How to apply Azure resource locks to Resource Groups via Policy

2
votes

I'm trying to create an Azure policy which will deploy a resource lock with the level of 'CanNotDelete' to resource groups within a subscription.

Currently the policy is 100% compliant but no locks have been created by the policy.

I have the following in my JSON policy.rules file;

   
{
   "if": {
      "field": "type",
      "equals": "Microsoft.Resources/resourceGroups"
   },
   "then": {
      "effect": "deployIfNotExists",
      "details": {
            "type": "Microsoft.Authorization/locks",
            "existenceCondition": {
               "field": "Microsoft.Authorization/locks/level",
               "equals": "CanNotDelete"
         },
         "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/0000-0000-0000-0000-0000000"
],
      "deployment": {
         "properties": {
            "mode": "incremental",
            "template": {
               "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
               "contentVersion": "1.0.0.0",
               "parameters": {
                  "location": {
                     "type": "string"
                  }
               },
               "resources": [
                  {
                     "type": "Microsoft.Authorization/locks",
                     "apiVersion": "2017-04-01",
                     "name": "ResourceLock",
                     "properties": {
                       "level": "CanNotDelete",
                       "notes": "Prevent accidental deletion of resource groups"
                     }
                  }
               ]
            }
         }
      }
   }
}
}
1
azureazure-resource-group
Is your API version correct ? All through documentation related to lock I can see only 2016-09-01Rahul Ruikar
hey @RahulRuikar the api version is correct, this can be found by looking via the resource explorer\providers.craig Rickett

1 Answers

1
votes

managed to get this working with two changes;

  1. the if statement path - Microsoft.Resources/subscriptions/resourceGroups
  2. The managed Identity was not getting created for some reason, this is required for the 'deployIfNotExists' policy effect.

I hope that helps anyone who runs into the same issue