Merge pull request #323 from Brunoga-MS/main

Ensure -WhatIf parameter is honored by all scripts commands and fix hybrid disconnected alert bug
Azure · Sep 5, 2024 · f165454 · f165454
2 parents f36eb4b + 1ad4114
commit f165454
Show file tree

Hide file tree

Showing 12 changed files with 294 additions and 309 deletions.
diff --git a/docs/content/patterns/alz/Cleaning-up-a-Deployment.md b/docs/content/patterns/alz/Cleaning-up-a-Deployment.md
@@ -39,29 +39,29 @@ Follow the instructions below to download the cleanup script file. Alternatively
 3. Change directories to the location of the **Start-AMBACleanup.ps1** script
 4. Configure the _**$pseudoRootManagementGroup**_ variable using the command below:
 
-  ```powershell
-  $pseudoRootManagementGroup = "The pseudo root management group id parenting the identity, management and connectivity management groups"
-  ```
+    ```powershell
+    $pseudoRootManagementGroup = "The pseudo root management group id parenting the identity, management and connectivity management groups"
+    ```
 
 5. Sign in to the Azure with the `Connect-AzAccount` command. The account you sign in as needs to have permissions to remove Policy Assignments, Policy Definitions, and resources at the desired Management Group scope.
 6. Execute the script using one of the options below:
 
     {{% include "PowerShell-ExecutionPolicy.md" %}}
 
-    **Generate a list of the resource IDs which would be deleted by this script:**
+    **Show output of what would happen if deletes executed:**
 
     ```powershell
-    ./Start-AMBACleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -ReportOnly
+    ./Start-AMBACleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -WhatIf
     ```
 
-    **Show output of what would happen if deletes executed:**
+    **Execute the script asking for confirmation before deleting the resources deployed by AMBA-ALZ:**
 
     ```powershell
-    ./Start-AMBACleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -WhatIf
+    ./Start-AMBACleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup
     ```
 
-    **Delete all resources deployed by the ALZ-Monitor IaC without prompting for confirmation:**
+    **Execute the script <ins>without</ins> asking for confirmation before deleting the resources deployed by AMBA-ALZ.**
 
     ```powershell
-    ./Start-AMBACleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -Force
+    ./Start-AMBACleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -Confirm:$false
     ```
diff --git a/docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2023-11-14.md b/docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2023-11-14.md
@@ -25,20 +25,20 @@ Updating from release [2023-11-14](../../Whats-New#2023-11-14) will require runn
 
   {{% include "PowerShell-ExecutionPolicy.md" %}}
 
-  **Generate a list of the resource IDs which would be deleted by this script:**
+  **Show output of what would happen if deletes executed:**
 
   ```powershell
-  ./Start-AMBAOldArpCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -ReportOnly
+  ./Start-AMBAOldArpCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -WhatIf
   ```
 
-  **Show output of what would happen if deletes executed:**
+  **Execute the script asking for confirmation before deleting old Service Health action group(s) deployed by AMBA-ALZ:**
 
   ```powershell
-  ./Start-AMBAOldArpCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -WhatIf
+  ./Start-AMBAOldArpCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup
   ```
 
-  **Delete all resources deployed by the ALZ-Monitor IaC without prompting for confirmation:**
+  **Execute the script <ins>without</ins> asking for confirmation before deleting old Service Health action group(s) deployed by AMBA-ALZ.**
 
   ```powershell
-  ./Start-AMBAOldArpCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -Force
+  ./Start-AMBAOldArpCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -Confirm:$false
   ```
diff --git a/docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2024-03-01.md b/docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2024-03-01.md
@@ -28,20 +28,20 @@ To run the script, complete the following step:
 
   {{% include "PowerShell-ExecutionPolicy.md" %}}
 
-  **Generate a list of the resource IDs which would be deleted by this script:**
+  **Show output of what would happen if deletes executed:**
 
   ```powershell
-  ./Remove-AMBANotificationAssets.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -ReportOnly
+  ./Remove-AMBANotificationAssets.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -WhatIf
   ```
 
-  **Show output of what would happen if deletes executed:**
+  **Execute the script asking for confirmation before deleting notification asset resources deployed by AMBA-ALZ:**
 
   ```powershell
-  ./Remove-AMBANotificationAssets.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -WhatIf
+  ./Remove-AMBANotificationAssets.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup
   ```
 
-  **Delete notification asset resources deployed by the ALZ pattern without prompting for confirmation:**
+  **Execute the script <ins>without</ins> asking for confirmation before deleting notification asset resources deployed by AMBA-ALZ.**
 
   ```powershell
-  ./Remove-AMBANotificationAssets.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -Force
+  ./Remove-AMBANotificationAssets.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -Confirm:$false
   ```
diff --git a/docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2024-06-05.md b/docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2024-06-05.md
@@ -9,7 +9,7 @@ weight: 97
 
 # Pre update actions
 
-Before updating to release [2024-06-30](../../Whats-New#2024-06-30), it's required to remove existing policy definitions, policy set definitions, policy assignments and role assignments. This action is required because of a breaking change caused by the redefinition of some parameters, which allows for more flexibility in disabling the policy remediation or, in some cases, the alerts. Unfortunately not all the alerts can be disabled after creation; only log-based alerts can be. Even if disabling the effect of policy was already possible in AMBA-ALZ, with this release we made sure that all the policies will honor both the ***PolicyEffect*** and the ***MonitorDisable*** parameters.
+Before updating to release [2024-06-05](../../Whats-New#2024-06-05), it's required to remove existing policy definitions, policy set definitions, policy assignments and role assignments. This action is required because of a breaking change caused by the redefinition of some parameters, which allows for more flexibility in disabling the policy remediation or, in some cases, the alerts. Unfortunately not all the alerts can be disabled after creation; only log-based alerts can be. Even if disabling the effect of policy was already possible in AMBA-ALZ, with this release we made sure that all the policies will honor both the ***PolicyEffect*** and the ***MonitorDisable*** parameters.
 
 In particular, the *MonitorDisable* feature has been redesigned to allow customer to specify they own existing tag and tag value instead of forcing a hard coded one. Given the ALZ guidance and the best practice of having a consistent tagging definition, it's only allowed to one parameter name fo r the entire deployment. Instead, parameter value can be different. You can specify an array of values assigned to the same parameter. For instance, you have the ```Environment``` tag name consistently applied to several environments, saying ```Production```, ```Test```, ```Sandbox```, and so on and you want to disable alerts for resources, which are in both ```Test``` and ```Sandbox```. Now it's possible by just configuring the parameters for tag name and tag values as reported in the sample screenshot (these are the default values) below:
 
@@ -36,14 +36,20 @@ To run the script, complete the following steps:
 
   {{% include "PowerShell-ExecutionPolicy.md" %}}
 
-  **Generate a list of policy definitions, policy set definitions, policy assignments and role assignments resources which would be deleted by this script:**
+  **Show output of what would happen if deletes executed:**
 
   ```powershell
-  ./Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -ReportOnly
+  ./Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -WhatIf
   ```
 
-  **Delete policy definitions, policy set definitions, policy assignments and role assignments resources deployed by the AMBA-ALZ pattern without prompting for confirmation:**
+  **Execute the script asking for confirmation before deleting the policy definitions, policy set definitions, policy assignments and role assignments deployed by AMBA-ALZ:**
 
   ```powershell
-  ./Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -Force
+  ./Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup
+  ```
+
+  **Execute the script <ins>without</ins> asking for confirmation before deleting the policy definitions, policy set definitions, policy assignments and role assignments deployed by AMBA-ALZ.**
+
+  ```powershell
+  ./Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -Confirm:$false
   ```
diff --git a/patterns/alz/alzArm.param.json b/patterns/alz/alzArm.param.json
@@ -1544,7 +1544,7 @@
           "value": "PT10M"
         },
         "HybridVMDisconnectedAlertAutoMitigate": {
-          "value": "false"
+          "value": "true"
         },
         "HybridVMDisconnectedAlertPolicyEffect": {
           "value": "deployIfNotExists"

diff --git a/patterns/alz/policyDefinitions/policies-Hybrid.json b/patterns/alz/policyDefinitions/policies-Hybrid.json
diff --git a/patterns/alz/scripts/Remove-AMBADeployments.ps1 b/patterns/alz/scripts/Remove-AMBADeployments.ps1
@@ -1,4 +1,25 @@
-<#
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+<#
 .SYNOPSIS
     This script cleans up the deployment entries at the management group hierarchy level performed by the AMBA-ALZ automation.
 
@@ -12,37 +33,29 @@
     https://github.com/Azure/azure-monitor-baseline-alerts
 
 .EXAMPLE
-    ./Remove-AMBADeployments.ps1 -pseudoManagementGroup Contoso -ReportOnly
-    # generate a list of the deployments which would be deleted by this script
+    ./Remove-AMBADeployments.ps1 -pseudoRootManagementGroup Contoso -WhatIf
+    # show output of what would happen if deletes executed.
 
 .EXAMPLE
-    ./Remove-AMBADeployments.ps1 -pseudoManagementGroup Contoso -WhatIf
-    # show output of what would happen if deletes executed
+    ./Remove-AMBADeployments.ps1 -pseudoRootManagementGroup Contoso
+    # execute the script and will ask for confirmation before taking the configured action.
 
 .EXAMPLE
-    ./Remove-AMBADeployments.ps1 -pseudoManagementGroup Contoso -Force
-    # delete all deployments entries for deployments performed by the AMBA-ALZ IaC without prompting for confirmation
+    ./Remove-AMBADeployments.ps1 -pseudoRootManagementGroup Contoso -Confirm:$false
+    # execute the script without asking for confirmation before taking the configured action.
+
 #>
 
 [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
 param(
     # the pseudo managemnt group to start from
     [Parameter(Mandatory = $True,
         ValueFromPipeline = $false)]
-    [string]$pseudoRootManagementGroup,
-    # output a list of the resources to be deleted
-    [Parameter(Mandatory = $False,
-        ValueFromPipeline = $false)]
-    [switch]$reportOnly,
-    # if not specified, delete will prompt for confirmation
-    [Parameter(Mandatory = $False,
-        ValueFromPipeline = $false)]
-    [switch]$force
+        [string]$pseudoRootManagementGroup
 )
 
 Function Iterate-ManagementGroups($mg) {
-
-    $script:managementGroups += $mg.Name
+  $script:managementGroups += $mg.Name
     if ($mg.Children) {
         foreach ($child in $mg.Children) {
             if ($child.Type -eq 'Microsoft.Management/managementGroups') {
@@ -68,11 +81,10 @@ ForEach ($mg in $allMgs) {
     Iterate-ManagementGroups $mg
 }
 
-Write-Host "Found '$($managementGroups.Count)' management groups to query for AMBA-ALZ deployments."
-
+Write-Host "Found '$($managementGroups.Count)' management group(s) (including the parent one) which are part of the '$pseudoRootManagementGroup' management group hierarchy, to be queried for AMBA-ALZ deployments."
 
 If ($managementGroups.count -eq 0) {
-    Write-Error "The command 'Get-AzManagementGroups' returned '0' groups. This script needs to run with Owner permissions on the Azure Landing Zones intermediate root management group to effectively clean up Policies and all related resources."
+    Write-Error "The command 'Get-AzManagementGroups' returned '0' groups. This script needs to run with Owner permissions on the Azure Landing Zones intermediate root management group to effectively query all the AMBA-ALZ deployment records."
 }
 
 # get AMBA-ALZ deployments to delete
@@ -82,33 +94,17 @@ ForEach ($mg in $managementGroups) {
     $allDeployments += $deployments
 }
 
-Write-Host "Found '$($allDeployments.Count)' deployments for AMBA-ALZ pattern with name starting with 'amba-'."
-
-If (!$reportOnly.IsPresent) {
+Write-Host "- Found '$($allDeployments.Count)' deployments for AMBA-ALZ pattern with name starting with 'amba-' performed on the '$pseudoRootManagementGroup' Management Group hierarchy."
 
-    Write-Warning "This script will delete the AMBA-ALZ deployments discovered above."
+If ($allDeployments.Count -gt 0) {
+    If ($PSCmdlet.ShouldProcess($pseudoRootManagementGroup, "Delete AMBA-ALZ deployments performed on the '$pseudoRootManagementGroup' Management Group hierarchy ..." )) {
+        # overriding confirmation behavior using local copy of $ConfirmPreference
+        $ConfirmPreference = 'None'
 
-    If (!$force.IsPresent) {
-        While ($prompt -notmatch '[yYnN]') {
-            $prompt = Read-Host -Prompt 'Would you like to proceed with the deletion? (y/n)'
-        }
-        If ($prompt -match '[yY]') {
-            $force = $true
-        }
-        Else {
-            Write-Host "Exiting script..."
-            return
-        }
+        # delete AMBA-ALZ deployments
+        Write-Host "-- Deleting AMBA-ALZ deployments performed on the '$pseudoRootManagementGroup' Management Group hierarchy ..."
+        $allDeployments | ForEach-Object -Parallel { Remove-AzManagementGroupDeployment -InputObject $_ } -throttlelimit 100
     }
-
-    # delete alert processing rules
-    Write-Host "Deleting AMBA-ALZ deployments..."
-    $allDeployments | ForEach-Object -Parallel { Remove-AzManagementGroupDeployment -InputObject $_ } -throttlelimit 100
-
-    Write-Host "AMBA-ALZ deployments cleanup complete."
 }
-Else {
-    $resourceToBeDeleted = $allDeployments.Name
 
-    return $resourceToBeDeleted
-}
+Write-Host "=== Script execution completed. ==="