Clean-up AMBA-ALZ Deployment
Why clean-up a deployment
In some cases you may need to remove all resources deployed by the AMBA-ALZ solution. The following instructions provide a detailed guide on cleaning up an existing environment using two different approaches, depending on the method used to deploy the AMBA-ALZ pattern.
Available deployment methods fall into two categories:
- ARM-based deployments, including Azure PowerShell, Azure CLI, Azure Pipelines and GitHub Actions
- Terraform-based deployment
Because of this, different guidance is required to ensure a proper clean-up of the existing environment.
Clean-up an ARM-based deployment
The instructions in the Clean-up Script Execution section provide a detailed guide on cleaning up ARM-based deployments by executing a PowerShell script that deletes all deployed resources, including:
- Resource Groups (only if empty)
- Alerts
- Policy Assignments
- Policy Set Definitions
- Policy Definitions
- Role Assignments
- User assigned Managed Identity
- Action Groups
- Alert Processing Rules
All resources deployed as part of the initial AMBA-ALZ deployment, as well as those created dynamically by ‘deploy if not exist’ policies, are tagged, marked in metadata, or described (depending on resource capabilities) with the value _deployed_by_amba or _deployed_by_amba=True. This metadata is crucial for the cleanup process: if it has been removed or altered, the cleanup script will not target those resources.
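Because the script only targets resources that still carry the marker, it is worth listing what is marked before running any delete. The following function is an added example, not part of the AMBA-ALZ documentation or its maintenance script. It assumes Az.Accounts and Az.ResourceGraph are installed, Connect-AzAccount has been run, and that the marker is placed as the page describes: a tag on resources and resource groups, a metadata entry on policy objects, and a description on role assignments. The function name Get-AmbaDeployedInventory is hypothetical.

```powershell
# Added example (not part of the AMBA-ALZ documentation or its maintenance script):
# list everything carrying the _deployed_by_amba marker under the pseudo root
# management group, so the scope of a cleanup can be reviewed before anything runs.
# Assumptions: Az.Accounts and Az.ResourceGraph are installed, Connect-AzAccount has
# been run, and the marker is placed as the page describes (tag, metadata, description).

function Get-AmbaDeployedInventory {
    [CmdletBinding()]
    param(
        # Pseudo root management group ID (same value as $pseudoRootManagementGroup)
        [Parameter(Mandatory)] [string] $PseudoRootManagementGroup
    )

    # One Resource Graph query per place the marker can live. tostring() with =~ makes
    # the match case-insensitive, so both 'True' (tags) and true (JSON metadata) are found.
    $queries = [ordered]@{
        'tag (resource)' = @'
resources
| where tostring(tags['_deployed_by_amba']) =~ 'true'
| project id, type, name
'@
        'tag (resource group)' = @'
resourcecontainers
| where type =~ 'microsoft.resources/subscriptions/resourcegroups'
| where tostring(tags['_deployed_by_amba']) =~ 'true'
| project id, type, name
'@
        'metadata (policy)' = @'
policyresources
| where type in~ ('microsoft.authorization/policydefinitions',
                  'microsoft.authorization/policysetdefinitions',
                  'microsoft.authorization/policyassignments')
| where tostring(properties.metadata['_deployed_by_amba']) =~ 'true'
| project id, type, name
'@
        'description (role assignment)' = @'
authorizationresources
| where type =~ 'microsoft.authorization/roleassignments'
| where tostring(properties.description) contains '_deployed_by_amba'
| project id, type, name
'@
    }

    $inventory = foreach ($marker in $queries.Keys) {
        $params = @{
            Query           = $queries[$marker]
            ManagementGroup = $PseudoRootManagementGroup   # scopes the query to the whole MG tree
            First           = 1000                         # page size; SkipToken fetches the rest
        }
        do {
            $page = Search-AzGraph @params
            foreach ($row in $page) {
                [pscustomobject]@{ Marker = $marker; Type = $row.type; Name = $row.name; Id = $row.id }
            }
            # Search-AzGraph exposes a continuation token on the result when more rows exist.
            $params['SkipToken'] = $page.SkipToken
        } while ($params['SkipToken'])
    }

    # Summary per resource type on the host, then the full list returned for review/export.
    $inventory | Group-Object Type | Sort-Object Name |
        Format-Table @{ Name = 'Type'; Expression = { $_.Name } }, Count -AutoSize | Out-Host
    $inventory
}

# Usage (after Connect-AzAccount and setting $pseudoRootManagementGroup):
# Get-AmbaDeployedInventory -PseudoRootManagementGroup $pseudoRootManagementGroup |
#     Export-Csv ./amba-inventory.csv -NoTypeInformation
```

Anything the inventory does not list (for example a resource whose tag was removed by a later deployment) will also be skipped by the cleanup script, so the exported list is the baseline to compare against the -WhatIf output.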
Clean-up a Terraform-based deployment
Terraform has a native feature to remove the resources it deploys. Thanks to this capability, it is enough to run the terraform destroy command to remove the following resources:
- Resource Groups (only if empty)
- Policy Assignments
- Policy Set Definitions
- Policy Definitions
- Role Assignments
- User assigned Managed Identity
However, some resources are created outside of the Terraform deployment, such as Alerts, Action Groups and Alert Processing Rules, which are created during the policy remediation tasks. For these resources it is necessary to follow the guidance in the Clean-up Script Execution section and run the script after terraform destroy.
Clean-up Script Execution
It is strongly advised to thoroughly test the script in a non-production environment before deploying it to production. These sample scripts are not covered by any Microsoft standard support program or service. They are provided “AS IS” without any warranty, express or implied. Microsoft disclaims all implied warranties, including but not limited to, implied warranties of merchantability or fitness for a particular purpose. The user assumes all risks associated with the use or performance of the sample scripts and documentation. Microsoft, its authors, or any contributors to the creation, production, or delivery of the scripts shall not be liable for any damages, including but not limited to, loss of business profits, business interruption, loss of business information, or other financial losses, arising from the use or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
To download the cleanup script file, follow these steps. Alternatively, you can clone the repository from GitHub and ensure you are working with the latest version by fetching the latest main branch.
- Navigate to the AMBA project on GitHub.
- Browse to the patterns/alz/scripts directory.
- Open the Start-AMBA-ALZ-Maintenance.ps1 script file.
- Click the Raw button.
- Save the file as Start-AMBA-ALZ-Maintenance.ps1.
Launch PowerShell.
Ensure the following modules are installed:
- Az.Accounts: if not installed, use Install-Module Az.Accounts to install it.
- Az.Resources: if not installed, use Install-Module Az.Resources to install it.
- Az.ResourceGraph: if not installed, use Install-Module Az.ResourceGraph to install it.
- Az.ManagedServiceIdentity: if not installed, use Install-Module Az.ManagedServiceIdentity to install it.
Navigate to the directory containing the Start-AMBA-ALZ-Maintenance.ps1 script.
Set the $pseudoRootManagementGroup variable using the following command:
$pseudoRootManagementGroup = "The pseudo root management group ID parenting the identity, management and connectivity management groups"
Sign in to your Azure account using the Connect-AzAccount command. Ensure that the account has the necessary permissions to remove Policy Assignments, Policy Definitions, and resources at the required Management Group scope.
To execute the PowerShell scripts provided in the ALZ pattern, you may need to temporarily modify the execution policy if it is not set to Unrestricted. Check the current execution policy by running the following command:
Get-ExecutionPolicy
If the execution policy is not Unrestricted, change it to Unrestricted by running:
Set-ExecutionPolicy -ExecutionPolicy Unrestricted
After executing your scripts, you can revert the execution policy to its original setting if needed.
Run the script with one of the following options:
Get full help on script usage:
Get-Help ./Start-AMBA-ALZ-Maintenance.ps1
Show what would happen if the deletes were executed, without making any changes:
./Start-AMBA-ALZ-Maintenance.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -cleanItems Amba-Alz -WhatIf
Execute the script asking for confirmation before deleting the resources deployed by AMBA-ALZ:
./Start-AMBA-ALZ-Maintenance.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -cleanItems Amba-Alz
Execute the script without asking for confirmation before deleting the resources deployed by AMBA-ALZ:
./Start-AMBA-ALZ-Maintenance.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -cleanItems Amba-Alz -Confirm:$false
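The steps above (module check, execution policy, sign-in, dry run, confirmed run) can be wrapped so that the dry run is always recorded and reviewed before the real delete. The function below is an added example and not part of the AMBA-ALZ project. It assumes the maintenance script was downloaded to the current directory as described; the function name Invoke-AmbaAlzCleanupPreflight, the transcript path and the DELETE approval keyword are choices made here, not the project's. It departs from the page in one respect: the execution policy is changed with -Scope Process, which affects only the current PowerShell session and so needs no revert afterwards.

```powershell
# Added example (not part of the AMBA-ALZ project): preflight wrapper for the cleanup
# procedure. Installs only missing modules, relaxes the execution policy for this
# process only, verifies sign-in and the pseudo root management group, records a
# -WhatIf dry run to a transcript, and runs the real cleanup only on explicit approval.
# Assumptions: Start-AMBA-ALZ-Maintenance.ps1 is in the current directory; the
# function name, transcript path and DELETE keyword are choices made for this example.

function Invoke-AmbaAlzCleanupPreflight {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PseudoRootManagementGroup,
        [string] $ScriptPath = './Start-AMBA-ALZ-Maintenance.ps1',
        [string] $WhatIfTranscript = './amba-alz-cleanup-whatif.log'
    )

    if (-not (Test-Path $ScriptPath)) {
        throw "Maintenance script not found at $ScriptPath; download it from patterns/alz/scripts first."
    }

    # 1. Modules the page requires; install only what is missing, for the current user only.
    foreach ($module in 'Az.Accounts', 'Az.Resources', 'Az.ResourceGraph', 'Az.ManagedServiceIdentity') {
        if (-not (Get-Module -ListAvailable -Name $module)) {
            Install-Module -Name $module -Scope CurrentUser -Repository PSGallery -Force
        }
        Import-Module -Name $module -ErrorAction Stop
    }

    # 2. Execution policy: -Scope Process changes it for this session only, so the
    #    machine- and user-level settings stay untouched and nothing needs reverting.
    if ((Get-ExecutionPolicy) -ne 'Unrestricted') {
        Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force
    }

    # 3. Sign in if there is no context yet, then confirm the pseudo root MG is reachable
    #    with this identity before any delete is attempted.
    if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }
    $mg = Get-AzManagementGroup -GroupId $PseudoRootManagementGroup -ErrorAction Stop
    Write-Host "Cleanup scope: $($mg.DisplayName) [$($mg.Name)] as $((Get-AzContext).Account.Id)"

    # 4. Dry run. ShouldProcess 'What if:' messages are written to the host, so a
    #    transcript is the reliable way to keep them for review.
    Start-Transcript -Path $WhatIfTranscript -Force | Out-Null
    try {
        & $ScriptPath -pseudoRootManagementGroup $PseudoRootManagementGroup -cleanItems Amba-Alz -WhatIf
    } finally {
        Stop-Transcript | Out-Null
    }

    # 5. Real run only on explicit approval. -Confirm:$false is deliberately not passed,
    #    so the script's own per-resource confirmation prompts remain in place.
    $answer = Read-Host "Dry run saved to $WhatIfTranscript. Type DELETE to run the cleanup with confirmation prompts"
    if ($answer -ceq 'DELETE') {
        & $ScriptPath -pseudoRootManagementGroup $PseudoRootManagementGroup -cleanItems Amba-Alz
    } else {
        Write-Host 'Cleanup not executed.'
    }
}

# Usage, with $pseudoRootManagementGroup set as described above:
# Invoke-AmbaAlzCleanupPreflight -PseudoRootManagementGroup $pseudoRootManagementGroup
```

Keeping the transcript of the -WhatIf run alongside the change record gives a reviewable list of what the identity was able to see and would have deleted; if that list is shorter than expected, check the _deployed_by_amba markers before proceeding rather than falling back to -Confirm:$false.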