
ResourceDeletion

github-actions edited this page Oct 22, 2021 · 9 revisions

AzOps Resource Deletion

Introduction

The purpose of this wiki is to provide detailed information about AzOps Resource Deletion.

AzOps Resource Deletion performs deletion of role and policy assignments in Azure at all Azure scope levels, based on the templates generated by AzOps - Pull.

Supported Actions

  • Deleting custom or built-in roleAssignments: When Invoke-AzOpsPull runs, it fetches the existing environment, including custom and built-in roleAssignments. By removing the assignment file, roleAssignments at all Azure scope levels (Management Group/Subscription/Resource Group) can be managed directly from the repository.

  • Deleting custom or built-in policyAssignments: When Invoke-AzOpsPull runs, it fetches the existing environment, including custom and built-in policyAssignments. By removing the assignment file, policyAssignments at all Azure scope levels (Management Group/Subscription/Resource Group) can be managed directly from the repository.

How to use

Detailed steps:

  1. Trigger a pull to fetch fresh data for the existing Azure environment: navigate to Actions and run AzOps - Pull.

    (Screenshots: ResourceDeletion_workflow, ResourceDeletion_intial_Pull)

  2. It is recommended to capture the current state, either from the portal or via a script, so that the behaviour can be validated after the deletion completes.

    (Screenshots: ResourceDeletion_RBAC_portal, ResourceDeletion_azpolicy_portal)

  3. Browse to the repository, switch to the feature branch and delete the Role assignment file, the Policy assignment file, or both, as required.

    (Screenshots: ResourceDeletion_RBAC_File, ResourceDeletion_azpolicy_File)

  4. Once the file has been deleted from the branch, create a pull request from the feature branch to the main branch.

    (Screenshots: ResourceDeletion_Pull_Request_creation, ResourceDeletion_Pull_Request_status)

  5. Once the pull request has been created, it triggers the AzOps - Validate pipeline to perform an initial check. Wait for the pipeline to complete.

    (Screenshot: ResourceDeletion_azops_validate_pipeline)

  6. Now the approver can review the pull request. It contains detailed information about which file is to be deleted, and the pull request can be approved on that basis.

    (Screenshot: ResourceDeletion_azops_validate_pipeline)

  7. On approval, the AzOps - Push pipeline is triggered to apply the requested changes.

    (Screenshot: ResourceDeletion_azops_push_pipeline)

  8. Now the changes can be validated via the portal or a script.

    (Screenshots: ResourceDeletion_RBAC_portal1, ResourceDeletion_azpolicy_portal1)

Please Note

  • Resource deletion is supported for templates generated by AzOps - Pull for the resource types roleAssignments and policyAssignments.

  • Deletion of any other resource type is not supported in AzOps at this time.

  • The SPN used for the deletion/change action must have one of the actions below in its role definition.

    • For Azure Policy assignment removal:
        Microsoft.Authorization/policyAssignments/delete
        OR Microsoft.Authorization/policyAssignments/*
        OR Microsoft.Authorization/*
        OR * (for everything)
    • For Azure Role assignment removal:
        Microsoft.Authorization/roleAssignments/delete
        OR Microsoft.Authorization/roleAssignments/*
        OR Microsoft.Authorization/*
        OR * (for everything)
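As an added example (not part of the AzOps project or this wiki), the following PowerShell uses the Az.Resources cmdlets to check whether the roles assigned to the AzOps SPN grant the two delete operations listed above, honouring the `*` wildcard and any NotActions; the AppId value is a placeholder.

```powershell
# Added example, not AzOps code. Requires the Az.Resources module and an
# authenticated session (Connect-AzAccount). The AppId below is a placeholder.

function Test-AzOpsDeletionPermission {
    param(
        [Parameter(Mandatory)] [string] $AppId   # application (client) id of the AzOps SPN
    )

    # Operations the wiki lists as required for assignment removal.
    $required = @(
        'Microsoft.Authorization/policyAssignments/delete',
        'Microsoft.Authorization/roleAssignments/delete'
    )

    # Azure RBAC action strings use '*' as a wildcard for any path segment(s);
    # turn each Actions/NotActions entry into an anchored regular expression.
    function ConvertTo-ActionRegex([string] $Pattern) {
        return '^' + ([regex]::Escape($Pattern) -replace '\\\*', '.*') + '$'
    }

    # One result row per (assignment, operation). Scope is reported because the
    # assignment must also sit at or above the scope of the file being deleted.
    foreach ($assignment in Get-AzRoleAssignment -ServicePrincipalName $AppId) {
        $role = Get-AzRoleDefinition -Id $assignment.RoleDefinitionId
        foreach ($op in $required) {
            $allowed = @($role.Actions    | Where-Object { $op -match (ConvertTo-ActionRegex $_) }).Count -gt 0
            $denied  = @($role.NotActions | Where-Object { $op -match (ConvertTo-ActionRegex $_) }).Count -gt 0
            [pscustomobject]@{
                Scope     = $assignment.Scope
                Role      = $role.Name
                Operation = $op
                Granted   = $allowed -and -not $denied
            }
        }
    }
}

Test-AzOpsDeletionPermission -AppId '00000000-0000-0000-0000-000000000000' | Format-Table
```

A row with Granted = False for either operation means the push will fail at that scope, so the SPN's role (ideally a custom role limited to the two delete actions rather than `*`) needs adjusting before the pull request is approved.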

Integration with AzOps Accelerator

The AzOps Accelerator pipelines (including GitHub Actions and Azure Pipelines) incorporate the execution of resource deletion.

Conditional logic has been implemented to call Invoke-AzOpsPush with the required change set when a resource deletion operation is detected, while the existing logic for changes without resource deletion remains the same.

(Screenshot: ResourceDeletion_Pipeline_logic)

How to Add AzOps Resource Deletion to existing AzOps - Push and Validate pipelines (applicable to implementations created prior to AzOps release v1.6.0)

  1. Update the AzOps - Push pipeline by copying content from the latest upstream push.yml file into your existing file.
  2. Update the AzOps - Validate pipeline by copying content from the latest upstream validate.yml file into your existing file.