1

I want to stop a Storage Event Trigger that is on my data factory before I make modifications to the factory using ARM deployment/Azure DevOps. There is a Delete lock on my resource group which is causing the below error when I try to stop the trigger using PowerShell (Stop-AzDataFactoryV2Trigger):

Error Code: BadRequest
Error Message: The scope '/subscriptions/XXX/resourceGroups/XXX/providers/Microsoft.Storage/storageAccounts/XXX/providers/Microsoft.EventGrid/eventSubscriptions/XXX' 
cannot perform delete operation because following scope(s) are locked: '/subscriptions/XXX/resourceGroups/XXX'. Please remove the lock and try again.

Is there any way to do my ADF deployments without having to remove this Delete lock?

dreftymac
Ajay Meda

2 Answers

4

After a bit of research and digging around, I found out that the direct answer to this question is that it's not possible to Start/Stop a Storage Event Trigger on a Data Factory when there is a Delete lock on the entire Resource Group. This is because whenever a Storage Event Trigger is started or stopped, an Event Subscription (which is a resource) is created and deleted in the Resource Group, but with a Delete lock in place, this deletion cannot happen.

However, there are a few workarounds to address this requirement:

  1. Have a Delete lock at the Resource level and not at the Resource Group level.
  2. Move the Data Factory and the Storage Account to a different Resource Group which doesn't have a Delete lock.
  3. Delete the "Delete lock" before the deployment of the ADF and recreate it after the deployment. For this, the Service Principal being used to do the deployments should have the permission needed to update/delete locks.

If anyone has a direct solution to this problem, I'm happy to accept that as the answer. Thanks.

Ajay Meda
  • 1
    After a couple of discussions, it was decided to proceed with the 3rd approach, i.e. delete the lock before deployment and then re-create the lock after the deployment, both tasks using PowerShell. To be able to do this, the Service Principal was given the additional permission: Microsoft.Authorization/locks/* – Ajay Meda Jan 31 '22 at 14:13
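
Workaround 3 from the answer above, as an added example (not code from either answer or from the Microsoft documentation): it removes the resource-group Delete locks, runs the deployment, and recreates the locks in a `finally` block so a failed deployment cannot leave the group unprotected. The `$Deployment` script block is a hypothetical hook for your ARM deployment and trigger stop/start steps; the identity running it needs the `Microsoft.Authorization/locks/*` permission mentioned in the comment.

```powershell
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    # Hypothetical hook: ARM deployment plus the trigger stop/start steps
    [Parameter(Mandatory)] [scriptblock] $Deployment
)
$ErrorActionPreference = 'Stop'

# Match only locks set directly on the resource group, not on the
# subscription or on individual resources inside the group.
$rgLockPattern = "*/resourceGroups/$ResourceGroupName/providers/Microsoft.Authorization/locks/*"
function Get-GroupDeleteLock {
    @(Get-AzResourceLock -ResourceGroupName $ResourceGroupName -AtScope |
        Where-Object { $_.ResourceId -like $rgLockPattern -and
                       $_.Properties.level -eq 'CanNotDelete' })
}

# Record name and notes first so every lock can be recreated as it was.
$locks = Get-GroupDeleteLock
$saved = @($locks | ForEach-Object {
    [pscustomobject]@{ Name = $_.Name; Notes = $_.Properties.notes }
})

try {
    foreach ($lock in $locks) {
        Write-Host "Removing lock" $lock.Name
        Remove-AzResourceLock -LockId $lock.LockId -Force | Out-Null
    }
    & $Deployment
}
finally {
    # Runs on success and on failure. One failed restore must not stop the rest.
    foreach ($s in $saved) {
        $lockArgs = @{
            LockName          = $s.Name
            LockLevel         = 'CanNotDelete'
            ResourceGroupName = $ResourceGroupName
            Force             = $true
        }
        if ($s.Notes) { $lockArgs.LockNotes = $s.Notes }
        try { New-AzResourceLock @lockArgs | Out-Null }
        catch { Write-Warning "Could not restore lock $($s.Name): $_" }
    }
    # Fail the pipeline loudly if any lock is still missing.
    $present = (Get-GroupDeleteLock).Name
    $missing = @($saved | Where-Object { $_.Name -notin $present })
    if ($missing) { throw "Locks not restored: $($missing.Name -join ', ')" }
}
```

The lock is absent for the whole deployment window, so alerting on `Microsoft.Authorization/locks/delete` events in the Activity Log helps distinguish pipeline runs from unexpected removals.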
0

The following sample script can be used to stop triggers before deployment.

if ($predeployment -eq $true) {
    #Stop all triggers
    Write-Host "Stopping deployed triggers`n"
    $triggersToStop | ForEach-Object {
        if ($_.TriggerType -eq "BlobEventsTrigger" -or $_.TriggerType -eq "CustomEventsTrigger") {
            Write-Host "Unsubscribing" $_.Name "from events"
            $status = Remove-AzDataFactoryV2TriggerSubscription -ResourceGroupName $ResourceGroupName -DataFactoryName $DataFactoryName -Name $_.Name
            while ($status.Status -ne "Disabled"){
                Start-Sleep -s 15
                $status = Get-AzDataFactoryV2TriggerSubscriptionStatus -ResourceGroupName $ResourceGroupName -DataFactoryName $DataFactoryName -Name $_.Name
            }
        }
        Write-Host "Stopping trigger" $_.Name
        Stop-AzDataFactoryV2Trigger -ResourceGroupName $ResourceGroupName -DataFactoryName $DataFactoryName -Name $_.Name -Force
    }
}

For more information, follow the Pre- and Post-deployment script given in the official documentation.

Abhishek K
  • Doesn't really help my case because there is a Delete lock at the Resource Group level. Stopping a Storage Event Trigger is essentially deleting an Event subscription and the Delete lock does not allow that to happen. Thanks for the proposed answer but any other solution is also appreciated. – Ajay Meda Dec 21 '21 at 21:41