Terraform: Apply Lock

2 minute read

Description:

Continuing from my previous post, I then wanted to apply a resource lock to my newly deployed Resource Group to ensure it can’t be deleted.

To Resolve:

  1. So first thing as always is to go to the resource on Terraform Docs for the AzureRM provider and found the example and applied it to main.tf:

    1
2
3
4
5
6

    resource "azurerm_management_lock" "resource-group-level" {
name       = "BlockDelete"
scope      = azurerm_resource_group.azure_learning_rg.id
lock_level = "CanNotDelete"
notes      = "Protect against accidental deletion"
}
    • This resulted in an error on build:
    1
2
3
4
5
6
7
8
9
10
11

    ╷
│ Error: Reference to undeclared resource
│ 
│   on main.tf line 21, in resource "azurerm_management_lock" "resource-group-level":
│   21:   scope      = azurerm_resource_group.azure_learning_rg.id
│ 
│ A managed resource "azurerm_resource_group" "azure_learning_rg" has not
│ been declared in the root module.
╵
##[error]Bash exited with code '1'.
    • This is actually a good learning lesson. What it is saying is that you don’t use the output from the azure_learning_rg module because it does not have an output associated with it. Instead, you use module.azure_learning_rg.res_out_rg_id because that is defined in the output.tf

  2. So after correcting and pushing, and then running the build, we now get:

    1
2
3
4
5
6
7
8
9
10
11
12

    Terraform will perform the following actions:

# azurerm_management_lock.resource-group-level will be created
+ resource "azurerm_management_lock" "resource-group-level" {
      + id         = (known after apply)
      + lock_level = "CanNotDelete"
      + name       = "BlockDelete"
      + notes      = "Protect against accidental deletion"
      + scope      = "/subscriptions/****/resourceGroups/aa-dev-tx-test"
   }

Plan: 1 to add, 0 to change, 0 to destroy.

  3. So next we run the release:

    1
2
3
4
5
6
7
8
9
10
11

    azurerm_management_lock.resource-group-level: Creating...
╷
│ Error: creating Management Lock (Scope: "/subscriptions/****/resourceGroups/aa-dev-tx-test"
│ Name: "BlockDelete"): locks.ManagementLocksClient#CreateOrUpdateByScope: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '****' with object id '****' does not have authorization to perform action 'Microsoft.Authorization/locks/write' over scope '/subscriptions/****/resourceGroups/aa-dev-tx-test/providers/Microsoft.Authorization/locks/BlockDelete' or the scope is invalid. If access was recently granted, please refresh your credentials."
│ 
│   with azurerm_management_lock.resource-group-level,
│   on main.tf line 19, in resource "azurerm_management_lock" "resource-group-level":
│   19: resource "azurerm_management_lock" "resource-group-level" {
│ 
╵
##[error]Bash exited with code '1'.

    • Again, this is a good thing. It caused me to read the docs which state: Only the Owner and the User Access Administrator built-in roles can create and delete management locks. You can create a custom role with the required permissions.

    • So now I update the permissions for az-terraform and rerun the pipeline and run it again.

  4. This created the lock in the portal:

    • applied-lock-rg

Comments

You May Also Enjoy