Lock Azure resources to prevent accidental deletion

How a lock can prevent user from accidental deletion of a resource.

Advertisements

In some cases you want to protect critical resources from accidental deletion. Some examples are a storage account with source data for processing, a Key Vault with disk encryption keys, or another key component in your infrastructure. When losing some resources that are key in your infrastructure, recovery can be dramatic. Resource Manager locks will enable you to protect these critical resources from deletion.

Resource Manager locks
Resource Manager locks apply to the management function of the locked resources. The locks do not have any impact the normal functions of the resource. You have two possible types of locks on a resource:

Locking down a resource can save your contributors from accidently delete a critical resources. An ‘oeps… I deleted the wrong resources’ moment should be a thing of the past.

CannotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

In practice user or service principles have the role Contributor on a resource. This role allows the user to delete the resource. A lock on the resource will prevent the user with the Contributor role to delete the resource. Only the roles Owner and User Access Administrator can change the locks on the resources.

When deploying a lock from a VSTS release pipeline, the Service Principle should have the role User Access Administrator on the resource group.

Deploying Resource Manager locks
Deploying locks can be done with ARM templates or Powershell. I prefer to add them to my ARM template and deploy them with my release pipeline. A simple template to add a lock looks like:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "lockedResource": {
      "type": "string"
    }
  },
  "resources": [
    {
      "name": "[concat(parameters('lockedResource'), '/Microsoft.Authorization/myLock')]",
      "type": "Microsoft.Storage/storageAccounts/providers/locks",
      "apiVersion": "2015-01-01",
      "properties": {
        "level": "CannotDelete",
        "notes": "prevent resource from accidental deletion"
      }
    }
  ]
}

The parameter lockedResource should look like: ‘/Microsoft.Authorization/’ in the case of locking down a storage account.

When you delete a group in the portal with a locked resource, prevent-delete-of-resourcethe deletion is prevented and the following message is shown to the user:

After removing the lock from the storage account, you will be able to remove the resource group.

Conclusion
Locking critical resources can prevent you from accidental and hard to recover downtime. Applying them from within your arm template is very easy and enables you to manage them like any other resource.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s