Azure resources can be moved to a new subscription, or across regions. This can be accomplished by clicking through the Azure portal, but can be also automated using the azure-cli.
Both the source group and the target group are locked during the move operation. Write and delete operations are blocked on the resource groups until the move completes. This lock means you can’t add, update, or delete resources in the resource groups. It doesn’t mean the resources are frozen. For example, if you move an Azure SQL logical server and its databases to a new resource group or subscription, applications that use the databases experience no downtime. They can still read and write to the databases. The lock can last for a maximum of four hours, but most moves complete in much less time.
Pre-requisites
- You need a service principal which have at minimum
contributorpermission on the source subscription and on the target subscription. - The service principal has an Application (client) ID and a client secret, which you need to know
The bash script
The follow bash script can be used to move a resource group in Azure to a different subscription.
#!/bin/bash
set -e
POSITIONAL=()
while [[ $# -gt 0 ]]
do
key="$1"
case $key in
-u|--username)
USERNAME="$2"
shift # past argument
shift # past value
;;
-p|--password)
PASSWORD="$2"
shift # past argument
shift # past value
;;
-t|--tenant)
TENANT="$2"
shift # past argument
shift # past value
;;
-r|--resource-group)
RESOURCEGROUP="$2"
shift # past argument
shift # past value
;;
-s|--subscription-current)
SUBSCRIPTIONCURRENT="$2"
shift # past argument
shift # past value
;;
-n|--subscription-next)
SUBSCRIPTIONNEXT="$2"
shift # past argument
shift # past value
;;
*) # unknown option
POSITIONAL+=("$1") # save it in an array for later
shift # past argument
;;
esac
done
set -- "${POSITIONAL[@]}" # restore positional parameters
azure_client_id=${USERNAME}
azure_client_secret=${PASSWORD}
azure_tenant_id=${TENANT}
azure_resource_group=${RESOURCEGROUP}
azure_subscription_current=${SUBSCRIPTIONCURRENT}
azure_subscription_next=${SUBSCRIPTIONNEXT}
az login --service-principal --username $azure_client_id --p=$azure_client_secret --tenant $azure_tenant_id --output none
azure_resources=$(az resource list --subscription $azure_subscription_current --resource-group $azure_resource_group --out tsv --query '[].[id]' | tr "\n\r" " " | tr ${azure_resource_group^^} $azure_resource_group)
az resource move --destination-group $azure_resource_group --ids ${azure_resources} --destination-subscription-id $azure_subscription_next --subscription $azure_subscription_current --verbose --output table
Command line parameter values
-u [your_azure_client_id]
[your_azure_client_id] is the azure service principal’s application (client) id. You can look it up in Azure portal.
Example: -u f2ebgage-ac9a-1134-de4c-cf50dabd763f
-p [your_azure_client_secret]
[your_azure_client_secret] is the azure service principal’s client secret.
Example: -p 134zrl7I5O4BmlAm_rRaZYwSkeWi1Aqr6c
-t [your_azure_tenant_id]
[your_azure_tenant_id] is the azure tenant id. You can look it up in Azure portal
Example: -t ab1g4a8c-b362-21f2-bb2a-13817fc14cba
-r [your_azure_resource_group]
[your_azure_resource_group] is the name of the azure resource group which you would like to move.
Example: -r myresourcegroup
-s [your_azure_subscription_current]
[your_azure_subscription_current] is the azure subscription id, which currently contains the resource group
Example: -s a0c51b0a-3c5a-2f23-a4e3-d16d16cbbd6f
-n [your_azure_subscription_next]
[your_azure_subscription_next] is the new azure subscription id where the resource group should moved to.
Example: -n c7b32b1c-3a3a-114f-c8e3-d66d34ffbd71
Using the script
- Save the script for example as
azure_subscription_move.sh - make is executable using
chmod +x azure_subscription_move.sh - Execute the script using the necessary command line parameter values
./azure_subscription_move.sh \
-u [your_azure_client_id] \
-p [your_azure_client_secret] \
-t [your_azure_tenant_id] \
-r [your_azure_resource_group] \
-s [your_azure_subscription_current]
-n [your_azure_subscription_next]
Example:
./azure_subscription_move.sh \
-u f2ebgage-ac9a-1134-de4c-cf50dabd763f \
-p 134zrl7I5O4BmlAm_rRaZYwSkeWi1Aqr6c \
-t ab1g4a8c-b362-21f2-bb2a-13817fc14cba \
-r myresourcegroup \
-s a0c51b0a-3c5a-2f23-a4e3-d16d16cbbd6f
-n c7b32b1c-3a3a-114f-c8e3-d66d34ffbd71