Azure · benbp · Oct 17, 2023 · Oct 12, 2023 · Oct 12, 2023 · Oct 12, 2023
@@ -771,7 +771,6 @@ try {
                     -TemplateParameterObject $templateFileParameters `
                     -Force:$Force
         }
-
         if ($deployment.ProvisioningState -ne 'Succeeded') {
             Write-Host "Deployment '$($deployment.DeploymentName)' has state '$($deployment.ProvisioningState)' with CorrelationId '$($deployment.CorrelationId)'. Exiting..."
             Write-Host @'
@@ -803,6 +802,9 @@ try {
             Write-Verbose "Removing compiled bicep file $($templateFile.jsonFilePath)"
             Remove-Item $templateFile.jsonFilePath
         }
+
+        Write-Host "Deleting ARM deployment as it may contain secrets. Deployed resources will not be affected."
+        $null = $deployment | Remove-AzResourceGroupDeployment
     }
 
 } finally {

@@ -41,7 +41,12 @@ foreach ($group in $groups) {
                 Write-Error $_
                 throw
             }
-            $ctx | Get-AzStorageContainer | Get-AzStorageBlob | Remove-AzStorageBlob -Force
+            # Sometimes we get a 404 blob not found but can still delete containers,
+            # and sometimes we must delete the blob if there's a legal hold.
+            # Try to remove the blob, but keep running regardless.
+            try {
+                $ctx | Get-AzStorageContainer | Get-AzStorageBlob | Remove-AzStorageBlob -Force
+            } catch {}
             # Use AzRm cmdlet as deletion will only work through ARM with the immutability policies defined on the blobs
             $ctx | Get-AzStorageContainer | % { Remove-AzRmStorageContainer -Name $_.Name -StorageAccountName $ctx.StorageAccountName -ResourceGroupName $group.ResourceGroupName -Force }
             Remove-AzStorageAccount -StorageAccountName $account.StorageAccountName -ResourceGroupName $account.ResourceGroupName -Force

@@ -52,6 +52,9 @@ param (
   [Parameter()]
   [switch] $DeleteNonCompliantGroups,
 
+  [Parameter()]
+  [switch] $DeleteArmDeployments,
+
   [Parameter()]
   [int] $DeleteAfterHours = 24,
 
@@ -269,7 +272,7 @@ function FindOrCreateDeleteAfterTag {
     [object]$ResourceGroup
   )
 
-  if (!$ResourceGroup) {
+  if (!$DeleteNonCompliantGroups -or !$ResourceGroup) {
       return
   }
 
@@ -326,6 +329,14 @@ function HasDeleteLock([object]$ResourceGroup) {
   return $false
 }
 
+function DeleteArmDeployments([object]$ResourceGroup) {
+  if (!$DeleteArmDeployments) {
+      return
+  }
+  Write-Host "Deleting ARM deployments for group $($ResourceGroup.ResourceGroupName) as they may contain secrets. Deployed resources will not be affected."
+  $null = Get-AzResourceGroupDeployment -ResourceGroupName $ResourceGroup.ResourceGroupName | Remove-AzResourceGroupDeployment
+}
+
 function DeleteOrUpdateResourceGroups() {
   [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
   param()
@@ -338,6 +349,7 @@ function DeleteOrUpdateResourceGroups() {
   [Array]$allGroups = Retry { Get-AzResourceGroup }
   $toDelete = @()
   $toUpdate = @()
+  $toClean = @()
   Write-Host "Total Resource Groups: $($allGroups.Count)"
 
   foreach ($rg in $allGroups) {
@@ -351,31 +363,25 @@ function DeleteOrUpdateResourceGroups() {
       }
       continue
     }
-    if (!$DeleteNonCompliantGroups) {
-      continue
-    }
-    if (HasDoNotDeleteTag $rg) {
+    if ((IsChildResource $rg) -or (HasDeleteLock $rg)) {
       continue
     }
-    if (IsChildResource $rg) {
-      continue
-    }
-    if (HasValidAliasInName $rg) {
-      continue
-    }
-    if (HasValidOwnerTag $rg) {
-      continue
-    }
-    if (HasDeleteLock $rg) {
+    if ((HasDoNotDeleteTag $rg) -or (HasValidAliasInName $rg) -or (HasValidOwnerTag $rg)) {
+      $toClean += $rg
       continue
     }
     $toUpdate += $rg
   }
 
+
   foreach ($rg in $toUpdate) {
     FindOrCreateDeleteAfterTag $rg
   }
 
+  foreach ($rg in $toClean) {
+    DeleteArmDeployments $rg
+  }
+
   # Get purgeable resources already in a deleted state.
   $purgeableResources = @(Get-PurgeableResources)