• Dana Epp

Locking down Azure resources for fun and profit

Azure is an immensely powerful platform. There are so many different ways that you can add, modify and delete resources its scary. So much so, as more companies adopt public cloud computing on the Microsoft Cloud, I already can see cracks in the armor when it comes to how easy it is to destroy production resources with a few clicks. Ever delete a resource group not knowing there was something critical in there? Yep. Most of us have at one time or another if you have a ton of resources in play... especially when DevOps is auto-deploying some much Infrastructure as Code (IaC).

Enter the concept of an "Azure lock". As an administrator, you may need to lock down a subscription, resource group or even an individual resource, preventing others from accidentally deleting or modifying it. You can do this by using the role-based access control (RBAC) system in Azure and applying a lock level of CanNotDelete or ReadOnly.

  • CanNotDelete means that an authorized user can still read and modify a resource, but they cannot delete it.

  • ReadOnly means that an authorized user can read the resource, but they cannot update or delete it. This is basically the equivalent of giving someone the Reader role.

OK, sounds perfect. We can prevent someone in DevOps from accidentally nuking a production resource. That's good. But how? With a bit of PowerShell-fu! Try this as a cloud administrator to lock down a Resource Group:

New-AzureRmResourceLock -LockName "LockThisGroupDown" -LockLevel CanNotDelete -ResourceGroupName "myresourcegroup"

Pretty easy eh? OK, so lets say you want to lock down an individual resource, like a website:

New-AzureRmResourceLock -LockName "LockThisSite" -LockLevel ReadOnly -ResourceName "contososite" -ResourceType "Microsoft.Web/sites" -ResourceGroupName "myresourcegroup"

Once you start doing this, you may want to consider being able to see the locks. You can use Get-AzureRmResourceLock to do that. And to remove it? You guessed it... Remove-AzureRmResourceLock. ie:

$lockId = (Get-AzureRmResourceLock -ResourceName "contososite" -ResourceType "Microsoft.Web/sites" -ResourceGroupName "myresourcegroup").LockId
Remove-AzureRmResourceLock -LockId $lockId

Now, if you are an ARM template kinda person, you CAN configure this in your template. The resource type of the lock is the resource type of the resource to lock and /providers/locks. The name of the lock is created by concatenating the resource name with /Microsoft.Authorization/ and the name of the lock. You can learn more about it here.

All in all, locking your resources down to prevent the accidental (or deliberate) destruction of production resources is a good thing. You really should consider using the lock feature in Azure to do this.