The aim of this blog is to show how to automate the scheduled deletion of resource groups across your sandbox / development subscriptions as part of your FinOps practice. The payoff is not only cost: forgotten sandbox resources are rarely patched, monitored or locked down, so clearing them on a schedule removes attack surface as well as spend.
Deployment Plan
In this blog we will be deploying:
one Azure Automation account,
with the System Assigned Managed Identity (SAMI) enabled,
the SAMI scoped to the targeted sandbox subscription only,
the SAMI granted the Contributor RBAC role (the broadest built-in role short of Owner; it is needed because deleting a resource group requires delete rights on every resource inside it, so least privilege here comes from scoping the assignment to the sandbox subscription alone, never to a management group or anything containing production),
one PowerShell-based runbook,
where the PowerShell script performs two functions, namely:
identifying any resource groups to be excluded from the deletion task,
deleting all the remaining resource groups not on the exclusion list.
Deployment Steps
Step 1 – Automation Account
Provision your Azure Automation Account. Put it in a resource group that will be on the exclusion list, otherwise the runbook will delete the account that runs it.
Step 2 – System Assigned Managed Identity
Enable the SAMI on the automation account.
Step 3 – RBAC Role
Assign the SAMI the Contributor role at the target subscription scope. Check the scope twice: the identity can delete every resource group it can see, so the assignment must cover the sandbox subscription and nothing else.
Step 4 – Runbook
Create a new PowerShell runbook with the script below.
## Azure Automation Account - delete all resource groups in a subscription (with exclusions)
$ErrorActionPreference = 'Stop' # fail loudly rather than carrying on after an unexpected error

# STEP 1 - LOGIN
# Authenticate with the System Assigned Managed Identity (SAMI).
# Ensure that you have enabled the SAMI on your automation account and assigned the RBAC role at the target subscription scope.
Connect-AzAccount -Identity | Out-Null

# STEP 2 - SET SUBSCRIPTION FOCUS
$targetSubscription = "5cf7052e-0000-0000-0000-000000000000" # Sandbox Environment
$context = Set-AzContext -Subscription $targetSubscription
# Guard: abort unless the active context really is the sandbox subscription, so a misconfigured identity can never empty the wrong one
if ($context.Subscription.Id -ne $targetSubscription) {
    throw "Active subscription is '$($context.Subscription.Id)', expected '$targetSubscription'. Aborting."
}

# STEP 3 - CREATE THE RESOURCE GROUP EXCLUSION LIST
# Names are matched exactly (case-insensitively). The automation account's own resource group must be listed here or the runbook deletes itself.
$excludedResourceGroups = @(
    "allen-actiongroup", "allen-AI-keyvault", "allen-sandbox-storageaccount",
    "Devops-Terraform", "NetworkWatcherRG", "rg-devops-terraform", "allen-automation"
) # Add the names of resource groups to exclude

# STEP 4 - GET ALL RESOURCE GROUPS IN THE TARGET SUBSCRIPTION
$allResourceGroups = Get-AzResourceGroup

# Loop through each resource group and delete it if not in the exclusion list (Write-Output lands in the job's output stream, so every deletion is recorded in the job history)
foreach ($rg in $allResourceGroups) {
    if ($excludedResourceGroups -notcontains $rg.ResourceGroupName) {
        Write-Output "Deleting resource group: $($rg.ResourceGroupName)"
        try {
            Remove-AzResourceGroup -Name $rg.ResourceGroupName -Force | Out-Null
        }
        catch {
            # A CanNotDelete lock or a cross-group dependency fails the call; log it and continue with the rest
            Write-Warning "Could not delete '$($rg.ResourceGroupName)': $($_.Exception.Message)"
        }
    }
}
Step 5 – PowerShell script
Paste the PowerShell script into the runbook,
Save,
Test pane > Start, and watch the job output stream for the "Deleting resource group" lines and any warnings about groups that could not be deleted (typically ones carrying a CanNotDelete lock).
Verification
After the runbook has executed, the 7 resource groups that were added to the exclusion list remain, while the other 2 resource groups in the subscription have been deleted.
Publish your runbook once you have confirmed that it works as expected.
Step 6 – Schedule
Create a schedule and link it to the published runbook.
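Steps 1 to 6 above are portal clicks. As an added example that is not part of the original post, here is the same deployment done end to end with Az PowerShell, so the scope of the role assignment is recorded in code rather than in a screenshot. The automation account name "aa-sandbox-cleanup", the runbook name "Remove-SandboxResourceGroups", the region, the schedule time and the local path of the saved runbook script are all assumptions; the resource group "allen-automation" and the subscription ID are the ones the post already uses.

```powershell
# Added example: deploy the automation account, SAMI, role assignment, runbook and schedule with Az PowerShell.
# Requires the Az.Accounts, Az.Resources and Az.Automation modules and an already-signed-in Owner/User Access Administrator
# on the sandbox subscription (needed to create the role assignment).
$ErrorActionPreference = 'Stop'

$sandboxSubscription = "5cf7052e-0000-0000-0000-000000000000"   # sandbox subscription from the post
$automationRg        = "allen-automation"                       # on the runbook's exclusion list, so it survives each run
$accountName         = "aa-sandbox-cleanup"                     # assumed name
$runbookName         = "Remove-SandboxResourceGroups"           # assumed name
$runbookPath         = ".\Remove-SandboxResourceGroups.ps1"     # assumed: the runbook script from the post saved locally
$location            = "uksouth"                                # assumed region

Set-AzContext -Subscription $sandboxSubscription | Out-Null
New-AzResourceGroup -Name $automationRg -Location $location -Force | Out-Null

# Step 1 + 2: automation account with the system-assigned managed identity enabled at creation
$account = New-AzAutomationAccount -ResourceGroupName $automationRg -Name $accountName `
    -Location $location -AssignSystemIdentity
$principalId = $account.Identity.PrincipalId

# Step 3: Contributor on the sandbox subscription only. The scope string is the least-privilege control here;
# a management-group scope or a production subscription would hand the runbook the power to delete those too.
# The new service principal can take a little while to replicate, so retry the assignment briefly.
$scope = "/subscriptions/$sandboxSubscription"
for ($attempt = 1; $attempt -le 6; $attempt++) {
    try {
        New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName "Contributor" -Scope $scope | Out-Null
        break
    }
    catch {
        if ($attempt -eq 6) { throw }
        Start-Sleep -Seconds 10
    }
}

# Step 4 + 5: import the runbook script and publish it (run it from the Test pane first if you want to watch a dry run)
Import-AzAutomationRunbook -ResourceGroupName $automationRg -AutomationAccountName $accountName `
    -Name $runbookName -Path $runbookPath -Type PowerShell -Published | Out-Null

# Step 6: weekly schedule (assumed: every Friday at 18:00 UK time, starting tomorrow) linked to the runbook
$schedule = New-AzAutomationSchedule -ResourceGroupName $automationRg -AutomationAccountName $accountName `
    -Name "weekly-sandbox-cleanup" -StartTime (Get-Date).AddDays(1).Date.AddHours(18) `
    -WeekInterval 1 -DaysOfWeek Friday -TimeZone "Europe/London"
Register-AzAutomationScheduledRunbook -ResourceGroupName $automationRg -AutomationAccountName $accountName `
    -RunbookName $runbookName -ScheduleName $schedule.Name | Out-Null

# Post-deployment check: the identity should hold exactly one assignment, and its Scope should be the sandbox subscription
Get-AzRoleAssignment -ObjectId $principalId | Select-Object RoleDefinitionName, Scope
```

The final Get-AzRoleAssignment line is the check worth keeping in your runbook review: if it ever lists more than one row, or a Scope other than /subscriptions/<sandbox id>, the deletion runbook has been given reach it should not have.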
I hope this blog demonstrated how to deploy an Automation Runbook that quickly and easily cleans up your sandbox / development environments as part of your FinOps practice.
Thank you for your articles. I find them very helpful. Could you help me with something?
I think this is among the most important information for me. And I am glad reading your article. But want to remark on some general things, the site style is perfect, the articles are really great : D. Good job, cheers
I would like to voice my gratitude for your kindness supporting those who should have assistance with the idea. Your personal dedication to getting the message all-around has been amazingly functional and has continually enabled men and women much like me to achieve their aims. The insightful tutorial indicates a great deal to a person like me and a whole lot more to my fellow workers. Thanks a lot; from each one of us.
Whoah, this blog is fantastic, I love reading your articles. Keep up the great work! You know, many people are hunting around for this information, you can aid them greatly.
I'll right away seize your rss as I can not in finding your email subscription link or newsletter service. Do you've any? Kindly permit me understand in order that I may subscribe. Thanks.