From 4ec9b0945ef52c8d8fb66bfee2cc8073c637e13d Mon Sep 17 00:00:00 2001
From: Fraser Molyneux
Date: Sat, 9 Dec 2023 20:17:14 +0000
Subject: [PATCH] Adding resource locks to terraform

---
 terraform/app_data_storage.tf | 7 +++++++
 terraform/common.tf | 7 +++++++
 terraform/key_vault.tf | 7 +++++++
 terraform/main.tf | 7 +++++++
 terraform/sql_database.tf | 7 +++++++
 5 files changed, 35 insertions(+)

diff --git a/terraform/app_data_storage.tf b/terraform/app_data_storage.tf
index d551e755..fe4d3389 100644
--- a/terraform/app_data_storage.tf
+++ b/terraform/app_data_storage.tf
@@ -14,6 +14,13 @@ resource "azurerm_storage_account" "app_data_storage" {
 tags = var.tags
 }
 
+resource "azurerm_management_lock" "app_data_storage_lock" {
+ name = "Terraform (CanNotDelete) - ${random_id.lock.hex}"
+ scope = azurerm_storage_account.app_data_storage.id
+ lock_level = "CanNotDelete"
+ notes = "CanNotDelete Lock managed by Terraform to prevent manual or accidental deletion of resource group and resources"
+}
+
 resource "azurerm_storage_container" "map_images_container" {
 name = "map-images"
diff --git a/terraform/common.tf b/terraform/common.tf
index 5ea0b161..90f94a97 100644
--- a/terraform/common.tf
+++ b/terraform/common.tf
@@ -4,3 +4,10 @@ resource "azurerm_resource_group" "rg" {
 tags = var.tags
 }
+
+resource "azurerm_management_lock" "rg_lock" {
+ name = "Terraform (CanNotDelete) - ${random_id.lock.hex}"
+ scope = azurerm_resource_group.rg.id
+ lock_level = "CanNotDelete"
+ notes = "CanNotDelete Lock managed by Terraform to prevent manual or accidental deletion of resource group and resources"
+}
diff --git a/terraform/key_vault.tf b/terraform/key_vault.tf
index a8a3904c..9c4749b8 100644
--- a/terraform/key_vault.tf
+++ b/terraform/key_vault.tf
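Review bot: The lock's `name` interpolates `random_id.lock.hex`, and the `random_id.lock` this patch adds in main.tf keeps on `timestamp()`, so the name changes on every plan and Terraform replaces `azurerm_management_lock.app_data_storage_lock` on every apply; the rg_lock, kv_lock and repo_lock hunks have the same problem. Replacement is destroy-then-create by default, so the storage account is briefly unlocked on each run and the plan is never clean, which is the opposite of what a CanNotDelete lock is meant to give. A fixed name such as `name = "Terraform (CanNotDelete) - app-data-storage"` removes the dependency on the random id entirely. The `notes` text is also copied verbatim from the resource-group lock and talks about "resource group and resources" although this lock covers only the storage account.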
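Review bot: A CanNotDelete lock on the resource group is inherited by every resource inside it, so the per-resource locks this patch adds on the storage account, key vault and database are redundant unless the intent is protection that survives someone removing the group lock; a comment stating that, e.g. `# Inherited by all resources in the group; the per-resource locks are deliberate belt-and-braces`, would save the next reader from wondering. Deleting or replacing this lock requires the Microsoft.Authorization/locks/delete action, which Contributor does not hold, so the identity that runs apply needs Owner or User Access Administrator on the group. That is worth recording next to the resource, because a Contributor-only pipeline will fail at the first apply that has to touch the lock.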
@@ -18,6 +18,13 @@ resource "azurerm_key_vault" "kv" {
 }
 }
 
+resource "azurerm_management_lock" "kv_lock" {
+ name = "Terraform (CanNotDelete) - ${random_id.lock.hex}"
+ scope = azurerm_key_vault.kv.id
+ lock_level = "CanNotDelete"
+ notes = "CanNotDelete Lock managed by Terraform to prevent manual or accidental deletion of resource group and resources"
+}
+
 resource "azurerm_role_assignment" "apim_kv_role_assignment" {
 scope = azurerm_key_vault.kv.id
 role_definition_name = "Key Vault Secrets User"
diff --git a/terraform/main.tf b/terraform/main.tf
index 80405dce..a3a5a98c 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -73,3 +73,10 @@ resource "random_id" "environment_id" {
 resource "time_rotating" "thirty_days" {
 rotation_days = 30
 }
+
+resource "random_id" "lock" {
+ keepers = {
+ id = "${timestamp()}"
+ }
+ byte_length = 8
+}
diff --git a/terraform/sql_database.tf b/terraform/sql_database.tf
index 61d17092..301ff067 100644
--- a/terraform/sql_database.tf
+++ b/terraform/sql_database.tf
@@ -8,3 +8,10 @@ resource "azurerm_mssql_database" "repo" {
 max_size_gb = 2
 }
+
+resource "azurerm_management_lock" "repo_lock" {
+ name = "Terraform (CanNotDelete) - ${random_id.lock.hex}"
+ scope = azurerm_mssql_database.repo.id
+ lock_level = "CanNotDelete"
+ notes = "CanNotDelete Lock managed by Terraform to prevent manual or accidental deletion of resource group and resources"
+}
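Review bot: The lock protects the `azurerm_key_vault.kv` resource against control-plane deletion only; the secrets, keys and certificates inside it are data-plane objects that a management lock does not cover, so the vault's own soft-delete and `purge_protection_enabled` settings (outside this hunk) remain the control for those. A one-line comment above the lock such as `# Control-plane only: does not protect vault contents; see soft-delete/purge protection on the vault` would make that boundary clear to the next reader. The `azurerm_role_assignment` that follows is unchanged context.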
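Review bot: `keepers = { id = "${timestamp()}" }` makes `random_id.lock` regenerate on every plan, because `timestamp()` is re-evaluated on each run and a changed keeper forces a new id; every lock whose name uses `random_id.lock.hex` is then replaced on every apply. If a random suffix is still wanted, key it on something stable, e.g. `keepers = { rg = azurerm_resource_group.rg.id }`, or drop the `keepers` block so the id is generated once and kept in state. The quoting around the call is also a redundant interpolation; `id = timestamp()` is the plain form, though with a stable keeper it disappears anyway.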
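Review bot: Only the database `azurerm_mssql_database.repo` is locked here; the server that hosts it is not locked anywhere in this patch, and the database cannot outlive its server. The resource-group lock in common.tf is inherited by both, so this is only a gap if the per-resource locks are meant to stand on their own; if they are, a matching lock scoped to the server's id would close it, and otherwise a comment such as `# Database-scoped; the hosting server relies on the inherited resource-group lock` would document the choice.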