Tag: Protection

Protecting Azure Resources from Deletion

There's a lot we can do in Azure to protect our resources from harm.

First security permissions can be set up using active directory groups, so that access can be restrict to certain member to actually do anything with a resource. There's the fact that resources exist on more than one server so that if a server fails another already has a copy ready to switch to. We can even use ARM templates to have our entire infrastructure written as code that can be redeployed should the worst happen.

However what if we have some blob storage with some important data and we accidentally just go and delete it? Sometimes human error just happens, sure we can recreate it with our ARM template, but the contents will be gone.

Or maybe we're not using ARM templates and did everything through the portal so we'd really like to just make sure we didn't delete stuff by accident.

Azure Resource Locks

One thing we can do is to set up Azure Resource Locks. This isn't the same thing as setting up backups (you should absolutely do that to), but this is a nice extra thing you can do to prevent you from deleting something by accident. It's also really simple to do too.

In the Portal

If your doing everything direct in the portal, open your resource and look for locks in the left nav.

Now click the add button. Give it a name, lock type of delete and a note for what it does.

Now if you try and delete the resource you get a friendly error message saying you can't.

ARM Template

If your using ARM templates to manage your infrastructure, then you need this little snippet of code added to your template file.

{
        "type": "Microsoft.Authorization/locks",
        "apiVersion": "2016-09-01",
        "name": "NAME OF LOCK GOES HERE",
        "scope": "[concat('Microsoft.Sql/servers/databases/', parameters('database_name'))]",
        "dependsOn": [
          "[resourceId('Microsoft.Sql/servers/databases/', parameters('database_name'))]"
        ],
        "properties": {
          "level": "CanNotDelete",
          "notes": "DESCRIPTION SAYING IT SHOULDNT BE DELETED GOES HERE"
        }
      }

Notice the scope and depends on section. These need to reference the item you want to protect.