Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: NetApp - Restructured as per ResourceType structure to & to enable additional capabilities #4043

Open
wants to merge 71 commits into
base: main
Choose a base branch
from

Conversation

AlexanderSehr
Copy link
Contributor

@AlexanderSehr AlexanderSehr commented Dec 21, 2024

Description

  • Restructured the deployment of backup to enable shared policies & future child-module publishing
  • Updated removal logic to handle backups
  • Introduced numerous UDTs
  • Aligned with several AVM specs (e.g., regarding naming)

Pipeline Reference

Pipeline
avm.res.net-app.net-app-account

Type of Change

  • Update to CI Environment or utilities (Non-module affecting changes)
  • Azure Verified Module updates:
    • Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in version.json:
      • Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description.
      • The bug was found by the module author, and no one has opened an issue to report it yet.
    • Feature update backwards compatible feature updates, and I have bumped the MINOR version in version.json.
    • Breaking changes and I have bumped the MAJOR version in version.json.
    • Update to documentation

@AlexanderSehr AlexanderSehr added Needs: Module Owner 📣 This module needs an owner to develop or maintain it Needs: Core Team 🧞 This item needs the AVM Core Team to review it labels Dec 21, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Triage 🔍 Maintainers need to triage still label Dec 21, 2024
@AlexanderSehr AlexanderSehr marked this pull request as ready for review December 22, 2024 08:24
@AlexanderSehr AlexanderSehr requested review from a team as code owners December 22, 2024 08:24
@AlexanderSehr AlexanderSehr enabled auto-merge (squash) December 22, 2024 08:24
@AlexanderSehr AlexanderSehr removed the Needs: Triage 🔍 Maintainers need to triage still label Dec 22, 2024
@AlexanderSehr AlexanderSehr linked an issue Dec 22, 2024 that may be closed by this pull request
@AlexanderSehr AlexanderSehr requested a review from a team as a code owner December 22, 2024 08:33
Comment on lines 101 to 103
'Microsoft.NetApp/netAppAccounts/backupVaults', # Must be deleted before netapp account
'Microsoft.NetApp/netAppAccounts/snapshotPolicies', # Must be deleted before netapp account
'Microsoft.NetApp/netAppAccounts/capacityPools', # Must be deleted before netapp account
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this part happening by default? children removed before their parent?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is true to an extend, but in this case the order of the child removal mattered (e.g., a volume must be removed before a policy for tha volume can - but they're children in seperate hierachies).

Also, it appears only to be the case for resources that are considered for a custom order like seen in this removal oder for the key vault max test:

Log Example
  VERBOSE: Total number of deployments after final ordering of resources [33]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateEndpoints/pep-***kvvmax002-vault-0/providers/Microsoft.Authorization/locks/myCustomLockName]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateEndpoints/pep-***kvvmax002-vault-1/providers/Microsoft.Authorization/locks/myCustomLockName]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/providers/Microsoft.Authorization/locks/myCustomLockName]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/secrets/secretName/providers/Microsoft.Authorization/roleAssignments/0737205d-3668-50f9-8f2f-541acc674054]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/keys/keyName/providers/Microsoft.Authorization/roleAssignments/4f20b6c5-6436-59bb-99ec-90a6a43d95e5]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/keys/keyName/providers/Microsoft.Authorization/roleAssignments/7c2c4038-9529-5649-99b3-3bd1a2c7b1a5]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/keys/keyName/providers/Microsoft.Authorization/roleAssignments/588af744-315d-5897-9dcf-43014f610c10]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/secrets/secretName/providers/Microsoft.Authorization/roleAssignments/0e829fb1-41bd-5f0b-82df-c0bfb4ccfe88]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/secrets/secretName/providers/Microsoft.Authorization/roleAssignments/2fb8d755-cd2a-5481-a1f0-233a4675e9b7]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateEndpoints/pep-***kvvmax002-vault-0/providers/Microsoft.Authorization/roleAssignments/010e06c0-1c1b-506a-b2db-f2c35384d3f0]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/providers/Microsoft.Authorization/roleAssignments/f17ab95a-046d-5cef-ae8c-eb2d9c261a7b]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateEndpoints/pep-***kvvmax002-vault-0/providers/Microsoft.Authorization/roleAssignments/5d515c8c-358f-54a7-a334-36e0bea1e0ca]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/providers/Microsoft.Authorization/roleAssignments/da6013f0-225b-56f8-b74e-93be471f13c9]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/providers/Microsoft.Authorization/roleAssignments/b50cc72e-a2f2-4c4c-a3ad-86a43feb6ab8]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/providers/Microsoft.Insights/diagnosticSettings/customSetting]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateEndpoints/pep-***kvvmax002-vault-0/privateDnsZoneGroups/default]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateEndpoints/pep-***kvvmax002-vault-1/privateDnsZoneGroups/default]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateEndpoints/pep-***kvvmax002-vault-1]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateEndpoints/pep-***kvvmax002-vault-0]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.OperationalInsights/workspaces/dep-***-law-kvvmax]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/dep-***-msi-kvvmax]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.EventHub/namespaces/dep-***-evhns-kvvmax01/authorizationRules/RootManageSharedAccessKey]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/dep-***-vnet-kvvmax-vnetlink]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.EventHub/namespaces/dep-***-evhns-kvvmax01/eventhubs/dep-***-evh-kvvmax01]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/accessPolicies/add]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/secrets/secretName]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.KeyVault/vaults/***kvvmax002/keys/keyName]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Storage/storageAccounts/dep***diasakvvmax03]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.EventHub/namespaces/dep-***-evhns-kvvmax01]
  VERBOSE: - Remove [/subscriptions/***/resourceGroups/dep-***-keyvault.vaults-kvvmax-rg/providers/Microsoft.Network/virtualNetworks/dep-***-vnet-kvvmax]

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If that is the case can the comment be updated? Currently we're saying children must be deleted before the account. Instead from the above message I understand it's the relative order between children that matters.

I didn't get the second part, the kv mx test example, can you please elaborate?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @eriqua,
I based my messages on the error messages returned by Azure when removing the services in the 'wrong' order, specifically when it tries to remove the ResourceGroup (as none of the child resources where explicitely specified to be removed). When trying to remove set resource group regardless you get for example,

  • [Microsoft.NetApp/netAppAccounts/backupVaults/backups] [Conflict : Cannot delete last backup as backup policy is assigned to the volume. Please retry after removing the backup policy from the volume.
  • [Microsoft.NetApp/netAppAccounts/backupVaults] [BadRequest : Cannot delete the backup vault resource as the backup vault contains backups. Please remove the backups before deleting the backup vault.
  • [Microsoft.NetApp/netAppAccounts/capacityPools] WARNING: [!] Removal moved back for retry. Reason: [CannotDeleteResource : Cannot delete resource while nested resources exist. Some existing nested resource IDs include: 'Microsoft.NetApp/netAppAccounts/***nanaamax001/capacityPools/cp-001/volumes/vol-001, Microsoft.NetApp/netAppAccounts/***nanaamax001/capacityPools/cp-001/volumes/vol-002'. Please delete all nested resources before deleting this resource.
  • [Microsoft.NetApp/netAppAccounts/snapshotPolicies] WARNING: [!] Removal moved back for retry. Reason: [SnapshotPolicyUsedInVolumes : SnapshotPolicy is used in 1 volumes.

What I'm hence trying to say with, for example, 'Microsoft.NetApp/netAppAccounts/capacityPools', # Must be deleted before netapp account is that the capacityPool must be removed before the netapp account as it will otherwise fail. So it is both a matter of 'children must be deleted before their parents' and 'certain children must be deleted before other children can' (example comment "# Must be deleted before netapp account capacity pool & attached policies").
Could you give me an example how you'd make the comments clearer? :)


Regarding the Key Vault example I just wanted to show that the logic works as follows

  • All reource IDs for removal are fetched
  • They're then sorted as per their level of nesting (with children coming first)
  • And finally they're further sorted as per the removalOrder sequence which is why in the middle we see the 'resourceGroup'. Everything below is essentially ignored as we expect the RG-removal to take care of those / that they don't need a dedicated order.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated @eriqua :)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What I'm challenging it's not the comment clarity. Stating some children must be deleted before their parents is crystal clear and does not need to be further elaborated. The point is that the removal logic already orders resources that way, BUT you are right, having the resource group in the list basically forces us to explicitly mention their order in the list anyway.
Do you recall why we added the resource group in the list and we don't for example delete it as last? In that case I believe the ordering logic alone would cover. Just a question for now, I don't want to block the PR on it, but I think it's worth checking

Copy link
Contributor Author

@AlexanderSehr AlexanderSehr Dec 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @eriqua,
I don't recall - but the reason may be that back then, when we added it, the 'remove last' list didn't likely not exist yet (as it was only introduced in AVM thanks to the LZ PTN module).
I hence assume the reasoning was to ensure the removal logic does not try to remove every single child, but only where it is required as the RP can't do it itself, and for the others have the default RG-removal logic take care of it.
But again - not sure ... so don't quote me on that 😉

@AlexanderSehr AlexanderSehr requested a review from eriqua December 23, 2024 13:06
Copy link
Contributor

@fbinotto fbinotto left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Needs: Core Team 🧞 This item needs the AVM Core Team to review it Needs: Module Owner 📣 This module needs an owner to develop or maintain it Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Failed pipeline] avm.res.net-app.net-app-account
3 participants