Resource Locks or "How to avoid deleting stuff you really ought not to"

It's a pretty crap feeling when you've spent ages in the Azure Portal creating your ultimate network of resources, only to accidentally delete something or an entire resource group. There are two solutions to this:

1. Have a grown-up on hand to put sharp knives out of your reach.

2. Given you are probably meant to be the grown-up, you should instead apply a lock to your resource or resource group. This prevents it from being either deleted or modified (or both).

Locks can be applied via either:

A) PowerShell - Get/Set/Remove AzureRMResourceLock cmdlets (e.g. set-azurermresourcelock) - https://msdn.microsoft.com/en-us/library/mt652504.aspx

B) An ARM template - https://azure.microsoft.com/en-gb/documentation/articles/resource-manager-template-lock/

Below are some examples which apply locks to a StorageAccount. The first, in PowerShell, prevents the resource from being deleted; the second, an ARM Template, applies two locks to prevent both deletion and modification.

In both cases, the normal "Delete" link from the right context menu in the Azure Portal will be removed, and when you try to modify the resource in the portal the update will fail (at time of writing the portal doesn't tell you that, however).

Additionally, if you try to delete the resource via PowerShell, it will fail until the lock is removed.

PowerShell

Here we will apply and remove a lock to a StorageAccount resource called "blahstorename55" in a ResourceGroup called "AzureResourceGroup1".

Locking

 New-AzureRmResourceLock -LockName "StorageDeleteLock" -LockLevel CanNotDelete -LockNotes "You can't touch this fool...." -ResourceGroupName "AzureResourceGroup1" -ResourceName "blahstorename55" -ResourceType "Microsoft.Storage/storageAccounts"

  • You can omit the -ResourceName and -ResourceType parameters to apply the lock to the whole ResourceGroup.
  • The -LockLevel parameter can be either "CanNotDelete", to prevent deletion, or "ReadOnly", to prevent any changes to the resource.

Unlocking

 # Look the lock up by name, then remove it by its ID
 $lock = Get-AzureRmResourceLock -LockName "StorageDeleteLock" -ResourceName "blahstorename55" -ResourceType "Microsoft.Storage/storageAccounts" -ResourceGroupName "AzureResourceGroup1"
 Remove-AzureRmResourceLock -ResourceId $lock.ResourceId

ARM Template

 {
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
  },
  "variables": {
  },
  "resources": [
    {
      "name": "blahstorename55",
      "type": "Microsoft.Storage/storageAccounts",
      "location": "[resourceGroup().location]",
      "apiVersion": "2015-06-15",
      "dependsOn": [ ],
      "tags": {
        "displayName": "mainstore"
      },
      "properties": {
        "accountType": "Standard_LRS"
      }
    },
    {
      "name": "blahstorename55/Microsoft.Authorization/StorageDeleteLock",
      "type": "Microsoft.Storage/storageAccounts/providers/locks",
      "apiVersion": "2015-01-01",
      "properties": {
        "level": "CannotDelete",
        "notes": "You can't delete this resource because it is locked."
      },
      "dependsOn": [
        "Microsoft.Storage/storageAccounts/blahstorename55"
      ]
    },
    {
      "name": "blahstorename55/Microsoft.Authorization/StorageReadOnlyLock",
      "type": "Microsoft.Storage/storageAccounts/providers/locks",
      "apiVersion": "2015-01-01",
      "properties": {
        "level": "ReadOnly",
        "notes": "You can't change anything about the settings for this resource."
      },
      "dependsOn": [
        "Microsoft.Storage/storageAccounts/blahstorename55"
      ]
    }
  ],
  "outputs": { }
}

Running the PowerShell cmdlet "get-azurermresourcelock" will show the following:

 PS c:\temp\> get-azurermresourcelock


Name                  : StorageDeleteLock
ResourceId            : /subscriptions//resourcegroups/AzureResourceGroup1/providers/Microsoft.Storage/storageAccounts/blahstorename55/providers/Microsoft.Authorization/locks/StorageDeleteLock
ResourceName          : blahstorename55
ResourceType          : Microsoft.Storage/storageAccounts
ExtensionResourceName : mylock
ExtensionResourceType : Microsoft.Authorization/locks
ResourceGroupName     : AzureResourceGroup1
SubscriptionId        : 30eb243b-127d-452b-a744-e3ffffac46ac
Properties            : @{Level=CanNotDelete; Notes=You can't touch this fool....}
LockId                : /subscriptions//resourcegroups/AzureResourceGroup1/providers/Microsoft.Storage/storageAccounts/blahstorename55/providers/Microsoft.Authorization/locks/StorageDeleteLock

Name                  : StorageReadOnlyLock
ResourceId            : /subscriptions/resourcegroups/AzureResourceGroup1/providers/Microsoft.Storage/storageAccounts/blahstorename55/providers/Microsoft.Authorization/locks/StorageReadOnlyLock
ResourceName          : blahstorename55
ResourceType          : Microsoft.Storage/storageAccounts
ExtensionResourceName : mylocktwo
ExtensionResourceType : Microsoft.Authorization/locks
ResourceGroupName     : AzureResourceGroup1
SubscriptionId        : 30eb243b-127d-452b-a744-e3ffffac46ac
Properties            : @{Level=ReadOnly; Notes=You can't touch this fool....}
LockId                : /subscriptions//resourcegroups/AzureResourceGroup1/providers/Microsoft.Storage/storageAccounts/blahstorename55/providers/Microsoft.Authorization/locks/StorageReadOnlyLock
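
The output above lists locks but does not say which resources they end up protecting. As an added example (not from the original post), the hypothetical helper Get-EffectiveLock works out the lock level that applies to each resource, using the facts that a lock on a resource group also covers the resources inside it and that ReadOnly is the more restrictive level. The subscription ID is a placeholder, and GroupDeleteLock, examplevnet, OtherGroup and unlockedstore are constructed sample values.

```powershell
# Added example: runs offline on constructed objects shaped like the
# Get-AzureRmResourceLock output shown in this post (LockId, Properties.Level).
function Get-EffectiveLock {
    param(
        [Parameter(Mandatory)] [string[]] $ResourceId,  # resource IDs to check
        [Parameter(Mandatory)] [object[]] $Lock         # lock objects
    )
    $marker = '/providers/Microsoft.Authorization/locks/'
    foreach ($id in $ResourceId) {
        $levels = foreach ($l in $Lock) {
            # A lock's scope is its LockId with the trailing lock segment removed.
            $idx = $l.LockId.LastIndexOf($marker, [StringComparison]::OrdinalIgnoreCase)
            if ($idx -lt 0) { continue }
            $scope = $l.LockId.Substring(0, $idx)
            # The lock applies to its own scope and to everything beneath it.
            # Matching on "$scope/" stops "Group1" from also matching "Group10".
            if ($id -ieq $scope -or
                $id.StartsWith("$scope/", [StringComparison]::OrdinalIgnoreCase)) {
                $l.Properties.Level
            }
        }
        $effective = 'None'
        if ($levels -contains 'CanNotDelete') { $effective = 'CanNotDelete' }
        if ($levels -contains 'ReadOnly')     { $effective = 'ReadOnly' }
        [pscustomobject]@{ ResourceId = $id; EffectiveLock = $effective }
    }
}

# Constructed sample data (placeholder subscription ID).
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$rg  = "$sub/resourceGroups/AzureResourceGroup1"
$sa  = "$rg/providers/Microsoft.Storage/storageAccounts/blahstorename55"
$locks = @(
    [pscustomobject]@{ LockId     = "$rg/providers/Microsoft.Authorization/locks/GroupDeleteLock"
                       Properties = [pscustomobject]@{ Level = 'CanNotDelete' } }
    [pscustomobject]@{ LockId     = "$sa/providers/Microsoft.Authorization/locks/StorageReadOnlyLock"
                       Properties = [pscustomobject]@{ Level = 'ReadOnly' } }
)
$resources = @(
    $sa
    "$rg/providers/Microsoft.Network/virtualNetworks/examplevnet"
    "$sub/resourceGroups/OtherGroup/providers/Microsoft.Storage/storageAccounts/unlockedstore"
)
Get-EffectiveLock -ResourceId $resources -Lock $locks | Format-Table -AutoSize

# Live use (assumes a logged-in AzureRM session):
# Get-EffectiveLock -ResourceId (Get-AzureRmResource).ResourceId -Lock (Get-AzureRmResourceLock)
```

Any resource reported with an effective lock of None can still be deleted by anyone with delete rights on it.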
