
Commit 142ba1f

fix: ensure defender roles and deployments are removed (#462)
# Pull Request ## Description Fix a bug where defender plans, orphaned role assignments, and deployments are not checked if the subscription does not contain any resource groups. ## License By submitting this pull request, I confirm that my contribution is made under the terms of the project's associated license.
1 parent c9abb51 commit 142ba1f


1 file changed

+55
-56
lines changed


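--- a/src/ALZ/Public/Remove-PlatformLandingZone.ps1
+++ b/src/ALZ/Public/Remove-PlatformLandingZone.ps1
@@ -1031,76 +1031,75 @@ function Remove-PlatformLandingZone {
 
 if ($resourceGroups.Count -eq 0) {
 Write-ToConsoleLog "No resource groups found for subscription: $($subscription.Name) (ID: $($subscription.Id)), skipping." -NoNewline
-continue
-}
+} else {
+Write-ToConsoleLog "Found resource groups for subscription: $($subscription.Name) (ID: $($subscription.Id)), count: $($resourceGroups.Count)" -NoNewline
 
-Write-ToConsoleLog "Found resource groups for subscription: $($subscription.Name) (ID: $($subscription.Id)), count: $($resourceGroups.Count)" -NoNewline
+$resourceGroupsToDelete = @()
+$resourceGroupsToRetainNamePatterns = $using:ResourceGroupsToRetainNamePatterns
 
-$resourceGroupsToDelete = @()
-$resourceGroupsToRetainNamePatterns = $using:ResourceGroupsToRetainNamePatterns
+foreach ($resourceGroup in $resourceGroups) {
+$foundMatch = $false
 
-foreach ($resourceGroup in $resourceGroups) {
-$foundMatch = $false
+foreach ($pattern in $resourceGroupsToRetainNamePatterns) {
+if ($resourceGroup.name -match $pattern) {
+Write-ToConsoleLog "Retaining resource group as it matches the pattern '$pattern': $($resourceGroup.name) in subscription: $($subscription.Name) (ID: $($subscription.Id))" -NoNewLine
+$foundMatch = $true
+break
+}
+}
 
-foreach ($pattern in $resourceGroupsToRetainNamePatterns) {
-if ($resourceGroup.name -match $pattern) {
-Write-ToConsoleLog "Retaining resource group as it matches the pattern '$pattern': $($resourceGroup.name) in subscription: $($subscription.Name) (ID: $($subscription.Id))" -NoNewLine
-$foundMatch = $true
-break
+if($foundMatch) {
+continue
 }
-}
 
-if($foundMatch) {
-continue
+$resourceGroupsToDelete += @{
+ResourceGroupName = $resourceGroup.name
+Subscription = $subscription
+}
 }
 
-$resourceGroupsToDelete += @{
-ResourceGroupName = $resourceGroup.name
-Subscription = $subscription
-}
-}
+$shouldRetry = $true
 
-$shouldRetry = $true
+$throttleLimit = $using:ThrottleLimit
+$planMode = $using:PlanMode
 
-$throttleLimit = $using:ThrottleLimit
-$planMode = $using:PlanMode
+while($shouldRetry) {
+$shouldRetry = $false
+$resourceGroupsToRetry = [System.Collections.Concurrent.ConcurrentBag[hashtable]]::new()
+$resourceGroupsToDelete | ForEach-Object -Parallel {
+$funcWriteToConsoleLog = $using:funcWriteToConsoleLog
+${function:Write-ToConsoleLog} = $funcWriteToConsoleLog
+$resourceGroupName = $_.ResourceGroupName
+$subscription = $_.Subscription
 
-while($shouldRetry) {
-$shouldRetry = $false
-$resourceGroupsToRetry = [System.Collections.Concurrent.ConcurrentBag[hashtable]]::new()
-$resourceGroupsToDelete | ForEach-Object -Parallel {
-$funcWriteToConsoleLog = $using:funcWriteToConsoleLog
-${function:Write-ToConsoleLog} = $funcWriteToConsoleLog
-$resourceGroupName = $_.ResourceGroupName
-$subscription = $_.Subscription
-
-Write-ToConsoleLog "Deleting resource group for subscription: $($subscription.Name) (ID: $($subscription.Id)), resource group: $($ResourceGroupName)" -NoNewLine
-$result = $null
-if($using:PlanMode) {
-Write-ToConsoleLog `
-"Deleting resource group for subscription: $($subscription.Name) (ID: $($subscription.Id)), resource group: $($ResourceGroupName)", `
-"Would run: az group delete --name $ResourceGroupName --subscription $($subscription.Id) --yes" `
--IsPlan -LogFilePath $using:TempLogFileForPlan
-} else {
-$result = az group delete --name $ResourceGroupName --subscription $subscription.Id --yes 2>&1
-}
+Write-ToConsoleLog "Deleting resource group for subscription: $($subscription.Name) (ID: $($subscription.Id)), resource group: $($ResourceGroupName)" -NoNewLine
+$result = $null
+if($using:PlanMode) {
+Write-ToConsoleLog `
+"Deleting resource group for subscription: $($subscription.Name) (ID: $($subscription.Id)), resource group: $($ResourceGroupName)", `
+"Would run: az group delete --name $ResourceGroupName --subscription $($subscription.Id) --yes" `
+-IsPlan -LogFilePath $using:TempLogFileForPlan
+} else {
+$result = az group delete --name $ResourceGroupName --subscription $subscription.Id --yes 2>&1
+}
 
-if (!$result) {
-Write-ToConsoleLog "Deleted resource group for subscription: $($subscription.Name) (ID: $($subscription.Id)), resource group: $($ResourceGroupName)" -NoNewLine
+if (!$result) {
+Write-ToConsoleLog "Deleted resource group for subscription: $($subscription.Name) (ID: $($subscription.Id)), resource group: $($ResourceGroupName)" -NoNewLine
+} else {
+Write-ToConsoleLog "Delete resource group failed for subscription: $($subscription.Name) (ID: $($subscription.Id)), resource group: $($ResourceGroupName)" -NoNewLine
+Write-ToConsoleLog "It will be retried once the other resource groups in the subscription have reported their status." -NoNewLine
+$retries = $using:resourceGroupsToRetry
+$retries.Add($_)
+}
+} -ThrottleLimit $using:ThrottleLimit
+
+if($resourceGroupsToRetry.Count -gt 0) {
+Write-ToConsoleLog "Some resource groups failed to delete and will be retried in subscription: $($subscription.Name) (ID: $($subscription.Id))" -NoNewLine
+$shouldRetry = $true
+$resourceGroupsToDelete = $resourceGroupsToRetry.ToArray()
 } else {
-Write-ToConsoleLog "Delete resource group failed for subscription: $($subscription.Name) (ID: $($subscription.Id)), resource group: $($ResourceGroupName)" -NoNewLine
-Write-ToConsoleLog "It will be retried once the other resource groups in the subscription have reported their status." -NoNewLine
-$retries = $using:resourceGroupsToRetry
-$retries.Add($_)
+Write-ToConsoleLog "All resource groups deleted successfully in subscription: $($subscription.Name) (ID: $($subscription.Id))." -NoNewLine
 }
-} -ThrottleLimit $using:ThrottleLimit
-
-if($resourceGroupsToRetry.Count -gt 0) {
-Write-ToConsoleLog "Some resource groups failed to delete and will be retried in subscription: $($subscription.Name) (ID: $($subscription.Id))" -NoNewLine
-$shouldRetry = $true
-$resourceGroupsToDelete = $resourceGroupsToRetry.ToArray()
-} else {
-Write-ToConsoleLog "All resource groups deleted successfully in subscription: $($subscription.Name) (ID: $($subscription.Id))." -NoNewLine
 }
 }
 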
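Review bot: The retry loop that now lives inside the new `else` branch (`while($shouldRetry)`, new line 1066) has no upper bound: any resource group whose `az group delete` keeps producing output — a resource lock, a deny assignment, missing RBAC, or even a persistent CLI warning, because `if (!$result)` treats any captured stdout/stderr text as failure — is re-queued on every pass and the destructive delete is re-issued indefinitely. The retry is there to cope with ordering between dependent groups, which needs only a few passes, so a small cap plus a final log of what could not be removed is enough; testing `$LASTEXITCODE -ne 0` instead of the captured output would also stop a warning from being mistaken for a failure. Remove-PlatformLandingZone begins before this hunk and continues after it, so the defender-plan, role-assignment and deployment steps the PR description refers to are outside this view and I have not checked them. The `$throttleLimit`/`$planMode` locals at new lines 1063–1064 appear unused within the hunk, since the parallel block reads `$using:ThrottleLimit` and `$using:PlanMode` directly — worth removing or wiring in.
```powershell
$maxRetries = 5   # bound the dependency-ordering retries; a locked or deny-assigned group would otherwise loop forever
$attempt = 0
while ($shouldRetry -and $attempt -lt $maxRetries) {
    $attempt++
    # … unchanged: reset $shouldRetry, ForEach-Object -Parallel delete, retry bag handling …
}
if ($resourceGroupsToRetry.Count -gt 0) {
    Write-ToConsoleLog "Giving up on $($resourceGroupsToRetry.Count) resource group(s) in subscription: $($subscription.Name) (ID: $($subscription.Id)) after $maxRetries attempts." -NoNewLine
}
```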