azure-service-operator
Feature: Management Groups and Policies
We're looking into leveraging the Azure Service Operator for managing higher-level resources for managing individual subscriptions and related things like management groups and their policies, among other things. I do not believe this is currently part of the supported resources, but I wanted to see if this is on the roadmap, or if PRs would be accepted for adding the resources?
We're definitely interested in supporting these sorts of resources. Do you have a concrete list of what all you need? Obviously Microsoft.Management/managementGroups, Microsoft.Subscription/subscriptionDefinitions, and probably Microsoft.Subscription/policies.
What else?
We would be open to a PR, but just be aware that supporting these resources might be a bit more complicated than it first seems. The complexity here comes with these being root resources that impact how owner resolution is done. If you see resolver.go, resources that are "roots" (RG, Subscription, Tenant, Management Group) have to implement genruntime.NamespacedResourceReference. That's in itself not a problem but it means that we'd possibly want to add support for code-generating those resources (assuming they have Swaggers, I'd need to check). We don't codegen that right now because at least at the time we wrote the generator ResourceGroup didn't have a great Swagger spec.
It's also possible that some updates would need to be made to the azure_generic_arm_reconciler provisioning logic... although I took a look and it does seem like it might just work as is...
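To make the owner-resolution point concrete: the following is an added illustration, not code from azure-service-operator (its real resolver lives in resolver.go and uses genruntime types that are not modelled here). It shows why root kinds matter: the walk up the owner chain has to stop at a ResourceGroup, Subscription, Tenant or ManagementGroup, and the kind of root decides the ARM scope prefix under which every child is created. The `Resource`/`Registry` types, the sample objects, and the rule that a ResourceGroup-rooted chain borrows the operator's default subscription are all assumptions made for the example. Getting this wrong is a scope error, so the function also refuses cycles, missing owners, non-root resources without an owner, and child types that do not extend their parent's ARM type.

```go
package main

import (
	"fmt"
	"strings"
)

// rootKinds terminate an owner chain. These mirror the "root" resources named
// in the discussion (RG, Subscription, Tenant, Management Group); every other
// kind must name an owner.
var rootKinds = map[string]bool{
	"ResourceGroup":   true,
	"Subscription":    true,
	"Tenant":          true,
	"ManagementGroup": true,
}

// Resource is a hypothetical, simplified view of a custom resource: its kind,
// the Azure name it is created under, its full ARM type (empty for roots), and
// the registry key of its owner ("" for roots).
type Resource struct {
	Kind    string
	Name    string
	ARMType string
	Owner   string
}

// Registry stands in for the Kubernetes API: registry key -> resource.
type Registry map[string]Resource

// ResolveARMID walks owners from key until it reaches a root kind, then builds
// the ARM ID root-first. subscriptionID is the operator's default subscription;
// it is only consulted for ResourceGroup-rooted chains (assumption: an RG has
// no owner object of its own, as in the thread).
func ResolveARMID(reg Registry, key, subscriptionID string) (string, error) {
	var chain []Resource // leaf first, root last
	seen := map[string]bool{}
	for cur := key; ; {
		if seen[cur] {
			return "", fmt.Errorf("ownership cycle through %q", cur)
		}
		seen[cur] = true
		r, ok := reg[cur]
		if !ok {
			return "", fmt.Errorf("owner %q not found", cur)
		}
		chain = append(chain, r)
		if rootKinds[r.Kind] {
			break
		}
		if r.Owner == "" {
			return "", fmt.Errorf("%s %q has no owner and is not a root", r.Kind, r.Name)
		}
		cur = r.Owner
	}

	root := chain[len(chain)-1]
	var b strings.Builder
	switch root.Kind {
	case "Tenant":
		// Tenant scope is the empty prefix: children sit directly under /providers/...
	case "ManagementGroup":
		fmt.Fprintf(&b, "/providers/Microsoft.Management/managementGroups/%s", root.Name)
	case "Subscription":
		fmt.Fprintf(&b, "/subscriptions/%s", root.Name)
	case "ResourceGroup":
		if subscriptionID == "" {
			return "", fmt.Errorf("ResourceGroup %q needs a subscription to resolve", root.Name)
		}
		fmt.Fprintf(&b, "/subscriptions/%s/resourceGroups/%s", subscriptionID, root.Name)
	}

	// Walk back down from the resource directly below the root to the leaf.
	for i := len(chain) - 2; i >= 0; i-- {
		r := chain[i]
		if r.ARMType == "" {
			return "", fmt.Errorf("%s %q has no ARM type", r.Kind, r.Name)
		}
		if i == len(chain)-2 {
			// Top-level resource in its scope: /providers/<Namespace/type>/<name>
			fmt.Fprintf(&b, "/providers/%s/%s", r.ARMType, r.Name)
			continue
		}
		// Nested child: its ARM type must extend the parent's, and only the last
		// type segment appears in the ID.
		parent := chain[i+1]
		if !strings.HasPrefix(r.ARMType, parent.ARMType+"/") {
			return "", fmt.Errorf("%s %q (type %s) cannot be owned by type %s", r.Kind, r.Name, r.ARMType, parent.ARMType)
		}
		seg := r.ARMType[strings.LastIndex(r.ARMType, "/")+1:]
		fmt.Fprintf(&b, "/%s/%s", seg, r.Name)
	}
	return b.String(), nil
}

func main() {
	// Constructed sample registry; none of these are real ASO objects.
	reg := Registry{
		"mg/platform":    {Kind: "ManagementGroup", Name: "platform"},
		"pa/deny-public": {Kind: "PolicyAssignment", Name: "deny-public", ARMType: "Microsoft.Authorization/policyAssignments", Owner: "mg/platform"},
		"rg/app":         {Kind: "ResourceGroup", Name: "app"},
		"vnet/hub":       {Kind: "VirtualNetwork", Name: "hub", ARMType: "Microsoft.Network/virtualNetworks", Owner: "rg/app"},
		"subnet/a":       {Kind: "Subnet", Name: "a", ARMType: "Microsoft.Network/virtualNetworks/subnets", Owner: "vnet/hub"},
		"orphan":         {Kind: "Subnet", Name: "b", ARMType: "Microsoft.Network/virtualNetworks/subnets"},
	}
	for _, k := range []string{"pa/deny-public", "subnet/a", "orphan"} {
		id, err := ResolveARMID(reg, k, "00000000-0000-0000-0000-000000000000")
		fmt.Println(k, "->", id, err)
	}
}
```

The point of the example is the `break` on a root kind: if ManagementGroup and Subscription were ordinary owned resources, the walk would demand an owner for them and could never produce a tenant- or management-group-scoped ID.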
Those are the main resources that come to mind. We're still in the early stages of determining our account structure/hierarchy and I am still ramping up on what pieces we will need to automate.
I believe they would be able to leverage code-generation, as I see schemas existing in https://github.com/Azure/azure-resource-manager-schemas.
Some implementation notes for this: Subscriptions Swagger is here and there's a JSON schema here.
The JSON schema roots up to https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json, rather than the normal https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json. We don't currently read https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json so we'll need to add that as part of supporting this.
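The following is an added example, not code from azure-service-operator's generator, showing what "we don't currently read tenantDeploymentTemplate.json" means in practice. Each deployment template schema lists its allowed resources as `$ref` entries under `properties.resources.items.oneOf`; a generator that only walks the default template never sees the refs that exist only in the tenant template. The struct layout is an assumption about the shape of those published schemas, and the two embedded schemas are constructed samples whose entries (including the `tenant_resourceDefinitions` fragment names) are illustrative rather than copied from schema.management.azure.com.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// templateSchema models only the slice of an ARM deployment template schema
// used here: properties.resources.items.oneOf is a list of $ref strings that
// point into per-provider schema files. Assumption: both deploymentTemplate.json
// and tenantDeploymentTemplate.json share this shape.
type templateSchema struct {
	Properties struct {
		Resources struct {
			Items struct {
				OneOf []struct {
					Ref string `json:"$ref"`
				} `json:"oneOf"`
			} `json:"items"`
		} `json:"resources"`
	} `json:"properties"`
}

// ResourceRefs returns "<provider file>#/<definition path>" for every resource
// $ref in a template schema, sorted, rejecting refs that carry no fragment.
func ResourceRefs(schema []byte) ([]string, error) {
	var ts templateSchema
	if err := json.Unmarshal(schema, &ts); err != nil {
		return nil, err
	}
	var out []string
	for _, r := range ts.Properties.Resources.Items.OneOf {
		parts := strings.SplitN(r.Ref, "#/", 2)
		if len(parts) != 2 || parts[1] == "" {
			return nil, fmt.Errorf("unexpected $ref %q", r.Ref)
		}
		file := parts[0][strings.LastIndex(parts[0], "/")+1:]
		out = append(out, file+"#/"+parts[1])
	}
	sort.Strings(out)
	return out, nil
}

// OnlyIn returns the entries of b that are absent from a.
func OnlyIn(a, b []string) []string {
	have := make(map[string]bool, len(a))
	for _, s := range a {
		have[s] = true
	}
	var out []string
	for _, s := range b {
		if !have[s] {
			out = append(out, s)
		}
	}
	return out
}

// Constructed sample schemas (shape only; entries are illustrative).
const defaultTemplate = `{
  "properties": {"resources": {"items": {"oneOf": [
    {"$ref": "https://schema.management.azure.com/schemas/2021-04-01/Microsoft.Resources.json#/resourceDefinitions/deployments"},
    {"$ref": "https://schema.management.azure.com/schemas/2019-06-01/Microsoft.Storage.json#/resourceDefinitions/storageAccounts"}
  ]}}}
}`

const tenantTemplate = `{
  "properties": {"resources": {"items": {"oneOf": [
    {"$ref": "https://schema.management.azure.com/schemas/2021-04-01/Microsoft.Resources.json#/resourceDefinitions/deployments"},
    {"$ref": "https://schema.management.azure.com/schemas/2020-05-01/Microsoft.Management.json#/tenant_resourceDefinitions/managementGroups"},
    {"$ref": "https://schema.management.azure.com/schemas/2020-09-01/Microsoft.Subscription.json#/tenant_resourceDefinitions/aliases"}
  ]}}}
}`

// TenantOnlyRefs lists what a generator that reads only deploymentTemplate.json
// would never reach.
func TenantOnlyRefs() ([]string, error) {
	d, err := ResourceRefs([]byte(defaultTemplate))
	if err != nil {
		return nil, err
	}
	t, err := ResourceRefs([]byte(tenantTemplate))
	if err != nil {
		return nil, err
	}
	return OnlyIn(d, t), nil
}

func main() {
	missing, err := TenantOnlyRefs()
	if err != nil {
		panic(err)
	}
	for _, m := range missing {
		fmt.Println("not reachable from deploymentTemplate.json:", m)
	}
}
```

Run against the real files, the same diff tells you which additional root template(s) a generator must load before the tenant-scoped subscription and management group definitions become visible to it.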
Creating and canceling subscriptions support was added in #2446. I've changed the title of this issue to correctly reflect the remaining work which is not yet supported (Creating/deleting management groups or policies).
Still interested in doing this