Blueprints #70

Open
tikicoder opened this issue Feb 24, 2022 · 3 comments
@tikicoder

I create all my blueprints via ARM, because I can deploy ARM templates via Terraform, and where I work the goal is to deploy via Terraform.

The scenario
Let's say we have 4 subscriptions

  • sub1-prod
  • sub1-nonprod
  • sub2-prod
  • sub2-nonprod

They are all structured using Management Groups

  • Tenant (main one)
    • Subscription Main
      • Sub1
        • Prod
          • sub1-prod
        • nonprod
          • sub1-nonprod
      • Sub2
        • Prod
          • Sub2-prod
        • Nonprod
          • Sub2-nonprod

All Blueprints are deployed at the Subscription Main Management Group

Let's say we have the blueprint RequireTags. It is published as version 1 with 30 policies for 15 tags, basically to require tags at the resource group and resource level. I associate that with sub1-nonprod for testing. It is then decided that 5 of them could really be handled with just 2 tags. So that would be removing 10 policies and adding 2. When I do my deployment it adds the 2 just fine. To remove the 5 policies from the blueprint I have to manually delete the 10 policies, then publish the new version. So now I have the blueprint RequireTags with 2 published versions, v1 and v2. So for this first part, how can I have the system auto-remove those policies? I could do some automagicness to try to script this using GitHub Actions, but that feels a bit hacky.

Part 2 is, as mentioned, RequiredTags v1 is assigned to sub1-nonprod. Since we now want v2 instead of 1, I remove v1 from the subscription and attach v2. In doing so it leaves the 10 policies from version 1 and again adds the 4 from version 2. I can now delete those 10 from v1 manually from the subscription. If you like we can focus on each part separately, as they are 2 separate issues but are connected. Again, I could probably do some automagicness here as well, but I feel I shouldn't have to. There should be a way to tell the system to do it for me.

Most of the demos look to use Import-AzBlueprintWithArtifact vs ARM. Will that cause the blueprints to add new artifacts/policies and remove ones no longer part of the blueprint? If so, is there a way to do it via an ARM template? Typically I would use complete mode, but since this is not deploying to a resource group I have not been successful at getting it to work.

@s4parke

s4parke commented Jun 27, 2022

+1. Did you find a way to solve the problem?

There is a file called "clean-subscription.ps1" which probably answers part of your question.

@tikicoder
Author

tikicoder commented Jun 27, 2022

I wrote my own. It looks to try to get all the policies, deletes the blueprints, and then reconnects the blueprint. I will have to check that one out though, thanks. I will try to share it for some feedback.

@tikicoder
Author

@s4parke If you want to see what I did, here it is:
https://github.com/tikicoder/samples/tree/main/azure/scripts/cli/bash/clean_up_blueprints

I would be open to feedback. I have a few other scripts I need to share.
