Help with Bicep Template for Deleting Azure Resources Based on Resource Name

Gupta, Shalu 30

I have created Bicep templates for provisioning various Azure resources such as Azure OpenAI, Azure Cognitive Search, Azure App Service, and Azure Cosmos DB.

In a similar way, I would like to write a Bicep template or script that allows for the deletion of a specific resource, based on a resource name provided by the user at runtime. This deletion should completely remove the resource from the resource group.

Could someone please guide me on how to achieve this? Any insights or examples would be greatly appreciated. Thank you in advance!

romungi-MSFT 46,746 Reputation points Microsoft Employee

2024-10-14T11:40:43.88+00:00
@Gupta, Shalu Looking at the Github bicep repo there are similar questions on how a delete is handled by bicep. See these issues.

https://github.com/Azure/bicep/discussions/8504

https://github.com/Azure/bicep/issues/14644

In the first issue, the recommendation provided was to remove the resource from the template or commenting it out and deploying the template again using Complete mode.

New-AzResourceGroupDeployment -ResourceGroupName acr-rg -TemplateFile .\acr.bicep -Mode Complete

This might has repercussions if deployment scope is not correctly set as mentioned in the issue.

The second issue might be the way forward to manage resources in deployment stacks since it can delete or detach a resource. See this page for examples and scenarios of deployment stacks.

You could also add an issue on GH repo for bicep for guidance on future issues related to bicep. Thanks!!
VenkateshDodda-MSFT 21,491 Reputation points Microsoft Employee

2024-10-14T11:53:08.05+00:00
@Gupta, Shalu Thanks for posting your question in Microsoft Q&A, apologize for any inconvenience caused on this.

To achieve your requirement, you need to create a custom bicep template using deployment scripts option in Bicep.

In the deployment scripts task, you need to create script content by taking the following considerations

Script Should accept the resource name dynamically using parameters or vairables.

By using the az resource list cmdlet you can pull the resource details if the resource exists.

If the resource exists, then you need to use az resource delete cmdlet to delete the resource by the resource id from the step 2 cmdlet output.

Note : If you want to run this script across multiple azure accounts & subscriptions then you need to include authentication to azure account & setting subscription context in your script as well.

Hope this helps, let me know if you have any further questions on this.
VenkateshDodda-MSFT 21,491 Reputation points Microsoft Employee

2024-10-15T08:42:48.76+00:00

@Gupta, Shalu following up to see if you have a chance to check my previous response and helped, let me know if you have any further questions on this.
romungi-MSFT 46,746 Reputation points Microsoft Employee

2024-10-16T11:03:45.6266667+00:00

@Gupta, Shalu Did any of the above help to delete the required resources using bicep and cli?
Gupta, Shalu 30 Reputation points

2024-10-18T12:40:18.84+00:00
Thank you all for your answers, but unfortunately, the script still isn't working as expected.

Below is the Bicep script I am using. It seems to execute properly when I run the commands directly in the Azure CLI, but when using the Bicep template, it doesn’t delete the resource as intended. The script creates and deploys successfully, but the resources are not being deleted.

Here's the bicep script:
@description('Name of the resource to delete')

param resourceName string

@description('Subscription ID where the resource exists')

param subscriptionId string

@description('Resource Group where the resource is located')

param resourceGroup string

resource deleteScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {

name: 'deleteResourceScript'

location: 'swedencentral'

kind: 'AzureCLI'

properties: {

azCliVersion: '2.30.0' scriptContent: ''' # Set subscription context az account set --subscription $SUBSCRIPTION_ID # Get the resource ID using the az resource list command RESOURCE_ID=$(az resource list --subscription $SUBSCRIPTION_ID --resource-group $RESOURCE_GROUP --name $RESOURCE_NAME --query "[0].id" --output tsv) if [ -n "$RESOURCE_ID" ]; then # If the resource exists, delete it az resource delete --ids $RESOURCE_ID echo "Resource $RESOURCE_NAME deleted successfully." else echo "Resource $RESOURCE_NAME not found in resource group $RESOURCE_GROUP." fi ''' retentionInterval: 'P1D' timeout: 'PT30M' environmentVariables: [ { name: 'SUBSCRIPTION_ID' value: subscriptionId } { name: 'RESOURCE_GROUP' value: resourceGroup } { name: 'RESOURCE_NAME' value: resourceName } ]

}

}

I am deploying the script with the following command:
az deployment group create --resource-group <your-resource-group> --template-file deleteResource.bicep --parameters resourceName='<resource-name>' subscriptionId='<subscription-id>' resourceGroup='<resource-group>'

Could you help me understand why the script isn’t working as expected, even though the CLI command works directly? Any suggestions or corrections would be greatly appreciated!
Gupta, Shalu 30 Reputation points

2024-10-18T12:42:55.9633333+00:00
Thank you all for your answers, but unfortunately, the script still isn't working as expected.

Below is the Bicep script I am using. It seems to execute properly when I run the commands directly in the Azure CLI, but when using the Bicep template, it doesn’t delete the resource as intended. The script creates and deploys successfully, but the resources are not being deleted.

Here's the bicep script: @description('Name of the resource to delete')

param resourceName string

@description('Subscription ID where the resource exists')

param subscriptionId string

@description('Resource Group where the resource is located')

param resourceGroup string

resource deleteScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {

name: 'deleteResourceScript'

location: 'swedencentral'

kind: 'AzureCLI'

properties: {

azCliVersion: '2.30.0' scriptContent: ''' # Set subscription context az account set --subscription $SUBSCRIPTION_ID # Get the resource ID using the az resource list command RESOURCE_ID=$(az resource list --subscription $SUBSCRIPTION_ID --resource-group $RESOURCE_GROUP --name $RESOURCE_NAME --query "[0].id" --output tsv) if [ -n "$RESOURCE_ID" ]; then # If the resource exists, delete it az resource delete --ids $RESOURCE_ID echo "Resource $RESOURCE_NAME deleted successfully." else echo "Resource $RESOURCE_NAME not found in resource group $RESOURCE_GROUP." fi ''' retentionInterval: 'P1D' timeout: 'PT30M' environmentVariables: [ { name: 'SUBSCRIPTION_ID' value: subscriptionId } { name: 'RESOURCE_GROUP' value: resourceGroup } { name: 'RESOURCE_NAME' value: resourceName } ]

}

}

I am deploying the script with the following command: az deployment group create --resource-group <your-resource-group> --template-file deleteResource.bicep --parameters resourceName='<resource-name>' subscriptionId='<subscription-id>' resourceGroup='<resource-group>'

Could you help me understand why the script isn’t working as expected, even though the CLI command works directly? Any suggestions or corrections would be greatly appreciated!

Accepted answer

VenkateshDodda-MSFT 21,491 Microsoft Employee

@Gupta, Shalu Thanks for your response,

Deployment scripts use a managed identity to authenticate to Azure. deploymentScripts resources are either PowerShell or Bash scripts that run in a Docker container as part of your template deployment.

As mentioned above, I have made couple of changes to the above template and tested it in my subscription by creating a sample logic app and deleting it through the bicep template it is working fine.

Here are the modified templates:

**Main.bicep template:


@description('Name of the resource to delete')

param resourceName string

@description('Subscription ID where the resource exists')

param subscriptionId string

@description('Resource Group where the resource is located')

param resourceGroup string

var userAssignedIdentityName = 'configDeployer57'
var roleAssignmentName = guid(userAssignedIdentity.id, 'contributor')
var contributorRoleDefinitionId = resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
var deploymentScriptName = 'ResourceDeleted57'

resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  name: userAssignedIdentityName
  location: 'westus'
}

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: roleAssignmentName
  properties: {
    roleDefinitionId: contributorRoleDefinitionId
    principalId: userAssignedIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

resource deleteScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
    name: deploymentScriptName
    location: 'swedencentral'
    kind: 'AzureCLI'
    identity: {
      type: 'UserAssigned'
        userAssignedIdentities: { 
          '${userAssignedIdentity.id}': {}}
        }
    properties: {
        azCliVersion: '2.30.0'
        arguments: '${resourceName} ${subscriptionId} ${resourceGroup}'
        scriptContent: '''
          #!/bin/bash
          set -e 
          # Set subscription context
          az account set --subscription "$2"

          # Get the resource ID using the az resource list command
          RESOURCE_ID=$(az resource list --subscription "$2" --resource-group "$3" --name "$1" --query "[0].id" --output tsv)
          if [ -n "$RESOURCE_ID" ]; then
            # If the resource exists, delete it
            az resource delete --ids $RESOURCE_ID
              echo "Resource $1 deleted successfully."
          else
             echo "Resource $1 not found in resource group $RESOURCE_GROUP."
           fi
        '''
    retentionInterval: 'P1D'
    timeout: 'PT30M'
  }
  dependsOn: [
    roleAssignment
  ]
}

Here is the parameters template :

using 'main.bicep'
param resourceName  = '<resourceName>'
param subscriptionId  = '<subscriptionId>'
param resourceGroup = '<ResourceGroupName>'

The output will be shown in the deployment script resource logs as shown in the below.

User's image

You can go through learn tutorial on how to work with deployment scripts in Bicep for better understanding.

Note : Please do modify the bicep template based on your requirement.

Hope this helps let me know if you have any further questions on this.

Gupta, Shalu 30 Reputation points

2024-10-21T04:08:34.6666667+00:00

@VenkateshDodda-MSFT Thank you for the detailed response and the updated Bicep template! I’ll review this newer version that utilizes the managed identity for authentication and test it within my environment. Your modifications and explanations are very clear, and I appreciate the guidance on deploying and testing with a sample Logic App.

If I encounter any issues or have additional questions, I'll reach out. Thanks again for your help!
VenkateshDodda-MSFT 21,491 Reputation points Microsoft Employee

2024-10-22T08:54:23.47+00:00

Gupta, Shalu I hope the provided answer is helpful, let me know if you have any further questions on this.

Please accept as "Yes" if the answer is helpful so that it can help others in the community.

Share via

Help with Bicep Template for Deleting Azure Resources Based on Resource Name

0 additional answers

Your answer