diff --git a/.azuredevops/modulePipelines/ms.authorization.locks.yml b/.azuredevops/modulePipelines/ms.authorization.locks.yml
new file mode 100644
index 0000000000..796262ea91
--- /dev/null
+++ b/.azuredevops/modulePipelines/ms.authorization.locks.yml
@@ -0,0 +1,55 @@
+name: 'Authorization - Locks'
+
+parameters:
+ - name: removeDeployment
+ displayName: Remove deployed module
+ type: boolean
+ default: true
+ - name: prerelease
+ displayName: Publish prerelease module
+ type: boolean
+ default: false
+
+pr: none
+
+trigger:
+ batch: true
+ branches:
+ include:
+ - main
+ paths:
+ include:
+ - '/.azuredevops/modulePipelines/ms.authorization.locks.yml'
+ - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/arm/Microsoft.Authorization/locks/*'
+ - '/arm/.global/global.module.tests.ps1'
+ exclude:
+ - '/**/*.md'
+
+variables:
+ - template: '../../global.variables.yml'
+ - group: 'PLATFORM_VARIABLES'
+ - name: modulePath
+ value: '/arm/Microsoft.Authorization/locks'
+
+stages:
+ - stage: Validation
+ displayName: Static validation
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/jobs.validateModulePester.yml
+
+ - stage: Deployment
+ displayName: Deployment validation
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml
+ parameters:
+ removeDeployment: '${{ parameters.removeDeployment }}'
+ deploymentBlocks:
+ - path: $(modulePath)/.parameters/rg.parameters.json
+ templateFilePath: $(modulePath)/deploy.bicep
+
+ - stage: Publishing
+ displayName: Publishing
+ condition: and(succeeded(), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq('${{ parameters.prerelease }}', 'true')))
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/jobs.publishModule.yml
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 2d7edbd607..33013e95ea 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -47,6 +47,9 @@ stages: - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json templateFilePath: $(templateFilePath) displayName: Validation Resource Group + - path: $(dependencyPath)/$(resourceType)/parameters/locks.parameters.json + templateFilePath: $(templateFilePath) + displayName: Locks Resource Group - stage: deploy_ppg displayName: Deploy proximity placement group diff --git a/.github/workflows/ms.authorization.locks.yml b/.github/workflows/ms.authorization.locks.yml new file mode 100644 index 0000000000..49c6070b64 --- /dev/null +++ b/.github/workflows/ms.authorization.locks.yml 
@@ -0,0 +1,145 @@ +name: 'Authorization: Locks' + +on: + workflow_dispatch: + inputs: + removeDeployment: + type: boolean + description: 'Remove deployed module' + required: false + default: true + prerelease: + type: boolean + description: 'Publish prerelease module' + required: false + default: false + push: + branches: + - main + paths: + - '.github/actions/templates/**' + - '.github/workflows/ms.authorization.locks.yml' + - 'arm/Microsoft.Authorization/locks/**' + - 'arm/.global/global.module.tests.ps1' + - '!*/**/readme.md' + - 'utilities/pipelines/**' + - '!utilities/pipelines/dependencies/**' + +env: + variablesPath: 'global.variables.yml' + modulePath: 'arm/Microsoft.Authorization/locks' + workflowPath: '.github/workflows/ms.authorization.locks.yml' + AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' + ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' + +jobs: + ########################### + # Initialize pipeline # + ########################### + job_initialize_pipeline: + runs-on: ubuntu-20.04 + name: 'Initialize pipeline' + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Set input parameters to output variables' + id: get-workflow-param + uses: ./.github/actions/templates/getWorkflowInput + with: + workflowPath: '${{ env.workflowPath}}' + - name: 'Get parameter file paths' + id: get-parameter-file-paths + uses: ./.github/actions/templates/getParameterFiles + with: + modulePath: '${{ env.modulePath }}' + outputs: + removeDeployment: ${{ steps.get-workflow-param.outputs.removeDeployment }} + parameterFilePaths: ${{ steps.get-parameter-file-paths.outputs.parameterFilePaths }} + + ######################### + # Static validation # + ######################### + job_module_pester_validation: + runs-on: ubuntu-20.04 + name: 'Static validation' + steps: + - 
name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Run tests' + uses: ./.github/actions/templates/validateModulePester + with: + modulePath: '${{ env.modulePath }}' + + ############################# + # Deployment validation # + ############################# + job_module_deploy_validation: + runs-on: ubuntu-20.04 + name: 'Deployment validation' + needs: + - job_initialize_pipeline + - job_module_pester_validation + strategy: + fail-fast: false + matrix: + parameterFilePaths: ${{ fromJSON(needs.job_initialize_pipeline.outputs.parameterFilePaths) }} + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: ./.github/actions/templates/setEnvironmentVariables + with: + variablesPath: ${{ env.variablesPath }} + # ------------------- # + ## Deploy & Remove ## + # ------------------- # + - name: 'Using parameter file [${{ matrix.parameterFilePaths }}]' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' + location: '${{ env.location }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' + + ################## + # Publishing # + ################## + job_publish_module: + name: 'Publishing' + if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' + runs-on: ubuntu-20.04 + needs: + - job_module_deploy_validation + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: ./.github/actions/templates/setEnvironmentVariables + with: + variablesPath: ${{ env.variablesPath }} + - name: 'Publishing' + uses: 
./.github/actions/templates/publishModule + with: + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + templateSpecsRGName: '${{ env.templateSpecsRGName }}' + templateSpecsRGLocation: '${{ env.templateSpecsRGLocation }}' + templateSpecsDescription: '${{ env.templateSpecsDescription }}' + templateSpecsDoPublish: '${{ env.templateSpecsDoPublish }}' + bicepRegistryName: '${{ env.bicepRegistryName }}' + bicepRegistryRGName: '${{ env.bicepRegistryRGName }}' + bicepRegistryRgLocation: '${{ env.bicepRegistryRgLocation }}' + bicepRegistryDoPublish: '${{ env.bicepRegistryDoPublish }}' diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index 400fc2281e..1754c3c32c 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -43,13 +43,12 @@ jobs: strategy: fail-fast: false matrix: - parameterFilePaths: ['validation.parameters.json'] + parameterFilePaths: ['validation.parameters.json', 'locks.parameters.json'] steps: - name: 'Checkout' uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with: diff --git a/arm/Microsoft.Authorization/locks/.parameters/rg.parameters.json b/arm/Microsoft.Authorization/locks/.parameters/rg.parameters.json new file mode 100644 index 0000000000..dc4870ce99 --- /dev/null +++ b/arm/Microsoft.Authorization/locks/.parameters/rg.parameters.json @@ -0,0 +1,15 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "level": { + "value": "CanNotDelete" + }, + "resourceGroupName": { + "value": "adp-<>-az-locks-rg-001" + }, + "subscriptionId": { + "value": "<>" + } + } +} diff --git a/arm/Microsoft.Authorization/locks/deploy.bicep b/arm/Microsoft.Authorization/locks/deploy.bicep new file mode 100644 index 0000000000..d716d9b106 --- /dev/null 
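Review bot: The workflow-level `env:` block in `.github/workflows/ms.authorization.locks.yml` maps `secrets.AZURE_CREDENTIALS` (and the subscription, tenant and service-principal IDs) into every job, including `job_initialize_pipeline` and `job_module_pester_validation`, which show no need for deployment credentials. Declare them only where deployment or publishing happens, e.g. an `env:` with `AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}` under `job_module_deploy_validation` and `job_publish_module`, assuming the local composite actions read them from the job environment. The file also has no `permissions:` block, so `GITHUB_TOKEN` gets the repository default; a top-level `permissions:` with `contents: read` would pin it down if the local actions need nothing more. `actions/checkout@v2` is referenced by a mutable tag in all four jobs and could be pinned to a full commit SHA.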
+++ b/arm/Microsoft.Authorization/locks/deploy.bicep 
@@ -0,0 +1,69 @@
+targetScope = 'subscription'
+
+@allowed([
+ 'CanNotDelete'
+ 'ReadOnly'
+])
+@description('Required. Set lock level.')
+param level string
+
+@description('Optional. The decription attached to the lock.')
+param notes string = level == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+
+@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. Name of the Resource Group to assign the lock to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided lock to the resource group.')
+param resourceGroupName string = ''
+
+@description('Optional. Subscription ID of the subscription to assign the lock to. If not provided, will use the current scope for deployment. If no resource group name is provided, the module deploys at subscription level, therefore assigns the provided locks to the subscription.')
+param subscriptionId string = subscription().id
+
+@sys.description('Optional. 
Location for all resources.')
+param location string = deployment().location
+
+var enableReferencedModulesTelemetry = false
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
+ location: location
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+module lock_sub 'subscription/deploy.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) {
+ name: '${uniqueString(deployment().name, location)}-Lock-Sub-Module'
+ scope: subscription(subscriptionId)
+ params: {
+ name: '${subscription().displayName}-${level}-lock'
+ level: level
+ notes: notes
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ }
+}
+
+module lock_rg 'resourceGroup/deploy.bicep' = if (!empty(subscriptionId) && !empty(resourceGroupName)) {
+ name: '${uniqueString(deployment().name, location)}-Lock-RG-Module'
+ scope: resourceGroup(subscriptionId, resourceGroupName)
+ params: {
+ name: '${resourceGroupName}-${level}-lock'
+ level: level
+ notes: notes
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ }
+}
+
+@description('The name of the lock.')
+output name string = empty(resourceGroupName) ? lock_sub.outputs.name : lock_rg.outputs.name
+
+@description('The resource ID of the lock.')
+output resourceId string = empty(resourceGroupName) ? lock_sub.outputs.resourceId : lock_rg.outputs.resourceId
+
+@sys.description('The scope this lock applies to.')
+output scope string = empty(resourceGroupName) ? subscription().id : any(resourceGroup(resourceGroupName))
diff --git a/arm/Microsoft.Authorization/locks/readme.md b/arm/Microsoft.Authorization/locks/readme.md
new file mode 100644
index 0000000000..fe2172de6b
--- /dev/null
+++ b/arm/Microsoft.Authorization/locks/readme.md
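Review bot: In `arm/Microsoft.Authorization/locks/deploy.bicep` the default `param subscriptionId string = subscription().id` yields the full resource ID (`/subscriptions/<guid>`), but the value is then used in `scope: subscription(subscriptionId)` and `scope: resourceGroup(subscriptionId, resourceGroupName)`, which take the bare subscription GUID; the default should be `subscription().subscriptionId`. As written, a caller that omits `subscriptionId` would most likely fail at scope resolution and the lock would not be applied. The `scope` output also returns `any(resourceGroup(resourceGroupName))`, an object forced into a string output that ignores `subscriptionId`; returning the target's resource ID string in both branches would be consistent with its description. The outputs test only `empty(resourceGroupName)` while both modules additionally require `!empty(subscriptionId)`, so an empty `subscriptionId` leaves the outputs referencing a module that was not deployed.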
@@ -0,0 +1,87 @@ +# Authorization Locks `[Microsoft.Authorization/locks]` + +This module deploys Authorization Locks. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Deployment examples](#Deployment-examples) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | + +## Parameters + +**Required parameters** +| Parameter Name | Type | Allowed Values | Description | +| :-- | :-- | :-- | :-- | +| `level` | string | `[CanNotDelete, ReadOnly]` | Set lock level. | + +**Optional parameters** +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| `location` | string | `[deployment().location]` | Location for all resources. | +| `notes` | string | `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` | The decription attached to the lock. | +| `resourceGroupName` | string | `''` | Name of the Resource Group to assign the lock to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided lock to the resource group. | +| `subscriptionId` | string | `[subscription().id]` | Subscription ID of the subscription to assign the lock to. If not provided, will use the current scope for deployment. If no resource group name is provided, the module deploys at subscription level, therefore assigns the provided locks to the subscription. | + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the lock. | +| `resourceId` | string | The resource ID of the lock. 
| +| `scope` | string | The scope this lock applies to. | + +## Deployment examples + +

Example 1

+ +
+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "level": { + "value": "CanNotDelete" + }, + "resourceGroupName": { + "value": "adp-<>-az-locks-rg-001" + }, + "subscriptionId": { + "value": "<>" + } + } +} + +``` + +
+ +
+ +via Bicep module + +```bicep +module locks './Microsoft.Authorization/locks/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-locks' + params: { + level: 'CanNotDelete' + resourceGroupName: 'adp-<>-az-locks-rg-001' + subscriptionId: '<>' + } +``` + +
+

diff --git a/arm/Microsoft.Authorization/locks/resourceGroup/deploy.bicep b/arm/Microsoft.Authorization/locks/resourceGroup/deploy.bicep new file mode 100644 index 0000000000..00c3566ce0 --- /dev/null +++ b/arm/Microsoft.Authorization/locks/resourceGroup/deploy.bicep @@ -0,0 +1,46 @@ +targetScope = 'resourceGroup' + +@description('Optional. The name of the lock.') +param name string = '${level}-lock' + +@allowed([ + 'CanNotDelete' + 'ReadOnly' +]) +@description('Required. Set lock level.') +param level string + +@description('Optional. The decription attached to the lock.') +param notes string = level == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + +@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') +param enableDefaultTelemetry bool = true + +resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { + name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' + properties: { + mode: 'Incremental' + template: { + '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' + contentVersion: '1.0.0.0' + resources: [] + } + } +} + +resource lock 'Microsoft.Authorization/locks@2017-04-01' = { + name: name + properties: { + level: level + notes: notes + } +} + +@description('The name of the lock.') +output name string = lock.name + +@description('The resource ID of the lock.') +output resourceId string = lock.id + +@description('The name of the resource group the lock was applied to.') +output resourceGroupName string = resourceGroup().name diff --git a/arm/Microsoft.Authorization/locks/resourceGroup/readme.md b/arm/Microsoft.Authorization/locks/resourceGroup/readme.md new file mode 100644 index 0000000000..c1e4e67f62 --- /dev/null +++ b/arm/Microsoft.Authorization/locks/resourceGroup/readme.md 
@@ -0,0 +1,38 @@ +# Authorization Locks on Resource Group level `[Microsoft.Authorization/locks/resourceGroup]` + +This module deploys Authorization Locks on Resource Group level. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | + +## Parameters + +**Required parameters** +| Parameter Name | Type | Allowed Values | Description | +| :-- | :-- | :-- | :-- | +| `level` | string | `[CanNotDelete, ReadOnly]` | Set lock level. | + +**Optional parameters** +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| `name` | string | `[format('{0}-lock', parameters('level'))]` | The name of the lock. | +| `notes` | string | `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` | The decription attached to the lock. | + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the lock. | +| `resourceGroupName` | string | The name of the resource group the lock was applied to. | +| `resourceId` | string | The resource ID of the lock. | diff --git a/arm/Microsoft.Authorization/locks/resourceGroup/version.json b/arm/Microsoft.Authorization/locks/resourceGroup/version.json new file mode 100644 index 0000000000..41f66cc990 --- /dev/null +++ b/arm/Microsoft.Authorization/locks/resourceGroup/version.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", + "version": "0.1" +} 
diff --git a/arm/Microsoft.Authorization/locks/subscription/deploy.bicep b/arm/Microsoft.Authorization/locks/subscription/deploy.bicep new file mode 100644 index 0000000000..f184869649 --- /dev/null +++ b/arm/Microsoft.Authorization/locks/subscription/deploy.bicep @@ -0,0 +1,46 @@ +targetScope = 'subscription' + +@description('Optional. The name of the lock.') +param name string = '${level}-lock' + +@allowed([ + 'CanNotDelete' + 'ReadOnly' +]) +@description('Required. Set lock level.') +param level string + +@description('Optional. The decription attached to the lock.') +param notes string = level == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + +@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') +param enableDefaultTelemetry bool = true + +resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { + name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' + properties: { + mode: 'Incremental' + template: { + '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' + contentVersion: '1.0.0.0' + resources: [] + } + } +} + +resource lock 'Microsoft.Authorization/locks@2017-04-01' = { + name: name + properties: { + level: level + notes: notes + } +} + +@description('The name of the lock.') +output name string = lock.name + +@description('The resource ID of the lock.') +output resourceId string = lock.id + +@description('The subscription the lock was deployed into.') +output subscriptionName string = subscription().displayName diff --git a/arm/Microsoft.Authorization/locks/subscription/readme.md b/arm/Microsoft.Authorization/locks/subscription/readme.md new file mode 100644 index 0000000000..cf74d949f1 --- /dev/null +++ b/arm/Microsoft.Authorization/locks/subscription/readme.md 
@@ -0,0 +1,38 @@ +# Authorization Locks on Subscription level `[Microsoft.Authorization/locks/subscription]` + +This module deploys Authorization Locks on Subscription level. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | + +## Parameters + +**Required parameters** +| Parameter Name | Type | Allowed Values | Description | +| :-- | :-- | :-- | :-- | +| `level` | string | `[CanNotDelete, ReadOnly]` | Set lock level. | + +**Optional parameters** +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| `name` | string | `[format('{0}-lock', parameters('level'))]` | The name of the lock. | +| `notes` | string | `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` | The decription attached to the lock. | + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the lock. | +| `resourceId` | string | The resource ID of the lock. | +| `subscriptionName` | string | The subscription the lock was deployed into. | diff --git a/arm/Microsoft.Authorization/locks/subscription/version.json b/arm/Microsoft.Authorization/locks/subscription/version.json new file mode 100644 index 0000000000..41f66cc990 --- /dev/null +++ b/arm/Microsoft.Authorization/locks/subscription/version.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", + "version": "0.1" +} 
diff --git a/arm/Microsoft.Authorization/locks/version.json b/arm/Microsoft.Authorization/locks/version.json new file mode 100644 index 0000000000..41f66cc990 --- /dev/null +++ b/arm/Microsoft.Authorization/locks/version.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", + "version": "0.1" +} diff --git a/arm/Microsoft.Resources/resourceGroups/.bicep/nested_lock.bicep b/arm/Microsoft.Resources/resourceGroups/.bicep/nested_lock.bicep deleted file mode 100644 index 96d0f4c23b..0000000000 --- a/arm/Microsoft.Resources/resourceGroups/.bicep/nested_lock.bicep +++ /dev/null @@ -1,26 +0,0 @@ -@description('Optional. The name of the lock.') -param name string = '${level}-lock' - -@allowed([ - 'CanNotDelete' - 'ReadOnly' -]) -@description('Required. Set lock level.') -param level string - -@description('Optional. The decription attached to the lock.') -param notes string = level == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' - -resource lock 'Microsoft.Authorization/locks@2017-04-01' = { - name: name - properties: { - level: level - notes: notes - } -} - -@description('The resource ID of the lock.') -output resourceId string = lock.id - -@description('The name of the lock.') -output name string = lock.name diff --git a/arm/Microsoft.Resources/resourceGroups/deploy.bicep b/arm/Microsoft.Resources/resourceGroups/deploy.bicep index d833f6e1cc..e5f23ab7e8 100644 --- a/arm/Microsoft.Resources/resourceGroups/deploy.bicep +++ b/arm/Microsoft.Resources/resourceGroups/deploy.bicep 
@@ -43,7 +43,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2019-05-01' = { properties: {} } -module resourceGroup_lock '.bicep/nested_lock.bicep' = if (!empty(lock)) { +module resourceGroup_lock '../../Microsoft.Authorization/locks/resourceGroup/deploy.bicep' = if (!empty(lock)) { name: '${uniqueString(deployment().name, location)}-${lock}-Lock' params: { level: any(lock) diff --git a/utilities/pipelines/dependencies/Microsoft.Resources/resourceGroups/parameters/locks.parameters.json b/utilities/pipelines/dependencies/Microsoft.Resources/resourceGroups/parameters/locks.parameters.json new file mode 100644 index 0000000000..6d067839b3 --- /dev/null +++ b/utilities/pipelines/dependencies/Microsoft.Resources/resourceGroups/parameters/locks.parameters.json @@ -0,0 +1,9 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "adp-<>-az-locks-rg-001" + } + } +}
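Review bot: The module that `resourceGroup_lock` now references, `Microsoft.Authorization/locks/resourceGroup/deploy.bicep`, declares `enableDefaultTelemetry` with a default of `true`, whereas the removed `.bicep/nested_lock.bicep` had no telemetry resource, so every locked resource group deployment would now create an extra `pid-…` deployment unless the caller opts out. The new top-level locks module passes `enableDefaultTelemetry: enableReferencedModulesTelemetry` (set to `false`) to its child modules; the same is worth doing here, e.g. adding `enableDefaultTelemetry: false` to `params`. The `params` block continues outside the hunk, so confirm against the full file.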