In my previous blog post Lock Azure resources to prevent accidental deletion, I showed how to add a lock to a resource with an ARM template to protect it from accidental deletion. When you want to delete the resource, you first need to remove the lock. A lock cannot be removed with an ARM template. To remove the lock you can use:
- Powershell
- Rest API
- Portal
When deploying with ARM templates, the deployment will not remove locks. This will protect your resource from accidental deletion in a Infrastructure as Code scenario when deploying from VSTS.
Only the roles Owner and User Access Administrator can delete the locks on the resources. After the lock is removed the resource can be delete as any other resource.
Removing a locks with Powershell
Powershell has the following cmdlets to manage locks:
Only the roles Owner and User Access Administrator can manage the locks on the resources.
The New-AzureRmResourceLock sets a new lock to a resource, the Get-AzureRmResourceLock cmdlets shows all the locks in you subscription, the Set-AzureRmResourceLock enables you to change locks and the Remove-AzureRmResourceLock will remove the locks. The following powershell command will remove all the locks within the specified resourcegroup:
$rg-name = "rgwithlocksname" Get-AzureRmResourceLock | where ResourceGroupName -eq "$rg-name" | Remove-AzureRmResourceLock -Force
Removing locks with the Rest-API
Locks can also be managed with the Rest-API: Here you can see the API: Microsoft documentation management locks Rest-API
Removing locks from the Portal
Next you can also remove the locks from the portal. To do this, go to the resource and open the lock tab in the settings. If you delete a resource group with a locked resource, the portal UI will give you an error and no resources are deleted.
Conclusion
When deploying resources with ARM template, locks can be helpful to protect your critical resource from accidental deletion. They can’t be deleted with an ARM template (even if it deploys in complete mode). If your contributors Users in the portal do not have the rights to manage locks, only the subscription owner will be able to delete the locked resources.