Adrian Hall

Adrian Hall

Microsoft Program Manager by day; Mobile Developer by night

Deleting Azure resources the right way.

July 12, 2023  3 minute read  

If you are an Azure developer, you likely spin up an application, do some work, then shut it down again. However, shutting down resources and deleting them has an order to them. If your service is network isolated (in a virtual network), then you can’t delete the application until the private endpoints are shut down. Budgets don’t get deleted with the resource group. Diagnostic settings can’t be deleted if the resource no longer exists. There is an order you should do things:

  1. Private endpoints
  2. Diagnostic settings
  3. Budgets
  4. Resources that need to be purged (e.g. Key Vault and API Management)
  5. Resource groups

The resource groups are last and will delete the rest of the resources for you. I use the Azure Developer CLI for deployments, but cleaning up can be hard since the azd tool does not understand this ordering problem.

So, how do I do it? With a little bit of love from PowerShell. I have a script that I can run (imaginatively called cleanup.ps1). To start, I provide a list of resource groups that I want to clean up:

<#
.SYNOPSIS
  Cleans up the resources in a set of resource groups.
#>

Param(
  [Parameter(Mandatory)][string]$Prefix
  [switch]$AsJob = $false
)

$resourceGroups = [System.Collection.ArrayList]@()
Get-AzResourceGroup | Where-Object { $_.ResourceGroupName -like $Prefix } | Foreach-Object {
  $resourceGroups.Add($_.ResourceGroupName) | Out-Null
}

Deleting private endpoints, diagnostic settings, and budgets

Now that I have the list of resource groups, I can go through my ordering and start deleting things. Here is the code for private endpoints:

function Remove-ConsumptionBudgetForResourceGroup($resourceGroupName) {
    Get-AzConsumptionBudget -ResourceGroupName $resourceGroupName
    | Foreach-Object {
        "`tRemoving $resourceGroupName::$($_.Name)" | Write-Output
        Remove-AzConsumptionBudget -Name $_.Name -ResourceGroupName $_.ResourceGroupName
    }
}

function Remove-DiagnosticSettingsForResourceGroup($resourceGroupName) {
    Get-AzResource -ResourceGroupName $resourceGroupName
    | Foreach-Object {
        $resourceName = $_.Name
        $resourceId = $_.ResourceId
        Get-AzDiagnosticSetting -ResourceId $resourceId -ErrorAction SilentlyContinue | Foreach-Object {
            "`tRemoving $resourceGroupName::$resourceName::$($_.Name)" | Write-Output
            Remove-AzDiagnosticSetting -ResourceId $resourceId -Name $_.Name 
        }
    }
}

function Remove-PrivateEndpointsForResourceGroup($resourceGroupName) {
    Get-AzPrivateEndpoint -ResourceGroupName $resourceGroupName
    | Foreach-Object {
        "`tRemoving $resourceGroupName::$($_.Name)" | Write-Output
        Remove-AzPrivateEndpoint -Name $_.Name -ResourceGroupName $_.ResourceGroupName -Force
    }
}

"> Private Endpoints:" | Write-Output
foreach ($resourceGroupName in $resourceGroups) {
    Remove-PrivateEndpointsForResourceGroup -ResourceGroupName $resourceGroupName
}

"> Budgets:" | Write-Output
foreach ($resourceGroupName in $resourceGroups) {
    Remove-ConsumptionBudgetForResourceGroup -ResourceGroupName $resourceGroupName
}

"> Diagnostic Settings:" | Write-Output
foreach ($resourceGroupName in $resourceGroups) {
    Remove-DiagnosticSettingsForResourceGroup -ResourceGroupName $resourceGroupName
}

This pattern is repeated quite often. I get a list of the private endpoints within a resource group, then remove each one. You can do some more work to send the output to the verbose channel (together with all the other work for making this a verbose module), but I find I always want the output, so I just write it out.

Removing the resource groups

Once all the dependent services are done, I can remove the resource groups:

function Remove-ResourceGroupFromAzure($resourceGroupName, $asJob) {
    if (Test-ResourceGroupExists -ResourceGroupName $resourceGroupName) {
        "`tRemoving $resourceGroupName" | Write-Output
        if ($asJob) {
            Remove-AzResourceGroup -Name $resourceGroupName -Force -AsJob
        } else {
            Remove-AzResourceGroup -Name $resourceGroupName -Force
        }
    }
}

"`nRemoving resource groups..." | Write-Output
foreach ($resourceGroupName in $resourceGroups) {
    Remove-ResourceGroupFromAzure -ResourceGroupName $resourceGroupName -AsJob:$AsJob
}

Be careful to understand your dependencies though. For example, let’s say you have an App Service that is VNET integrated, and the App Service is in a different resource group to the virtual network. You cannot delete the virtual network until the App Service is deleted. Since they are in different resource groups, you will likely bump into a timing issue that is not easily resolved. Sometimes, it will work, and other times it won’t work. Fix this by ensuring you delete the resource group with the App Service first.

Finally

With the Azure Developer CLI, I can easily deploy a complete solution with diagnostics, a hub-spoke virtual network setup, and complete network isolation. Now, I can also tear down the solution easily without worrying about the lingering resources issues.

Leave a comment

You may also enjoy

Create an App Registration for RBAC with PowerShell and Microsoft Graph.

January 19, 2024  5 minute read  

I’m currently working on some automation within Azure to deploy a hub-spoke web application. This web application authenticates with Entra ID using an App Registration and Role-Based Access Controls (RBAS) using App Roles. So, I need to create an app registration, enterprise app, and create the app roles.

Azure Mobile Apps: Supporting tables with int Id

December 22, 2023  14 minute read  

One of the persistent questions I get asked about Azure Mobile Apps is how to support older tables. Let’s say you have an older application that was never designed for mobile applications. It likely has a model like this:

Purge Azure API Management soft-deleted services with ease.

January 20, 2023  4 minute read  

I work a lot with Azure API Management, which means I turn up and down services quite a few times a day. Azure API Management has an awesome feature that prevents you from accidentally deleting a service, called soft-delete. Instead of immediately deleting the service, it marks it as soft deleted and purges it later on. Unfortunately, that means that you can’t immediately reuse that service name. In production, this is a great thing to have. In development, it turns into a pain. That’s b...

Type-checking Bicep arrays and objects

November 28, 2022  3 minute read  

As you may have guessed by now, I’m delving heavily into the world of Bicep right now, mostly in order to describe the infrastructure for my personal projects in a readable way. JSON and YAML (used by ARM) is most definitely not readable for the average consumer. Part of that work was learning about bicep modules, which I love for modularizing my code. However, there is one distinctive problem with this.