Feature: reference without import

[nitang22]

Could we reference a resource on Azure without importing it in our cluster? Eg: resource groups managed separately without the need to destroy the RG if we want to test or if working with ASO on multiple namespace, without the need to import the same resource each time?

Like Terraform can import resource in its state but can also reference a object that is not part of the state.

[theunrepentantgeek]

Yes, you can, in multiple ways.

When specifying the Owner of a resource, you're using a KnownResourceReference. This can be either an in-cluster reference:

owner:
  name: resource-group-foo

or it can be an in-Azure ARM reference:

owner:
  armId: /subscriptions/<guid>/resourceGroups/resource-group-foo

I believe this later form will do what you want.

In some cases, you're looking at an ArbitraryOwnerReference, but that's similar, giving you an option between in-cluster references and in-Azure references.

---

If the resource contains any secrets or other information you want to import into the cluster, you may want to create it in the cluster with the annotation serviceoperator.azure.com/reconcile-policy set to skip: ASO will then GET information from Azure (allowing config maps and secrets to work), but will never try to modify or delete the resource.

[nitang22]

Thank you @theunrepentantgeek this is exactly what I was looking for. And thanks for the advice.

One additional question: I currently use the ARM template as reference for the CRD's definition but there are some difference like networkruleset inside a blob storage that has a reference field in the CRD. Is there any other documentation I can refer to?

https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?pivots=deployment-language-arm-template#networkruleset-1

[matthchr]

Yes, we have our own documentation here: https://azure.github.io/azure-service-operator/reference/storage/v1api20230101/#storage.azure.com/v1api20230101.StorageAccount

[nitang22]

Thank you