-
Notifications
You must be signed in to change notification settings - Fork 387
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Update avm/res/net-app/net-app-account
- Restructured as per ResourceType structure to & to enable additional capabilities
#4043
base: main
Are you sure you want to change the base?
Conversation
'Microsoft.NetApp/netAppAccounts/backupVaults', # Must be deleted before netapp account | ||
'Microsoft.NetApp/netAppAccounts/snapshotPolicies', # Must be deleted before netapp account | ||
'Microsoft.NetApp/netAppAccounts/capacityPools', # Must be deleted before netapp account |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't this part happening by default? children removed before their parent?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That is true to an extend, but in this case the order of the child removal mattered (e.g., a volume must be removed before a policy for tha volume can - but they're children in seperate hierachies).
Also, it appears only to be the case for resources that are considered for a custom order like seen in this removal oder for the key vault max test:
Log Example
VERBOSE: Total number of deployments after final ordering of resources [33]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateEndpoints/pep-***kvvmax002-vault-0/providers/Microsoft.Authorization/locks/myCustomLockName]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateEndpoints/pep-***kvvmax002-vault-1/providers/Microsoft.Authorization/locks/myCustomLockName]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/providers/Microsoft.Authorization/locks/myCustomLockName]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/secrets/secretName/providers/Microsoft.Authorization/roleAssignments/0737205d-3668-50f9-8f2f-541acc674054]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/keys/keyName/providers/Microsoft.Authorization/roleAssignments/4f20b6c5-6436-59bb-99ec-90a6a43d95e5]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/keys/keyName/providers/Microsoft.Authorization/roleAssignments/7c2c4038-9529-5649-99b3-3bd1a2c7b1a5]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/keys/keyName/providers/Microsoft.Authorization/roleAssignments/588af744-315d-5897-9dcf-43014f610c10]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/secrets/secretName/providers/Microsoft.Authorization/roleAssignments/0e829fb1-41bd-5f0b-82df-c0bfb4ccfe88]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/secrets/secretName/providers/Microsoft.Authorization/roleAssignments/2fb8d755-cd2a-5481-a1f0-233a4675e9b7]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateEndpoints/pep-***kvvmax002-vault-0/providers/Microsoft.Authorization/roleAssignments/010e06c0-1c1b-506a-b2db-f2c35384d3f0]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/providers/Microsoft.Authorization/roleAssignments/f17ab95a-046d-5cef-ae8c-eb2d9c261a7b]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateEndpoints/pep-***kvvmax002-vault-0/providers/Microsoft.Authorization/roleAssignments/5d515c8c-358f-54a7-a334-36e0bea1e0ca]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/providers/Microsoft.Authorization/roleAssignments/da6013f0-225b-56f8-b74e-93be471f13c9]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/providers/Microsoft.Authorization/roleAssignments/b50cc72e-a2f2-4c4c-a3ad-86a43feb6ab8]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/providers/Microsoft.Insights/diagnosticSettings/customSetting]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateEndpoints/pep-***kvvmax002-vault-0/privateDnsZoneGroups/default]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateEndpoints/pep-***kvvmax002-vault-1/privateDnsZoneGroups/default]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateEndpoints/pep-***kvvmax002-vault-1]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateEndpoints/pep-***kvvmax002-vault-0]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.OperationalInsights/workspaces/dep-***-law-kvvmax]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/dep-***-msi-kvvmax]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.EventHub/namespaces/dep-***-evhns-kvvmax01/authorizationRules/RootManageSharedAccessKey]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/dep-***-vnet-kvvmax-vnetlink]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.EventHub/namespaces/dep-***-evhns-kvvmax01/eventhubs/dep-***-evh-kvvmax01]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/accessPolicies/add]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/secrets/secretName]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/keys/keyName]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Storage/storageAccounts/dep***diasakvvmax03]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.EventHub/namespaces/dep-***-evhns-kvvmax01]
VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/virtualNetworks/dep-***-vnet-kvvmax]
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If that is the case can the comment be updated? Currently we're saying children must be deleted before the account. Instead from the above message I understand it's the relative order between children that matters.
I didn't get the second part, the kv mx test example, can you please elaborate?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @eriqua,
I based my messages on the error messages returned by Azure when removing the services in the 'wrong' order, specifically when it tries to remove the ResourceGroup (as none of the child resources where explicitely specified to be removed). When trying to remove set resource group regardless you get for example,
[Microsoft.NetApp/netAppAccounts/backupVaults/backups] [Conflict : Cannot delete last backup as backup policy is assigned to the volume. Please retry after removing the backup policy from the volume.
[Microsoft.NetApp/netAppAccounts/backupVaults] [BadRequest : Cannot delete the backup vault resource as the backup vault contains backups. Please remove the backups before deleting the backup vault.
[Microsoft.NetApp/netAppAccounts/capacityPools] WARNING: [!] Removal moved back for retry. Reason: [CannotDeleteResource : Cannot delete resource while nested resources exist. Some existing nested resource IDs include: 'Microsoft.NetApp/netAppAccounts/***nanaamax001/capacityPools/cp-001/volumes/vol-001, Microsoft.NetApp/netAppAccounts/***nanaamax001/capacityPools/cp-001/volumes/vol-002'. Please delete all nested resources before deleting this resource.
[Microsoft.NetApp/netAppAccounts/snapshotPolicies] WARNING: [!] Removal moved back for retry. Reason: [SnapshotPolicyUsedInVolumes : SnapshotPolicy is used in 1 volumes.
What I'm hence trying to say with, for example, 'Microsoft.NetApp/netAppAccounts/capacityPools', # Must be deleted before netapp account
is that the capacityPool must be removed before the netapp account
as it will otherwise fail. So it is both a matter of 'children must be deleted before their parents' and 'certain children must be deleted before other children can' (example comment "# Must be deleted before netapp account capacity pool & attached policies").
Could you give me an example how you'd make the comments clearer? :)
Regarding the Key Vault example I just wanted to show that the logic works as follows
- All reource IDs for removal are fetched
- They're then sorted as per their level of nesting (with children coming first)
- And finally they're further sorted as per the
removalOrder
sequence which is why in the middle we see the 'resourceGroup'. Everything below is essentially ignored as we expect the RG-removal to take care of those / that they don't need a dedicated order.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated @eriqua :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What I'm challenging it's not the comment clarity. Stating some children must be deleted before their parents is crystal clear and does not need to be further elaborated. The point is that the removal logic already orders resources that way, BUT you are right, having the resource group in the list basically forces us to explicitly mention their order in the list anyway.
Do you recall why we added the resource group in the list and we don't for example delete it as last? In that case I believe the ordering logic alone would cover. Just a question for now, I don't want to block the PR on it, but I think it's worth checking
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @eriqua,
I don't recall - but the reason may be that back then, when we added it, the 'remove last' list didn't likely not exist yet (as it was only introduced in AVM thanks to the LZ PTN module).
I hence assume the reasoning was to ensure the removal logic does not try to remove every single child, but only where it is required as the RP can't do it itself, and for the others have the default RG-removal logic take care of it.
But again - not sure ... so don't quote me on that 😉
utilities/pipelines/e2eValidation/resourceRemoval/helper/Invoke-ResourceRemoval.ps1
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
utilities/pipelines/e2eValidation/resourceRemoval/Initialize-DeploymentRemoval.ps1
Outdated
Show resolved
Hide resolved
Pull request was converted to draft
## Description - Preparing PR for #4043 ## Pipeline Reference <!-- Insert your Pipeline Status Badge below --> | Pipeline | | -------- | | [![avm.res.net-app.net-app-account](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.net-app.net-app-account.yml/badge.svg?branch=users%2Falsehr%2FnetAppStructure&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.net-app.net-app-account.yml) | ## Type of Change <!-- Use the checkboxes [x] on the options that are relevant. --> - [x] Update to CI Environment or utilities (Non-module affecting changes) - [ ] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation
avm/res/net-app/net-app-account
- Restructured as per ResourceType structure to & to enable additional capabilities
Description
Depends on #4204
Pipeline Reference
Type of Change
version.json
:version.json
.version.json
.