Zim's Notes

Just work related notes.

Removing Resource Locks Using Ansible and Azure REST API

This is one of the topic I had to look into. Removing locks appeared to be an issue while performing automatic clean up of the resources.

Currently there’s no support for locks in Ansible, but I have tried to use azure_rm_resource_facts module to list locks on both resource group and subscription level, and then delete locks using azure_rm_resource.

To list all the locks in the resource group:

1
2
3
4
5
6
7
8
9
10

  - name: List all the locks in the resource group
    azure_rm_resource_facts:
      api_version: '2016-09-01'
      resource_group: ""
      provider: authorization
      resource_type: locks
    register: output

  - debug:
      var: output

or all resources in the subscription, just remove resource_group parameter:

1
2
3
4
5
6
7
8
9

  - name: List all the locks in the resource group
    azure_rm_resource_facts:
      api_version: '2016-09-01'
      provider: authorization
      resource_type: locks
    register: output

  - debug:
      var: output

Output will look as follows:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

{
    "output": {
        "changed": false,
        "failed": false,
        "response": [
            {
                "id": "/subscriptions/1c5b82ee-9294-4568-b0c0-b9c523bc0d86/resourceGroups/zimslockedrg/providers/Microsoft.Network/virtualNetworks/zimslockedvb/providers/Microsoft.Authorization/locks/justalock",
                "name": "justalock",
                "properties": {
                    "level": "CanNotDelete",
                    "notes": "blabla"
                },
                "type": "Microsoft.Authorization/locks"
            }
        ],
        "url": "/subscriptions/1c5b82ee-9294-4568-b0c0-b9c523bc0d86/resourceGroups/zimslockedrg/providers/Microsoft.authorization/locks",
        "warnings": [
            "Azure API profile latest does not define an entry for GenericRestClient"
        ]
    }
}

Based on this output you can just delete all the locks one by one using azure_rm_resource module:

1
2
3
4
5
6
7
8

  - name: Delete locks one by one
    azure_rm_resource:
      api_version: '2016-09-01'
      url: ""
      provider: authorization
      resource_type: locks
      state: absent
    with_items: ""

Please note that there’s a bug in the versions of Ansible earlier than 2.8, and the last playbook needs small modification:

1
2
3
4
5
6
7
8

  - name: Delete locks one by one
    azure_rm_resource:
      api_version: '2016-09-01'
      url: ""
      provider: authorization
      resource_type: locks
      state: absent
    with_items: ""