Applying Azure Management Lock to prevent resource deletion
To prevent the deletion of resources in Azure, you can apply a Management Lock. Management Locks let you enforce different levels of protection on your Azure resources, ensuring they are not accidentally deleted or modified.
The lock level can be set to:
- CanNotDelete: Authorized users can still read and modify a resource, but they can't delete the resource.
- ReadOnly: Authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
You can apply locks to a subscription, a resource group, or individual resources. For this program, we'll focus on applying a `CanNotDelete` lock at the resource group level to protect all resources within it. We will use Pulumi with the Azure Native provider to create a management lock at the resource group level.
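A resource group lock protects everything beneath it because Azure applies the most restrictive lock inherited from any parent scope (subscription, resource group, resource). The following added example (not part of the original program) models that rule in plain TypeScript so you can audit which resource groups are still deletable; the `LockRecord` shape, the `effectiveLockLevel` and `unprotectedResourceGroups` helpers, and the sample IDs are all constructed for this example.

```typescript
// Added example: compute the effective lock on an Azure resource ID from locks
// at subscription, resource group and resource scope. The most restrictive
// inherited lock wins; ReadOnly is stricter than CanNotDelete.

type LockLevel = "CanNotDelete" | "ReadOnly";

// Minimal lock record: the scope it was applied at and its level.
// (Hypothetical shape for this example, not the SDK's own type.)
interface LockRecord {
  scope: string; // e.g. "/subscriptions/<sub>/resourceGroups/<rg>"
  level: LockLevel;
}

const RANK: Record<LockLevel, number> = { CanNotDelete: 1, ReadOnly: 2 };

// ARM IDs are case-insensitive; drop any trailing slash before comparing.
function normalizeId(id: string): string {
  return id.toLowerCase().replace(/\/+$/, "");
}

// A lock covers a resource when the resource ID equals the lock scope or
// sits beneath it in the ARM hierarchy (scope + "/...").
function lockCovers(scope: string, resourceId: string): boolean {
  const s = normalizeId(scope);
  const r = normalizeId(resourceId);
  return r === s || r.startsWith(s + "/");
}

// Most restrictive lock inherited by resourceId, or null if it is unlocked.
export function effectiveLockLevel(resourceId: string, locks: LockRecord[]): LockLevel | null {
  let best: LockLevel | null = null;
  for (const lock of locks) {
    if (!lockCovers(lock.scope, resourceId)) continue;
    if (best === null || RANK[lock.level] > RANK[best]) best = lock.level;
  }
  return best;
}

// Audit helper: which of the given resource group IDs can still be deleted?
export function unprotectedResourceGroups(rgIds: string[], locks: LockRecord[]): string[] {
  return rgIds.filter((id) => effectiveLockLevel(id, locks) === null);
}

// Constructed sample data with a placeholder subscription ID.
const SUB = "/subscriptions/00000000-0000-0000-0000-000000000000";
export const sampleLocks: LockRecord[] = [
  { scope: `${SUB}/resourceGroups/prod-rg`, level: "CanNotDelete" },
  { scope: `${SUB}/resourceGroups/prod-rg/providers/Microsoft.Storage/storageAccounts/prodsa`, level: "ReadOnly" },
];
```

Feed it the lock list returned by your inventory tooling and the resource group IDs you expect to be protected; any ID it returns has no delete protection at any inherited scope.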
Here's an outline of the steps we'll follow in the program:
- Import the required Pulumi and Azure Native SDK components.
- Initialize a new Pulumi stack that will define our infrastructure.
- Define a resource group that we want to protect.
- Apply a `ManagementLockAtResourceGroupLevel` to prevent deletion of the resource group.
Below is the TypeScript program to achieve this:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azureNative from "@pulumi/azure-native";

// Create an Azure Resource Group
const resourceGroup = new azureNative.resources.ResourceGroup("myResourceGroup");

// Apply a 'CanNotDelete' management lock to the resource group.
const lock = new azureNative.authorization.ManagementLockAtResourceGroupLevel("lock", {
    resourceGroupName: resourceGroup.name,
    lockName: "preventDeletion",
    // CanNotDelete means authorized users can still read and modify resources, but not delete them.
    level: "CanNotDelete",
    notes: "Lock to prevent accidental resource group deletion",
});

// Export the resource group name and the name of the lock
export const resourceGroupName = resourceGroup.name;
export const lockName = lock.name;
```
This program first creates a resource group using the `azureNative.resources.ResourceGroup` class. This class represents an Azure resource group, which is a container for managing resources in Azure. Next, it applies a management lock at the resource group level using the `azureNative.authorization.ManagementLockAtResourceGroupLevel` class. Here's what each line of code involving the lock is doing:
- `resourceGroupName: resourceGroup.name`: Specifies the name of the resource group to which the lock will be applied.
- `lockName: "preventDeletion"`: Sets a unique name for the lock. This can be any descriptive name that makes sense to you.
- `level: "CanNotDelete"`: Selects the lock level. In this case, resources in the resource group can be modified but not deleted.
- `notes: "Lock to prevent accidental resource group deletion"`: An optional field where you can describe the purpose of the lock.
Finally, the program exports the names of both the resource group and the lock for easy access post-deployment.
To deploy this program, follow these steps:
- Ensure you have installed Pulumi and configured it for use with Azure.
- Save the above code to a file named `index.ts` in a new directory.
- Run `npm install @pulumi/pulumi @pulumi/azure-native` to install the required packages.
- Run `pulumi up` to preview and deploy the stack.
After the deployment, the resource group specified in this program will be protected against deletion.