[Bug]: Start-AMBACleanup is not removing role assignment #42
Comments
Thank you @anwather for raising this issue. I will add this to our backlog and report here when it's been resolved. As a workaround, after running the cleanup script you can delete the assignments manually before redeploying.
Hi @anwather, thanks for raising this issue! I am working to reproduce what you are seeing so we can get it fixed. The cleanup scripts are written to be conservative in that they delete, so slight changes to the environment might mean the cleanup is incomplete. The way that we determine which Role Assignments to clean up with the Start-AMBACleanup script is:
1. Get a list of Policy Assignments with the metadata property '_deployed_by_amba=True'
2. From the list of Policy Assignments, we pull out the Assignment identity's principal ID
3. Query for Role Assignments to each Policy Assignment identity where the Role Assignment's description property is '_deployed_by_amba'
If you happen to have done any of the following, the script will not clean up the Role Assignments:
* Removed the metadata on the Policy Assignment
* Removed the Policy Assignment manually
* Manually changed the Policy Assignment identity and recreated the Role Assignment (such as in the Portal)
* Removed the Role Assignment description
To help troubleshoot, can you please confirm that the role assignments in your screenshot have the description value '_deployed_by_amba'? To see the Description in the Portal, if you navigate to your connectivity Management Group, go to Access Control (IAM), then choose 'Edit Columns' at the top of the screen and check the box next to Description.
[heart] Paul Grimley (HE/HIM) reacted to your message.
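The three selection steps in the comment above, written out as a read-only diagnostic so you can see which role assignments the cleanup logic would select and which it would skip. This is an added example, not the AMBA project's Start-AMBACleanup script; it assumes Az.Resources is installed, Connect-AzAccount has been run, `$ManagementGroupId` is a placeholder for your management group, and the `Properties.Metadata` / `Identity.PrincipalId` object shape returned by Get-AzPolicyAssignment at the time of this issue.

```powershell
# Added diagnostic example (not the project's Start-AMBACleanup script).
# Reports, per AMBA policy-assignment identity, which role assignments the
# cleanup selection would pick up and which it would leave behind because
# the '_deployed_by_amba' description is missing. Nothing is deleted.
# Assumptions: Az.Resources module, an authenticated Az session, and the
# 2023-era Get-AzPolicyAssignment output shape (Properties.Metadata).
param(
    [Parameter(Mandatory)] [string] $ManagementGroupId   # placeholder: your MG id
)

$scope = "/providers/Microsoft.Management/managementGroups/$ManagementGroupId"

# Step 1: policy assignments whose metadata carries _deployed_by_amba = True
$ambaAssignments = Get-AzPolicyAssignment -Scope $scope |
    Where-Object { "$($_.Properties.Metadata._deployed_by_amba)" -eq 'True' }

foreach ($pa in $ambaAssignments) {
    # Step 2: the assignment's managed-identity principal ID
    $principalId = $pa.Identity.PrincipalId
    if (-not $principalId) {
        Write-Warning "Policy assignment '$($pa.Name)' has no identity; nothing to check."
        continue
    }

    # Step 3: role assignments held by that identity, split on the description marker
    $roleAssignments = Get-AzRoleAssignment -ObjectId $principalId
    $tagged   = $roleAssignments | Where-Object { $_.Description -eq '_deployed_by_amba' }
    $untagged = $roleAssignments | Where-Object { $_.Description -ne '_deployed_by_amba' }

    foreach ($ra in $tagged) {
        Write-Output "WOULD REMOVE  $($ra.RoleDefinitionName) at $($ra.Scope) (policy assignment '$($pa.Name)')"
    }
    foreach ($ra in $untagged) {
        # Orphan candidates: held by an AMBA identity but lacking the marker,
        # so the cleanup selection described above will not touch them.
        Write-Output "WOULD SKIP    $($ra.RoleDefinitionName) at $($ra.Scope) (description: '$($ra.Description)')"
    }
}
```

Any line reported as WOULD SKIP is one the cleanup will not remove, and matches one of the four conditions listed in the comment above (most often a missing description).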
I was unable to reproduce this issue, but the changes in the associated PR should help make the role assignment cleanup more reliable (less complex). If we see this again, we'll need to dig into activity and deployment logs to demonstrate that we, via our automation, are creating role assignments which are missing descriptions. I've let @anwather know and he will close the issue after any other investigation on his side.
I was able to reproduce the issue and with #44 it was resolved.
Description
I think that the Start-AMBACleanup script isn't removing the role assignments - it is leaving these orphaned roles.
At the management group levels underneath this there is the same thing as well - one for each of identity/management/connectivity management groups e.g.
I noticed this due to attempting to deploy the solution multiple times and it not being able to deploy the role assignments again (said it was unable to update them)