
[Issue] azd down removes resource groups not created by azd

Open tvriesde opened this issue 2 years ago • 5 comments

  • [ ] Make sure you've installed the latest version using instructions in the wiki

Output from azd version

Run azd version and copy and paste the output here:

azd version 1.4.3 (commit d165bd2de96dae75de57604c0d8a5553ae214618)

Describe the bug

Description of issue you're seeing...

azd down seems to delete resources by deleting entire resource groups.

For resource groups created by azd up, this works, but if your bicep also contains resource creation in an existing rg, then this could lead to unwanted removal of resources.

A solution to prevent unwanted removals is to lock the existing rg, but then azd down fails.

To Reproduce

Scenario 1:

  1. create "existing" rg with vnet
  2. create azd project which creates a new rg and creates a subnet in the existing rg
  3. azd down

Scenario 2:

  1. create "existing" rg with vnet
  2. add lock to rg
  3. create azd project which creates a new rg and creates a subnet in the existing rg
  4. azd down

This issue was customer reported; I reproduced it with the following azd project: https://github.com/tvriesde/azdstarter

Expected behavior

azd down should not remove entire resource groups which already existed before azd up. Instead it should only remove resources that are part of the azd up deployment.

tvriesde avatar Oct 30 '23 10:10 tvriesde
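A pre-teardown check for the situation reported above, as an added example that is not part of the thread and not azd's own code: it lists, for every resource group a deployment wrote into, the resources in that group the deployment did not create. It assumes you have exported the two lists of ARM resource IDs yourself; the subscription ID, names and helper functions below are constructed for illustration.

```python
import re

# ARM IDs: /subscriptions/<sub>/resourceGroups/<rg>/providers/<ns>/<type>/<name>[/...]
RG_PATTERN = re.compile(
    r"^/subscriptions/([^/]+)/resourceGroups/([^/]+)/providers/.+", re.IGNORECASE)

def group_key(resource_id):
    """Return (subscription, resource group), lower-cased: ARM IDs are case-insensitive."""
    m = RG_PATTERN.match(resource_id.strip())
    if not m:
        raise ValueError(f"not a resource-group scoped ID: {resource_id!r}")
    return m.group(1).lower(), m.group(2).lower()

def collateral_by_group(deployed_ids, inventory_ids):
    """For each group the deployment touched, list resources it did NOT create.
    A non-empty list means deleting the whole group removes more than was deployed."""
    deployed = {rid.strip().lower() for rid in deployed_ids}
    touched = {group_key(rid) for rid in deployed}
    extra = {key: [] for key in touched}
    for rid in inventory_ids:
        key, norm = group_key(rid), rid.strip().lower()
        if key not in touched:
            continue
        # A child of a deployed resource counts as owned by the deployment.
        if not any(norm == d or norm.startswith(d + "/") for d in deployed):
            extra[key].append(rid)
    return {key: sorted(ids) for key, ids in extra.items()}

def groups_unsafe_to_delete(deployed_ids, inventory_ids):
    """Names of touched resource groups that hold resources outside the deployment."""
    found = collateral_by_group(deployed_ids, inventory_ids)
    return sorted(rg for (_, rg), ids in found.items() if ids)

# Constructed sample data mirroring Scenario 1: a new group plus a subnet
# added to a vnet in a group that existed before the deployment.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
DEPLOYED = [
    SUB + "/resourceGroups/rg-azd-new/providers/Microsoft.Storage/storageAccounts/stnew",
    SUB + "/resourceGroups/rg-existing/providers/Microsoft.Network/virtualNetworks/vnet-shared/subnets/app",
]
INVENTORY = [
    SUB + "/resourcegroups/rg-azd-new/providers/Microsoft.Storage/storageAccounts/stnew",
    SUB + "/resourceGroups/rg-existing/providers/Microsoft.Network/virtualNetworks/vnet-shared",
    SUB + "/resourceGroups/rg-existing/providers/Microsoft.KeyVault/vaults/kv-shared",
]

if __name__ == "__main__":
    for rg in groups_unsafe_to_delete(DEPLOYED, INVENTORY):
        print(f"do not delete whole group: {rg}")
```
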

Facing a similar issue. Scenario:

  • an infrastructure package, created with Bicep, deploys an Application Gateway, Public IP, User-Assigned Managed Identity and WAF Policy
  • package references an existing Key Vault in a different Resource Group, which contains a secret required by the App Gateway
  • during the deployment, we are performing an RBAC role deployment on the (existing) Key Vault, enabling the MSI of the Application Gateway to access the secret
  • all above steps work fine and the App Gateway deploys without issues

Issue: azd down not only removes the Resource Group deployed by the package, but also the resource group containing the Key Vault, which existed prior to the package deployment.

If necessary, I can provide a sample to reproduce the issue.

krbar avatar Nov 10 '23 23:11 krbar

Yep, same here. We have resource groups managed by a different division and we do not have the rights to delete it. So an option (flag) that leaves the rg but does delete the resources would be great.

obiwanjacobi avatar Nov 13 '23 08:11 obiwanjacobi

Any update on this issue?

BartNetJS avatar Feb 19 '24 17:02 BartNetJS

Any updates on this?

rrussell0 avatar Jun 13 '24 23:06 rrussell0

Any updates on this?

Holt59 avatar Jun 27 '24 06:06 Holt59

I have this issue too, it's really not how I'd expect this to work, although it is how I was afraid it would work. A fairly common pattern will be deploying shared resources (APIM, WAF, Key Vaults etc.) in an infrastructure package then allowing dev teams to create applications that depend on the shared infrastructure.

dhayes-ccl avatar Jul 26 '24 15:07 dhayes-ccl

We are looking into leveraging deployment stacks which should address some of these issues cc @wbreza @ellismg

rajeshkamal5050 avatar Jul 26 '24 15:07 rajeshkamal5050

  • https://github.com/Azure/azure-dev/pull/4165 should help address this issue. It's part of the daily builds and should be available with azd - 1.10.0 sep/4.

rajeshkamal5050 avatar Sep 04 '24 00:09 rajeshkamal5050

Hello. The issue still reproduces when the account permission changes. When you have Contributor permission, create resources via bicep in an existing resource group, and manage them with azd up and azd down, it affects only the resources declared by bicep. But when your account role is changed to Owner, azd down deletes the entire resource group even if it already existed and wasn't created via bicep.

azd version 1.21.3 (commit b01891fc63b1faf9a9633cdc630deab0b4d569c4)

SkySkyTy avatar Nov 19 '25 22:11 SkySkyTy