I create all my blueprints via ARM because I can deploy ARM templates via Terraform, and where I work the goal is to deploy via Terraform.
The scenario
Let's say we have 4 subscriptions:
- sub1-prod
- sub1-nonprod
- sub2-prod
- sub2-nonprod
They are all structured using Management Groups.
All Blueprints are deployed at the Subscription Main Management Group.
Let's say we have the blueprint RequireTags.
It is published to version 1 with 30 policies for 15 tags, basically to require tags at the resource group and resource level. I associate that with sub1-nonprod for testing. It is then decided that 5 of them could really be handled with just 2 tags, so that would be removing 10 policies and adding 2. When I do my deployment it adds the 2 just fine. To remove the 5 policies from the blueprint I have to manually delete the 10 policies, then publish the new version. So now I have the blueprint RequireTags with 2 published versions, v1 and v2. So for this first part, how can I have the system auto-remove those policies? I could do some automagicness to try to script this using GitHub Actions, but that feels a bit hacky.
Part 2: as mentioned, RequireTags v1 is assigned to sub1-nonprod. Since we now want v2 instead of v1, I remove v1 from the subscription and attach v2. In doing so it leaves the 10 policies from version 1 and again adds the 4 from version 2. I can now delete those 10 from v1 manually from the subscription. If you like we can focus on each part separately, as they are 2 separate issues but are connected. Again I could probably do some automagicness here as well, but I feel I shouldn't have to. There should be a way to tell the system to do it for me.
Most of the demos look to use Import-AzBlueprintWithArtifact vs. ARM. Will that cause the blueprints to add new artifacts/policies and remove ones no longer part of the blueprint? If so, is there a way to do it via an ARM template? Typically I would use complete mode, but since this is not deploying to a resource group I have not been successful at getting it to work.
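The reconciliation the post is asking the platform to do, as an added example in Python (not from the post or from any Azure tooling): it diffs the policyAssignment artifacts between two blueprint template versions and flags the assignments left behind on the subscription. Tag names, artifact names and the policy definition id are constructed placeholders, and the one-to-one mapping from artifact name to subscription policy assignment is an assumption.

```python
# Constructed example data (not from the post): two versions of a RequireTags
# blueprint expressed as ARM resources, one policyAssignment artifact per tag
# and scope, mirroring the "2 policies per tag" layout described above.
ARTIFACT_TYPE = "Microsoft.Blueprint/blueprints/artifacts"
PLACEHOLDER_DEF = "/providers/Microsoft.Authorization/policyDefinitions/<PLACEHOLDER>"


def make_template(tags):
    """Build a minimal blueprint ARM template requiring each tag at RG and resource scope."""
    return {"resources": [
        {"type": ARTIFACT_TYPE, "kind": "policyAssignment",
         "name": f"require-{tag}-{scope}",
         "properties": {"policyDefinitionId": PLACEHOLDER_DEF,
                        "parameters": {"tagName": {"value": tag}}}}
        for tag in tags for scope in ("rg", "resource")]}


V1 = make_template(["env", "owner", "costcenter", "app", "tier"])  # 10 artifacts
V2 = make_template(["env", "owner", "costcenter", "workload"])     # 8 artifacts


def artifact_names(template, kind="policyAssignment"):
    """Names of the blueprint artifacts of the given kind declared in a template."""
    return {r["name"] for r in template["resources"]
            if r["type"] == ARTIFACT_TYPE and r.get("kind") == kind}


def drift(current, desired):
    """(to_remove, to_add) between what exists and what the new version declares.
    An incremental deployment only performs to_add; to_remove is the manual step."""
    return sorted(set(current) - set(desired)), sorted(set(desired) - set(current))


def plan(old_template, new_template, subscription_assignments):
    """Part 1: artifacts to delete before publishing the new version.
    Part 2: policy assignments left on the subscription after re-assigning.
    Assumes (not verified here) that each policy assignment on the subscription
    keeps the name of the artifact it was created from."""
    remove_artifacts, add_artifacts = drift(artifact_names(old_template),
                                            artifact_names(new_template))
    orphaned, _ = drift(subscription_assignments, artifact_names(new_template))
    return {"delete_artifacts": remove_artifacts, "add_artifacts": add_artifacts,
            "orphaned_assignments": orphaned}


if __name__ == "__main__":
    # What the post observes after swapping v1 for v2: v1 leftovers plus v2 additions.
    observed = artifact_names(V1) | artifact_names(V2)
    for key, value in plan(V1, V2, observed).items():
        print(f"{key}: {value}")
```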