
Export mode

In export mode the extension will read information from Azure and write it to JSON or YAML files.

The following metadata is collected:

  • Resource groups
  • Resource group tags
  • Role Assignments for:
    • resource groups
    • resources
    • subscriptions
    • management groups
    • tenants

The files will be committed to a git branch called "rbac_export" which can then be merged to the main branch via a pull request.

Export mode can be used both for the initial export and on an ongoing basis to capture changes made in the portal.

Example workflow

The example shows a workflow for a single RBAC change made in the portal. The workflow for multiple changes or the initial export is the same.

Initial state

Here are the initial role assignments for resource group "OSX-ARG-KEYVAULT-DEV":

[Image: Role Assignments Initial State]

A change is made in Azure

A change is made manually in the portal.

In this example Jennifer Davies is added as a contributor.

[Image: Role Assignments After Change]

The export pipeline is run

The export pipeline is run. This can be configured to be initiated manually or on a schedule.

In export mode the extension will:

  • read information from Azure
  • write it to JSON files
  • commit the files to a git branch called "rbac_export"

In the log we can see the files being created.

[Image: Osservante RBAC Export Pipeline]

And that the changes are committed to the git branch.

[Image: Git Commit]

A pull request is opened

A pull request can then be created to merge the changes back into the main branch.

[Image: Azure DevOps Pull Request]

Change merged to main branch

After the merge your code will then be back in sync with Azure.

This is what the final code looks like. We can see that Jennifer Davies is added as a contributor.

    {
      "resourceGroupName": "OSX-ARG-KEYVAULT-DEV",
      "location": "eastus",
      "assignments": [
        {
          "role": "Contributor",
          "objectName": "Jennifer.Davies@osservantex.onmicrosoft.com",
          "objectType": "User"
        },
        {
          "role": "Owner",
          "objectName": "Information Technology",
          "objectType": "Group"
        },
        {
          "role": "Reader",
          "objectName": "Oliver.Walker@osservantex.onmicrosoft.com",
          "objectType": "User"
        }
      ],
      "tags": {
        "Created": "2022-02-04",
        "Description": "Dev keyvault resource group",
        "Environment": "Development"
      }
    }
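
The pull request is the point where a portal change gets reviewed before it becomes the recorded state. As an added example (not part of the extension), the Python script below compares the exported file for a resource group before and after the export and lists role assignments that were added or removed, flagging new grants of privileged roles. The function names, the PRIVILEGED_ROLES set and the "before" sample are assumptions constructed from the example on this page.

```python
import copy
import json

# Assumption: roles treated as high-privilege for review; adjust to your own policy.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

def assignment_keys(export):
    """Return the (role, objectName, objectType) tuples in one exported file."""
    return {(a["role"], a["objectName"], a["objectType"])
            for a in export.get("assignments", [])}

def diff_exports(before, after):
    """Compare two exports of the same resource group and describe the drift."""
    if before["resourceGroupName"] != after["resourceGroupName"]:
        raise ValueError("exports describe different resource groups")
    old, new = assignment_keys(before), assignment_keys(after)
    added, removed = sorted(new - old), sorted(old - new)
    return {
        "resourceGroupName": after["resourceGroupName"],
        "added": added,
        "removed": removed,
        # New grants of privileged roles should get explicit sign-off in the PR.
        "needs_review": [a for a in added if a[0] in PRIVILEGED_ROLES],
    }

# Constructed sample: the file on main before the portal change (tags omitted).
BEFORE = json.loads("""
{"resourceGroupName": "OSX-ARG-KEYVAULT-DEV", "location": "eastus",
 "assignments": [
  {"role": "Owner", "objectName": "Information Technology", "objectType": "Group"},
  {"role": "Reader", "objectName": "Oliver.Walker@osservantex.onmicrosoft.com",
   "objectType": "User"}]}
""")
# The file on rbac_export after the export: the page's example with the new grant.
AFTER = copy.deepcopy(BEFORE)
AFTER["assignments"].insert(0, {
    "role": "Contributor",
    "objectName": "Jennifer.Davies@osservantex.onmicrosoft.com",
    "objectType": "User"})

if __name__ == "__main__":
    report = diff_exports(BEFORE, AFTER)
    for change in ("added", "removed"):
        for role, name, kind in report[change]:
            print(f"{change:8} {role:12} {kind:6} {name}")
    # Non-zero exit lets a PR validation build hold the merge for review.
    raise SystemExit(1 if report["needs_review"] else 0)
```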