Sometimes you have to give people a little more access to an Azure environment than you might like, and then there’s the chance of someone accidentally deleting a resource.
A resource deletion may not sound like too big a thing if you’re deploying Infrastructure as Code: hey, we’ll just terraform apply again and it’ll pop back up.
In theory that’s a great idea, with one big problem: the new resource isn’t the old resource!
For example, an Azure SQL Database server is a unique resource. If you delete one you lose any backups you’ve taken, as they’re hosted on the server. Spinning up a new one isn’t going to get them back! A phone call to MS Support may, if you’re quick and lucky.
To avoid this you want to be using Azure Resource Locks. Think of these as the Azure version of child-proof locks on your kitchen drawers. Yes, they may occasionally mean you’ve got an extra step to get a knife out, but the little one can’t get their hands on it.
Azure Resource Locks
The first thing to know about Azure Resource Locks is that they apply to everyone and every role. Even if you have the Owner role on a Resource Group via RBAC, if there’s an Azure Resource Lock on that Resource Group you’re going to be blocked until you’ve removed the lock.
This is great because it prevents those “oh ****, that was the wrong subscription” moments.
Locks apply downwards from the resource they’re applied to. So if you apply one on a Resource Group then its lock applies to every resource within that Resource Group. Apply it to an Azure SQL Database server, and it will apply to all of the databases on that server.
Azure Resource Lock Types
Resource locks come in 2 flavours:
CanNotDelete does what it says on the tin. Once this lock is applied the resource (and its children) can not be deleted, even if you use
ReadOnly implements CanNotDelete and also prevents any modification of the locked resource and its children.
Setting Azure Resource Locks
You can set Azure Resource Locks via the Azure Portal, Azure CLI, Azure PowerShell or ARM Templates. Below is how you can set the same CanNotDelete lock on the Lock Resource Group using each of the 4 options:
- Azure Portal
- ARM Template
Create a template.json file:
Which you’d deploy with:
- Azure CLI:
az lock create --name LockGroupNotDelete --lock-type CanNotDelete --resource-group Lock
- Azure PowerShell:
What you’ll see with Azure Resource Locks
- Azure Portal
As you can see, the Resource Locks will stop you deleting the resource, which is nice. The error messages are also nice and informative, so you know the resource is locked and at which scope the lock is placed, which makes it easier to find the lock to remove it. Talking of removing locks:
Removing Azure Resource Locks
You can remove locks with any of the methods you can use to create them, so you’re free to mix and match how you do things.
- Azure Portal
- Azure CLI
az lock delete --name LockGroupNotDelete --resource-group Lock
- Azure PowerShell
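To tie the setting and removing sections together, here is an added example (not code from the original post) that walks the full lifecycle with the Az PowerShell module: create the CanNotDelete lock on the Lock Resource Group, list it, show that a deletion attempt is refused, add a ReadOnly lock on a SQL server so it is inherited by its databases, and finally remove the locks. It assumes Connect-AzAccount has already been run and that the Lock Resource Group exists; the SQL server name is a placeholder.

```powershell
# Added example, not from the original post. Assumes Connect-AzAccount has
# already been run and that a Resource Group named "Lock" exists.
$ErrorActionPreference = 'Stop'   # stop before the delete test if lock creation fails

$rgName   = 'Lock'                # Resource Group from the post
$lockName = 'LockGroupNotDelete'  # lock name from the post's CLI example

# 1. CanNotDelete lock at Resource Group scope. -Force skips the confirmation prompt.
New-AzResourceLock -LockName $lockName -LockLevel CanNotDelete `
    -ResourceGroupName $rgName -LockNotes 'Protects the SQL server and its backups' -Force

# 2. List locks on the group, showing the level of each.
Get-AzResourceLock -ResourceGroupName $rgName |
    Select-Object Name, @{ n = 'Level'; e = { $_.Properties.level } }, ResourceId

# 3. Prove the lock works: the delete is refused with an error that names the
#    lock scope, so catch it rather than letting it terminate the script.
try {
    Remove-AzResourceGroup -Name $rgName -Force
    Write-Warning 'Resource Group was deleted; the lock was not in place!'
}
catch {
    Write-Host "Deletion blocked as expected: $($_.Exception.Message)"
}

# 4. ReadOnly lock scoped to one SQL server (placeholder name). Because locks
#    apply downwards, every database on that server inherits it.
$sqlServerName = 'placeholder-sql-server'
New-AzResourceLock -LockName 'SqlServerReadOnly' -LockLevel ReadOnly `
    -ResourceName $sqlServerName -ResourceType 'Microsoft.Sql/servers' `
    -ResourceGroupName $rgName -Force

# 5. Remove both locks when a change genuinely has to go through.
Remove-AzResourceLock -LockName 'SqlServerReadOnly' -ResourceName $sqlServerName `
    -ResourceType 'Microsoft.Sql/servers' -ResourceGroupName $rgName -Force
Remove-AzResourceLock -LockName $lockName -ResourceGroupName $rgName -Force
```

Step 3 is deliberately the same action a careless operator would take; running it against a throwaway group is a cheap way to confirm the lock really is in place before you rely on it for anything that holds backups.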
About the Author:
T – @napalmgram
Stuart has spent 20+ years pushing data around many platforms using whatever tools he can find, mainly SQL Server, PowerShell and Azure these days. He has been a Microsoft Data Platform MVP since 2018 and spends lots of time contributing to the dbatools project. In his copious spare time he also organises DataRelay, the Nottingham SQL Server User Group and PowerShell User Group, and the Nottingham Global Azure Bootcamp.
Moore, S. (2019). Prevent mistakes with Azure resource locks. Available at: https://stuart-moore.com/prevent-mistakes-with-azure-resource-locks/ [Accessed: 10th October 2019].