What is Azure Policy?
Azure Policy is a service in Azure that you use to create, assign, and manage policies to stay compliant with your corporate standards and service level agreements. To read more about this, visit the Microsoft Documentation. To get the compliance state of a resource, the following two steps are needed: a) create a Policy Definition; b) assign that policy to a Scope, which is called an Assignment. The Scope can be a whole subscription or a Resource Group.
The following are the main components of a Policy definition: a) identify the resource to which the policy applies; b) define the criteria that decide whether a resource is compliant or non-compliant; c) define the effect on the non-compliant resources. Visit the Microsoft documentation to read more about Policy effects.
What is lock on Resource group?
Sometimes, while deleting a resource group, the wrong resource group is deleted. This may cause serious issues, especially in Production. To avoid this, there is an option to apply Locks on a resource group. There are two types of Locks: read-only and delete.

Policy definition to check all resource groups for the existence of a Lock with LockType delete. The following are the main components.
Resource to Apply:
"if": { "allOf": [ { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" } ] }
Criteria:
"existenceCondition": { "field": "Microsoft.Authorization/locks/level", "equals": "CanNotDelete" } }
Effect: There are different kinds of effects. In this policy, the Effect used is ‘deployIfNotExists’. As the name suggests, this effect contains the ARM template to be deployed to non-compliant resources. Deployment of the ARM template is done through a Remediation Action.
    "effect": "deployIfNotExists"
Full Policy definition:
    {
      "mode": "All",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Resources/subscriptions/resourceGroups"
            }
          ]
        },
        "then": {
          "effect": "deployIfNotExists",
          "details": {
            "type": "Microsoft.Authorization/locks",
            "roleDefinitionIds": [
              "/providers/microsoft.authorization/roleDefinitions/{roleDefinitionId}",
              "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{ManagedIdentityOfAssignment}"
            ],
            "existenceCondition": {
              "field": "Microsoft.Authorization/locks/level",
              "equals": "CanNotDelete"
            },
            "deployment": {
              "properties": {
                "mode": "incremental",
                "template": {
                  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                  "contentVersion": "1.0.0.0",
                  "resources": [
                    {
                      "type": "Microsoft.Authorization/locks",
                      "apiVersion": "2015-01-01",
                      "name": "RGLock",
                      "properties": {
                        "level": "CanNotDelete",
                        "notes": "Applied thru policy"
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      },
      "parameters": {}
    }
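To see which resource groups this rule would mark for remediation, the following added example (not part of the original post, and not Azure's evaluation engine) models the "if" and "existenceCondition" parts of the definition offline in Python. The inventory, the resource names and the "related" layout are constructed for illustration, and the case-insensitive comparison is an assumption of the model.

```python
# Simplified offline model of the rule above; not Azure's evaluation engine.
RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
LOCK_LEVEL = "Microsoft.Authorization/locks/level"
POLICY_RULE = {
    "if": {"allOf": [{"field": "type", "equals": RG_TYPE}]},
    "then": {"effect": "deployIfNotExists", "details": {
        "type": "Microsoft.Authorization/locks",
        "existenceCondition": {"field": LOCK_LEVEL, "equals": "CanNotDelete"},
    }},
}

def _equals(actual, expected):
    # Assumption of this model: "equals" compares strings case-insensitively.
    return isinstance(actual, str) and actual.lower() == expected.lower()

def matches(condition, fields):
    """Evaluate the two condition shapes the rule uses: allOf and field/equals."""
    if "allOf" in condition:
        return all(matches(c, fields) for c in condition["allOf"])
    return _equals(fields.get(condition["field"]), condition["equals"])

def needs_remediation(rule, resources):
    """Names of resources selected by "if" that have no related resource of
    details.type satisfying existenceCondition (the non-compliant ones)."""
    details = rule["then"]["details"]
    flagged = []
    for res in resources:
        if not matches(rule["if"], {"type": res["type"]}):
            continue  # rule does not apply to this resource type
        locks = [r for r in res["related"] if _equals(r["type"], details["type"])]
        if not any(matches(details["existenceCondition"], r["fields"]) for r in locks):
            flagged.append(res["name"])
    return flagged

def _lock(level):
    return {"type": "Microsoft.Authorization/locks", "fields": {LOCK_LEVEL: level}}

# Constructed sample inventory (hypothetical names).
INVENTORY = [
    {"name": "rg-prod", "type": RG_TYPE, "related": [_lock("CanNotDelete")]},
    {"name": "rg-dev", "type": RG_TYPE, "related": []},
    {"name": "rg-test", "type": RG_TYPE, "related": [_lock("ReadOnly")]},
    {"name": "stlogs01", "type": "Microsoft.Storage/storageAccounts", "related": []},
]

if __name__ == "__main__":
    print(needs_remediation(POLICY_RULE, INVENTORY))
```

In this model rg-test is flagged even though it carries a read-only lock, because the existenceCondition accepts only the level CanNotDelete; the storage account is skipped because the "if" block selects resource groups only.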