all other templates are processed])
I -- Success ---> A
I --Fail --> J([If resource deletion still fails, module will log error and throw])
J --Fail ---> A
```

### Enable Deletion of Custom Template
Set the `Core.CustomTemplateResourceDeletion` value in `settings.json` to `true`.

`AzOps - Push` will now evaluate and attempt deletion of corresponding resource (_from template_) in Azure when a custom template is deleted.

## Integration with AzOps Accelerator

The [AzOps Accelerator pipelines](https://github.com/azure/azops-accelerator) (including `Git Hub Actions` & `Azure Pipelines`) incorporates the execution of resource deletion.
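Review bot: the flowchart routes "No template found" from "Resolve template files" into "Sort Templates" rather than into "Skip", so a parameter file with no resolvable template appears to enter the deletion loop with nothing to process; either that edge should point at the Skip node or the text should explain what is processed in that case. Because resources are identified by a WhatIf deployment and then deleted one by one, deleting a custom template removes every resource the template resolves to, and the SPN needs delete rights on each of those resource types; the earlier "Please Note" permission list only covers locks, policy, role assignments and resource groups, so the "Enable Deletion of Custom Template" section should say so explicitly, and should state the default value of `Core.CustomTemplateResourceDeletion` (presumably `false`, given that the feature is described as opt-in). Small wording fixes: "a opt-in feature" should be "an opt-in feature", "in series" reads better as "sequentially", "I --Fail -->" and "J --Fail --->" are missing the space after `--` that the other edges use, and the unchanged context line "Git Hub Actions" should be "GitHub Actions".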