Is there a way of excluding a management group resource declaration?

[BenjaminEngeset]

Hello project contributors and maintainers.

Is there currently a way of excluding a management group resource declaration?

In a situation where the platform team does not have an owner role or Microsoft.Resources/deployments/write at management group.

Reader is given at management group and at subscription they are contributors.

That works actually nice with AzOps; it is still able to traverse through management group since it can read it.

Problem is when it wants to push the tracked management resource declaration..

New-AzManagementGroupDeployment: The client 'xxx' with object id
'xxx' does not have authorization to perform
action 'Microsoft.Resources/deployments/write' over scope...

I see that "Core.SkipResourceType" is only for resource types which targets resource group scoped resources.

I understand that AzOps is intended and designed to be used with an owner role, but I had a slight hope that there might be some sort of way to get it to overlook this management resource declaration that got pulled in.

Thanks in advance =)

/b

[daltondhcp]

Before we dig into potential solutions for your use case, it would be interesting to understand why you grant reader permissions at MG level if they are only supposed to operate at subscription level? If you remove MG permissions, folders for each subscription will be created directly under the root folder, and subject to correct roleAssignments there shouldn't be any permission issues 😀

[BenjaminEngeset]

Good point, it is identical so should have nothing to say.

Will also save deployment history that can cause confusion and noise for the team or other teams that might be involved in the organization.

I am happy to see that there are many cases where AzOps can be used, not only high level permission.

If you only give the security principal access from RGs and down, will AzOps tackle that as well and understand the context?

[daltondhcp]

Yes, it works exactly the same as with subscription scoped SPNs, but RG folders will only be created subject to the RBAC permissions. (Similar to how it works when you have RG scoped permissions in a subscription and are using the Azure portal)

[BenjaminEngeset]

Do you have the example how it was solved for GH so I can try to see if same logic can be applied for ADO? Was trying to check the examples, but did not see it super clear (most probably due to lacking GH knowledge). Just trying to put together how to differentiate on this when both the human interaction and pull are both merging into main branch:

trigger:
  branches:
    include:
      - main
  paths:
    include:
      - root

[daltondhcp]

For GitHub it is actually the default behavior, so no extra config needed there.
For ADO, you need to add a condition, like commit message or source branch. Unfortunately the [skip ci] method doesn't work on PR merge.

See simple example how it can be implemented below:

push.yml

jobs:  
  - job: push
    condition: not(contains(variables['Build.SourceVersionMessage'], 'from automated into main'))

Obviously, you can use other build variables or messages than the one above, but you get the picture 😄

[BenjaminEngeset]

@daltondhcp

You are the man, thank you! I can't believe I was able to overlook this in the documentation.

I was trying to edit the default commit message to add [skip ci], but it never worked and I saw similar issues in the community.

Again, truly grateful.