Enable resource lock on Keyvaults/Storage accounts within all resource groups in a subscription

[pradeep-reddy118]

Hi All,

We have resource locks(locktype-->delete) enabled on majority of resource groups within our subscription. Now we have a requirement to enable delete lock on few resources(storage accounts, keyvaults) within resourcegroups although resource lock is being inherited from the RG level.

Reason for this is, if incase for some reason lock at resource group is removed, still lock at these resources(storage accounts, keyvaults) exist and stop anyone from deleting these resources.

How can this be achieved using bicep??

FYI.. we dont want to pass the storage account/keyvault names as parameters. Code should fetch all the storage accounts & keyvaults within the resource groups and enable the lock accordingly.

Thanks in advance..!!!

[brwilkinson]

@pradeep-reddy118

• You can use the scope property to setup the lock on the resource.

@maxLength(24)
param storageName string = 'myimportantsa897'

resource storageaccount 'Microsoft.Storage/storageAccounts@2021-02-01' = {
  name: storageName
  location: resourceGroup().location
  kind: 'StorageV2'
  sku: {
    name: 'Premium_LRS'
  }
}

resource lock 'Microsoft.Authorization/locks@2020-05-01' = {
  name: 'mylock'
  scope: storageaccount
  properties: {
    level: 'CanNotDelete'
    notes: 'This is a lock'
  }
  
}

• If the resource is not being deployed in the same template, then you can just update the first part with the existing reference for the scope.

resource storageaccount 'Microsoft.Storage/storageAccounts@2021-02-01' existing = {
  name: storageName
}

[brwilkinson]

Hi @pradeep-reddy118 did this resolve the issue for you?