From 7e527206388a4f4fb0948468254191cec937b832 Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Fri, 25 Feb 2022 16:23:40 +1100
Subject: [PATCH 1/4] Add resource Group support for mg level deployments
---
 .../helper/Get-DeploymentTargetResourceList.ps1 | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/utilities/pipelines/resourceRemoval/helper/Get-DeploymentTargetResourceList.ps1 b/utilities/pipelines/resourceRemoval/helper/Get-DeploymentTargetResourceList.ps1
index 38a91cbe8f..d26ba51621 100644
--- a/utilities/pipelines/resourceRemoval/helper/Get-DeploymentTargetResourceList.ps1
+++ b/utilities/pipelines/resourceRemoval/helper/Get-DeploymentTargetResourceList.ps1
@@ -108,7 +108,14 @@ function Get-DeploymentTargetResourceListInner {
 [array]$resultSet = $resultSet | Where-Object { $_ -ne $deployment }
 if ($deployment -match '/subscriptions/') {
 # Subscription Level Child Deployments
- [array]$resultSet += Get-DeploymentTargetResourceListInner -Name (Split-Path $deployment -Leaf) -Scope 'subscription'
+ if ($deployment -match '/resourceGroups/') {
+ # Resource Group Level Child Deployments
+ $name = Split-Path $deployment -Leaf
+ $resourceGroupName = $deployment.split('/resourceGroups/')[1].Split('/')[0]
+ [array]$resultSet += Get-DeploymentTargetResourceListInner -Name $name -ResourceGroupName $ResourceGroupName -Scope 'resourcegroup'
+ } else {
+ [array]$resultSet += Get-DeploymentTargetResourceListInner -Name (Split-Path $deployment -Leaf) -Scope 'subscription'
+ }
 } else {
 # Management Group Level Deployments
 [array]$resultSet += Get-DeploymentTargetResourceListInner -name (Split-Path $deployment -Leaf) -scope 'managementgroup' -ManagementGroupId $ManagementGroupId
From 94c583dcae07451ab13a3305adbbefc555437962 Mon Sep 17 00:00:00 2001 
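Review bot: `$deployment.split('/resourceGroups/')` on the added line does not split on that string under Windows PowerShell, where a string argument binds to the `Split(char[])` overload and splits on every character of `/resourceGroups/`, so `[1].Split('/')[0]` yields a fragment of the ID rather than the resource group name; it is also case-sensitive while the `-match` guard right above it is not. The regex operator is case-insensitive by default and behaves the same on both runtimes: `$resourceGroupName = ($deployment -split '/resourceGroups/')[1].Split('/')[0]`. The assignment also reuses the name `$resourceGroupName`, which in PowerShell is the same variable as `$ResourceGroupName`; if that is a parameter of this function (the recursive call passing `-ResourceGroupName` suggests it is), the first resource-group child overwrites it for every later `$deployment` in the loop, so a distinct local such as `$childResourceGroupName` passed as `-ResourceGroupName $childResourceGroupName` is safer. Because this helper produces the list a removal routine acts on, a mis-derived scope deserves a guard that the extracted name is non-empty before recursing. The enclosing loop and function body continue outside the hunk.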
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Fri, 25 Feb 2022 16:33:16 +1100 Subject: [PATCH 2/4] testing rg level removal with role def --- .../ms.authorization.roledefinitions.yml | 5 ++-- .../.parameters/rg.parameters.json | 24 +++++++++++++++++++ 2 files changed, 27 insertions(+), 2 deletions(-) create mode 100644 arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.parameters.json diff --git a/.github/workflows/ms.authorization.roledefinitions.yml b/.github/workflows/ms.authorization.roledefinitions.yml index f5d47a3eca..70bd3d6f7a 100644 --- a/.github/workflows/ms.authorization.roledefinitions.yml +++ b/.github/workflows/ms.authorization.roledefinitions.yml @@ -81,7 +81,8 @@ jobs: strategy: fail-fast: false matrix: - parameterFilePaths: ['parameters.json', 'min.parameters.json'] + parameterFilePaths: + ['parameters.json', 'min.parameters.json', 'rg.parameters.json'] steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -98,7 +99,7 @@ jobs: - name: 'Using parameter file [${{ matrix.parameterFilePaths }}]' uses: ./.github/actions/templates/validateModuleDeployment with: - templateFilePath: '${{ env.modulePath }}/.bicep/nested_roleDefinitions_sub.bicep' + templateFilePath: '${{ env.modulePath }}/deploy.bicep' parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.defaultLocation }}' resourceGroupName: '${{ env.resourceGroupName }}' diff --git a/arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.parameters.json b/arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.parameters.json new file mode 100644 index 0000000000..4378f6073d --- /dev/null +++ b/arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.parameters.json 
@@ -0,0 +1,24 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleName": { + "value": "<>-az-testRole-rg-min" + }, + "description": { + "value": "Test Custom Role Definition Min RG" + }, + "actions": { + "value": [ + "Microsoft.Compute/galleries/read", + "Microsoft.Compute/galleries/images/read" + ] + }, + "subscriptionId": { + "value": "<>" + }, + "resourceGroupName": { + "value": "<>" + } + } +} From baedc7adfb240b3cabe1be7282d6ab65495dd529 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Fri, 25 Feb 2022 16:52:46 +1100 Subject: [PATCH 3/4] reverted back role definitions --- .../ms.authorization.roledefinitions.yml | 5 ++-- .../.parameters/rg.parameters.json | 24 ------------------- 2 files changed, 2 insertions(+), 27 deletions(-) delete mode 100644 arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.parameters.json diff --git a/.github/workflows/ms.authorization.roledefinitions.yml b/.github/workflows/ms.authorization.roledefinitions.yml index 70bd3d6f7a..f5d47a3eca 100644 --- a/.github/workflows/ms.authorization.roledefinitions.yml +++ b/.github/workflows/ms.authorization.roledefinitions.yml @@ -81,8 +81,7 @@ jobs: strategy: fail-fast: false matrix: - parameterFilePaths: - ['parameters.json', 'min.parameters.json', 'rg.parameters.json'] + parameterFilePaths: ['parameters.json', 'min.parameters.json'] steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -99,7 +98,7 @@ jobs: - name: 'Using parameter file [${{ matrix.parameterFilePaths }}]' uses: ./.github/actions/templates/validateModuleDeployment with: - templateFilePath: '${{ env.modulePath }}/deploy.bicep' + templateFilePath: '${{ env.modulePath }}/.bicep/nested_roleDefinitions_sub.bicep' parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.defaultLocation }}' resourceGroupName: '${{ env.resourceGroupName }}' diff --git a/arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.parameters.json b/arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.parameters.json deleted file mode 100644 index 4378f6073d..0000000000 --- a/arm/Microsoft.Authorization/roleDefinitions/.parameters/rg.parameters.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleName": { - "value": "<>-az-testRole-rg-min" - }, - "description": { - "value": "Test Custom Role Definition Min RG" - }, - "actions": { - "value": [ - "Microsoft.Compute/galleries/read", - "Microsoft.Compute/galleries/images/read" - ] - }, - "subscriptionId": { - "value": "<>" - }, - "resourceGroupName": { - "value": "<>" - } - } -} From aeb93d79930beeb8a26bf56e484852d8460b858a Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Mon, 28 Feb 2022 19:36:36 +1100 Subject: [PATCH 4/4] added comment for mg deployment --- .../resourceRemoval/helper/Get-DeploymentTargetResourceList.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utilities/pipelines/resourceRemoval/helper/Get-DeploymentTargetResourceList.ps1 b/utilities/pipelines/resourceRemoval/helper/Get-DeploymentTargetResourceList.ps1 index d26ba51621..680c94b7f5 100644 --- a/utilities/pipelines/resourceRemoval/helper/Get-DeploymentTargetResourceList.ps1 
+++ b/utilities/pipelines/resourceRemoval/helper/Get-DeploymentTargetResourceList.ps1
@@ -109,7 +109,7 @@ function Get-DeploymentTargetResourceListInner {
 if ($deployment -match '/subscriptions/') {
 # Subscription Level Child Deployments
 if ($deployment -match '/resourceGroups/') {
- # Resource Group Level Child Deployments
+ # Resource Group Level Child Deployments (Used only if management group scope --> resource Group scope)
 $name = Split-Path $deployment -Leaf
 $resourceGroupName = $deployment.split('/resourceGroups/')[1].Split('/')[0]
 [array]$resultSet += Get-DeploymentTargetResourceListInner -Name $name -ResourceGroupName $ResourceGroupName -Scope 'resourcegroup'
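Review bot: The new comment `(Used only if management group scope --> resource Group scope)` states a caller condition the code does not check: this branch runs for any `$deployment` ID that matches both `/subscriptions/` and `/resourceGroups/`, whatever scope the function was invoked with, so a reader may wrongly assume other entry scopes never reach it. Reword it to describe what the condition actually tests, e.g. `# Resource group level child deployment: the ID carries both a subscription and a resource group segment (seen when a management group deployment nests down to a resource group)`. The heading `# Subscription Level Child Deployments` two lines above now sits over both the resource-group and the subscription branch and could become `# Subscription or resource group level child deployments` in the same change. The enclosing function continues outside the hunk.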