Azure / azure-blueprints

A library of sample Blueprints that can be easily imported via API or PowerShell
MIT License

Blueprints #70

Open tikicoder opened 2 years ago

tikicoder commented 2 years ago

I create all my blueprints via ARM, because I can deploy ARM templates via Terraform, and where I work the goal is to deploy via Terraform.

The scenario: let's say we have 4 subscriptions.

They are all structured using Management Groups.

All Blueprints are deployed at the Subscription Main Management Group

Let's say we have the blueprint RequireTags; it is published as version 1 with 30 policies for 15 tags, basically to require tags at the resource group and resource level. I associate that with sub1-nonprod for testing. It is then decided that 5 of them could really be handled with just 2 tags. So that would be removing 10 policies and adding 2. When I do my deployment it adds the 2 just fine. To remove the 5 policies from the blueprint I have to manually delete the 10 policies. Then publish the new version. So now I have the blueprint RequireTags with 2 published versions, v1 and v2. So for this first part, how can I have the system auto-remove those policies? I could do some automagicness to try to script this using GitHub Actions, but that feels a bit hacky.

Part 2: as mentioned, RequiredTags v1 is assigned to sub1-nonprod. Since we now want v2 instead of v1, I remove v1 from the subscription and attach v2. In doing so it leaves the 10 policies from version 1 and again adds the 4 from version 2. I can now delete those 10 from v1 manually from the subscription. If you like we can focus on each part separately, as they are 2 separate issues but are connected. Again, I could probably do some automagicness here as well, but I feel I shouldn't have to. There should be a way to tell the system to do it for me.

Most of the demos look to use Import-AzBlueprintWithArtifact vs. ARM. Will that cause the blueprints to add new artifacts/policies and remove ones no longer part of the blueprint? If so, is there a way to do it via an ARM template? Typically I would use complete mode, but since this is not deploying to a resource group I have not been successful at getting it to work.
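One way to automate the clean-up described in part 2, as an added example that is not part of the original issue or this repository: after the subscription has been moved from the old published version to the new one, remove the policy assignments that only the old version's artifacts created. It assumes (the thread does not state this) that each policyAssignment artifact is deployed as a policy assignment carrying the artifact's name, and that Az.Blueprint and Az.Resources are installed; run with -WhatIf first to review the list.

```powershell
# Added example: remove policy assignments left behind in a subscription after
# re-assigning a blueprint from $OldVersion to $NewVersion.
# Assumption (not from the thread): a policyAssignment artifact is deployed as a
# policy assignment whose name equals the artifact name.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$ManagementGroupId,
    [Parameter(Mandatory)][string]$BlueprintName,
    [Parameter(Mandatory)][string]$OldVersion,
    [Parameter(Mandatory)][string]$NewVersion,
    [Parameter(Mandatory)][string]$SubscriptionId
)

# Names of all artifacts in one published version of the blueprint.
function Get-ArtifactNames {
    param([string]$Version)
    $bp = Get-AzBlueprint -ManagementGroupId $ManagementGroupId `
                          -Name $BlueprintName -Version $Version
    @(Get-AzBlueprintArtifact -Blueprint $bp | Select-Object -ExpandProperty Name)
}

$oldNames = Get-ArtifactNames -Version $OldVersion
$newNames = Get-ArtifactNames -Version $NewVersion

# Artifacts that existed in the old version but were dropped from the new one.
$stale = $oldNames | Where-Object { $newNames -notcontains $_ }
if (-not $stale) {
    Write-Host "No artifacts were removed between $OldVersion and $NewVersion."
    return
}

# Only touch policy assignments at subscription scope whose names match a
# dropped artifact; anything else in the subscription is left alone.
$scope = "/subscriptions/$SubscriptionId"
$leftovers = Get-AzPolicyAssignment -Scope $scope |
    Where-Object { $stale -contains $_.Name }

foreach ($pa in $leftovers) {
    if ($PSCmdlet.ShouldProcess($pa.ResourceId, 'Remove stale policy assignment')) {
        Remove-AzPolicyAssignment -Id $pa.ResourceId
    }
}

Write-Host ("Stale assignments found: {0}" -f @($leftovers).Count)
```

Blueprint-managed resources may also be protected by blueprint locks; if removal fails, check the assignment's lock mode before retrying.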

s4parke commented 2 years ago

+1. Did you find a way to solve the problem?

There is a file called "clean-subscription.ps1" which probably answers part of your question.

tikicoder commented 2 years ago

I wrote my own. It tries to get all the policies, deletes the blueprints and then reconnects the blueprint. I will have to check that one out though, thanks. I will try to share it for some feedback.

tikicoder commented 2 years ago

@s4parke If you want to see what I did, here it is: https://github.com/tikicoder/samples/tree/main/azure/scripts/cli/bash/clean_up_blueprints

I would be open to feedback. I have a few other scripts I need to share.