Way to lock manual addition at resource group level which was created through terraform

Varma 1,620 Reputation points
2026-05-15T08:51:53.4333333+00:00

I created a resource group and a storage account in Azure; I did this using Terraform.

Someone manually deleted the resource group from the cloud.

Is there any way to restrict manual deletion, both at the resource group level and at the storage account level?


3 answers

  1. Bharath Y P 10,180 Reputation points Microsoft External Staff Moderator
    2026-05-19T23:15:37.0366667+00:00

    The primary goal of a CanNotDelete lock is to prevent accidental or unauthorized deletion of critical resources, even by users with elevated permissions.

    • Production databases (Azure SQL, Cosmos DB, PostgreSQL) contain critical business data. A single accidental deletion (e.g., az group delete) can result in irreversible data loss. A resource lock enforces an additional safeguard before deletion.
    • Core networking components such as VNets, VPN Gateways, DNS Zones and ExpressRoute circuits are often shared across multiple workloads. Deleting them impacts multiple applications simultaneously. A lock ensures shared infrastructure is not accidentally removed.
    • Recovery Services Vaults store Backup data and Restore points. Deleting the vault can lead to permanent loss of recovery capability. A lock ensures business continuity and disaster recovery posture.
    • Critical services such as Azure Key Vault, Container Registry and Service Bus are dependencies for automation pipelines. Their deletion breaks deployment pipelines and platform operations. Locks ensure these foundational components remain stable.
    • Industries under HIPAA, PCI-DSS, SOC2, or GDPR have legal data retention requirements. A CanNotDelete lock technically enforces what policy mandates; auditors love seeing it in place.

    When someone does need to delete a locked resource, they must first manually remove the lock — and that action is recorded in the Azure Activity Log. This gives you a full audit trail of who unlocked what and when, which is invaluable for security and compliance reviews.

    Beyond just preventing deletion, here are all the ways Azure lets you control what users can do with a Resource Group or Storage Account, restricting access, modification, and deletion:

    • Resource Locks (ReadOnly / CanNotDelete): The simplest upgrade from CanNotDelete. Nobody can change or delete anything. Freeze infrastructure during an audit window so auditors see a stable, unchanged environment.
    • RBAC (role-based permissions) : Assign built-in roles or create custom roles to surgically control permissions.
    • Azure Policy (governance enforcement): Prevents users from creating or modifying resources in a way that violates your rules. Even if a user has Contributor access, they cannot misconfigure a storage account to expose data publicly.
    • Network-level restrictions: Lock down the storage account so only trusted networks or IPs can reach it. Even if someone has the storage key, they cannot access data from outside your corporate network or VNet.
    • Authentication model hardening (disable shared keys): Removes the ability to access storage via keys or SAS tokens and forces proper identity-based access.

    To implement this, you can refer to the reference document below:


  2. kagiyama yutaka 3,925 Reputation points
    2026-05-15T12:25:37.11+00:00

    I think using a CanNotDelete lock on the RG and the storage account, and restricting who can change that lock via RBAC, is the way to go; Terraform keeps it enforced with azurerm_management_lock.


  3. AI answer

    2026-05-15T08:52:09.7733333+00:00

    Use Azure Resource Manager locks to prevent accidental manual deletion of both the resource group and the storage account.

    To protect the resource group (and all resources inside it):

    1. In the Azure portal
      • Go to the resource group.
      • Under Settings, select Locks.
      • Select Add.
      • Give the lock a name, set Lock type to CanNotDelete, and save.
      • This prevents delete operations on the resource group and its resources unless the lock is removed.
    2. With Azure CLI
         az group lock create \
           --name "Cannot delete resource group" \
           --lock-type CanNotDelete \
           --resource-group <your-rg-name>
      
      • Requires at least Contributor on the resource group.
    3. With PowerShell
         New-AzResourceLock -LockName LockGroup -LockLevel CanNotDelete -ResourceGroupName <your-rg-name>
      

    To additionally protect the storage account itself:

    1. In the Azure portal
      • Go to the storage account.
      • Under Settings, select Locks.
      • Add a lock with type CanNotDelete.
    2. With PowerShell
         New-AzResourceLock -LockName LockStorage -LockLevel CanNotDelete `
           -ResourceGroupName <your-rg-name> `
           -ResourceName <your-storage-account-name> `
           -ResourceType Microsoft.Storage/storageAccounts
      
    3. With Azure CLI
         az lock create \
           --name LockStorage \
           --resource-group <your-rg-name> \
           --resource <your-storage-account-name> \
           --lock-type CanNotDelete \
           --resource-type Microsoft.Storage/storageAccounts
      

    From Terraform, define these locks as separate azurerm_management_lock (or equivalent) resources targeting the resource group and the storage account so that every terraform apply ensures the locks exist. Note that users with sufficient permissions (e.g., Owner) can still remove the locks first and then delete the resources; locks mainly protect against accidental or low-privilege deletions.


    References:

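As an added example (not code from any of the answers above), this is the Terraform configuration the second and third answers refer to: a CanNotDelete azurerm_management_lock at both the resource group scope and the storage account scope, next to a prevent_destroy guard that only covers the Terraform side. Resource names, location and provider version are assumed placeholders; substitute the ones from your existing configuration.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumed; match your existing provider pin
    }
  }
}

provider "azurerm" {
  features {}
}

# Assumed names; replace with the resources you already manage.
resource "azurerm_resource_group" "example" {
  name     = "rg-example"
  location = "westeurope"
}

resource "azurerm_storage_account" "example" {
  name                     = "stexample0001"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # prevent_destroy only stops deletion driven by terraform destroy/apply;
  # it does nothing against a delete in the portal or CLI. The locks below cover that.
  lifecycle {
    prevent_destroy = true
  }
}

# Lock at resource group scope: blocks deletion of the group and everything in it
# until the lock itself is removed (an action recorded in the Activity Log).
resource "azurerm_management_lock" "rg" {
  name       = "lock-rg-cannot-delete"
  scope      = azurerm_resource_group.example.id
  lock_level = "CanNotDelete"
  notes      = "Managed by Terraform; remove the lock before deleting the group"
}

# Second lock at storage account scope, so the account stays protected even if
# the resource group lock is temporarily removed during maintenance.
resource "azurerm_management_lock" "storage" {
  name       = "lock-storage-cannot-delete"
  scope      = azurerm_storage_account.example.id
  lock_level = "CanNotDelete"
}
```

Creating or removing a lock requires the Microsoft.Authorization/locks/* permission, which the built-in Owner and User Access Administrator roles carry but Contributor does not, so the identity running terraform apply needs one of those on the scope. CanNotDelete still allows modification, so later plan/apply runs that update the storage account are unaffected; only terraform destroy has to remove the locks first, which Terraform does automatically because they depend on the resources they protect.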
