Delete Security Group Rules

This task allows the user to delete security rules from an existing security group in Azure

It requires credentials for an Azure service principal with permissions to read & update network security groups.

Playbook Files

# The task was built to work with these plugin versions.
plugins:
  azure: ~1.1.0
  ppa: ~3
  hashicorp_vault: ~4

steps:
  - name: Introduction
    actions:
      - ppa.ui.output_markdown:
          doc: >
            {{ globals.icons.azure.full }}


            ### Delete network security group rules


            Use this task to view a list of security rules for an existing Security Group in Azure.


            You can then choose to exit the task or delete one or more selected rules


            You will need to:

              - Provide Azure access credentials

              - Select a Resource Group and Security Group

              - Select rule(s) to delete or exit

      - ppa.ui.input_accept:
          text: Start

  - name: Get Azure Secrets
    actions:
      - hashicorp_vault.key_value.read_secret_keys:
          secret: azure
          keys: []
          sensitive_keys:
            - tenant_id
            - client_id
            - client_secret
          create_missing: true
        save: azure_secrets

      - hashicorp_vault.key_value.read_secret_keys:
          secret: azure
          keys: []
          sensitive_keys:
            - subscription_id
          create_missing: true
        save: subscription

  - name: Select resource group
    actions:
      - ppa.ui.output_progress:
          text: Finding all Resource Groups...
          percent: null
          element_id: get_resource_groups

      - azure.mgmt.resource_groups.get_all:
        load:
          azure_client: azure_secrets
          subscription_id: subscription["subscription_id"]
        save: resource_groups

      - count:
        load:
          item: resource_groups
        save: resource_group_count

      - ppa.ui.output_progress:
          text: Found {{ resource_group_count }} Resource Groups
          percent: 100
          element_id: get_resource_groups

      - azure.mgmt.resource_groups.input_table:
          text: Select Resource Group
          minimum: 1
          maximum: 1
        load:
          groups: resource_groups
        save: resource_groups

      - set:
          name: resource_group_name
          value: "{{ resource_groups.0.name }}"


  - name: Get all Security Groups
    actions:
      - ppa.ui.output_progress:
          text: Finding all Security Groups for {{ resource_group_name }}...
          percent: null
          element_id: get_groups

      - azure.network.security_groups.get_all:
        load:
          azure_client: azure_secrets
          subscription_id: subscription["subscription_id"]
          resource_group_name: resource_group_name
        save: groups

      - count:
        load:
          item: groups
        save: group_count

      - ppa.ui.output_progress:
          text: Found {{ group_count }} Security Groups for {{ resource_group_name }}
          percent: 100
          element_id: get_groups


  - name: Exit when no Security Groups
    when: group_count == 0
    actions:
      - exit:
          exit_code: 0


  - name: Select Security Group
    actions:
      - azure.network.security_groups.input_table:
          text: Please Select a Security Group
          minimum: 1
          maximum: 1
        load:
          groups: groups
        save: chosen_group

      - debug:
          identifier: chosen_group

      - azure.network.security_groups.output_security_rules_table:
          text: Current Inbound Rules
        load:
          group: chosen_group[0]

      - ppa.ui.input_confirm:
          text: Do you want to delete security rule(s) or exit?
          confirm: Delete rule(s)
          cancel: Exit
        save: confirm_delete


  - name: Exit
    when: not confirm_delete
    actions:
      - exit:
          exit_code: 0


  - name: Select rule to delete
    when: confirm_delete
    until: delete_rule_confirmed
    actions:
      - azure.network.security_groups.input_security_rules_table:
          text: Select rule(s) to delete
          minimum: 1
        load:
          group: chosen_group[0]
        save: chosen_rules

      - ppa.ui.input_confirm:
          text: Delete Rule(s) or Start over?
          confirm: Delete Rule(s)
          cancel: Start Over
          element_id: input_confirm
        save: delete_rule_confirmed


  - name: Delete rules
    when: confirm_delete
    actions:
      - ppa.ui.output_progress:
          text: Delete security rules...
          percent: null
          element_id: delete_rule

      - azure.network.security_groups.delete_rule:
        load:
          name: chosen_group.0.name
          resource_group_name: resource_group_name
          rule_name: loop.action.item.value.name
          azure_client: azure_secrets
          subscription_id: subscription["subscription_id"]
        sequence: chosen_rules

      - ppa.ui.output_progress:
          text: Successfully deleted security rules...
          percent: 100
          element_id: delete_rule


  - name: View Updated Rules
    actions:
      - ppa.ui.input_confirm:
          text: View Updated Rules?
          confirm: Yes
          cancel: No
        save: view_updated_rules

      - exit:
          exit_code: 0
        when: not view_updated_rules

      - azure.network.security_groups.get_by_name:
        load:
          name: chosen_group.0.name
          resource_group_name: resource_group_name
          azure_client: azure_secrets
          subscription_id: subscription["subscription_id"]
        save: updated_group

      - azure.network.security_groups.output_security_rules_table:
          text: Updated Inbound Rules
        load:
          group: updated_group

Running this Playbook

Click download playbook
Import the downloaded file via the Playbooks page on PPA
Build the playbook from the Edit & Build tab
Run the playbook from the Preview & Deploy tab

* Requires PPA v2.9.x or newer

Integrations

PPA User Interface & Events
Hashicorp Vault Key-Value engine
Azure Compute Security Groups

Required Vault Details

Azure

Tenant ID
Client ID
Client Secret
Subscription ID

The service principal must have permissions to read & update network security groups in Azure.

Vault Configuration Wizard

The first time you run a task built from this playbook, PPA will check the required Vault details exist.

If they don't exist, PPA will ask you to supply the details at the start of the task.

Below you can see a user providing details the first time they run an Active Directory task.

vault-config-wizard

Once the details are added to Vault, the task won't ask for them again.

If you don't know the required details, ask an administrator to run the task or configure Vault manually.

What the Task Does

Once started this task will:

Ask user to provide Azure access credentials
Ask user to select a resource group and security group
Show details of the existing security group rules
Select rule(s) to delete or exit
Deletes selected rules
Shows details of the updated security group rules

See our other playbooks

Get PPA for free!

Start automating your estate with a free 30 day trial today. No signup required!

Get PPA Express

Documentation

Installation Guide
See how easy it is to get started with our installation guide
Playbooks
View our task writing reference guide
Plugins
See how to integrate with different systems using our plugins reference guide.