Managing cloud resources efficiently is crucial for organizations to maintain security and ensure proper resource utilization. In Azure, resource locks are a powerful feature that can help protect resources from accidental deletions or modifications. This blog post introduces a Bash script designed to streamline the process of adding and removing locks on Azure resource groups. We’ll discuss the script’s use case, how it works, and its benefits.
Use Case for the Script
Azure resource locks are essential tools for maintaining the integrity and stability of critical resources. They come in two types:
ReadOnly: Allows read operations but blocks modifications and deletions.
CanNotDelete: Allows all operations except delete, preventing accidental deletion of resources.
The Bash script presented here is particularly useful for:
DevOps Engineers: Who need to ensure the protection of resources during deployments and maintenance activities.
System Administrators: Who are tasked with managing access and security policies across various resource groups.
Development Teams: Who require a safe environment where critical resources are protected from unintended changes.
By using this script, teams can automate the process of adding or removing locks, thus enhancing their workflow efficiency and reducing the risk of human error.
How the Script Works
The script provides an interactive way to manage Azure resource locks by prompting the user for necessary inputs and executing the corresponding actions. Here's a breakdown of its functionality:
1. Prompt for User Input
The script begins by prompting the user for their Azure subscription ID, the name of the resource group, and whether they want to add or remove a lock. If the user chooses to add a lock, they are prompted to enter a lock name.
prompt_for_input() {
    # -r stops read from treating backslashes in the input as escapes
    read -r -p "Enter your Azure subscription ID: " SUBSCRIPTION_ID
    read -r -p "Enter the resource group name: " RESOURCE_GROUP
    read -r -p "Do you want to add or remove a lock? (add/remove): " ACTION
    if [ "$ACTION" = "add" ]; then
        read -r -p "Enter the new lock name: " LOCK_NAME
        LOCK_LEVEL="ReadOnly" # Default lock level for add action
    elif [ "$ACTION" = "remove" ]; then
        echo "Fetching existing lock names for resource group $RESOURCE_GROUP..."
    else
        echo "Invalid action. Use 'add' to create a lock or 'remove' to delete a lock."
        exit 1
    fi
}
2. Set the Azure Subscription
The script sets the Azure subscription context to ensure the commands are executed in the correct environment.
set_subscription() {
    # Quoted so the user-supplied value is always passed as a single argument
    az account set --subscription "$SUBSCRIPTION_ID"
}
3. Add a Lock
If the user chooses to add a lock, the script creates a ReadOnly lock on the specified resource group.
add_lock() {
    # Report success only if the az call actually succeeded
    az lock create --name "$LOCK_NAME" --resource-group "$RESOURCE_GROUP" --lock-type "$LOCK_LEVEL" &&
        echo "Lock $LOCK_NAME added to resource group $RESOURCE_GROUP."
}
4. List and Remove Existing Locks
If the user opts to remove a lock, the script retrieves and displays the existing locks, then asks the user to confirm the removal of each one. Only the exact answer Yes deletes a lock; any other input leaves it in place.
get_existing_locks() {
    # az lock list reports the lock type in the "level" field
    az lock list --resource-group "$RESOURCE_GROUP" --query "[].{Name:name, Type:level}" --output table
}
remove_lock() {
    existing_locks=$(az lock list --resource-group "$RESOURCE_GROUP" --query "[].name" --output tsv)
    if [ -z "$existing_locks" ]; then
        echo "No locks found in resource group $RESOURCE_GROUP."
        exit 1
    else
        echo "Existing locks in resource group $RESOURCE_GROUP:"
        get_existing_locks
        # Left unquoted on purpose: splits the tsv output into one lock name per word
        for lock_name in $existing_locks; do
            read -r -p "Do you want to remove the lock '$lock_name'? (Yes/No): " confirm
            if [ "$confirm" = "Yes" ]; then
                # Report success only if the az call actually succeeded
                az lock delete --name "$lock_name" --resource-group "$RESOURCE_GROUP" &&
                    echo "Lock $lock_name removed from resource group $RESOURCE_GROUP."
            fi
        done
    fi
}
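The steps above pass whatever the user types straight to the Azure CLI and always create a ReadOnly lock. The following added example, which is not part of the original script, validates each input and accepts either lock type before building the command. The function names, the DRY_RUN switch, the lock-name pattern and the sample values are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: validate inputs, then build the az command (dry run by default).
# Function names and the lock-name pattern are assumptions, not the blog's script.

# matches ERE VALUE: succeeds only if the whole single-line VALUE matches ERE.
matches() {
    [ "$(printf '%s' "$2" | wc -l)" -eq 0 ] || return 1   # reject embedded newlines
    printf '%s\n' "$2" | LC_ALL=C grep -Eq "^($1)\$"
}

# Subscription IDs are GUIDs (8-4-4-4-12 hex digits).
valid_subscription_id() {
    matches '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}' "$1"
}

# Conservative ASCII subset of resource group naming: 1-90 chars, no trailing period.
valid_resource_group() {
    matches '[A-Za-z0-9_().-]{0,89}[A-Za-z0-9_()-]' "$1"
}

# Assumed policy for lock names: start alphanumeric, then letters, digits, '-' or '_'.
valid_lock_name() {
    matches '[A-Za-z0-9][A-Za-z0-9_-]{0,89}' "$1"
}

# The two lock types the post describes.
valid_lock_level() {
    case "$1" in ReadOnly|CanNotDelete) return 0 ;; *) return 1 ;; esac
}

# lock_add SUBSCRIPTION RESOURCE_GROUP LOCK_NAME LOCK_LEVEL
# Prints the command when DRY_RUN is 1 (the default); runs it when DRY_RUN=0.
lock_add() {
    valid_subscription_id "$1" || { echo "invalid subscription ID" >&2; return 2; }
    valid_resource_group "$2"  || { echo "invalid resource group name" >&2; return 2; }
    valid_lock_name "$3"       || { echo "invalid lock name" >&2; return 2; }
    valid_lock_level "$4"      || { echo "lock level must be ReadOnly or CanNotDelete" >&2; return 2; }
    # --subscription scopes this one call instead of changing the CLI's default.
    set -- az lock create --subscription "$1" --resource-group "$2" \
        --name "$3" --lock-type "$4"
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Constructed sample values; prints the command without calling Azure.
lock_add "00000000-0000-0000-0000-000000000000" "rg-demo" "protect-demo" "CanNotDelete"
```

Set DRY_RUN=0 only after reviewing the printed command; the call then needs an authenticated az session.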
Full Script on GitHub
You can find the complete script along with detailed instructions and additional information on GitHub.
Conclusion
This Bash script provides an efficient way to manage Azure resource group locks, making it easier for teams to protect critical resources and streamline their workflows. By automating the process of adding and removing locks, organizations can reduce the risk of accidental changes and ensure their cloud infrastructure remains secure. Whether you are a DevOps engineer, system administrator, or developer, this script is a valuable tool for maintaining the integrity of your Azure environment.
Feel free to customize and extend the script to suit your specific needs and improve your cloud resource management practices.