Readonly Managed App Resource Group

  • Question

  • When a managed app is instantiated you get 2 resource groups. One resource group is in the customer's subscription and contains the managed app itself. The other resource group contains all the managed app resources.

    The lock-level for the managed app definition is set to ReadOnly.

    I expected that the customer would have this managed app resource group in ReadOnly mode, which seems to be the case. They can't add resources and don't have permission to change existing resources.

    However I expected that I, as the owner, would have full access rights to the managed app resources.

    I do have rights to change resources in the customer's managed app resource group, but I can't add resources to the group. The group seems to be readonly for me as well.

    How do I update / manage the customer's managed app if I can't add any resources to this group? Some management actions just involve updating existing resources, so that is fine. But what is the strategy for adding resources?

    To be more specific. Our managed app definition contains a load balancer and several VMs. With this readonly lock I, as the owner, can change the size of my VMs, but I can't add more VMs to scale up.

    I do want the readonly lock for the customer as they shouldn't be making changes, but as the owner I should not be readonly.

    Is there a way to configure the managed app definition in such a way that I can add resources to the managed app resource group?

    - Johan

    Friday, March 23, 2018 5:53 PM

Answers

  • I would like to post the outcome of my discussion with the product team.

    It turns out that the issue is related to the Portal.

    The managed resource group that is in readonly mode for the consumer and for which the provider has the owner rights works as expected when you access the resource group through PowerShell.

    The portal will let you modify existing resources, but doesn't allow you to add/remove resources. 

    The product team will look into the behavior in the portal, but if you run into this problem then you should either use PowerShell or CLI to add/remove resources in this managed resource group.

    - Johan

    Friday, April 13, 2018 3:41 PM
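
The PowerShell route described in the answer above, as an added example that is not part of the original thread. It uses cmdlets from the current Az module and assumes the session is already signed in as a principal that the managed app definition authorizes as Owner, with the context set to the subscription holding the managed resource group; the resource group name and template path are placeholders.

```powershell
# Added example: add a resource to the managed resource group from PowerShell
# instead of the portal. Placeholder values (hypothetical), replace with your own.
$managedRgName = '<managed-resource-group-name>'
$templateFile  = '.\add-vm.json'   # ARM template describing the extra VM

# Assumption: Connect-AzAccount / Set-AzContext were already run as the publisher.
if (-not (Get-AzContext)) {
    throw 'No Azure context. Sign in as the publisher principal first.'
}

# Confirm the target really is a managed resource group: ManagedBy points at
# the Microsoft.Solutions/applications resource that owns it.
$rg = Get-AzResourceGroup -Name $managedRgName -ErrorAction Stop
if ($rg.ManagedBy -notmatch '/providers/Microsoft\.Solutions/applications/') {
    throw "Resource group '$managedRgName' is not owned by a managed application."
}

# Review who holds rights at this scope before changing anything.
Get-AzRoleAssignment -Scope $rg.ResourceId |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# Snapshot the current contents so the change can be verified afterwards.
$before = @(Get-AzResource -ResourceGroupName $managedRgName)

# Incremental mode adds the template's resources and leaves existing ones alone.
$deploymentName = 'scale-out-{0:yyyyMMddHHmmss}' -f (Get-Date)
New-AzResourceGroupDeployment -ResourceGroupName $managedRgName `
    -Name $deploymentName `
    -TemplateFile $templateFile `
    -Mode Incremental `
    -ErrorAction Stop | Out-Null

# List only what the deployment added.
$after = @(Get-AzResource -ResourceGroupName $managedRgName)
$added = $after | Where-Object { $_.ResourceId -notin $before.ResourceId }
$added | Select-Object Name, ResourceType | Format-Table -AutoSize
```

Running the same deployment while signed in as a consumer account is a quick check that the ReadOnly lock level still blocks the customer: the deployment should be refused.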

All replies

  • This resource group holds the managed application instance. This resource group may only contain one resource. The resource type of the managed application is Microsoft.Solutions/applications.

    Note: The consumer has full access to the resource group and uses it to manage the lifecycle of the managed application.

    For more details, refer to “Resource groups for managed applications”.

    Saturday, March 24, 2018 5:22 AM
  • I am not talking about the resource group that holds the managed application instance. That group is under control of the consumer and so it should be, as they should be able to control the lifecycle of the managed application.

    I am talking about the associated resource group that contains the resources created by the managed application, the resource group for which the consumer wants the provider's expertise to manage it.

    The provider can specify the lock level for this group, which we set to readonly. However it turns out that this resource group becomes readonly for both the consumer and provider. We also add an authorization to the managed application definition that provides "Owner" permission to the provider. This allows us to modify the resource created, but due to the read lock the provider can't add / remove resources.

    How can a provider properly manage an application if all it can do is modify existing resources and have no ability to add resources?

    As mentioned in my example. The managed application consists of a load balancer and several VMs. With a readonly group the provider can only change the size of the VMs, but can't add additional VMs.

    We need this resource group to be readonly for the consumer, but fully manageable for the provider.

    - Johan

    Monday, March 26, 2018 4:56 PM
  • The query posted by you has not reached the right forum. In order to assist best on your query, I would request you to post your query in SO => Azure managed apps for dedicated support. Additionally, adding the [Azure] tag on SO will increase visibility as it is a Microsoft Sponsored tag.

    https://stackoverflow.com/questions/tagged/azure-managedapps

    This will assist you with a faster reply to your query.

    Tuesday, March 27, 2018 4:50 AM
  • Why are you pointing me to SO that has absolutely zero questions on managed apps? Isn't this the forum for Azure Marketplace? This is an Azure Marketplace question. I want to publish a managed app in the Azure Marketplace!

    However I want to know how I can publish a managed app in the Azure Marketplace that has the managed resource group in readonly mode for the consumer and allows the publisher to still have full control.

    - Johan

    Tuesday, March 27, 2018 3:51 PM
  • To discuss further on your requirement, our Product Team would engage with you shortly.

    Friday, March 30, 2018 3:26 AM
  • Glad to hear that your issue has been resolved.

    Saturday, April 14, 2018 3:02 AM