
Ability to configure which subscriptions to track

Open Xitric opened this issue 6 months ago • 2 comments

Describe the solution you'd like

In our Azure tenant, we have different application landing zone subscriptions for production, staging, and testing of our primary product. In accordance with #747, we wish to use separate AzOps repositories to track deployments to each of these environments. At the same time, we make extensive use of Bicep modules from a private container registry, which is placed in a separate platform subscription:

  • root (mg)
    • (mg)
      • platform (mg)
        • management (mg)
          • management (sub)
            • container registry
      • landing zones (mg)
        • online (mg)
          • prod (sub)
          • stage (sub)
          • test (sub)

The service principal we use for deploying resources to prod (sub) has the following permissions:

  • Owner on prod (sub)
  • AcrPull on the container registry in management (sub)

As a result, when running the pull pipeline, AzOps tracks both the subscriptions prod and management. It isn't actually able to list role assignments, policies, resource groups, or anything else inside management (sub), but it does generate a directory along with a microsoft.subscription_subscriptions-<sub-id>.json file.

We would really like to be able to configure which subscription(s) to track via AzOps - something like Core.SubscriptionsToInclude or similar.

Xitric, Feb 15 '24 12:02
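The situation described in the issue, as an added example that is not part of the original post or of AzOps: it classifies the subscriptions a service principal holds role assignments in by the broadest scope of those assignments, separating subscriptions it deploys to from ones that appear only because of a resource-level grant such as AcrPull. The subscription IDs, resource group and registry names are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample data mirroring the issue: placeholder IDs and names, not real values.
PROD = "00000000-0000-0000-0000-000000000001"
MGMT = "00000000-0000-0000-0000-000000000002"
ASSIGNMENTS = [
    {"role": "Owner", "scope": f"/subscriptions/{PROD}"},
    {"role": "AcrPull", "scope": f"/subscriptions/{MGMT}/resourceGroups/rg-acr"
                                 "/providers/Microsoft.ContainerRegistry/registries/exampleacr"},
]

_SCOPE = re.compile(r"^/subscriptions/(?P<sub>[0-9a-f-]{36})(?P<rest>/.*)?$", re.I)
_RG_ONLY = re.compile(r"^/resourceGroups/[^/]+$", re.I)
_MG_PREFIX = "/providers/microsoft.management/managementgroups/"


def scope_level(scope):
    """Return (subscription_id, level) for an ARM scope string.

    subscription_id is None for root or management-group scopes.
    """
    if scope == "/" or scope.lower().startswith(_MG_PREFIX):
        return None, "above-subscription"
    m = _SCOPE.match(scope)
    if not m:
        raise ValueError(f"unrecognised scope: {scope!r}")
    rest = (m.group("rest") or "").rstrip("/")
    if not rest:
        level = "subscription"
    elif _RG_ONLY.match(rest):
        level = "resourceGroup"
    else:
        level = "resource"
    return m.group("sub").lower(), level


def classify(assignments):
    """Map each subscription ID to 'subscription-scope' or 'narrow-scope-only'."""
    result = {}
    for a in assignments:
        sub, level = scope_level(a["scope"])
        if sub is None:
            continue  # inherited from above; not attributable to a single subscription
        if level == "subscription":
            result[sub] = "subscription-scope"      # wins over any narrower grant
        else:
            result.setdefault(sub, "narrow-scope-only")
    return result


def include_list(assignments):
    """Subscriptions the principal holds a subscription-level role on."""
    return sorted(s for s, k in classify(assignments).items() if k == "subscription-scope")
```

Here `include_list(ASSIGNMENTS)` yields only the prod placeholder, while the management subscription is reported as `narrow-scope-only`, which is the set an include or exclude setting like the one requested would need to separate.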