Managing Azure Resource Group Locks with a Bash Script

Navya A

Managing cloud resources efficiently is crucial for organizations to maintain security and ensure proper resource utilization. In Azure, resource locks are a powerful feature that can help protect resources from accidental deletions or modifications. This blog post introduces a Bash script designed to streamline the process of adding and removing locks on Azure resource groups. We'll discuss the script's use case, how it works, and its benefits.

Use Case for the Script

Azure resource locks are essential tools for maintaining the integrity and stability of critical resources. They come in two types:

  • ReadOnly: Allows read operations but blocks modifications and deletions.

  • CanNotDelete: Allows all operations except delete, preventing accidental deletion of resources.

The Bash script presented here is particularly useful for:

  1. DevOps Engineers: Who need to ensure the protection of resources during deployments and maintenance activities.

  2. System Administrators: Who are tasked with managing access and security policies across various resource groups.

  3. Development Teams: Who require a safe environment where critical resources are protected from unintended changes.

By using this script, teams can automate the process of adding or removing locks, thus enhancing their workflow efficiency and reducing the risk of human error.

How the Script Works

The script provides an interactive way to manage Azure resource locks by prompting the user for necessary inputs and executing the corresponding actions. Here's a breakdown of its functionality:

1. Prompt for User Input

The script begins by prompting the user for their Azure subscription ID, the name of the resource group, and whether they want to add or remove a lock. If the user chooses to add a lock, they are prompted to enter a lock name.

prompt_for_input() {
  # -r keeps backslashes in the typed values literal
  read -r -p "Enter your Azure subscription ID: " SUBSCRIPTION_ID
  read -r -p "Enter the resource group name: " RESOURCE_GROUP
  read -r -p "Do you want to add or remove a lock? (add/remove): " ACTION

  if [ "$ACTION" = "add" ]; then
    read -r -p "Enter the new lock name: " LOCK_NAME
    LOCK_LEVEL="ReadOnly"  # Default lock level for add action
  elif [ "$ACTION" = "remove" ]; then
    echo "Fetching existing lock names for resource group $RESOURCE_GROUP..."
  else
    echo "Invalid action. Use 'add' to create a lock or 'remove' to delete a lock."
    exit 1
  fi
}

2. Set the Azure Subscription

The script sets the Azure subscription context to ensure the commands are executed in the correct environment.

set_subscription() {
  # Quoted so the ID reaches az as exactly one argument
  az account set --subscription "$SUBSCRIPTION_ID"
}

3. Add a Lock

If the user chooses to add a lock, the script creates a ReadOnly lock on the specified resource group.

add_lock() {
  # Report success only if az actually created the lock
  az lock create --name "$LOCK_NAME" --resource-group "$RESOURCE_GROUP" --lock-type "$LOCK_LEVEL" \
    && echo "Lock $LOCK_NAME added to resource group $RESOURCE_GROUP."
}

4. List and Remove Existing Locks

If the user opts to remove a lock, the script retrieves and displays existing locks, then prompts the user to confirm the removal of each lock.

get_existing_locks() {
  az lock list --resource-group "$RESOURCE_GROUP" --query "[].{Name:name, Type:lockType}" --output table
}

remove_lock() {
  existing_locks=$(az lock list --resource-group "$RESOURCE_GROUP" --query "[].name" --output tsv)

  if [ -z "$existing_locks" ]; then
    echo "No locks found in resource group $RESOURCE_GROUP."
    exit 1
  else
    echo "Existing locks in resource group $RESOURCE_GROUP:"
    get_existing_locks

    # $existing_locks is left unquoted on purpose: one lock name per word
    for lock_name in $existing_locks; do
      read -r -p "Do you want to remove the lock '$lock_name'? (Yes/No): " confirm
      if [ "$confirm" = "Yes" ]; then
        # Report removal only if az actually deleted the lock
        az lock delete --name "$lock_name" --resource-group "$RESOURCE_GROUP" \
          && echo "Lock $lock_name removed from resource group $RESOURCE_GROUP."
      fi
    done
  fi
}
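
The functions above hand whatever the user types to az and always create a ReadOnly lock. The following is an added example, not part of the author's script: it validates each input before building the az lock create call and lets the caller pick either lock type. The function names, the ASCII-only naming rule (also reused for lock names), the CanNotDelete default and the all-zero subscription ID are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the author's script. Function names are hypothetical.

# Reject multi-line values so grep's per-line matching cannot be bypassed.
single_line() {
  case $1 in *'
'*) return 1 ;; esac
}

# Subscription IDs are GUIDs: 8-4-4-4-12 hex digits.
valid_subscription_id() {
  single_line "$1" && printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Assumption: a conservative ASCII subset of Azure's naming rule,
# 1-90 chars from [A-Za-z0-9_().-], no trailing period. Reused for lock names.
valid_name() {
  single_line "$1" || return 1
  case $1 in *.) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_().-]{1,90}$'
}

# Only the two lock types described in the post are accepted.
valid_lock_level() {
  case $1 in ReadOnly|CanNotDelete) return 0 ;; *) return 1 ;; esac
}

# Usage: create_lock SUBSCRIPTION RG LOCK_NAME [LEVEL] [run]
# Prints the az command; executes it only when the fifth argument is "run".
create_lock() {
  sub=$1 rg=$2 name=$3 level=${4:-CanNotDelete} mode=${5:-dry-run}
  valid_subscription_id "$sub" || { echo "bad subscription ID" >&2; return 2; }
  valid_name "$rg"             || { echo "bad resource group name" >&2; return 2; }
  valid_name "$name"           || { echo "bad lock name" >&2; return 2; }
  valid_lock_level "$level"    || { echo "bad lock level" >&2; return 2; }
  set -- az lock create --subscription "$sub" --resource-group "$rg" \
    --name "$name" --lock-type "$level"
  if [ "$mode" = run ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Constructed sample values; without "run" this only prints the command.
create_lock 00000000-0000-0000-0000-000000000000 rg-prod-data no-delete ReadOnly
```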

Full Script on GitHub

You can find the complete script along with detailed instructions and additional information on GitHub.

Conclusion

This Bash script provides an efficient way to manage Azure resource group locks, making it easier for teams to protect critical resources and streamline their workflows. By automating the process of adding and removing locks, organizations can reduce the risk of accidental changes and ensure their cloud infrastructure remains secure. Whether you are a DevOps engineer, system administrator, or developer, this script is a valuable tool for maintaining the integrity of your Azure environment.

Feel free to customize and extend the script to suit your specific needs and improve your cloud resource management practices.
