states.azurerm.resource.management_lock

Azure Resource Manager (ARM) Management Lock State Module

New in version 2.0.0.

Changed in version 4.0.0.

maintainer: <devops@eitr.tech>

configuration:

This module requires Azure Resource Manager credentials to be passed via acct. Note that the authentication parameters are case sensitive.

Required provider parameters:

if using username and password:
  • subscription_id
  • username
  • password
if using a service principal:
  • subscription_id
  • tenant
  • client_id
  • secret

Optional provider parameters:

cloud_environment: Used to point the cloud driver to different API endpoints, such as Azure GovCloud. Possible values:

  • AZURE_PUBLIC_CLOUD (default)
  • AZURE_CHINA_CLOUD
  • AZURE_US_GOV_CLOUD
  • AZURE_GERMAN_CLOUD

Example configuration for Azure Resource Manager authentication:

azurerm:
    default:
        subscription_id: 3287abc8-f98a-c678-3bde-326766fd3617
        tenant: ABCDEFAB-1234-ABCD-1234-ABCDEFABCDEF
        client_id: ABCDEFAB-1234-ABCD-1234-ABCDEFABCDEF
        secret: XXXXXXXXXXXXXXXXXXXXXXXX
        cloud_environment: AZURE_PUBLIC_CLOUD
    user_pass_auth:
        subscription_id: 3287abc8-f98a-c678-3bde-326766fd3617
        username: fletch
        password: 123pass

The authentication parameters can also be passed as a dictionary of keyword arguments to the connection_auth parameter of each state, but this is not preferred and could be deprecated in the future.

idem_azurerm.states.azurerm.resource.management_lock.absent(hub, ctx, name, resource_group=None, connection_auth=None, **kwargs)

New in version 2.0.0.

Ensure a management lock does not exist. By default this module ensures that the management lock does not exist at the subscription level. If you would like to ensure that the management lock does not exist at the resource group level instead, you can specify a resource group using the resource_group parameter.

Parameters:
  • name – The name of the lock. The lock name can be a maximum of 260 characters. It cannot contain <, >, %, &, :, ?, /, or any control characters.
  • resource_group – The name of the resource group.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure management lock is absent:
    azurerm.resource.management_lock.absent:
        - name: my_lock

idem_azurerm.states.azurerm.resource.management_lock.absent_at_resource_level(hub, ctx, name, resource_group, resource, resource_type, resource_provider_namespace, parent_resource_path=None, connection_auth=None, **kwargs)

New in version 2.0.0.

Ensure a management lock does not exist at the resource level.

Parameters:
  • name – The name of the lock. The lock name can be a maximum of 260 characters. It cannot contain <, >, %, &, :, ?, /, or any control characters.
  • resource_group – The name of the resource group containing the resource with the lock to delete.
  • resource – The name of the resource with the lock to delete.
  • resource_type – The resource type of the resource with the lock to delete.
  • resource_provider_namespace – The resource provider namespace of the resource with the lock to delete.
  • parent_resource_path – The parent resource identity.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure management lock absent at resource level:
    azurerm.resource.management_lock.absent_at_resource_level:
        - name: my_lock
        - resource_group: my_rg
        - resource: my_resource
        - resource_type: my_type
        - resource_provider_namespace: my_namespace

idem_azurerm.states.azurerm.resource.management_lock.absent_by_scope(hub, ctx, name, scope, connection_auth=None, **kwargs)

New in version 2.0.0.

Ensure a management lock does not exist by scope.

Parameters:
  • name – The name of the lock. The lock name can be a maximum of 260 characters. It cannot contain <, >, %, &, :, ?, /, or any control characters.
  • scope – The scope for the lock. When providing a scope for the assignment, use ‘/subscriptions/{subscriptionId}’ for subscriptions, ‘/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}’ for resource groups, and ‘/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{parentResourcePathIfPresent}/{resourceType}/{resourceName}’ for resources.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure management lock absent by scope:
    azurerm.resource.management_lock.absent_by_scope:
        - name: my_lock
        - scope: my_scope

idem_azurerm.states.azurerm.resource.management_lock.present(hub, ctx, name, lock_level, resource_group=None, notes=None, owners=None, connection_auth=None, **kwargs)

New in version 2.0.0.

Changed in version 4.0.0.

Ensure a management lock exists. By default this module ensures that the management lock exists at the subscription level. If you would like to ensure that the management lock exists at the resource group level instead, you can specify a resource group using the resource_group parameter.

Parameters:
  • name – The name of the lock. The lock name can be a maximum of 260 characters. It cannot contain <, >, %, &, :, ?, /, or any control characters.
  • lock_level – The level of the lock. Possible values are: ‘CanNotDelete’ and ‘ReadOnly’. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can’t modify or delete it.
  • resource_group – The name of the resource group.
  • notes – A string representing notes about the lock. Maximum of 512 characters.
  • owners – A list of strings representing owners of the lock. Each string represents the application id of the lock owner.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure management lock exists:
    azurerm.resource.management_lock.present:
        - name: my_lock
        - lock_level: 'ReadOnly'

idem_azurerm.states.azurerm.resource.management_lock.present_at_resource_level(hub, ctx, name, lock_level, resource_group, resource, resource_type, resource_provider_namespace, parent_resource_path=None, notes=None, owners=None, connection_auth=None, **kwargs)

New in version 2.0.0.

Changed in version 4.0.0.

Ensure a management lock exists at resource level.

Parameters:
  • name – The name of the lock. The lock name can be a maximum of 260 characters. It cannot contain <, >, %, &, :, ?, /, or any control characters.
  • lock_level – The level of the lock. Possible values are: ‘CanNotDelete’ and ‘ReadOnly’. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can’t modify or delete it.
  • resource_group – The name of the resource group containing the resource to lock.
  • resource – The name of the resource to lock.
  • resource_type – The resource type of the resource to lock.
  • resource_provider_namespace – The resource provider namespace of the resource to lock.
  • parent_resource_path – The parent resource identity.
  • notes – A string representing notes about the lock. Maximum of 512 characters.
  • owners – A list of strings representing owners of the lock. Each string represents the application id of the lock owner.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure management lock exists at resource level:
    azurerm.resource.management_lock.present_at_resource_level:
        - name: my_lock
        - resource_group: my_rg
        - resource: my_resource
        - resource_type: my_type
        - resource_provider_namespace: my_namespace
        - lock_level: 'ReadOnly'

idem_azurerm.states.azurerm.resource.management_lock.present_by_scope(hub, ctx, name, scope, lock_level, notes=None, owners=None, connection_auth=None, **kwargs)

New in version 2.0.0.

Changed in version 4.0.0.

Ensure a management lock exists by scope.

Parameters:
  • name – The name of the lock. The lock name can be a maximum of 260 characters. It cannot contain <, >, %, &, :, ?, /, or any control characters.
  • scope – The scope for the lock. When providing a scope for the assignment, use ‘/subscriptions/{subscriptionId}’ for subscriptions, ‘/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}’ for resource groups, and ‘/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{parentResourcePathIfPresent}/{resourceType}/{resourceName}’ for resources.
  • lock_level – The level of the lock. Possible values are: ‘CanNotDelete’ and ‘ReadOnly’. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can’t modify or delete it.
  • notes – A string representing notes about the lock. Maximum of 512 characters.
  • owners – A list of strings representing owners of the lock. Each string represents the application id of the lock owner.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure management lock exists by scope:
    azurerm.resource.management_lock.present_by_scope:
        - name: my_lock
        - scope: my_scope
        - lock_level: 'ReadOnly'
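
As an added example (not part of idem_azurerm), a pre-flight check for the arguments to present_by_scope: it applies the name, lock_level and notes limits listed above and classifies the scope string into one of the three documented forms, so a lock meant for a resource is not applied at the wrong scope. resource_scope, scope_level and lint_lock are hypothetical helper names, the sample values are constructed, and matching scopes case-insensitively is an assumption.

```python
import re
import unicodedata

# Constraints taken from the parameter descriptions on this page.
FORBIDDEN_NAME_CHARS = set("<>%&:?/")
LOCK_LEVELS = {"CanNotDelete", "ReadOnly"}
SEG = "[^/]+"
RG = f"/subscriptions/{SEG}/resourcegroups/{SEG}"
# Assumption: matched case-insensitively, since ARM resource IDs are not case sensitive.
SCOPE_PATTERNS = {
    "subscription": re.compile(f"/subscriptions/{SEG}", re.I),
    "resource_group": re.compile(RG, re.I),
    "resource": re.compile(f"{RG}/providers/{SEG}(/{SEG}){{2,}}", re.I),
}

def resource_scope(subscription_id, resource_group, namespace, resource_type,
                   resource, parent_resource_path=None):
    """Build the resource-level scope string from the *_at_resource_level arguments."""
    parts = [namespace, parent_resource_path, resource_type, resource]
    tail = "/".join(p.strip("/") for p in parts if p)
    return f"/subscriptions/{subscription_id}/resourcegroups/{resource_group}/providers/{tail}"

def scope_level(scope):
    """Return 'subscription', 'resource_group', 'resource', or None if malformed."""
    for level, pattern in SCOPE_PATTERNS.items():
        if pattern.fullmatch(scope):
            return level
    return None

def lint_lock(name, scope, lock_level, notes=None):
    """Return a list of problems; an empty list means the arguments fit the documented limits."""
    problems = []
    if not 1 <= len(name) <= 260:
        problems.append("name must be 1 to 260 characters")
    bad = sorted({c for c in name if c in FORBIDDEN_NAME_CHARS or unicodedata.category(c) == "Cc"})
    if bad:
        problems.append(f"name contains forbidden characters: {bad!r}")
    if lock_level not in LOCK_LEVELS:
        problems.append(f"lock_level must be one of {sorted(LOCK_LEVELS)}")
    if notes is not None and len(notes) > 512:
        problems.append("notes exceed 512 characters")
    if scope_level(scope) is None:
        problems.append("scope matches none of the three documented forms")
    return problems

if __name__ == "__main__":  # constructed sample values
    s = resource_scope("00000000-0000-0000-0000-000000000000", "my_rg", "Microsoft.Network",
                       "subnets", "default", parent_resource_path="virtualNetworks/my_vnet")
    print(scope_level(s), lint_lock("my_lock", s, "ReadOnly"))
```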