Azure / azure-service-operator

Azure Service Operator allows you to create Azure resources using kubectl
https://azure.github.io/azure-service-operator/
MIT License

Feature: Management Groups and Policies #2249

Open jamesgoodhouse opened 2 years ago

jamesgoodhouse commented 2 years ago

We're looking into leveraging the Azure Service Operator for managing higher-level resources, such as individual subscriptions and related things like management groups and their policies, among other things. I do not believe this is currently part of the supported resources, but I wanted to see if this is on the roadmap, or if PRs would be accepted for adding the resources?

matthchr commented 2 years ago

We're definitely interested in supporting these sorts of resources. Do you have a concrete list of what all you need? Obviously Microsoft.Management/managementGroups, Microsoft.Subscription/subscriptionDefinitions, and probably Microsoft.Subscription/policies.

What else?

We would be open to a PR, but just be aware that supporting these resources might be a bit more complicated than it first seems. The complexity here comes with these being root resources that impact how owner resolution is done. If you see resolver.go, resources that are "roots" (RG, Subscription, Tenant, Management Group) have to implement genruntime.NamespacedResourceReference. That's in itself not a problem but it means that we'd possibly want to add support for code-generating those resources (assuming they have Swaggers, I'd need to check). We don't codegen that right now because at least at the time we wrote the generator ResourceGroup didn't have a great Swagger spec.

It's also possible that some updates would need to be made to the azure_generic_arm_reconciler provisioning logic... although I took a look and it does seem like it might just work as is...

jamesgoodhouse commented 2 years ago

Those are the main resources that come to mind. We're still in the early stages of determining our account structure/hierarchy and I am still ramping up on what pieces we will need to automate.

I believe they would be able to leverage code-generation, as I see schemas existing in https://github.com/Azure/azure-resource-manager-schemas.

matthchr commented 2 years ago

Some implementation notes for this: Subscriptions Swagger is here and there's a JSON schema here.

The JSON schema roots up to https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json, rather than the normal https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json. We don't currently read https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json so we'll need to add that as part of supporting this.

matthchr commented 2 years ago

Creating and canceling subscriptions support was added in #2446. I've changed the title of this issue to correctly reflect the remaining work which is not yet supported (Creating/deleting management groups or policies).

matthchr commented 6 months ago

Still interested in doing this

theunrepentantgeek commented 2 weeks ago

No change from the above.

jamesgoodhouse commented 1 week ago

I'm no longer working with Azure at the moment, but I'm sure this would still be a great addition if someone is able to put together a PR