cleanRgResources.ps1
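<#
.SYNOPSIS
    Automation runbook that empties every resource group tagged Cleanup=Automatically.

.DESCRIPTION
    Signs in with the Automation account's system-assigned managed identity and,
    for each resource group carrying the tag Cleanup=Automatically:
      1. deletes every resource in the group (public IP addresses in a second
         pass, then a final sweep for anything that only became deletable once
         its parent was gone),
      2. purges Key Vaults from the group that are left in the soft-deleted state,
      3. removes role assignments whose principal no longer exists ("Unknown")
         at the group's own scope or below. Assignments inherited from the
         subscription are deliberately left untouched.
    The resource groups themselves are not deleted.

.NOTES
    Destructive and unattended: nothing in a tagged group is preserved, and no
    confirmation is requested. The managed identity must be allowed to delete
    resources, purge Key Vaults and remove role assignments in the target groups.
    All diagnostics are counts, not object dumps, so principal details do not end
    up in the job log.
#>

try {
    # Do not persist the managed-identity context beyond this process.
    Disable-AzContextAutosave -Scope Process
    # System-assigned managed identity of the Automation account.
    $AzureContext = (Connect-AzAccount -Identity).context
    $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext
}
catch {
    Write-Error -Message $_.Exception
    throw $_.Exception
}

# Only groups that opt in through this tag are touched; everything else is ignored.
$cleanupTag = @{ 'Cleanup' = 'Automatically' }

Write-Output "Get Resource Groups"
$rgsToPurge = Get-AzResourceGroup -Tag $cleanupTag

foreach ($RG in $rgsToPurge) {
    $rgName = $RG.ResourceGroupName
    Write-Output "Evaluating Resource Group = $rgName"

    # @(...) forces an array so .Count is right for 0, 1 or many results.
    $rgResources = @(Get-AzResource -ResourceGroupName $rgName)
    $rgResourceCount = $rgResources.Count
    Write-Output "$rgResourceCount resources to remove from $rgName"

    if ($rgResourceCount -gt 0) {
        # Record the vaults before deletion: afterwards they only exist in the
        # soft-deleted state and have to be purged separately.
        $keyvaults = @($rgResources | Where-Object { $_.ResourceType -eq 'Microsoft.KeyVault/vaults' })
        Write-Output "$($keyvaults.Count) keyvaults to remove from $rgName"

        # Public IP addresses go in a second pass — presumably because resources
        # still referencing them (NICs, load balancers) block their deletion.
        $rgResources |
            Where-Object { $_.ResourceType -ne 'Microsoft.Network/publicIPAddresses' } |
            Remove-AzResource -Force
        $rgResources |
            Where-Object { $_.ResourceType -eq 'Microsoft.Network/publicIPAddresses' } |
            Remove-AzResource -Force

        $remaining = @(Get-AzResource -ResourceGroupName $rgName)
        Write-Output "Post check. $($remaining.Count) resources left to remove from $rgName"
        if ($remaining.Count -eq $rgResourceCount) {
            # Not a single resource went away: most likely a lock or missing permission.
            # Non-terminating on purpose so the remaining groups are still processed.
            Write-Error "Issue deleting resources"
        }

        # Final sweep for dependent resources in the parent/child graph that
        # could not be removed until their parent was gone.
        Get-AzResource -ResourceGroupName $rgName | Remove-AzResource -Force

        if ($keyvaults.Count -gt 0) {
            Write-Output "Purging KeyVaults"
            # A deleted vault stays in the removed (soft-deleted) state, and keeps
            # its name reserved, until it is explicitly purged.
            $kvToPurge = @($keyvaults |
                ForEach-Object { Get-AzKeyVault -VaultName $_.Name -InRemovedState -Location $_.Location } |
                Where-Object { $null -ne $_ })
            Write-Output "Post check. $($kvToPurge.Count) key vaults to purge from $rgName"
            $kvToPurge | ForEach-Object {
                Remove-AzKeyVault -VaultName $_.VaultName -InRemovedState -Location $_.Location -Force
            }
            # Second attempt, but only for vaults still in the removed state, so a
            # vault purged by the first pass does not produce a spurious error.
            $keyvaults |
                ForEach-Object { Get-AzKeyVault -VaultName $_.Name -InRemovedState -Location $_.Location } |
                Where-Object { $null -ne $_ } |
                ForEach-Object {
                    Remove-AzKeyVault -VaultName $_.VaultName -InRemovedState -Location $_.Location -Force
                }
        }
    }

    # Remove orphaned role assignments (principal deleted -> ObjectType "Unknown").
    # Matching on the group's resource ID (exact, or as a prefix for child scopes)
    # instead of a "*/<name>" suffix keeps subscription-level or unrelated
    # assignments that merely end in the same name out of the deletion set.
    Write-Output "Checking $rgName for Invalid RBAC assignments"
    $rgScope = $RG.ResourceId
    $assignments = @(Get-AzRoleAssignment -ResourceGroupName $rgName)
    # Log a count only; the assignment objects carry principal names and sign-in
    # names that do not belong in the job output.
    Write-Output "$($assignments.Count) role assignments found for $rgName"
    $invalidAssignments = @($assignments | Where-Object {
        $_.ObjectType -eq 'Unknown' -and
        ($_.Scope -eq $rgScope -or $_.Scope -like "$rgScope/*")
    })
    if ($invalidAssignments.Count -gt 0) {
        Write-Output "$($invalidAssignments.Count) invalid RBAC assignments found, removing"
        $invalidAssignments | ForEach-Object { $_ | Remove-AzRoleAssignment }
    }
}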