In a previous post I talked about how we can use a script to add and remove locks on resources in my integration platform to prevent accidental deletion.

We wanted to take it a step further so every week we run a DevOps pipeline which runs the scripts to ensure if someone has removed a lock they will be added back in.

The pipeline looks like the following:

The task to install modules is:

- powershell: |
   #Install powershell modules that are needed in this pipeline
   Install-Module -Name Az -Force -AllowClobber
   Install-Module -Name Az.Accounts -Force -AllowClobber
   Install-Module -Name Az.ResourceGraph -AllowClobber
  displayName: 'Install Powershell Modules'

The task to run the lock script is:

- task: AzurePowerShell@5
  displayName: 'Apply Resource Group Locks'
    azureSubscription: 'ARM-IT-EAI-DevOpsService'
    ScriptPath: '$(System.DefaultWorkingDirectory)/_Admin/ResourceGroup_Locks/resourcegroup.locks.apply.ps1'
    azurePowerShellVersion: LatestVersion

You can then just do whatever flavour of pipeline you prefer, in our case we used a classic release pipeline which triggers on a schedule and just runs the script for each environment.


Buy Me A Coffee