I am trying to make a query that will allow me to view every Resource Lock within our Resource Groups and I have gotten nowhere with it. I am very new to Kusto and help would be appreciated!
As per my knowledge, we can pull the list of resources that have locks in the subscription by using either the REST API or the Azure CLI.
From the Azure CLI, we can use the command below:
az lock list [--filter-string]
[--namespace]
[--parent]
[--query-examples]
[--resource]
[--resource-group]
[--resource-type]
[--subscription]
Here is the REST API to pull the management locks at subscription level:
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/locks?api-version=2016-09-01
If you want to pull the management locks at resource level, you need to specify the particular resource group and lock name as well:
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/locks/{lockName}?api-version=2016-09-01
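As an added example (not part of the answer above), here is a Python script that parses the JSON returned by the subscription-level REST call, classifies each lock by scope and reports which of your resource groups have no lock of their own. The sample response is constructed; the subscription id, resource group and lock names are placeholders.

```python
import json
import re
from collections import defaultdict

# Constructed sample shaped like the Microsoft.Authorization/locks REST response
# (GET .../providers/Microsoft.Authorization/locks?api-version=2016-09-01).
# Subscription id, resource group and lock names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Authorization/locks/no-delete",
     "name": "no-delete", "properties": {"level": "CanNotDelete", "notes": "constructed"}},
    {"id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod001"
           "/providers/Microsoft.Authorization/locks/sa-lock",
     "name": "sa-lock", "properties": {"level": "CanNotDelete", "notes": "constructed"}},
    {"id": f"{SUB}/resourceGroups/rg-shared/providers/Microsoft.Authorization/locks/ro",
     "name": "ro", "properties": {"level": "ReadOnly", "notes": "constructed"}},
]})

# Scope part of a lock id: subscription, optionally a resource group, optionally a resource below it.
SCOPE_RE = re.compile(r"^/subscriptions/[^/]+(?:/resourceGroups/([^/]+)(/.*)?)?$", re.IGNORECASE)


def parse_lock(lock):
    """Return (scope_kind, resource_group, level); scope_kind is
    'subscription', 'resourceGroup' or 'resource'."""
    scope = lock["id"].rsplit("/providers/Microsoft.Authorization/locks/", 1)[0]
    m = SCOPE_RE.match(scope)
    if not m:
        raise ValueError(f"unexpected lock id: {lock['id']}")
    rg, below_rg = m.group(1), m.group(2)
    kind = "subscription" if rg is None else ("resource" if below_rg else "resourceGroup")
    return kind, rg, lock["properties"]["level"]


def lock_summary(response_json, known_resource_groups):
    """Group locks by resource group and list known RGs that have no RG-level lock.
    Locks are inherited downwards: a subscription lock covers every RG, while a
    lock on a single resource does not protect the RG that contains it."""
    subscription_locks, by_rg = [], defaultdict(list)
    for lock in json.loads(response_json)["value"]:
        kind, rg, level = parse_lock(lock)
        if kind == "subscription":
            subscription_locks.append((lock["name"], level))
        else:
            by_rg[rg].append((kind, lock["name"], level))
    rg_locked = {rg for rg, entries in by_rg.items() if any(k == "resourceGroup" for k, _, _ in entries)}
    unlocked = [] if subscription_locks else sorted(rg for rg in known_resource_groups if rg not in rg_locked)
    return {"subscription": subscription_locks, "by_resource_group": dict(by_rg),
            "unlocked_resource_groups": unlocked}
```

Feed it the body of the subscription-level GET (or `az lock list -o json` wrapped in a `value` key) together with the resource group names you expect to be protected.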
Problem
I have an Azure pipeline YAML file. It is able to run through a service connection which accesses a service principal with all the proper authority, etc.
But I am now trying to clean up the code; we have multiple service principals running on multiple subscriptions and resource groups. They need to create storage accounts, which need to be unique.
So I am trying to create a storage account built partially from the associated subscription and resource group of the service principal creating the storage account.
Example Solution
For the subscription, it is fairly easy. I can do something like this, from within a PowerShell script called inside the pipeline:
$subscriptionId = $(az account show --query 'id' -o tsv)
Write-Output "##vso[task.setvariable variable=AZURE_SUBSCRIPTION_ID;isoutput=true;issecret=true]$subscriptionId"
Now I have the variables $subscriptionId and AZURE_SUBSCRIPTION_ID set, and can access subscription information within the pipeline itself.
Question
But how can I do something similar with resource groups?
There is no equivalent to az account show for resource groups, without knowing the resource group name itself. (E.g., I have to type az group show --name <RG-name>, but it is precisely the name that I am trying to get.)
Again, to be clear, I am running inside of a particular resource group and subscription; those are the ones associated with the service connection. Now I simply want that information available to the pipeline.
I'm not sure if I completely understand what you are trying to accomplish. But I suspect that the options below might help.
Get role assignments
If you created separate service connections for each individual resource group you can simply check the role assignments for the SPN and determine the scope of the service connection.
If you, for example, use the Azure PowerShell task, you have configured it with a Service Connection. So when the task starts, it has the context of the service principal. You can then do Get-AzRoleAssignment, which should output the Resource Groups to which it is authorised. Again, this is only useful if you use a service connection per RG, as you otherwise get results for multiple RGs. (Or for subscriptions and Management groups, if you also assigned a role to those scopes.)
Use the Azure DevOps API
You can use the Get Service Endpoint request of the Azure DevOps API to get the service connections. The JSON output will contain information regarding the scope of the service connection.
If you find working with the API directly a bit hard, you can try the PSDevOps PowerShell module to interact with the Azure DevOps API. It has the Get-ADOServiceEndpoint command that allows you to get the available service endpoints.
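An added example of the first option (not from the answer above, nor from PSDevOps): a Python function that takes the SPN's role assignments in the shape `az role assignment list --assignee <app-id> --all -o json` returns them (constructed sample below; subscription id and names are placeholders) and derives the one resource group the service connection is scoped to, refusing when the assignments span several RGs or broader scopes. A second helper emits the same `##vso[task.setvariable]` line the question uses for the subscription id.

```python
import re

# Constructed sample shaped like `az role assignment list --assignee <spn> --all -o json`
# (only the fields used here). Subscription id, names and scopes are placeholders.
SUB_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {"scope": f"/subscriptions/{SUB_ID}/resourceGroups/rg-app-prod",
     "roleDefinitionName": "Contributor", "principalName": "sp-pipeline-prod"},
    {"scope": f"/subscriptions/{SUB_ID}/resourcegroups/RG-App-Prod",
     "roleDefinitionName": "Storage Blob Data Contributor", "principalName": "sp-pipeline-prod"},
]

RG_SCOPE_RE = re.compile(r"^/subscriptions/([^/]+)/resourceGroups/([^/]+)$", re.IGNORECASE)


def resolve_resource_group(assignments):
    """Return {'subscription_id', 'resource_group', 'error'} derived from the SPN's
    role assignments. It succeeds only when every assignment is scoped to one and
    the same resource group; subscription, management-group or resource scopes,
    or several RGs, make the answer ambiguous and are reported in 'error'."""
    rgs, other_scopes = {}, set()
    for a in assignments:
        m = RG_SCOPE_RE.match(a["scope"])
        if not m:
            other_scopes.add(a["scope"])
            continue
        # Resource group names are case-insensitive; keep the first spelling seen.
        rgs.setdefault((m.group(1).lower(), m.group(2).lower()), (m.group(1), m.group(2)))
    if other_scopes:
        return {"subscription_id": None, "resource_group": None,
                "error": f"assignments outside resource-group scope: {sorted(other_scopes)}"}
    if len(rgs) != 1:
        return {"subscription_id": None, "resource_group": None,
                "error": f"expected exactly one resource group, found {len(rgs)}"}
    sub_id, rg = next(iter(rgs.values()))
    return {"subscription_id": sub_id, "resource_group": rg, "error": None}


def pipeline_variable_line(name, value, secret=False):
    """Build the ##vso logging command that sets an output variable, in the
    same form as the AZURE_SUBSCRIPTION_ID line in the question."""
    flags = "isoutput=true" + (";issecret=true" if secret else "")
    return f"##vso[task.setvariable variable={name};{flags}]{value}"
```

In a pipeline step you would pipe the real `az role assignment list` output into `resolve_resource_group` and fail the step when `error` is set, since that is exactly the multi-RG case the answer says this method cannot resolve.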
I have two SQL managed instances in two different regions (one in Australia East, another one in Australia Southeast). They are in a Pay-As-You-Go subscription. Now I want to move those resources to a CSP subscription. Is it possible to move SQL managed instances across subscriptions?
Azure SQL managed instance supports the move operation: move to another resource group or another subscription. You can get this from this document: Move operation support for resources.
If you want to move the managed instance to another subscription, you need to operate on the resource group overview. Choose all the resources related to the managed instance.
For more details, please see this Azure tutorial: Move resources to new resource group or subscription:
Summary:
This article shows you how to move Azure resources to either another Azure subscription or another resource group under the same subscription. You can use the Azure portal, Azure PowerShell, Azure CLI, or the REST API to move resources.
Both the source group and the target group are locked during the move operation. Write and delete operations are blocked on the resource groups until the move completes. This lock means you can't add, update, or delete resources in the resource groups, but it doesn't mean the resources are frozen. For example, if you move a SQL Server and its database to a new resource group, an application that uses the database experiences no downtime. It can still read and write to the database.
Moving a resource only moves it to a new resource group. The move operation can't change the location of the resource. The new resource group may have a different location, but that doesn't change the location of the resource.
It also gives you many examples of how to move resources to another resource group or subscription:
By using Azure portal.
By using Azure PowerShell.
By using Azure CLI.
By using REST API.
Hope this helps.
Suppose I set a Lock on some Azure resource (e.g. on a Resource Group). Then I want to see the JSON document in Azure Resource Explorer that corresponds to the created Lock. I can see the resource object document, but the Lock is not shown there.
You could use PowerShell to see it.
Get-AzResourceLock -ResourceGroupName <resource group name> | ConvertTo-Json
For more details about the Azure CLI or REST API, see this link.
I'm fairly certain those are not exposed under Resource Explorer, since the Microsoft.Authorization provider is not even listed in there.
You could use any other means to retrieve those.
Is it possible to share a particular resource (redis cache in my case) across multiple resource group?
A resource group is just a logical container. It doesn't matter in which resource group a resource is. You can use resources from any resource group.
Example:
Imagine that you create an App Service Plan in RG1 and a Web App Service in RG2. This Web App Service can use the App Service Plan from RG1.
Your redis cache could be used from any code you write, whether in the cloud, on-premises, or wherever, given proper uri + access key.
As long as you have access keys/passwords/etc. to your resources, you can use your resources no matter what resource group they're in. This includes ssh keys, vm usernames/passwords, redis cache keys, storage keys, cosmos db keys, sql database logins, etc.
The only thing access-specific, with resource groups, is granted user permissions. That is: if you add someone as a contributor to resource group A, and not to resource group B, they won't be able to manipulate the settings in resource group B via the portal or any of the Management APIs. Still, they'd be able to work with all of the resources in resource group B, assuming they had the login details / keys / etc.
I want to delete the resource group on failure of any resource deployment.
And the main note here is that I should not use a Logic App for this resource group deletion; I should use the template.json file alone.
Is there any possibility to delete a resource group via template.json?
As far as I know, we can't delete a resource group via template.json.
If you want to achieve this, I suggest you write your own logic (using a script or code) to check the template deployment result. If the result throws an exception, then you could run the script or code (the Azure management REST API sends the request to Azure) or a PowerShell command to remove the resource group.
Besides, someone had the same requirement and sent feedback (Link) to the Azure team. I suggest you vote for it and wait for the Azure product team's reply.