Terraform Azure Management Locks
// Resource group that the read-only lock declared below is scoped to.
resource "azurerm_resource_group" "main" {
  location = "centralus"
  name     = "cardinal-rg"
}
// Read-only lock on the resource group above. Azure locks are inherited by
// every child scope, so this covers each resource in the group, and the most
// restrictive lock in the chain wins.
// Caveats worth knowing before applying: a ReadOnly lock also stops Terraform
// from updating or destroying anything under the scope until the lock is
// removed, and some POST-based control-plane calls (for example listing
// storage account keys) are refused under ReadOnly. Removing the lock needs
// Microsoft.Authorization/locks/* rights (Owner or User Access Administrator).
resource "azurerm_management_lock" "resource-group-level" {
  scope      = "${azurerm_resource_group.main.id}"
  name       = "resource-group-level"
  lock_level = "ReadOnly"
  notes      = "This Resource Group is Read-Only"
}
// Resource ids of pre-existing resources that should receive a lock.
// Subscription ids here are placeholders; replace them before applying.
// These lists feed `count`-based resources, so order matters: removing an
// entry from the middle shifts every later index, which renames and
// re-creates those locks (a brief window in which they are absent).
locals {
  // Locked with lock_level 'ReadOnly'
  lock_resources_readonly = [
    "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/existing-rg1",
    "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/existing-rg2/providers/Microsoft.Storage/storageAccounts/someaccount001",
  ]

  // Locked with lock_level 'CanNotDelete'
  lock_resources_cannotdelete = [
    "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/existing-rg3",
    "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/existing-rg4/providers/Microsoft.Storage/storageAccounts/someaccount002",
  ]
}
// One CanNotDelete lock per id in local.lock_resources_cannotdelete.
// CanNotDelete still allows reads and modifications; only delete is refused.
// Lock names are derived from the list index, so they change whenever the
// list order changes (see the note on the locals block).
resource "azurerm_management_lock" "cannotdelete" {
  count = "${length(local.lock_resources_cannotdelete)}"

  name       = "CanNotDelete-${count.index}"
  scope      = "${local.lock_resources_cannotdelete[count.index]}"
  lock_level = "CanNotDelete"
  notes      = "'Can Not Delete' Lock to prevent resource deletion."
}
// One ReadOnly lock per id in local.lock_resources_readonly.
// ReadOnly blocks every write, including ones Terraform itself would make on
// these resources, so plan lock removal before any change to them. For the
// storage accounts in the list this also refuses key listing, which can break
// consumers that fetch keys at runtime.
resource "azurerm_management_lock" "readonly" {
  count = "${length(local.lock_resources_readonly)}"

  name       = "ReadOnly-${count.index}"
  scope      = "${local.lock_resources_readonly[count.index]}"
  lock_level = "ReadOnly"
  notes      = "'Read Only' Lock to prevent resource modification."
}
// CanNotDelete lock on a single storage account (resource scope, not a
// resource group, despite the block label "resource-group-level").
// NOTE(review): the same label is used by another lock block on this page;
// if these live in the same configuration Terraform will reject the duplicate,
// so this one presumably belongs to a separate example file — confirm.
// The subscription id in the scope is a placeholder.
resource "azurerm_management_lock" "resource-group-level" {
scope = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/app-rg/providers/Microsoft.Storage/storageAccounts/mystorageaccount99"
name = "resource-level-cannotdelete"
lock_level = "CanNotDelete"
notes = "Item can't be deleted!"
}
// CanNotDelete lock on an existing resource group; inherited by every resource
// inside it, so `terraform destroy` of anything in app-rg fails until the lock
// is removed by a principal holding Microsoft.Authorization/locks/* rights.
// NOTE(review): this block label also appears on another lock on this page;
// they cannot coexist in one configuration — presumably separate files.
resource "azurerm_management_lock" "resource-group-level" {
  name       = "resource-group-level-cannotdelete"
  scope      = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/app-rg"
  lock_level = "CanNotDelete"
  notes      = "Items can't be deleted in this resource group!"
}
// Subscription-wide CanNotDelete lock. Because locks are inherited, this
// protects every resource group and resource in the subscription, including
// ones managed by other Terraform states or teams: any delete anywhere in the
// subscription fails until this lock is lifted. Treat it as a guardrail and
// audit who holds the lock-removal permission.
resource "azurerm_management_lock" "subscription-level" {
  name       = "subscription-level-cannotdelete"
  scope      = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  lock_level = "CanNotDelete"
  notes      = "Items can't be deleted in this subscription!"
}