[CI environment] Extend and optimize resource removal of nested deployments with higher scope than the parent

utilities/pipelines/resourceRemoval/Initialize-DeploymentRemoval.ps1

@@ -66,6 +66,7 @@ function Initialize-DeploymentRemoval {
         # The initial sequence is a general order-recommendation
         $removalSequence = @(
             'Microsoft.Authorization/locks',
+            'Microsoft.Authorization/roleAssignments',
             'Microsoft.Insights/diagnosticSettings',
             'Microsoft.Network/privateEndpoints/privateDnsZoneGroups',
             'Microsoft.Network/privateEndpoints',

utilities/pipelines/resourceRemoval/helper/Get-DeploymentTargetResourceList.ps1

@@ -58,19 +58,14 @@ function Get-DeploymentTargetResourceListInner {
     )
 
     $resultSet = [System.Collections.ArrayList]@()
+
+    ##############################################
+    # Get all deployment children based on scope #
+    ##############################################
     switch ($Scope) {
         'resourcegroup' {
             if (Get-AzResourceGroup -Name $resourceGroupName -ErrorAction 'SilentlyContinue') {
                 [array]$deploymentTargets = (Get-AzResourceGroupDeploymentOperation -DeploymentName $name -ResourceGroupName $resourceGroupName).TargetResource | Where-Object { $_ -ne $null }
-                foreach ($deployment in ($deploymentTargets | Where-Object { $_ -notmatch '/deployments/' } )) {
-                    Write-Verbose ('Found deployed resource [{0}]' -f $deployment) -Verbose
-                    [array]$resultSet += $deployment
-                }
-                foreach ($deployment in ($deploymentTargets | Where-Object { $_ -match '/deployments/' } )) {
-                    $name = Split-Path $deployment -Leaf
-                    $resourceGroupName = $deployment.split('/resourceGroups/')[1].Split('/')[0]
-                    [array]$resultSet += Get-DeploymentTargetResourceListInner -Name $name -ResourceGroupName $ResourceGroupName -Scope 'resourcegroup'
-                }
             } else {
                 # In case the resource group itself was already deleted, there is no need to try and fetch deployments from it
                 # In case we already have any such resources in the list, we should remove them
@@ -80,68 +75,55 @@ function Get-DeploymentTargetResourceListInner {
         }
         'subscription' {
             [array]$deploymentTargets = (Get-AzDeploymentOperation -DeploymentName $name).TargetResource | Where-Object { $_ -ne $null }
-            foreach ($deployment in ($deploymentTargets | Where-Object { $_ -notmatch '/deployments/' } )) {
-                Write-Verbose ('Found deployed resource [{0}]' -f $deployment) -Verbose
-                [array]$resultSet += $deployment
-            }
-            foreach ($deployment in ($deploymentTargets | Where-Object { $_ -match '/deployments/' } )) {
-                [array]$resultSet = $resultSet | Where-Object { $_ -ne $deployment }
-                if ($deployment -match '/resourceGroups/') {
-                    # Resource Group Level Child Deployments
-                    $name = Split-Path $deployment -Leaf
-                    $resourceGroupName = $deployment.split('/resourceGroups/')[1].Split('/')[0]
-                    [array]$resultSet += Get-DeploymentTargetResourceListInner -Name $name -ResourceGroupName $ResourceGroupName -Scope 'resourcegroup'
-                } else {
-                    # Subscription Level Deployments
-                    [array]$resultSet += Get-DeploymentTargetResourceListInner -name (Split-Path $deployment -Leaf) -Scope 'subscription'
-                }
-            }
             break
         }
         'managementgroup' {
             [array]$deploymentTargets = (Get-AzManagementGroupDeploymentOperation -DeploymentName $name -ManagementGroupId $ManagementGroupId).TargetResource | Where-Object { $_ -ne $null }
-            foreach ($deployment in ($deploymentTargets | Where-Object { $_ -notmatch '/deployments/' } )) {
-                Write-Verbose ('Found deployed resource [{0}]' -f $deployment) -Verbose
-                [array]$resultSet += $deployment
-            }
-            foreach ($deployment in ($deploymentTargets | Where-Object { $_ -match '/deployments/' } )) {
-                [array]$resultSet = $resultSet | Where-Object { $_ -ne $deployment }
-                if ($deployment -match '/subscriptions/') {
-                    # Subscription Level Child Deployments
-                    if ($deployment -match '/resourceGroups/') {
-                        # Resource Group Level Child Deployments (Used only if management group scope --> resource Group scope)
-                        $name = Split-Path $deployment -Leaf
-                        $resourceGroupName = $deployment.split('/resourceGroups/')[1].Split('/')[0]
-                        [array]$resultSet += Get-DeploymentTargetResourceListInner -Name $name -ResourceGroupName $ResourceGroupName -Scope 'resourcegroup'
-                    } else {
-                        [array]$resultSet += Get-DeploymentTargetResourceListInner -Name (Split-Path $deployment -Leaf) -Scope 'subscription'
-                    }
-                } else {
-                    # Management Group Level Deployments
-                    [array]$resultSet += Get-DeploymentTargetResourceListInner -name (Split-Path $deployment -Leaf) -scope 'managementgroup' -ManagementGroupId $ManagementGroupId
-                }
-            }
             break
         }
         'tenant' {
             [array]$deploymentTargets = (Get-AzTenantDeploymentOperation -DeploymentName $name).TargetResource | Where-Object { $_ -ne $null }
-            foreach ($deployment in ($deploymentTargets | Where-Object { $_ -notmatch '/deployments/' } )) {
-                Write-Verbose ('Found deployed resource [{0}]' -f $deployment) -Verbose
-                [array]$resultSet += $deployment
-            }
-            foreach ($deployment in ($deploymentTargets | Where-Object { $_ -match '/deployments/' } )) {
-                [array]$resultSet = $resultSet | Where-Object { $_ -ne $deployment }
-                if ($deployment -match '/managementgroups/') {
-                    # Management Group Level Child Deployments
-                    [array]$resultSet += Get-DeploymentTargetResourceListInner -Name (Split-Path $deployment -Leaf) -scope 'managementgroup' -ManagementGroupId $ManagementGroupId
-                } else {
-                    # Tenant Level Deployments
-                    [array]$resultSet += Get-DeploymentTargetResourceListInner -name (Split-Path $deployment -Leaf)
-                }
-            }
             break
         }
     }
+
+    ###########################
+    # Manage nested resources #
+    ###########################
+    foreach ($deployment in ($deploymentTargets | Where-Object { $_ -notmatch '/deployments/' } )) {
+        Write-Verbose ('Found deployed resource [{0}]' -f $deployment) -Verbose
+        [array]$resultSet += $deployment
+    }
+
+    #############################
+    # Manage nested deployments #
+    #############################
+    foreach ($deployment in ($deploymentTargets | Where-Object { $_ -match '/deployments/' } )) {
+        $name = Split-Path $deployment -Leaf
+        if ($deployment -match '/resourceGroups/') {
+            # Resource Group Level Child Deployments #
+            ##########################################
+            Write-Verbose ('Found [resource group] deployment [{0}]' -f $deployment) -Verbose
+            $resourceGroupName = $deployment.split('/resourceGroups/')[1].Split('/')[0]
+            [array]$resultSet += Get-DeploymentTargetResourceListInner -Name $name -Scope 'resourcegroup' -ResourceGroupName $ResourceGroupName
+        } elseif ($deployment -match '/subscriptions/') {
+            # Subscription Level Child Deployments #
+            ########################################
+            Write-Verbose ('Found [subscription] deployment [{0}]' -f $deployment) -Verbose
+            [array]$resultSet += Get-DeploymentTargetResourceListInner -Name $name -Scope 'subscription'
+        } elseif ($deployment -match '/managementgroups/') {
+            # Management Group Level Child Deployments #
+            ############################################
+            Write-Verbose ('Found [management group] deployment [{0}]' -f $deployment) -Verbose
+            [array]$resultSet += Get-DeploymentTargetResourceListInner -Name $name -Scope 'managementgroup' -ManagementGroupId $ManagementGroupId
+        } else {
+            # Tenant Level Child Deployments #
+            ##################################
+            Write-Verbose ('Found [tenant] deployment [{0}]' -f $deployment) -Verbose
+            [array]$resultSet += Get-DeploymentTargetResourceListInner -Name $name -Scope 'tenant'
+        }
+    }
+
     return $resultSet
 }
 #endregion
@@ -228,7 +210,7 @@ function Get-DeploymentTargetResourceList {
         if ($targetResources) {
             break
         }
-        Write-Verbose ('Did not to find deployments by name [{0}] in scope [{1}]. Retrying in [{2}] seconds [{3}/{4}]' -f $name, $scope, $searchRetryInterval, $searchRetryCount, $searchRetryLimit) -Verbose
+        Write-Verbose ('No deployment found by name [{0}] in scope [{1}]. Retrying in [{2}] seconds [{3}/{4}]' -f $name, $scope, $searchRetryInterval, $searchRetryCount, $searchRetryLimit) -Verbose
         Start-Sleep $searchRetryInterval
         $searchRetryCount++
     } while ($searchRetryCount -le $searchRetryLimit)