Azure locks

Locks are mechanisms for stopping certain activities on resources. RBAC provides rights to users, groups, and applications within a certain scope. There are out-of-the-box RBAC roles, such as owner, contributor, and reader. With the contributor role, it is possible to delete or modify a resource. How can such activities be prevented despite the user having a contributor role? Enter Azure locks.

Azure locks can help in two ways:

  • They can lock resources such that they cannot be deleted, even if you have owner access.
  • They can lock resources in such a way that it can be neither deleted nor have its configuration modified.

Locks are typically very helpful for resources in production environments that should not be modified or deleted accidentally.

Locks can be applied at the levels of subscription, resource group, and individual resource. Locks can be inherited between subscriptions, resource groups, and resources. Applying a lock at the parent level will ensure that those at the child level will also inherit it. Even resources you add later will inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence. Applying a lock at the resource level will also not allow the deletion of the resource group containing the resource.

Locks are applied only to operations that help in managing the resource rather than operations that are within the resource. Users either need Microsoft.Authorization/* or Microsoft.Authorization/locks/* RBAC permissions to create and modify locks.

Locks can be created and applied through the Azure portal, Azure PowerShell, the Azure CLI, Azure Resource Manager templates, and REST APIs.

Creating a lock using an Azure Resource Manager template is done as follows:

{ 
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 
  "contentVersion": "1.0.0.0", 
  "parameters": { 
    "lockedResource": { 
      "type": "string" 
    } 
  }, 
  "resources": [ 
    { 
      "name": "[concat(parameters('lockedResource'), '/Microsoft.Authorization/myLock')]", 
      "type": "Microsoft.Storage/storageAccounts/providers/locks", 
      "apiVersion": "2015-01-01", 
      "properties": { 
        "level": "CannotDelete" 
      } 
    } 
  ] 
}

Creating and applying a lock to a resource using PowerShell is done as follows:

New-AzureRmResourceLock -LockLevel CanNotDelete -LockName LockSite `
  -ResourceName examplesite -ResourceType Microsoft.Web/sites `
  -ResourceGroupName exampleresourcegroup

Creating and applying a lock to a resource group using PowerShell is done as follows:

New-AzureRmResourceLock -LockName LockGroup -LockLevel CanNotDelete `
  -ResourceGroupName exampleresourcegroup

Creating and applying a lock to a resource using the Azure CLI is done as follows:

az lock create --name LockSite --lock-type CanNotDelete 
  --resource-group exampleresourcegroup --resource-name examplesite 
  --resource-type Microsoft.Web/sites

Creating and applying a lock to a resource group using the Azure CLI is done as follows:

az lock create --name LockGroup --lock-type CanNotDelete 
  --resource-group exampleresourcegroup

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
13.59.38.41