Azure Resource Locks with PowerShell - Marcin Gastol

Azure Resource Locks with PowerShell

Intro

In cloud environments, it’s crucial to protect critical resources from accidental deletion or modification. Azure Resource Locks provide a way to safeguard your resources by applying locks at different scopes, such as subscriptions, resource groups, or individual resources. This blog post will guide you through automating the application of Azure Resource Locks using PowerShell, ensuring that your critical resources remain secure.

What are Azure Resource Locks?

Azure Resource Locks are a feature that helps you protect your resources from accidental changes. By applying a lock, you can prevent resources from being deleted or modified. There are two types of locks:

  1. Read-only (lock level ReadOnly): This lock restricts actions that modify the resource. Authorized users can read the resource, but they can’t delete or update it.
  2. Delete (lock level CanNotDelete): This lock restricts users from deleting the resource, but they can still read and modify it.

Why Use Resource Locks?

Resource Locks are essential for maintaining the integrity of your critical resources. They help ensure that important configurations and data are not accidentally altered or removed, which could lead to service disruptions or data loss.

Azure Resource Locks with PowerShell

Using PowerShell to manage Azure Resource Locks provides a powerful and flexible way to automate the protection of your resources. Below are the steps to automate the creation, assignment, and management of resource locks.

Step 1: Connect to Azure

Before applying resource locks, you need to connect to your Azure account using PowerShell.

PowerShell
# Connect to Azure
Connect-AzAccount

Step 2: Creating a Resource Group

If you don’t already have a resource group, create one to organize your resources.

PowerShell
# Define parameters
$resourceGroupName = 'GarsonResourceGroup'
$location = 'West Europe'

# Create a resource group
New-AzResourceGroup -Name $resourceGroupName -Location $location

Step 3: Applying a Resource Lock

Example: Applying a Delete Lock to a Resource Group

Applying a delete lock ensures that the resources within the group cannot be deleted.

PowerShell
# Define lock parameters
$lockName = 'DeleteLock'
$lockLevel = 'CanNotDelete'
$resourceId = (Get-AzResourceGroup -Name $resourceGroupName).ResourceId

# Create a delete lock on the resource group
# (-Scope takes the ID of the resource or resource group to lock)
New-AzResourceLock -LockLevel $lockLevel -LockName $lockName -Scope $resourceId

Example: Applying a Read-Only Lock to a Virtual Machine

Applying a read-only lock ensures that the virtual machine cannot be modified.

PowerShell
# Define parameters
$vmName = 'GarsonVM'
$lockName = 'ReadOnlyLock'
$lockLevel = 'ReadOnly'
$resourceId = (Get-AzVM -ResourceGroupName $resourceGroupName -Name $vmName).Id

# Create a read-only lock on the virtual machine
# (-Scope takes the ID of the resource to lock)
New-AzResourceLock -LockLevel $lockLevel -LockName $lockName -Scope $resourceId

Step 5: Automating the Process with a Script

To ensure continuous protection, you can automate the application of resource locks using a PowerShell script. This script will create and manage locks on your critical resources.

PowerShell
# Connect to Azure
Connect-AzAccount

# Define parameters
$resourceGroupName = 'GarsonResourceGroup'
$location = 'West Europe'
$vmName = 'GarsonVM'
$deleteLockName = 'DeleteLock'
$readOnlyLockName = 'ReadOnlyLock'

# Create a resource group if it doesn't exist
if (-not (Get-AzResourceGroup -Name $resourceGroupName -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $resourceGroupName -Location $location
}

# Apply a delete lock to the resource group (skipped if this lock already exists at that scope)
$resourceGroupId = (Get-AzResourceGroup -Name $resourceGroupName).ResourceId
if (-not (Get-AzResourceLock -LockName $deleteLockName -Scope $resourceGroupId -ErrorAction SilentlyContinue)) {
    # -Force suppresses the confirmation prompt so the script can run unattended
    New-AzResourceLock -LockLevel 'CanNotDelete' -LockName $deleteLockName -Scope $resourceGroupId -Force
}

# Apply a read-only lock to the virtual machine (skipped if this lock already exists at that scope)
$vmId = (Get-AzVM -ResourceGroupName $resourceGroupName -Name $vmName).Id
if (-not (Get-AzResourceLock -LockName $readOnlyLockName -Scope $vmId -ErrorAction SilentlyContinue)) {
    New-AzResourceLock -LockLevel 'ReadOnly' -LockName $readOnlyLockName -Scope $vmId -Force
}

# Function to remove a lock applied at resource group level
function Remove-Lock {
    param (
        [string]$lockName,
        [string]$resourceGroupName
    )

    # Look up the lock by name; do nothing if it does not exist
    $lock = Get-AzResourceLock -LockName $lockName -ResourceGroupName $resourceGroupName -ErrorAction SilentlyContinue
    if ($lock) {
        Remove-AzResourceLock -LockId $lock.LockId -Force
    }
}

# Example of removing a lock
# Note: this removes the delete lock created above; call it only when you intend to lift the protection
Remove-Lock -lockName $deleteLockName -resourceGroupName $resourceGroupName
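
As a complement to the script in Step 5, the following added example (not part of the original post) audits which required scopes are not covered by a lock, taking inheritance from parent scopes into account. The function name Find-MissingLock, the OtherGroup resource group and the all-zero subscription ID are hypothetical, and the code assumes lock objects expose LockId and Properties.level as Get-AzResourceLock output does.

```powershell
# Added example: report required scopes that no existing lock covers.
# Assumption: lock objects carry LockId and Properties.level, as Get-AzResourceLock output does.
function Find-MissingLock {   # hypothetical helper name
    param (
        [Parameter(Mandatory)] [object[]]$Required,  # items with Scope and Level
        [object[]]$Existing = @()                    # lock objects to check against
    )
    $marker = '/providers/Microsoft.Authorization/locks/'
    # Reduce each lock to the scope it is applied at plus its level
    $applied = @(foreach ($lock in $Existing) {
        $i = $lock.LockId.LastIndexOf($marker, [StringComparison]::OrdinalIgnoreCase)
        if ($i -ge 0) {
            [pscustomobject]@{ Scope = $lock.LockId.Substring(0, $i); Level = $lock.Properties.level }
        }
    })
    foreach ($req in $Required) {
        $covering = @($applied | Where-Object {
            # A lock covers its own scope and, through inheritance, every child scope
            $inScope = ($req.Scope -eq $_.Scope) -or
                $req.Scope.StartsWith("$($_.Scope)/", [StringComparison]::OrdinalIgnoreCase)
            # ReadOnly also blocks deletion, so it satisfies a CanNotDelete requirement
            $inScope -and ($_.Level -eq $req.Level -or $_.Level -eq 'ReadOnly')
        })
        if ($covering.Count -eq 0) { $req }
    }
}

# Constructed sample data with a placeholder subscription ID.
# Against a live subscription, pass the output of Get-AzResourceLock as -Existing.
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$rg  = "$sub/resourceGroups/GarsonResourceGroup"
$existing = @(
    [pscustomobject]@{
        LockId     = "$rg/providers/Microsoft.Authorization/locks/DeleteLock"
        Properties = [pscustomobject]@{ level = 'CanNotDelete' }
    }
)
$required = @(
    [pscustomobject]@{ Scope = $rg; Level = 'CanNotDelete' }
    [pscustomobject]@{ Scope = "$rg/providers/Microsoft.Compute/virtualMachines/GarsonVM"; Level = 'ReadOnly' }
    [pscustomobject]@{ Scope = "$sub/resourceGroups/OtherGroup"; Level = 'CanNotDelete' }
)

# Lists the scopes that still need a lock
Find-MissingLock -Required $required -Existing $existing | Format-Table Scope, Level
```

Running the audit on a schedule makes a removed or downgraded lock visible instead of leaving it unnoticed until a resource is deleted.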

If you wish to start your journey from the beginning, check out how to start with PowerShell in Azure:
