Udostępnij za pośrednictwem


How to Lock a Resource Group to prevent accidental deletion of resources like HDInsight

Did you know it is possible to prevent accidental deletion of resources in Azure? This could apply to any number of resource, HDInsight, Stream Analytics jobs, Data Factories, DocumentDB accounts, etc.

We can add a lock to the resource group to prevent resources from being removed inadvertantly.

I found out the hard way when someone here tried to delete their HDInsight and it failed. The delete request fails with HTTP status code 409 CONFLICT which indicates the Resource Group is locked.

DELETE/SUBSCRIPTIONS/RESOURCEGROUPS/PROVIDERS/MICROSOFT.HDINSIGHT/CLUSTERS/ Http request failed with ErrorResponseMessageException. HttpStatus: 'Conflict', ErrorCode: 'ScopeLocked' and ErrorMessage: 'The scope '/subscriptions/subscriptionid/resourceGroups/HDInsightRG/providers/Microsoft.HDInsight/clusters/hdinsightclustername' cannot perform delete operation because following scope(s) are locked: '/subscriptions/subscriptionid/resourceGroups/HDInsightRG'. Please remove the lock and try again.'.

 

References

 

Here's how to make a lock in PowerShell and prevent resources from being delete.

 

Perequisite: Download the PowerShell SDK for Azure from here https://azure.microsoft.com/en-us/downloads/

Start > Run > PowerShell ISE

I like PowerShell ISE because you can highlight one line at a time, and run it one by one.

Example Code

# 1. Login

Login-AzureRmAccount

# 2. Make a new lock

New-AzureRmResourceLock -LockLevel CanNotDelete -LockName LockHDInsightRG -ResourceGroup HDInsightRG

# 3. List existing locks and their names – it will prompt Yes/No unless you add -Force switch.

Get-AzureRmResourceLock

Name : LockHDInsightRG
ResourceId : /subscriptions/subscriptionid/resourceGroups/HDInsightRG/providers/Microsoft
.Authorization/locks/LockHDInsightRG
ResourceName : LockHDInsightRG
ResourceType : Microsoft.Authorization/locks
ResourceGroupName : HDInsightRG
SubscriptionId : subscriptionid
Properties : @{Level=CanNotDelete}
LockId : /subscriptions/subscriptionid/resourceGroups/HDInsightRG/providers/Microsoft.Authorization/locks/LockHDInsightRG

# 4. Try to delete an HDInsight cluster – it will Error out

Remove-AzureRmHDInsightCluster -ClusterName MyCluster

Remove-AzureRmHDInsightCluster -ClusterName MyCluster -ResourceGroupName HDInsightRG
Remove-AzureRmHDInsightCluster : ScopeLocked: The scope '/subscriptions/subscriptionid/resourceGroups/HDInsightRG/providers/Microsoft.HDInsight/clusters/MyCluster' cannot perform delete operation because following scope(s) are locked: '/subscriptions/subscriptionid/resourceGroups/HDInsightRG'.
Please remove the lock and try again.
At line:1 char:1
+ Remove-AzureRmHDInsightCluster -ClusterName MyCluster -ResourceGroup ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Remove-AzureRmHDInsightCluster], CloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.HDInsight.RemoveAzureHDInsightCommand

# 5. Remove the lock by name - it will prompt Yes/No unless you add -Force switch.

Remove-AzureRmResourceLock -LockName LockHDInsightRG -ResourceGroup HDInsightRG

Remove-AzureRmResourceLock -LockName LockHDInsightRG -ResourceGroup HDInsightRG
True

# 6. List existing locks and their names – no results

Get-AzureRmResourceLock