dolevshor / azure-orphan-resources

Centralize orphan resources in Azure environments
MIT License

Add orphaned API connections #9

Closed azurekid closed 1 year ago

dolevshor commented 1 year ago

@azurekid Hi, first, thanks a lot for your PR. I checked the query and it brings API Connections in use (not only orphaned) - can you please double check it?

azurekid commented 1 year ago

> @azurekid Hi, first, thanks a lot for your PR. I checked the query and it brings API Connections in use (not only orphaned) - can you please double check it?

Will check it later today

azurekid commented 1 year ago

Seems like I am only getting orphaned items when testing it in multiple scenarios

Also validated the query 🤔

rajeshsura189 commented 1 year ago

How do we add the additional service information in the same query?

On Mon, 6 Mar, 2023, 02:55 Rogier Dijkman, @.***> wrote:

> Seems like I am only getting orphaned items when testing it in multiple scenarios
>
> Also validated the query 🤔


dolevshor commented 1 year ago

@azurekid Thanks a lot for your double check and update.


In this example you can find 2 API Connections:

The KQL query you suggested returns both of them even though 'azureblob-1' is associated and not an orphaned resource.

azurekid commented 1 year ago

Thanks for the comment. I will double check this after my lunch in about 1 hour

azurekid commented 1 year ago

Hi @dolevshor, I have done some extensive testing on the API connections and it seems to work as it should. When adding or removing an API connection from a LogicApp it can take up to 5 minutes before this is visible in the Resource Graph query.

Logically the LogicApp needs to be saved before the change of orphaned api connections is visible. For the first 5 minutes it will sometimes show as connected and then not connected. After 5 minutes it is always showing the correct status.

Technically this query is looking at the connection in the parameters:

    "parameters": {
        "$connections": {
            "value": {
                "office365_2": {
                    "id": "/subscriptions/dd07ba65-eaa4-416d-b492-bd8cde619247/providers/Microsoft.Web/locations/westeurope/managedApis/office365",
                    "connectionName": "office365-4",
                    "connectionId": "/subscriptions/dd07ba65-eaa4-416d-b492-bd8cde619247/resourceGroups/api-connections/providers/Microsoft.Web/connections/office365-4"
                }
            }
        }
    }

As shown in the image below, connectionName office365-4 is not shown, as it is connected to the LogicApp.


So this Query is not looking if the api connection is associated with the logicApp, but only looking if it is also used within the logicApp.
There can also be a delay in the API Connections blade in the portal, which can take about 5 up to 10 minutes before it is updated. I did notice, once the response from the query is updated, most of the time the API Connection blade also shows the same status.

Sometimes the API Connection blade is updated earlier than the query results.


azurekid commented 1 year ago

@dolevshor Did you already have the time to take a look at this?

dolevshor commented 1 year ago

Hi @azurekid, not yet, I was sick last week. I plan to check it out this week. Again, thanks a lot for your double-check and the comprehensive explanation.

azurekid commented 1 year ago

If you ever need an extra pair of eyes, testing or to offload some work, please let me know. Here to help 😉

azurekid commented 1 year ago

Ping at @dolevshor

yodobrin commented 1 year ago

Hey @azurekid, good stuff, and thanks for your support! Dolev & I were working on this today, and we noticed that some of the connections on Dolev's subscription are wrongly marked as orphans. We managed to narrow it down to the blob connections. When I tested on my side, I selected account key as the authentication method. Once removed from the editor, it became an orphan as expected. Dolev was using managed identity authentication. I am not sure yet why, but it looks like the extraction of the connectionId from the blob with managed identity authentication fails, and that is why it is shown wrongly as an orphan.

Since a false positive here might have bad results, we want to find the underlying cause of this.

azurekid commented 1 year ago


Hi @yodobrin, thank you for the detailed feedback on this. I will also do some further investigation on this behaviour and see what I can find.

Maybe create an iff statement or condition, but not sure yet if the limited KQL set in workbooks is going to support this.

If you need any support or an extra pair of eyes, please reach out.

dolevshor commented 1 year ago

Hi @azurekid,

I continued testing today, and I seem to have found the source of the problem. It seems that the regular expression in the extract() was not accurate.

Your code: _connectionId = extract("\"connectionId\":\"(.*)\"", 1, tostring(varconnection))

Here is the fix: _connectionId = extract("connectionId\":\"(.*?)\"", 1, tostring(varconnection))

I'm still running a number of tests to make sure it fixes the issue and we can add this to the Workbook.
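The effect of the two `extract()` patterns quoted above, reproduced in Python as an added example that is not part of the thread or the project's workbook. The connection objects, the placeholder subscription id, the key order of the managed identity entry and the `compact()` stand-in for `tostring()` are assumptions constructed for illustration.

```python
import json
import re

# The two patterns from the thread, as they reach the regex engine.
GREEDY = r'"connectionId":"(.*)"'
LAZY = r'connectionId":"(.*?)"'

def compact(obj):
    # Assumption: mimics tostring() on a dynamic value (JSON without spaces).
    return json.dumps(obj, separators=(",", ":"))

def extract_id(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else ""

def orphans(connection_ids, logic_app_connections, pattern):
    """Connections whose id is not extracted from any Logic App reference."""
    used = {extract_id(pattern, compact(c)).lower() for c in logic_app_connections}
    return sorted(c for c in connection_ids if c.lower() not in used)

# Constructed sample data (placeholder subscription id).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/api-connections/providers/Microsoft.Web/connections/"
KEY_AUTH = {  # connectionId is the last property, as in the snippet in the thread
    "id": SUB + "/providers/Microsoft.Web/locations/westeurope/managedApis/office365",
    "connectionName": "office365-4",
    "connectionId": RG + "office365-4",
}
MANAGED_IDENTITY = {  # assumption: extra properties follow connectionId
    "connectionId": RG + "azureblob-1",
    "connectionName": "azureblob-1",
    "connectionProperties": {"authentication": {"type": "ManagedServiceIdentity"}},
    "id": SUB + "/providers/Microsoft.Web/locations/westeurope/managedApis/azureblob",
}
ALL_CONNECTIONS = [RG + "office365-4", RG + "azureblob-1", RG + "unused-1"]
IN_USE = [KEY_AUTH, MANAGED_IDENTITY]

if __name__ == "__main__":
    # Greedy capture runs to the last quote, so azureblob-1 is never matched as used.
    for name, pattern in (("greedy", GREEDY), ("lazy", LAZY)):
        print(name, orphans(ALL_CONNECTIONS, IN_USE, pattern))
```

With the greedy pattern the in-use `azureblob-1` connection is reported as an orphan; with the lazy pattern only `unused-1` is.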

azurekid commented 1 year ago


Rockstar!

dolevshor commented 1 year ago

Hi @azurekid,

Now the orphaned API Connections are included in the workbook as part of the v2.0 release. I'm closing the PR.

Thanks again for this contribution!