Can't move Webapp to new resource group - azure

I successfully moved several resources via REST API into other resource groups (using this howto) but it failed when I tried to move a WebApp and its service plan. I know there are limitations: I have to move the entire resource group and the target resource group mustn't contain a WebApp. So my target resource group is empty and my source resource group only contains the WebApp and the service plan.
As suggested in the howto, I wrote this JSON:
{
    "targetResourceGroup": "/subscriptions/Subscription-B/resourceGroups/newRG",
    "resources": [
        "/subscriptions/Subscription-A/resourceGroups/oldRG/providers/Microsoft.Web/serverFarms/test",
        "/subscriptions/Subscription-A/resourceGroups/oldRG/providers/Microsoft.Web/sites/test"
    ]
}
and ran it via the command:
armclient post https://management.azure.com/subscriptions/Subscription-A/resourceGroups/oldRG/moveResources?api-version=2015-01-01 @path/to/my/json -verbose
I get "202: accepted" in the command window and in the portal I see in both resource groups (oldRG and newRG) the info text "resources being moved" but after a minute, nothing has changed.
Edit:
When I click on "delete" in the oldRG, I see all the contained resources: there are 4 alertrules, 1 autoscalesetting and 1 certificate.
As mentioned in the limitations, I have to move all of them. But how can I access these 3 types of resources? I don't have their resource ID because I don't find them when I search for them.

The certificate resource Id looks like:
/subscriptions/Subscription-A/resourceGroups/oldRG/providers/Microsoft.Web/certificates/<certificateThumbprint>
You don't have to pass in autoscale settings or alert rules.

The solution was a combination of Zain Rizvi's answer and this:
I thought it did not matter, which is why I told you the names of both resource groups are oldRG and newRG, but actually they have the same name. That was the problem. Even though they are in different subscriptions, I wasn't able to move my resources into a resource group with the same name as the one the resources are currently in. So I created a new empty resource group (tmpRG) inside subscriptionB and moved my resources from subscriptionA\myRG to subscriptionB\tmpRG and then from subscriptionB\tmpRG to subscriptionB\myRG.
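A pre-flight check for the request discussed in this thread, as an added example that is not part of the original posts: it applies the constraints reported here (one source group, a target with no Microsoft.Web resources, a target name different from the source, alert rules and autoscale settings left out) and builds the moveResources body. The function names, the Microsoft.Insights namespace for the skipped types and the sample IDs are assumptions.

```python
import json

# Types the answer above says need not be listed in the request.
# The Microsoft.Insights namespace is an assumption; the page gives only the type names.
SKIPPED_TYPES = {"microsoft.insights/alertrules", "microsoft.insights/autoscalesettings"}


def parse_id(resource_id):
    """Return (subscription, resource_group, 'namespace/type' lowercased) for an ARM ID."""
    parts = resource_id.strip("/").split("/")
    if len(parts) < 8 or parts[0].lower() != "subscriptions" \
            or parts[2].lower() != "resourcegroups" or parts[4].lower() != "providers":
        raise ValueError(f"not a resource ID: {resource_id}")
    return parts[1], parts[3], f"{parts[5]}/{parts[6]}".lower()


def build_move_request(source_ids, target_sub, target_rg, target_ids=()):
    """Check the constraints discussed in this thread, then build the moveResources body."""
    problems = []
    parsed = [(rid, *parse_id(rid)) for rid in source_ids]
    groups = {(sub.lower(), rg.lower()) for _, sub, rg, _ in parsed}
    if len(groups) != 1:
        problems.append("resources must all come from one source resource group")
    if any(rg.lower() == target_rg.lower() for _, _, rg, _ in parsed):
        problems.append("target resource group has the same name as the source")
    if any(parse_id(t)[2].startswith("microsoft.web/") for t in target_ids):
        problems.append("target resource group already contains Microsoft.Web resources")
    body = {
        "targetResourceGroup": f"/subscriptions/{target_sub}/resourceGroups/{target_rg}",
        "resources": [rid for rid, _, _, rtype in parsed if rtype not in SKIPPED_TYPES],
    }
    return body, problems


# Constructed listing of the source group, hidden resources included (placeholder IDs).
SRC = "/subscriptions/Subscription-A/resourceGroups/myRG/providers"
LISTING = [
    f"{SRC}/Microsoft.Web/serverFarms/test",
    f"{SRC}/Microsoft.Web/sites/test",
    f"{SRC}/Microsoft.Web/certificates/<certificateThumbprint>",
    f"{SRC}/Microsoft.Insights/alertrules/cpu-high",
    f"{SRC}/Microsoft.Insights/autoscalesettings/test-autoscale",
]

if __name__ == "__main__":
    for rg in ("myRG", "tmpRG"):
        body, problems = build_move_request(LISTING, "Subscription-B", rg)
        print(rg, problems or json.dumps(body, indent=2))
```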

Related

Deleting microsoft.web/certificates after moving between resource groups on Azure

I have moved a number of Azure resources from one subscription to another. To do so, I needed to create a new "incoming" resources group in the target subscription. After successfully moving the resources to "incoming" I could move them to the right resource groups (Azure is a bit weird in this way, but acceptable). Now I want to delete the "incoming" resource group. When looking at the resources, I see a single hidden resource of type microsoft.web/certificates. When trying to move these to the other resource group, I get the following error:
{
    "code":"ResourceMoveValidationFailed",
    "message":"The resource batch move request has '1' validation errors. Diagnostic information: timestamp '20200511T100227Z', tracking Id 'e0d6ac02-69a2-46d2-a61d-beb4303a6ce9', request correlation Id '532eb53d-6ad3-43f3-8a31-3e0319b70702'.",
    "details":[
        {
            "code":"ResourceMoveNotSupported",
            "message":"Resource move is not supported for resource types 'Microsoft.Web/certificates'."
        }
    ]
}
Is it safe to delete this resource and then delete the resource group? I don't see any resources in the target resource group of this type.
Since there are no answers to this and I received an answer from Azure support, I'll post it here for future reference:
Microsoft.Web resources have a weird nuance to them when it comes to moving them cross-subscriptions...
- They must be in the original resource group they were initially deployed to
- You must move all related Microsoft.Web resources that were deployed to that RG
- The destination RG in the destination sub cannot already have Microsoft.Web resources in it.
The Azure resource type Microsoft.web/certificates does not support move operations between resource groups. However, it supports move operations across subscriptions.
Support Link: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftweb
You can move a certificate bound to a web without deleting the TLS bindings, as long as the certificate is moved with all other resources in the resource group.
If your web app includes an SSL certificate that you purchased externally and uploaded to the app, you must delete the certificate before moving the web app. For example, you can perform the following steps:
1. Delete the uploaded certificate from the web app
2. Move the web app
3. Upload the certificate to the web app

How to know the origin resource group of a App Service Plan?

I have an Azure App Service Plan and a Web App. I want to move them to another subscription. There is a limitation that app service plan and app service must be moved together from the origin resource group of the app service plan. Someone had moved the resources from their origin resource group and deleted the resource group. Now, how can I find the name of the origin resource group ?
In some cases it can be found in the WebSpace property of app service plan. For example [ "webSpace": "RG-SK-MarkIII-CentralUSwebspace" ], RG-SK-MarkIII is the origin resource group of the app plan. But in my case the webSpace is like this ["webSpace": "AustraliaEastwebspace" ]. Is there any other way to find it through CloudShell ?
You can look up the actions taken by a particular user, even for a resource group that no longer exists.
az monitor activity-log list -g ExampleGroup --caller someone@contoso.com --offset 5d
Kindly try these steps:
If you don't remember the original resource group, you can find it through diagnostics.
For your web app, select Diagnose and solve problems.
Then, select Configuration and Management.
Select Migration Options.
Select the option for recommended steps to move the web app.
You see the recommended actions to take before moving the resources. The information includes the original resource group for the web app.
- I understand you're referring to RG deletion scenario, kindly try this and let me know how it goes.
Reference document move across subscription.
Furthermore, you can only change to a plan that was created in the same "webspace" as your original app. Webspace is an internal concept that's not exposed, but you can verify whether your source and destination plans are in the same webspace or not.
To verify, do the following:
https://resources.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/serverfarms/{serverFarmName}
Confirm whether the webSpace property of your source plan matches the webSpace property of your new plan

AKS template creates new resource groups

When I create an AKS cluster using Azure portal I can see that new resource groups are created. It seems that I have no control over how they are named, especially the one with the "MC_" prefix. I also don't see an option to change its name when using ARM template.
In addition, if I create a cluster in customer's subscription, where I only have access to 1 resource group, I don't even see the newly created RG and can't manage it.
Is there a way to force deployment of all AKS components into a single resource group?
No, there is no way to force it at this point in time. As for the access, you should request access to that RG. No real workarounds.
Secondary resource group name can be inferred, I think; it's something like:
MC_original-resource-group-name_aks-resource-name_location
It also creates an OMS resource group (if you enable OMS) and Network Watcher (this can be disabled, btw, but it's a provider setting). You have no control over that as well.
There is a not implemented yet nodeResourceGroup property: https://learn.microsoft.com/en-us/rest/api/aks/managedclusters/createorupdate#examples
EDIT: this is actually working right now, so the nodeResourceGroup property can be used. But it would still be a new resource group, so you would still need to request access to that group and using this property is not possible with the portal (so ARM Templates\pulumi\terraform)

Clone a resource group

So, I've set up a lab environment in an Azure resource group with a domain controller, sql-server and a web server. I would like to clone that whole resource group to a new one when needed, and by that I mean with everything intact. Is that possible?
I don't know of any way to do a direct copy, but you can export a JSON template from the portal or PowerShell that will come close to giving you something you can automate. I say "close" because the feature is still in preview and some resources can't be exported.
In portal.azure.com go to:
Resource Groups > [your rg] > Settings > Export...
In PowerShell see:
Export-AzureRMResourceGroup
So, the solution I came up with was to simply create a new Resource group, copy the template (not sysprepped) vhds to that new Resource group and create new VMs with the vhds attached.
I do wish that there was a "Clone resource group" button somewhere :)
To clone a resource group
1. Go to: Resource groups > [resource group to copy] > Settings (sidebar grouping) > Export template > Deploy
Issues on my way with solutions:
- Parameter osDisk.managedDisk.id is not allowed
  - 'Edit Template' button
  - Remove id field under osDisk.managedDisk
  - See: 'osDisk.managedDisk.id' is not allowed
- Disk [disk subscription] cannot be attached as the disk is already owned by VM [VM subscription]
  - Make the data disk snapshot
  - Create a new disk based on the snapshot (important: the disk name cannot be changed)
  - Change proper id parameter value in settings or edit parameters (under 'Edit parameters' button)
- Changing property 'dataDisk.name' is not allowed.
  - As mentioned above. Do not change the disk name when copying the disk.
- Required parameter 'adminPassword' is missing (null).
  - 'Edit Parameters'
    Add:
    "adminPassword": {
        "value": null
    }
  - 'Edit Template'
    Add:
    "adminPassword": {
        "defaultValue": null,
        "type": "SecureString"
    }
  - Set the adminPassword in settings
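The two template edits from the answer above, scripted as an added example that is not part of the original answer. It declares adminPassword as a securestring with no default, so the value is supplied at deployment rather than kept in the file; the function name, the wiring of osProfile.adminPassword to the parameter and the trimmed sample template are assumptions.

```python
import copy
import json

VM_TYPE = "microsoft.compute/virtualmachines"


def prepare_clone_template(exported):
    """Apply the two template edits from the answer to a copy of an exported template."""
    template = copy.deepcopy(exported)
    # securestring with no defaultValue: the password is supplied at deployment time
    # and never stored in the template (the answer above uses "defaultValue": null).
    template.setdefault("parameters", {})["adminPassword"] = {"type": "securestring"}
    stripped = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != VM_TYPE:
            continue
        props = res.setdefault("properties", {})
        managed = props.get("storageProfile", {}).get("osDisk", {}).get("managedDisk", {})
        # The exported ID points at the source VM's disk, which the deployment rejects.
        if managed.pop("id", None) is not None:
            stripped.append(res.get("name"))
        # Assumption: the VM takes its password from the new parameter.
        props.setdefault("osProfile", {})["adminPassword"] = "[parameters('adminPassword')]"
    return template, stripped


# Constructed, heavily trimmed export; names and IDs are placeholders.
EXPORTED = {
    "parameters": {},
    "resources": [
        {"type": "Microsoft.Network/virtualNetworks", "name": "lab-vnet", "properties": {}},
        {"type": "Microsoft.Compute/virtualMachines", "name": "lab-dc",
         "properties": {
             "osProfile": {"computerName": "lab-dc", "adminUsername": "labadmin"},
             "storageProfile": {"osDisk": {
                 "createOption": "FromImage",
                 "managedDisk": {"storageAccountType": "Standard_LRS",
                                 "id": "/subscriptions/<sub>/resourceGroups/<rg>/providers"
                                       "/Microsoft.Compute/disks/lab-dc_OsDisk"}}}}},
    ],
}

if __name__ == "__main__":
    cleaned, stripped = prepare_clone_template(EXPORTED)
    print("managedDisk.id removed from:", stripped)
    print(json.dumps(cleaned["parameters"], indent=2))
```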
Check out Jeff Bow's scripts to copy / clone a resource group:
Copy-AzureRMresourceGroup.ps1
Copies Azure V2 (ARM) resources from one Azure Subscription to
another.
Unlike the Move-AzureRMresource cmdlet, this script allows
you to move between subscriptions in different Tenants and different
Azure Environments. Requires AzureRM module version 6.7 or later.
Clone-AzureRMresourceGroup.ps1
Clones Azure V2 (ARM) resources from one resource group into a new
resource group in the same Azure Subscriptions.
Requires AzureRM module version 6.7 or later.
This is intended mostly for Azure V2 virtual machines and will include
copying virtual disks, virtual network, load balancers, Public IPs and
other associated storage accounts, blob files and now managed disks.
PS suggest you upvote this Azure feedback to provide an Azure-native command, Copy resource groups:
https://feedback.azure.com/forums/281804-azure-resource-manager/suggestions/14142671-copy-resource-groups
While it doesn't look to be specifically designed for this use case, I have successfully moved RGs using Azure Resource Mover, released in 2021. Since it isn't mandatory to remove any resources from the source RG, this has worked better for me than exporting the RG JSON and redeploying, etc.

How do I change the name of an Azure Resource Group?

After the new model was implemented, all of my websites now belong to individual Resource Groups called "Default-Web-East" and all of my SQL databases belong to individual Resource Groups called "Default-SQL-East".
This is confusing to say the least.
I would like to rename the groups to have some semantic meaning. I would also like to group the associated SQL database and Web Site in the same Resource Group.
However, I do not see any way to do either. Is this possible?
1) Rename the Resource Group?
2) Combine an existing SQL DB and Website together into one Resource Group?
Edit: You can't rename an Azure Resource Group.
What you can do is move your resources to a new Resource Group instead. Moving all resources in Resource Group A to Resource Group B is the poor man's rename.
Unfortunately not all resource providers let you move resources between resource groups, and some that do might have strings attached that only let you move resources under certain conditions.
For Azure Web Apps (previously called Azure Websites) you can currently only move all the websites related resources in a single invocation. That "all websites related resources" means all resource under the provider "Microsoft.Web". This includes all websites, app hosting platforms, and certificates that are in the source resource group.
Via the portal
When viewing a group's resources, you can use the "Move" tab
Clicking the "Move" tab will show something like this, allowing you to choose or create a new group:
Via Azure Powershell
The easiest way to do this is to use the Move-AzureRmResource powershell cmdlet.
The command would look like this:
Get-AzureRmResource -ResourceGroupName <sourceResourceGroupName> | Move-AzureRmResource -DestinationResourceGroupName <destResourceGroupName>
source: https://azure.microsoft.com/en-us/documentation/articles/resource-group-move-resources/
Via Rest API
The other way to do this is to use the MoveResource Rest API or with the ArmClient.
Here's the API call you'll want to make:
POST https://<endpoint>/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/moveResources?api-version={api-version}
Where {resourceGroupName} is the source resource group.
I'm pretty sure the endpoint should be "https://management.azure.com", but if you use the ArmClient the tool will just take care of the endpoint for you.
Request Body:
{
    "targetResourceGroup": "/subscriptions/{subscriptionId}/resourceGroups/{targetResourceGroupName}",
    "resources":
    [
        "/subscriptions/{id}/resourceGroups/{source}/providers/{namespace}/{type}/{name}",
        "/subscriptions/{id}/resourceGroups/{source}/providers/{namespace}/{type}/{name}"
    ]
}
In addition to the main answer, Azure Portal has a feature for moving the Resources that are allowed to be moved to a new Resource group.
Go to your Resource Group that has Resources you want to move to an existing or a newly created Resource Group.
Select one, multiple or all (1) of the Resources you want to move and click on the Move (2) button as shown in the image. (You can choose to move Resources within the same subscription or to another subscription. There is a third option if you just need to change the Region; see the figure at the end.)
It will ask you to choose which Resource Group to move to.
Note: This process might take some time, be patient. When done, you
will see that the resource disappears from the old one and will be
found in the new one. That said, some resources might be restricted
from being moved to other resources.
Move (Fixing) only region
