How to define a deploy if not exist delete lock for mysql

Vaishnav AV-FT 81 Reputation points
2022-05-27T11:12:22.773+00:00

I am trying to define a policy that will deploy a delete lock at the resource level for Azure MYSQL DB without locks. Below is my code please help me modify the code to set delete lock at the resource level instead of the resource group. 

"policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforMySQL/servers"
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Authorization/locks",
          "existenceCondition": {
            "field": "Microsoft.Authorization/locks/level",
            "equals": "CanNotDelete"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
                "contentVersion": "1.0.0.0",
                "resources": [
                  {
                    "type": "Microsoft.Authorization/locks",
                    "apiVersion": "2017-04-01",
                    "name": "DeleteLock",
                    "properties": {
                      "level": "CanNotDelete",
                      "notes": "Prevent deletion of the resource group"
                    }
                  }
                ]
              }
            }
          }
       }
   }
}
Azure Database for MySQL
Azure Database for MySQL
An Azure managed MySQL database service for app development and deployment.
713 questions
Azure ISV (Independent Software Vendors) and Startups
Azure ISV (Independent Software Vendors) and Startups
Azure: A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.ISV (Independent Software Vendors) and Startups: A Microsoft program that helps customers adopt Microsoft Cloud solutions and drive user adoption.
111 questions
0 comments
Accepted answer
  1. Oury Ba-MSFT 16,156 Reputation points Microsoft Employee
    2022-06-06T16:25:03.343+00:00

    @VaishnavAV-2087 My suggestion will be to use the Locks inheritance and apply lock at resource group level.

    Regards,
    Oury

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Oury Ba-MSFT 16,156 Reputation points Microsoft Employee
    2022-06-16T16:19:35.093+00:00

    Hi @Vaishnav A V

    In addition to the above answer, I suggested regarding using locks inheritance and apply lock at the resource level group.

    You can create a one-time custom Azure Policy with below definition and ensure that a remediation task is set.
    Any Azure MySQL resource created in the policy assignment scope is evaluated, and a resource lock is created for it, if it does not exist.
    With below policy, resource lock will be limited to Azure MySQL scope, not resource group scope, just as customer required.
    And it does not require you to specify a particular server name either – this policy will pick up the server's name from the target resource against which policy is being evaluated.

    {
    "properties": {
    "displayName": "Deploy CanNotDelete Resource Lock on MySQL resources",
    "description": "Creates a resource lock for a MySQL resource.",
    "mode": "all",
    "metadata": {
    "version": "1.0.0",
    "category": "General"
    },
    "parameters": {},
    "policyRule": {
    "if": {
    "field": "type",
    "equals": "Microsoft.DBforMySQL/flexibleServers"
    },
    "then": {
    "effect": "DeployIfNotExists",
    "details": {
    "type": "Microsoft.Authorization/locks",
    "existenceCondition": {
    "field": "Microsoft.Authorization/locks/level",
    "equals": "CanNotDelete"
    },
    "roleDefinitionIds": [
    "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
    ],
    "deployment": {
    "properties": {
    "mode": "incremental",
    "template": {
    "$schema": https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json,
    "contentVersion": "1.0.0.0",
    "parameters": {
    "serverName": {
    "type": "string"
    }
    },
    "resources": [
    {
    "type": "Microsoft.Authorization/locks",
    "apiVersion": "2017-04-01",
    "scope": "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]",
    "name": "DenyDelete",
    "properties": {
    "level": "CanNotDelete",
    "notes": "Prevents deletion of resource."
    }
    }
    ]
    },
    "parameters": {
    "serverName": {
    "value": "[field('name')]"
    }
    }
    }
    }
    }
    }
    }
    }
    }

    Same as the image posted below

    212171-image.png

    Please let us know if you have any questions. Feel free to comment below so we can discuss further

    Regards,
    Oury

    1 person found this answer helpful.
  2. Oury Ba-MSFT 16,156 Reputation points Microsoft Employee
    2022-05-27T17:07:35.707+00:00

    @VaishnavAV-2087 Thank you for posting your question on Microsoft Q&A and for using Azure services.
    My understanding is that you are trying to modify the above code to deploy a delete lock for your Azure MYSQL at the resource level instead of the resource group level.
    Please let me know if my understanding is not correct.

    This ARM template deploys Azure Database for MySQL Server and creates a CanNotDelete Lock to avoid accidental deletion of the server.

    NOTE: To create or delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions.

    Could you please the below code and let me know if that works for you. 

       "if": {  
        "field": "type",  
         "equals": "Microsoft.DBforMySQL/servers"  
   },  
   "then": {  
     "effect": "deployIfNotExists",  
     "details": {  
       "type": "Microsoft.Authorization/locks",  
       "existenceCondition": {  
         "field": "Microsoft.Authorization/locks/level",  
         "equals": "CanNotDelete"  
       },  
       "roleDefinitionIds": [  
         "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"  
       ],  
       "deployment": {  
         "properties": {  
           "mode": "incremental",  
           "template": {  
             "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",  
             "contentVersion": "1.0.0.0",  
             "resources": [  
               {  
                "type": "Microsoft.DBforMySQL/servers/providers/locks",  
        "apiVersion": "2016-09-01",  
        "name": "[concat(parameters('serverName'), '/Microsoft.Authorization/serverLock')]",  
        "dependsOn": [  
            "[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]"  
        ],  
        "properties": {  
            "level": "CanNotDelete",  
            "notes": "[concat('MySQL Server ', parameters('serverName'), ' should not be deleted.')]"  
        }  
    }  
]

    Source:

    Understand Azure Policy effects
    https://github.com/Azure/azure-mysql/blob/master/arm-templates/ExampleWithLocks/template.json

    Regards,
    Oury