Deleting microsoft.web/certificates after moving between resource groups on Azure

1
votes

I have moved a number of Azure resources from one subscription to another. To do so, I needed to create a new "incoming" resources group in the target subscription. After successfully moving the resources to "incoming" I could move them to the right resource groups (Azure is a bit weird in this way, but acceptable). Now I want to delete the "incoming" resource group. When looking at the resources, I see a single hidden resource of type microsoft.web/certificates. When trying to move these to the other resource group, I get the following error:

{
   "code":"ResourceMoveValidationFailed",
   "message":"The resource batch move request has '1' validation errors. Diagnostic information: timestamp '20200511T100227Z', tracking Id 'e0d6ac02-69a2-46d2-a61d-beb4303a6ce9', request correlation Id '532eb53d-6ad3-43f3-8a31-3e0319b70702'.",
   "details":[
      {
         "code":"ResourceMoveNotSupported",
         "message":"Resource move is not supported for resource types 'Microsoft.Web/certificates'."
      }
   ]
}

Is it safe to delete this resource and then delete the resource group? I don't see any resources in the target resource group of this type.

1
azure

1 Answers

2
votes

Since there are no answers to this and I received an answer from Azure support, I'll post it here for future reference:

Microsoft.Web resources have a weird nuance to them when it comes to moving them cross-subscriptions...

  1. They must be in their original resource group they were initially deployed to
  2. You must move all related Microsoft.Web resources that were deployed to that RG
  3. The destination RG in the destination sub cannot already have Microsoft.Web resources in it.

Azure resource type Microsoft.web/certificates do not support move operation between resource groups. However, it supports move operations across subscriptions.

Support Link: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftweb

You can move a certificate bound to a web without deleting the TLS bindings, as long as the certificate is moved with all other resources in the resource group.

If your web app includes an SSL certificate that you purchased externally and uploaded to the app, you must delete the certificate before moving the web app. For example, you can perform the following steps:

  1. Delete the uploaded certificate from the web app
  2. Move the web app
  3. Upload the certificate to the web app