
Ensure that Azure Resource Group has resource lock enabled

Open krowlandson opened this issue 2 years ago • 6 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Is your feature request related to a problem?

As identified during the work in issue #268, terrascan recommends that all Resource Groups have resource lock enabled.

The following provides a summary of the errors created by this missing feature:

    -----------------------------------------------------------------------

    Description    :        Ensure that Azure Resource Group has resource lock enabled
    File           :        resources.connectivity.tf
    Module Name    :        root
    Line           :        1
    Severity       :        LOW

    -----------------------------------------------------------------------

    Description    :        Ensure that Azure Resource Group has resource lock enabled
    File           :        resources.management.tf
    Module Name    :        root
    Line           :        1
    Severity       :        LOW

    -----------------------------------------------------------------------

    Description    :        Ensure that Azure Resource Group has resource lock enabled
    File           :        resources.virtual_wan.tf
    Module Name    :        root
    Line           :        1
    Severity       :        LOW

    -----------------------------------------------------------------------

As a temporary workaround, we are implementing an override to disable this rule in terrascan.

Describe the solution you'd like

This issue is being raised to track the addition of this feature to the module.

We are not remediating this as part of #268 as it falls out of scope for this issue. This would also require a minor release due to the addition of new resources.

Additional context

krowlandson avatar May 27 '22 08:05 krowlandson
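Added example, not code from the module or from the issue author: what a resource group lock looks like in Terraform with the azurerm provider, using the CannotDelete level rather than ReadOnly. The variable name `enable_resource_lock`, the resource names and the location are assumptions, not module inputs. Note the provider spells the level `CanNotDelete`, which is what the portal calls CannotDelete.

```hcl
# Added example (not from the module): a resource group with a
# CanNotDelete management lock. Names and location are placeholders.
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

# Assumed toggle (not a module input) so the lock can be switched off
# in environments that do not want it.
variable "enable_resource_lock" {
  description = "Create a CanNotDelete lock on the resource group."
  type        = bool
  default     = true
}

resource "azurerm_resource_group" "example" {
  name     = "rg-example-management" # placeholder
  location = "westeurope"            # placeholder
}

# CanNotDelete blocks deletion but still allows modification, so it does
# not interfere with day-to-day changes the way ReadOnly would.
resource "azurerm_management_lock" "example" {
  count      = var.enable_resource_lock ? 1 : 0
  name       = "lock-${azurerm_resource_group.example.name}"
  scope      = azurerm_resource_group.example.id
  lock_level = "CanNotDelete"
  notes      = "Protects the resource group from deletion by ARM clients outside this Terraform configuration."
}
```

Because the lock is part of the same Terraform configuration, it sits in the resource graph with the resource group: `terraform destroy` removes the lock first and then the group, so the lock only protects against deletion by other ARM clients (portal, CLI, SDKs), not against Terraform itself. A lock created outside the configuration would instead cause the destroy to fail, which is the behaviour to expect if the intent is to guard against Terraform as well.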

@krowlandson do we think this is a good idea? We should also do this in all implementations if so, right?

I personally don't think we should do this. And if we do, it should be CannotDelete only not ReadOnly 👍

jtracey93 avatar May 27 '22 08:05 jtracey93

Trigger ADO Sync

jtracey93 avatar Sep 09 '22 15:09 jtracey93

Trigger ADO Sync

krowlandson avatar Oct 14 '22 07:10 krowlandson

AB#25457

matt-FFFFFF avatar Mar 03 '23 15:03 matt-FFFFFF

I think this is a good idea to set a lock on a resource group level. But I also agree with @jtracey93 that the lock should be set to CannotDelete instead of ReadOnly.

qaiserali avatar Nov 30 '23 07:11 qaiserali

Thanks @qaiserali

Locks with Terraform form part of the resource graph, and therefore they do not prevent accidental deletion with Terraform, only with other ARM clients.

This is the reason that we have not prioritized this.

matt-FFFFFF avatar Nov 30 '23 09:11 matt-FFFFFF