AzOps not pulling ARM templates for child resources?

[kahawai-sre]

Issue and observations
When "Core.SkipResource" is set to "False", and the intent is for AzOps to keep state with Azure Landing Zones platform resources, and manage those resources in ARM format, AzOps pull does not appear to import templates for child resources.

The context and intent here is using AzOps to perform ongoing management of core platform resources that have been initially deployed using the Azure Landing Zones portal experience only.
i.e. excluding non-platform (Landing Zone) subscriptions and treating those as push only, or using other IaC and pipeline capabilities in those contexts.

Specifically, the following are not imported and are therefore not manageable:

• Microsoft.Network/virtualHubs/hubVirtualNetworkConnections
• Microsoft.Network/virtualHubs/hubRouteTables
• Microsoft.Network/firewallPolicies/ruleCollectionGroups
• [Other child resources that might be part of the platform subs?]

Steps to reproduce

• Using the portal experience, bootstrap the Azure Landing Zones management groups, subscriptions, and core platform resources including Virtual WAN, Virtual Hub, and Azure Firewall Premium tier, and Github integration.
• Wait for the initial Enterprise-Scale Deployment AzOps - Pull action to complete in github
• Observe the results of imported resources (AzOps state) under the root/Intermediate MG/Platform MG/Connectivity MG/Connectivity Subscription/xxx-vnethub- Resource Group
• Verify for example that no ARM template files are created in that path for Microsoft.Network/virtualHubs/hubVirtualNetworkConnections or Microsoft.Network/virtualHubs/hubRouteTable resources
• As a comparison, run Export-AzResourceGroup -ResourceGroupName xxx-vnethub- and verify that the ARM export includes the Microsoft.Network/virtualHubs/hubVirtualNetworkConnections and Microsoft.Network/virtualHubs/hubRouteTable child resources (defined as 'top-level' resources with reference to parent).

Not 100% sure on the intent here, but if one of the capabilities of AzOps is to maintain state with Azure - at least in the context of platform-level resources bootstrapped by Azure Landing Zones accelerator portal experience, then it would be valuable to have this functionality.

[daltondhcp]

This happens because the resources API/Get-AzResources cmdlet doesn't enumerate/list the child resources. We will put into our backlog and investigate what can be done to support this, but for now, managing these resources with custom templates is the way to go.

[kahawai-sre]

Many thanks for the update @daltondhcp and for taking this into the backlog.
As per the request it would be great to have the child resources deployed via the Azure Landing Zones accelerator experience brought into the repo during first bootstrap. Code first approach is a good option going forward.

[edm-ms]

I came here to make the same ask. The firewall policies in particular would be incredibly useful. A traditional network engineer who is new to these concepts is very likely to make resource changes in the Azure Portal, and it would be amazing to have these automatically integrated into source control.

[jasonbrisbin]

I think it would also be key to be able to capture things like Diagnostic Settings and resource scoped access assignments.

[mortenp1337]

Hi, i was investigating why AzOps did not pull my "Microsoft.Network/firewallPolicies/ruleCollectionGroups" so +1 for adding this feature.

[daltondhcp]

Just wanted to let you all know that this has now been released with 1.7.1 that we shipped yesterday. To enable pull for child resources, just add/set the "Core.SkipChildResource" setting to false.
See https://github.com/Azure/AzOps-Accelerator/pull/99/files for further details.

Please give it a try and do let us know if you have any feedback or if you find issues.