Feature: Management Groups and Policies

[jamesgoodhouse]

We're looking into leverage the Azure Service Operator for managing higher level resources for managing individual subscriptions and related things like management groups and their policies among other thing. I do not believe this is currently part of the support resources, but i wanted to see if this is on the roadmap, or if PRs would be accepted for adding the resources?

[matthchr]

We're definitely interested in supporting these sorts of resources. Do you have a concrete list of what all you need? Obviously Microsoft.Management/managementGroups, Microsoft.Subscription/subscriptionDefinitions, and probably Microsoft.Subscription/policies.

What else?

We would be open to a PR, but just be aware that supporting these resources might be a bit more complicated than it first seems. The complexity here comes with these being root resources that impact how owner resolution is done. If you see resolver.go, resources that are "roots" (RG, Subscription, Tenant, Management Group) have to implement genruntime.NamespacedResourceReference. That's in itself not a problem but it means that we'd possibly want to add support for code-generating those resources (assuming they have Swaggers, I'd need to check). We don't codegen that right now because at least at the time we wrote the generator ResourceGroup didn't have a great Swagger spec.

It's also possible that some updates would need to be made to the azure_generic_arm_reconciler provisioning logic... although I took a look and it does seem like it might just work as is...

[jamesgoodhouse]

Those are the main resources that come to mind. We're still in the early stages of determining our account structure/hierarchy and I am still ramping up on what pieces we will need to automate.

I believe they would be able to leverage code-generation, as I see schemas existing in https://github.com/Azure/azure-resource-manager-schemas.

[matthchr]

Some implementation notes for this: Subscriptions Swagger is here and there's a JSON schema here.

The JSON schema roots up to https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json, rather than the normal https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json. We don't currently read https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json so we'll need to add that as part of supporting this.

[matthchr]

Creating and canceling subscriptions support was added in #2446. I've changed the title of this issue to correctly reflect the remaining work which is not yet supported (Creating/deleting management groups or policies).

[matthchr]

Still interested in doing this

[theunrepentantgeek]

No change from the above.

[jamesgoodhouse]

I'm no longer working with Azure at the moment, but I'm sure this would still be a great addition if someone is able to put together a PR