Resource locks can be added to Azure resources to prevent unintended deletion or unwanted changes. There are two types of lock: 1) Do not delete (updates and changes are still allowed) and 2) Read only (the resource can be neither changed nor deleted). See more info here.
It can make sense to add locks to critical infrastructure resources, but note that this also comes with additional management overhead and some caveats (see the link above).
Locks can be added to either a resource or a resource group.
In the example in this post, we'll look at a read-only lock for a specific resource and how to add it to an ARM template.
It's fairly simple to add. The lock is a separate resource in the template. Here it is applied to an ExpressRoute circuit, but the principle is the same for all resources.
The lock resource itself is as follows:
{
    "condition": "[parameters('enableReadOnlyLock')]",
    "type": "Microsoft.Authorization/locks",
    "apiVersion": "2020-05-01",
    "name": "ER circuit lock",
    "scope": "[concat('Microsoft.Network/expressRouteCircuits/', parameters('circuitName'))]",
    "dependsOn": [
        "[resourceId('Microsoft.Network/expressRouteCircuits', parameters('circuitName'))]"
    ],
    "properties": {
        "level": "ReadOnly",
        "notes": "ER circuit should not be updated or deleted"
    }
}
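The condition on the lock refers to a bool parameter, so the lock is only deployed when enableReadOnlyLock is set to true. The parameter is defined as follows:
"enableReadOnlyLock": {
    "type": "bool",
    "defaultValue": false,
    "metadata": {
        "description": "Determines if the resources should be locked to prevent changes or deletion."
    }
}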
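Because the lock above is conditional and the parameter defaults to false, a deployment that never sets enableReadOnlyLock leaves the circuit unlocked. The following check is an added example, not part of the original post: it reads a template and reports which lock levels would actually be deployed per resource. The function names, the stub circuit resource and the circuitName default are assumptions made for illustration, and only the parameters() and concat() expressions used in this post are evaluated.

```python
import json
import re

# Constructed sample: the post's lock and parameter, plus a stub circuit resource.
# The circuitName default "er-example" is a placeholder, not a value from the post.
TEMPLATE = json.loads("""
{
  "parameters": {
    "circuitName": {"type": "string", "defaultValue": "er-example"},
    "enableReadOnlyLock": {"type": "bool", "defaultValue": false}
  },
  "resources": [
    {"type": "Microsoft.Network/expressRouteCircuits",
     "name": "[parameters('circuitName')]"},
    {"condition": "[parameters('enableReadOnlyLock')]",
     "type": "Microsoft.Authorization/locks",
     "name": "ER circuit lock",
     "scope": "[concat('Microsoft.Network/expressRouteCircuits/', parameters('circuitName'))]",
     "properties": {"level": "ReadOnly"}}
  ]
}
""")

LOCK_TYPE = "Microsoft.Authorization/locks"
ARG = re.compile(r"parameters\('([^']+)'\)|'([^']*)'")

def resolve(expr, params):
    """Evaluate only parameters('x') and concat() of literals/parameters."""
    if not (isinstance(expr, str) and expr.startswith("[") and expr.endswith("]")):
        return expr
    parts = [params[m.group(1)] if m.group(1) else m.group(2) for m in ARG.finditer(expr)]
    return parts[0] if len(parts) == 1 else "".join(map(str, parts))

def lock_report(template, overrides=None):
    """Map each non-lock resource to the lock levels that would actually deploy."""
    params = {k: v.get("defaultValue") for k, v in template.get("parameters", {}).items()}
    params.update(overrides or {})
    resources = template["resources"]
    locks = [r for r in resources if r["type"] == LOCK_TYPE]
    report = {}
    for res in (r for r in resources if r["type"] != LOCK_TYPE):
        rid = f"{res['type']}/{resolve(res['name'], params)}"
        report[rid] = [l["properties"]["level"] for l in locks
                       if resolve(l.get("scope"), params) == rid
                       and resolve(l.get("condition", True), params) is True]
    return report

if __name__ == "__main__":
    print(lock_report(TEMPLATE))                                # defaults: no lock deployed
    print(lock_report(TEMPLATE, {"enableReadOnlyLock": True}))  # lock deployed
```

An empty list for a resource means no lock would be applied with the parameter values given, which is a useful gate in a deployment pipeline for resources that are expected to be locked.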