Feature Request - Only track templates deployed with AzOps #424
By default we track policy and resource groups. I know at one point there was an option for all resources, but this really created a lot of sprawl. I am asking if there is a way to track only templates I push through the AzOps pipeline. What I really am getting at here is the ability to track out of band changes (portal or elsewhere) for things I deploy via AzOps.
Short answer is No. Long answer: As per Enterprise-Scale, following resources are considered within the scope of the platform and are considered within the scope (can be overridden via settings.json or .gitignore in local repo). Default settings for the module/pipeline have resource templates turned off. Having said that, one can enable specific template by resource type by enabling above settings for all resources, while respecting boundary between platform and workloads, and/or adjusting .gitignore with following consideration. There is no right or wrong way to author a template and AzOps does not enforce specific style of authoring template. When user brings their own template, lifecycle of the resource (future CRUD operations) is rooted in the template. Due to various authoring styles i.e. one resource per template, multiple resources per template, linked, nested templates etc. there is no good way to reconcile changes automatically with user's style of authoring template. Hence, it is strongly recommended to ensure lifecycle changes of the resources deployed via BYOT are managed via code-first approach with push pipeline only to avoid duplication between resources authored in BYOT and templates that will be created with AzOps. Having said that, if there is no strong concern with authoring style, one can author BYOT template in the way AzOps deploys resources (consistent GET and PUT based on ARM schema e.g. Key Vault) for simplicity and future operationalizing aspect in mind.
Thanks, I'll close the issue, makes sense. One more question though on what is tracked. I see we list Microsoft.Authorization/roleAssignments. But when I am doing role assignments I do not see these represented as code in the repo. Policy assignments I see, but issuing standard Azure RBAC role assignments are absent.
These are settings that can be specified here:
Must have missed that, thanks!
It would be great to have AzOps automatically track templates that are deployed through the pipeline. So rather than track all resources in Azure which could be very noisy and complicated, I would love to see AzOps have the option to track any template deployed through the GH action.
Example:
Push base Azure Firewall template with rules. Once the template is deployed via AzOps the state is now tracked. So if a user makes changes in the portal, the changes made there are then merged in via the AzOps scheduled pull.