I'm a huge fan of the Azure CLI - I've blogged about it and created a Pluralsight course on getting started with it.

I often use the Azure CLI to quickly try out various Azure resources like Web Apps or Cosmos DB databases. After playing for a while with them, I then delete the resource group I've put them in to clean up and stop paying.

Deleting is especially important when you experiment with expensive resources like a multi-node Service Fabric or AKS cluster. Forgetting to clean up after yourself could be an expensive mistake.

Enter "Noel's grab bag of Azure CLI goodies", an awesome extension to the Azure CLI created by Noel Bundick which adds a "self-destruct" mode along with a bunch of other handy functions.

Installing the extension

To install the extension, follow the instructions on GitHub and use the az extension add command, pointing it at the latest version (0.0.12 at the time of writing). You can then see it in the list of installed extensions with az extension list.

# to install v0.0.12:
az extension add --source https://github.com/noelbundick/azure-cli-extension-noelbundick/releases/download/v0.0.12/noelbundick-0.0.12-py2.py3-none-any.whl

# to see the list of installed extensions
az extension list -o table

Self-destruct needs a one-time setup action. It creates a service principal with Contributor rights over the entire subscription (as the output below shows), and the Logic App that implements the self-destruct action uses that service principal.

az self-destruct configure
# OUTPUT (no, these are not my real credentials!):
# Creating a service principal with `Contributor` rights over the entire subscription
# Retrying role assignment creation: 1/36
# {
#   "client-id": "c9e0fb8e-18d2-44bd-b0bc-52056965a362",
#   "client-secret": "0dbcece7-34c5-49fe-ac2e-dbab9cb310e1",
#   "tenant-id": "fc3d0620-79f6-4b16-80b4-3b486a33514e"
# }
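
Because the configure step grants Contributor over the whole subscription, it is worth confirming exactly what that principal can reach. The following is an added example, not code from the extension or the original post: a PowerShell function (the name Get-RoleAssignmentBreadth is hypothetical) that classifies role assignments from az role assignment list JSON by scope. The sample JSON and its subscription ID are constructed.

```powershell
# Added example, not part of the extension. The function name is hypothetical.
# Classifies each role assignment by how wide its scope is and flags
# privileged roles granted at subscription level or above.
function Get-RoleAssignmentBreadth {
    param(
        # JSON text as produced by: az role assignment list ... -o json
        [Parameter(Mandatory)] [string] $AssignmentsJson
    )
    $privileged = 'Owner', 'Contributor', 'User Access Administrator'
    $wide       = 'root', 'management-group', 'subscription'

    $assignments = $AssignmentsJson | ConvertFrom-Json
    foreach ($a in $assignments) {
        # Azure scopes are hierarchical paths; switch -Regex is case-insensitive.
        $breadth = switch -Regex ($a.scope) {
            '^/$'                                                 { 'root'; break }
            '^/providers/Microsoft\.Management/managementGroups/' { 'management-group'; break }
            '^/subscriptions/[^/]+/?$'                            { 'subscription'; break }
            '^/subscriptions/[^/]+/resourceGroups/[^/]+/?$'       { 'resource-group'; break }
            default                                               { 'resource' }
        }
        [pscustomobject]@{
            Role    = $a.roleDefinitionName
            Breadth = $breadth
            Broad   = ($breadth -in $wide) -and ($a.roleDefinitionName -in $privileged)
            Scope   = $a.scope
        }
    }
}

# Constructed sample input (placeholder subscription ID), shaped like the CLI's JSON.
$sample = @'
[
  { "roleDefinitionName": "Contributor",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000" },
  { "roleDefinitionName": "Reader",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/experiment" }
]
'@

Get-RoleAssignmentBreadth -AssignmentsJson $sample | Format-Table -AutoSize

# Against a live subscription, using the client-id printed by az self-destruct configure:
# $json = az role assignment list --assignee <client-id> --all -o json | Out-String
# Get-RoleAssignmentBreadth -AssignmentsJson $json | Where-Object Broad
```

For the self-destruct principal, one Broad row (Contributor at subscription scope) matches the configure output above; any additional rows are assignments that the setup step did not report.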

Using self-destruct mode

To use self-destruct mode, you simply specify the --self-destruct flag on any resource you create with az <whatever> create. A good level to set this at is a resource group so you can create multiple resources that will get deleted together.

In this example, I'm creating a resource group called experiment that will self-destruct in 30 minutes, and then putting an App Service Plan inside it so there is something to be deleted inside the group.

$resGroup = "experiment"
# can use 1d, 6h, 2h30m etc
az group create -n $resGroup -l westeurope --self-destruct 30m

# create something to get deleted
az appservice plan create -g $resGroup -n TempPlan --sku B1

Note that the extension will tag the resources you create with a self-destruct-date tag.

If we look inside our resource group, we'll see not only the app service plan we created, but also a Logic App. This Logic App exists solely to implement the self-destruct and is even able to delete itself when it's done, which is convenient.

# see what's in the resource group (there will be a logic app)
az resource list -g $resGroup -o table

# Name                                                ResourceGroup    Location    Type                       Status
# --------------------------------------------------  ---------------  ----------  -------------------------  --------
# self-destruct-resourceGroups-experiment-experiment  experiment       westeurope  Microsoft.Logic/workflows
# TempPlan                                            experiment       westeurope  Microsoft.Web/serverFarms

If you want to, you can explore the Logic App in the Azure portal to see how it works.

See it in action

To see what resources are scheduled for self-destruct, you can use the az self-destruct list command:

az self-destruct list -o table
# Date                        Name        ResourceGroup
# --------------------------  ----------  ---------------
# 2018-11-30 13:12:42.750344  experiment  experiment

If you've changed your mind, you can disarm self-destruct mode with az self-destruct disarm, or re-enable it later with a different duration using az self-destruct arm.

Finally, once the timer has expired, you can check whether it worked by searching for resources in the group. If all went well, there'll be nothing to see:

az resource list -g $resGroup -o table
# Resource group 'experiment' could not be found.

Summary

The self-destruct mode extension is a great way of protecting yourself against expensive mistakes and is worth considering for all short-lived experiments. It's a superb idea, and nicely executed. The idea could be developed further: for example, it could email you asking whether you are still using a resource group and, if you don't respond within a set period of time, delete it, making a sort of "dead man's switch" for Azure.

Want to learn more about the Azure CLI? Be sure to check out my Pluralsight course Azure CLI: Getting Started.