Azure · AlexanderSehr · Apr 29, 2024 · Nov 7, 2023 · Nov 7, 2023 · Nov 8, 2023
@@ -0,0 +1,126 @@
+name: ".Platform - Clean up deployment history"
+
+on:
+  workflow_dispatch:
+    inputs:
+      handleSubscriptionScope:
+        type: boolean
+        description: "Include Subscription deployments"
+        required: false
+        default: true # Note: This requires your service principal to have permissions on the subscription scope.
+      handleManagementGroupScope:
+        type: boolean
+        description: "Include Management Group deployments"
+        required: false
+        default: true # Note: This requires your service principal to have permissions on the management group scope.
+      maxDeploymentRetentionInDays:
+        type: string
+        description: "The number of days to keep deployments with status [failed]" # 'Running' are always excluded
+        required: false
+        default: "14"
+  schedule:
+    - cron: "0 0 * * *"
+
+env:
+  workflowPath: ".github/workflows/platform.deployment.history.cleanup.yml"
+
+jobs:
+  ###########################
+  #   Initialize pipeline   #
+  ###########################
+  job_initialize_pipeline:
+    runs-on: ubuntu-latest
+    name: "Initialize pipeline"
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: "Set input parameters to output variables"
+        id: get-workflow-param
+        uses: ./.github/actions/templates/avm-getWorkflowInput
+        with:
+          workflowPath: "${{ env.workflowPath}}"
+    outputs:
+      workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }}
+
+  ###############
+  #   Removal   #
+  ###############
+  job_cleanup_subscription_deployments:
+    runs-on: ubuntu-20.04
+    name: "Remove Subscription deployments"
+    needs:
+      - job_initialize_pipeline
+    if: ${{ (fromJson(needs.job_initialize_pipeline.outputs.workflowInput)).handleSubscriptionScope == 'true' }}
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set environment
+        uses: ./.github/actions/templates/avm-setEnvironment
+
+      - name: Azure Login
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          enable-AzPSSession: true
+
+      - name: Remove deployments
+        uses: azure/powershell@v1
+        with:
+          inlineScript: |
+            # Load used functions
+            . (Join-Path $env:GITHUB_WORKSPACE 'avm' 'utilities' 'pipelines' 'platform' 'deploymentRemoval' 'Clear-SubscriptionDeploymentHistory.ps1')
+
+            $functionInput = @{
+              SubscriptionId               = '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+              maxDeploymentRetentionInDays = '${{ (fromJson(needs.job_initialize_pipeline.outputs.workflowInput)).maxDeploymentRetentionInDays }}'
+            }
+
+            Write-Verbose "Invoke task with" -Verbose
+            Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose
+
+            Clear-SubscriptionDeploymentHistory @functionInput
+          azPSVersion: "latest"
+
+  job_cleanup_managementGroup_deployments:
+    runs-on: ubuntu-20.04
+    name: "Remove Management Group deployments"
+    needs:
+      - job_initialize_pipeline
+    if: ${{ (fromJson(needs.job_initialize_pipeline.outputs.workflowInput)).handleManagementGroupScope == 'true' }}
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set environment
+        uses: ./.github/actions/templates/avm-setEnvironment
+
+      - name: Azure Login
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          enable-AzPSSession: true
+
+      - name: Remove deployments
+        uses: azure/powershell@v1
+        with:
+          inlineScript: |
+            # Load used functions
+            . (Join-Path $env:GITHUB_WORKSPACE 'avm' 'utilities' 'pipelines' 'platform' 'deploymentRemoval' 'Clear-ManagementGroupDeploymentHistory.ps1')
+
+            $functionInput = @{
+              ManagementGroupId            = '${{ secrets.ARM_MGMTGROUP_ID }}'
+              maxDeploymentRetentionInDays = '${{ (fromJson(needs.job_initialize_pipeline.outputs.workflowInput)).maxDeploymentRetentionInDays }}'
+            }
+
+            Write-Verbose "Invoke task with" -Verbose
+            Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose
+
+            Clear-ManagementGroupDeploymentHistory @functionInput
+          azPSVersion: "latest"
@@ -0,0 +1,118 @@
+
+<#
+.SYNOPSIS
+Bulk delete all deployments on the given management group scope
+
+.DESCRIPTION
+Bulk delete all deployments on the given management group scope
+
+.PARAMETER ManagementGroupId
+Mandatory. The Resource ID of the Management Group to remove the deployments from.
+
+.PARAMETER DeploymentStatusToExclude
+Optional. The status to exlude from removals. Can be multiple. By default, we exclude any deployment that is in state 'running' or 'failed'.
+
+.PARAMETER maxDeploymentRetentionInDays
+Optional. The time to keep deployments with a status to exclude. In other words, if a deployment is in a status to exclude, but older than the threshold, it will be deleted.
+
+.EXAMPLE
+Clear-ManagementGroupDeploymentHistory -ManagementGroupId 'MyManagementGroupId'
+
+Bulk remove all 'non-running' & 'non-failed' deployments from the Management Group with ID 'MyManagementGroupId'
+
+.EXAMPLE
+Clear-ManagementGroupDeploymentHistory -ManagementGroupId 'MyManagementGroupId' -DeploymentStatusToExclude @('running')
+
+Bulk remove all 'non-running' deployments from the Management Group with ID 'MyManagementGroupId'
+#>
+function Clear-ManagementGroupDeploymentHistory {
+
+
+    [CmdletBinding(SupportsShouldProcess)]
+    param (
+        [Parameter(Mandatory = $true)]
+        [string] $ManagementGroupId,
+
+        [Parameter(Mandatory = $false)]
+        [string[]] $DeploymentStatusToExclude = @('running', 'failed'),
+
+        [Parameter(Mandatory = $false)]
+        [int] $maxDeploymentRetentionInDays = 14
+    )
+
+    # Load helper functions
+    . (Join-Path (Split-Path $PSScriptRoot) 'helper' 'Split-Array.ps1')
+
+    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 # Enables web reponse
+    $deploymentThreshold = (Get-Date).AddDays(-1 * $maxDeploymentRetentionInDays)
+
+    $getInputObject = @{
+        Method  = 'GET'
+        Uri     = "https://management.azure.com/providers/Microsoft.Management/managementGroups/$ManagementGroupId/providers/Microsoft.Resources/deployments/?api-version=2021-04-01"
+        Headers = @{
+            Authorization = 'Bearer {0}' -f (Get-AzAccessToken).Token
+        }
+    }
+    $response = Invoke-RestMethod @getInputObject
+
+    if (($response | Get-Member -MemberType 'NoteProperty').Name -notcontains 'value') {
+        throw ('Fetching deployments failed with error [{0}]' -f ($reponse | Out-String))
+    }
+
+    Write-Verbose ('Found [{0}] deployments in management group [{1}]' -f $response.value.Count, $ManagementGroupId) -Verbose
+
+    $relevantDeployments = $response.value | Where-Object {
+        $_.properties.provisioningState -notin $DeploymentStatusToExclude -or
+        ([DateTime]$_.properties.timestamp) -lt $deploymentThreshold -and
+        $_.properties.provisioningState -ne 'running' # we should never delete 'running' deployments
+    }
+
+    Write-Verbose ('Filtering [{0}] deployments out as they are in state [{1}] or newer than [{2}] days ({3})' -f ($response.value.Count - $relevantDeployments.Count), ($DeploymentStatusToExclude -join '/'), $maxDeploymentRetentionInDays, $deploymentThreshold.ToString('yyyy-MM-dd')) -Verbose
+
+    if (-not $relevantDeployments) {
+        Write-Verbose 'No deployments found' -Verbose
+        return
+    }
+
+    $rawDeploymentChunks = Split-Array -InputArray $relevantDeployments -SplitSize 100
+    if ($relevantDeployments.Count -le 100) {
+        $relevantDeploymentChunks = , $rawDeploymentChunks
+    } else {
+        $relevantDeploymentChunks = $rawDeploymentChunks
+    }
+
+    Write-Verbose ('Triggering the removal of [{0}] deployments from management group [{1}]' -f $relevantDeployments.Count, $ManagementGroupId) -Verbose
+
+    foreach ($deployments in $relevantDeploymentChunks) {
+
+        $requests = $deployments | ForEach-Object {
+            @{ httpMethod            = 'DELETE'
+                name                 = (New-Guid).Guid # Each batch request needs a unique ID
+                requestHeaderDetails = @{
+                    commandName = 'HubsExtension.Microsoft.Resources/deployments.BulkDelete.execute'
+                }
+                url                  = '/providers/Microsoft.Management/managementGroups/{0}/providers/Microsoft.Resources/deployments/{1}?api-version=2019-08-01' -f $ManagementGroupId, $_.name
+            }
+        }
+
+        if ($requests -is [hashtable]) {
+            $requests = , $requests
+        }
+
+        $removeInputObject = @{
+            Method  = 'POST'
+            Uri     = 'https://management.azure.com/batch?api-version=2020-06-01'
+            Headers = @{
+                Authorization  = 'Bearer {0}' -f (Get-AzAccessToken).Token
+                'Content-Type' = 'application/json'
+            }
+            Body    = @{
+                requests = $requests
+            } | ConvertTo-Json -Depth 4
+        }
+        if ($PSCmdlet.ShouldProcess(('Removal of [{0}] deployments' -f $requests.Count), 'Request')) {
+            $null = Invoke-RestMethod @removeInputObject
+        }
+    }
+    Write-Verbose 'Script execution finished. Note that the removal can take a few minutes to propagate.' -Verbose
+}
@@ -0,0 +1,122 @@
+
+<#
+.SYNOPSIS
+Bulk delete all deployments on the given subscription scope
+
+.DESCRIPTION
+Bulk delete all deployments on the given subscription scope
+
+.PARAMETER subscriptionId
+Optional. The ID of the subscription to remove the deployments from. Defaults to the current context.
+
+.PARAMETER DeploymentStatusToExclude
+Optional. The status to exlude from removals. Can be multiple. By default, we exclude any deployment that is in state 'running' or 'failed'.
+
+.PARAMETER maxDeploymentRetentionInDays
+Optional. The time to keep deployments with a status to exclude. In other words, if a deployment is in a status to exclude, but older than the threshold, it will be deleted.
+
+.EXAMPLE
+Clear-SubscriptionDeploymentHistory -subscriptionId '11111111-1111-1111-1111-111111111111'
+
+Bulk remove all 'non-running' & 'non-failed' deployments from the subscription with ID '11111111-1111-1111-1111-111111111111'
+
+.EXAMPLE
+Clear-SubscriptionDeploymentHistory -subscriptionId '11111111-1111-1111-1111-111111111111' -DeploymentStatusToExclude @('running')
+
+Bulk remove all 'non-running' deployments from the subscription with ID '11111111-1111-1111-1111-111111111111'
+#>
+function Clear-SubscriptionDeploymentHistory {
+
+
+    [CmdletBinding(SupportsShouldProcess)]
+    param (
+        [Parameter(Mandatory = $false)]
+        [string] $subscriptionId = (Get-AzContext).Subscription.Id,
+
+        [Parameter(Mandatory = $false)]
+        [string[]] $DeploymentStatusToExclude = @('running', 'failed'),
+
+        [Parameter(Mandatory = $false)]
+        [int] $maxDeploymentRetentionInDays = 14
+    )
+
+    # Load helper functions
+    . (Join-Path (Split-Path $PSScriptRoot) 'helper' 'Split-Array.ps1')
+
+    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 # Enables web reponse
+    $deploymentThreshold = (Get-Date).AddDays(-1 * $maxDeploymentRetentionInDays)
+
+    # Setting context explicitely in case the principal has permissions on multiple
+    Write-Verbose ('Setting context to subscription [{0}]' -f $subscriptionId)
+    $null = Set-AzContext -Subscription $subscriptionId
+
+    $getInputObject = @{
+        Method  = 'GET'
+        Uri     = "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.Resources/deployments?api-version=2020-06-01"
+        Headers = @{
+            Authorization = 'Bearer {0}' -f (Get-AzAccessToken).Token
+        }
+    }
+    $response = Invoke-RestMethod @getInputObject
+
+    if (($response | Get-Member -MemberType 'NoteProperty').Name -notcontains 'value') {
+        throw ('Fetching deployments failed with error [{0}]' -f ($reponse | Out-String))
+    }
+
+    Write-Verbose ('Found [{0}] deployments in subscription [{1}]' -f $response.value.Count, $subscriptionId) -Verbose
+
+    $relevantDeployments = $response.value | Where-Object {
+        $_.properties.provisioningState -notin $DeploymentStatusToExclude -or
+        ([DateTime]$_.properties.timestamp) -lt $deploymentThreshold -and
+        $_.properties.provisioningState -ne 'running' # we should never delete 'running' deployments
+    }
+
+    Write-Verbose ('Filtering [{0}] deployments out as they are in state [{1}] or newer than [{2}] days ({3})' -f ($response.value.Count - $relevantDeployments.Count), ($DeploymentStatusToExclude -join '/'), $maxDeploymentRetentionInDays, $deploymentThreshold.ToString('yyyy-MM-dd')) -Verbose
+
+    if (-not $relevantDeployments) {
+        Write-Verbose ('No deployments for subscription [{0}] found' -f $subscriptionId) -Verbose
+        return
+    }
+
+    $rawDeploymentChunks = Split-Array -InputArray $relevantDeployments -SplitSize 100
+    if ($relevantDeployments.Count -le 100) {
+        $relevantDeploymentChunks = , $rawDeploymentChunks
+    } else {
+        $relevantDeploymentChunks = $rawDeploymentChunks
+    }
+
+    Write-Verbose ('Triggering the removal of [{0}] deployments from subscription [{1}]' -f $relevantDeployments.Count, $subscriptionId) -Verbose
+
+    foreach ($deployments in $relevantDeploymentChunks) {
+
+        $requests = $deployments | ForEach-Object {
+            @{ httpMethod            = 'DELETE'
+                name                 = (New-Guid).Guid # Each batch request needs a unique ID
+                requestHeaderDetails = @{
+                    commandName = 'HubsExtension.Microsoft.Resources/deployments.BulkDelete.execute'
+                }
+                url                  = '/subscriptions/{0}/providers/Microsoft.Resources/deployments/{1}?api-version=2019-08-01' -f $subscriptionId, $_.name
+            }
+        }
+
+        if ($requests -is [hashtable]) {
+            $requests = , $requests
+        }
+
+        $removeInputObject = @{
+            Method  = 'POST'
+            Uri     = 'https://management.azure.com/batch?api-version=2020-06-01'
+            Headers = @{
+                Authorization  = 'Bearer {0}' -f (Get-AzAccessToken).Token
+                'Content-Type' = 'application/json'
+            }
+            Body    = @{
+                requests = $requests
+            } | ConvertTo-Json -Depth 4 -EnumsAsStrings
+        }
+        if ($PSCmdlet.ShouldProcess(('Removal of [{0}] deployments' -f $requests.Count), 'Request')) {
+            $null = Invoke-RestMethod @removeInputObject
+        }
+    }
+    Write-Verbose 'Script execution finished. Note that the removal can take a few minutes to propagate.' -Verbose
+}