How to Lock a Resource Group to prevent accidental deletion of resources like HDInsight
Did you know it is possible to prevent accidental deletion of resources in Azure? This could apply to any number of resource, HDInsight, Stream Analytics jobs, Data Factories, DocumentDB accounts, etc.
We can add a lock to the resource group to prevent resources from being removed inadvertantly.
I found out the hard way when someone here tried to delete their HDInsight and it failed. The delete request fails with HTTP status code 409 CONFLICT which indicates the Resource Group is locked.
DELETE/SUBSCRIPTIONS/RESOURCEGROUPS/PROVIDERS/MICROSOFT.HDINSIGHT/CLUSTERS/ Http request failed with ErrorResponseMessageException. HttpStatus: 'Conflict', ErrorCode: 'ScopeLocked' and ErrorMessage: 'The scope '/subscriptions/subscriptionid/resourceGroups/HDInsightRG/providers/Microsoft.HDInsight/clusters/hdinsightclustername' cannot perform delete operation because following scope(s) are locked: '/subscriptions/subscriptionid/resourceGroups/HDInsightRG'. Please remove the lock and try again.'.
References
- New-AzureRmResourceLock https://msdn.microsoft.com/en-us/library/mt652515.aspx
- Get-AzureRmResourceLock https://msdn.microsoft.com/en-us/library/mt652497.aspx
- Remove-AzureRmResourceLock https://msdn.microsoft.com/en-us/library/mt652493.aspx
Here's how to make a lock in PowerShell and prevent resources from being delete.
Perequisite: Download the PowerShell SDK for Azure from here https://azure.microsoft.com/en-us/downloads/
Start > Run > PowerShell ISE
I like PowerShell ISE because you can highlight one line at a time, and run it one by one.
Example Code
# 1. Login
Login-AzureRmAccount
# 2. Make a new lock
New-AzureRmResourceLock -LockLevel CanNotDelete -LockName LockHDInsightRG -ResourceGroup HDInsightRG
# 3. List existing locks and their names – it will prompt Yes/No unless you add -Force switch.
Get-AzureRmResourceLock
Name : LockHDInsightRG
ResourceId : /subscriptions/subscriptionid/resourceGroups/HDInsightRG/providers/Microsoft
.Authorization/locks/LockHDInsightRG
ResourceName : LockHDInsightRG
ResourceType : Microsoft.Authorization/locks
ResourceGroupName : HDInsightRG
SubscriptionId : subscriptionid
Properties : @{Level=CanNotDelete}
LockId : /subscriptions/subscriptionid/resourceGroups/HDInsightRG/providers/Microsoft.Authorization/locks/LockHDInsightRG
# 4. Try to delete an HDInsight cluster – it will Error out
Remove-AzureRmHDInsightCluster -ClusterName MyCluster
Remove-AzureRmHDInsightCluster -ClusterName MyCluster -ResourceGroupName HDInsightRG
Remove-AzureRmHDInsightCluster : ScopeLocked: The scope '/subscriptions/subscriptionid/resourceGroups/HDInsightRG/providers/Microsoft.HDInsight/clusters/MyCluster' cannot perform delete operation because following scope(s) are locked: '/subscriptions/subscriptionid/resourceGroups/HDInsightRG'.
Please remove the lock and try again.
At line:1 char:1
+ Remove-AzureRmHDInsightCluster -ClusterName MyCluster -ResourceGroup ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Remove-AzureRmHDInsightCluster], CloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.HDInsight.RemoveAzureHDInsightCommand
# 5. Remove the lock by name - it will prompt Yes/No unless you add -Force switch.
Remove-AzureRmResourceLock -LockName LockHDInsightRG -ResourceGroup HDInsightRG
Remove-AzureRmResourceLock -LockName LockHDInsightRG -ResourceGroup HDInsightRG
True
# 6. List existing locks and their names – no results
Get-AzureRmResourceLock