0

In this link a policy to lock resource group is given. Once it is implemented I would like the Devops pipeline to delete resources(as part of re-creation). I do not want the policy to prevent me from doing this(or temporarily allow me). How can I do it? As soon as the devops is done, Policy should act on this newly created object to lock it again.

dreftymac
  • 31,404
  • 26
  • 119
  • 182
Blue Clouds
  • 7,295
  • 4
  • 71
  • 112
  • Do you mean you want to delete the lock and then delete the resources in DevOps pipeline? If this is the case, you could use Azure Powershell, Azure CLI, or Rest api to delete the lock: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources. – Cece Dong - MSFT Nov 12 '20 at 10:01
  • Could you please elaborate your query? What do you want to DevOps achieve? – Cece Dong - MSFT Nov 20 '20 at 09:53
  • Devops pipeline recreates resources – Blue Clouds Nov 20 '20 at 10:05
  • Are you looking for [Azure Resource Group Deployment task](https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment?view=azure-devops) to deploy Azure Resource Groups? – Cece Dong - MSFT Nov 23 '20 at 10:00
  • yes that can be used for the 're-creation' task but I am not looking for that. I will edit the question. It is about bypassing the policy – Blue Clouds Nov 23 '20 at 10:18
  • 1
    How about invoke Azure Powershell, Azure CLI, or Rest api to delete the lock, then use Azure Resource Group Deployment task to deploy Azure Resource Groups, and invoke Azure Powershell, Azure CLI, or Rest api to create the lock again: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources? – Cece Dong - MSFT Nov 24 '20 at 10:08

1 Answers1

0

Assuming that you have used 'deployIfNotExists', if you remove the lock the policy will put the lock on again.

Therefore the devops pipline must:

  • Disable the policy
  • Remove the lock from the resources that need to be recreated
  • Recreate the resource
  • Enable the policy
Shiraz Bhaiji
  • 64,065
  • 34
  • 143
  • 252
  • So during the policy removal time the whole subscription will be unlocked, right? I don't think such a solution will work in our case. And a policy per rg is not practical either – Blue Clouds Nov 16 '20 at 09:45