[DevOps] PR Builds: Add PR deployment support to Deploy-Hub#2030
Extends Deploy-Hub.ps1 with CI/automation support:
- `-PR` switch sets initials to "pr" for PR-based naming (e.g., pr-123)
- `-Scope` configures cost data exports after deployment
- `-ManagedExports` uses template-managed exports with RBAC setup

Post-deployment handles both managed exports (grants Cost Management Contributor and RBAC Administrator on the monitored scope) and manual exports (creates FocusCost export via New-FinOpsCostExport). Also documents required RBAC roles for subscription/RG scopes in configure-scopes.md.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
This PR extends Deploy-Hub.ps1 with three new parameters (-PR, -Scope, -ManagedExports) to support CI/PR-based deployments and export configuration. It also documents required RBAC roles for subscription/resource group scopes in configure-scopes.md.
Changes:
- Added `-PR`, `-Scope`, and `-ManagedExports` parameters to `Deploy-Hub.ps1`, including post-deployment logic to either grant managed identity RBAC roles or create a manual FocusCost export via `New-FinOpsCostExport`
- Updated `src/scripts/README.md` with new parameter documentation and usage examples
- Updated `docs-mslearn/toolkit/hubs/configure-scopes.md` to document the required roles (Cost Management Contributor and RBAC Administrator) for subscription/resource group scopes
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/scripts/Deploy-Hub.ps1 | Core changes: new parameters, initials logic for PR mode, managed/manual export configuration post-deployment |
| src/scripts/README.md | Updated parameter table and new usage examples for -PR, -Scope, and -ManagedExports |
| docs-mslearn/toolkit/hubs/configure-scopes.md | Added documentation for RBAC roles needed for subscription/resource group scopes with managed exports |
- Add "Optional." prefix to -PR parameter doc
- Fix enableManagedExports default: explicitly set to $false for manual exports
- Check New-AzRoleAssignment result before reporting success
- Fix comment: "Build" → "Import" for module load

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
🤖 [AI][Claude] PR Update Summary Addressed: 4 thread(s)
| - Subscriptions and resource groups – [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal). | ||
| - Subscriptions and resource groups – [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal). Assign the following roles to the hub managed identity on each scope: | ||
| - **Cost Management Contributor** – create and manage exports. | ||
| - **RBAC Administrator** – required by Cost Management to grant itself access to write export data to the hub storage account. |
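Review bot: the new **RBAC Administrator** bullet tells readers to assign that role on each monitored subscription or resource group, but the purpose the same line states (letting Cost Management grant itself access to write export data to the hub storage account) is a role-assignment permission on the storage account, not on the monitored scope; the doc should name the hub storage account as the scope for RBAC Administrator and leave only **Cost Management Contributor** on the monitored scope, since RBAC Administrator at subscription scope is broader than the stated purpose needs.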
RBAC Administrator — wrong scope?
The Microsoft.Authorization/roleAssignments/write permission is needed on the storage account, not on the monitored scope. This is so Cost Management can auto-assign itself StorageBlobDataContributor to write export data (per the exports prerequisites docs).
The Bicep template already handles this — ManagedExports/app.bicep:59-63 assigns RBAC Administrator on the storage account via storageRoles.
This means:
- The RBAC Administrator grant on `$Scope` in `Deploy-Hub.ps1` is unnecessary — the template already assigns it where it's actually needed (storage account).
- The docs are misleading — granting RBAC Administrator on a subscription is overly permissive and doesn't serve the stated purpose.
Only Cost Management Contributor should be needed on the monitored scope.
| ```powershell | ||
| ./Deploy-Hub -PR 123 | ||
| ``` |
-PR switch vs. positional parameter confusion
`-PR` is declared as `[switch]` but this example reads as if `-PR` takes a value. It works because `123` binds to the positional `-Name` parameter, but it's misleading. Consider either:
- Making the separation explicit: `./Deploy-Hub -PR -Name 123`
- Or changing `-PR` to a `[string]` that accepts the PR number directly
🛠️ Description
Extends Deploy-Hub.ps1 with three new parameters to support CI automation and simplified export configuration:
- `-PR` — Sets initials to `pr` for PR-based naming (e.g., `pr-123-adx`)
- `-Scope` — Configures cost data exports after deployment (managed or manual)
- `-ManagedExports` — Uses template-managed exports and grants the hub identity required RBAC roles on the monitored scope

Post-deployment logic handles two paths:
- Managed exports: passes `scopesToMonitor` to the template
- Manual exports: creates the export via `New-FinOpsCostExport`

Also documents the required RBAC roles for subscription/RG scopes in configure-scopes.md.
This is PR A of a multi-PR effort to add per-PR deployment CI for FinOps hubs.
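The post-deployment role grants described in the PR description, written out as an added example (not the PR's or the FinOps toolkit's own code) with the scoping the review comment on configure-scopes.md asks for: Cost Management Contributor on the monitored scope, RBAC Administrator only on the hub storage account, and the `New-AzRoleAssignment` result verified before success is reported. It assumes the Az.Resources module and an existing `Connect-AzAccount` session; `Grant-HubRole` and the three script parameters are placeholders, not names from Deploy-Hub.ps1.

```powershell
# Added example: least-privilege role assignment for the hub managed identity.
# Assumes Az.Resources is installed and Connect-AzAccount has been run.
param(
    [Parameter(Mandatory)][string]$HubIdentityObjectId,  # principal ID of the hub managed identity
    [Parameter(Mandatory)][string]$MonitoredScope,       # /subscriptions/<id> or /subscriptions/<id>/resourceGroups/<rg>
    [Parameter(Mandatory)][string]$StorageAccountId      # resource ID of the hub storage account
)

function Grant-HubRole {
    param([string]$ObjectId, [string]$RoleName, [string]$Scope)

    # Idempotent: Get-AzRoleAssignment -Scope also returns inherited assignments,
    # so filter to assignments made at exactly this scope.
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope -ErrorAction SilentlyContinue |
        Where-Object { $_.Scope -eq $Scope }
    if ($existing) {
        Write-Host "Already assigned: $RoleName on $Scope"
        return $true
    }

    # Verify the returned assignment rather than assuming the cmdlet succeeded.
    try {
        $assignment = New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope -ErrorAction Stop
    } catch {
        Write-Error "Role assignment failed: $RoleName on $Scope ($($_.Exception.Message))"
        return $false
    }
    if (-not $assignment -or $assignment.RoleDefinitionName -ne $RoleName) {
        Write-Error "Role assignment returned an unexpected result: $RoleName on $Scope"
        return $false
    }
    Write-Host "Assigned: $RoleName on $Scope"
    return $true
}

$ok = $true
# Monitored scope: only what Cost Management needs to create and manage exports.
$ok = (Grant-HubRole -ObjectId $HubIdentityObjectId -RoleName 'Cost Management Contributor' -Scope $MonitoredScope) -and $ok
# Storage account: the scope at which Cost Management grants itself Storage Blob Data Contributor,
# so RBAC Administrator (built-in name "Role Based Access Control Administrator") goes here, not on the subscription.
$ok = (Grant-HubRole -ObjectId $HubIdentityObjectId -RoleName 'Role Based Access Control Administrator' -Scope $StorageAccountId) -and $ok

if (-not $ok) { exit 1 }
```

Run with `-WhatIf` support removed for brevity; in a CI job, a non-zero exit from this script should fail the deployment step rather than let a missing grant surface later as an export failure.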