```powershell
param(
    [Parameter(Mandatory=$true, HelpMessage="The search term for all resource groups to check")]
    [string]$search
)

# Find every resource group whose name contains the search term
$resourceGroups = Get-AzureRmResourceGroup | Where-Object { $_.ResourceGroupName -like "*$search*" }

foreach ($resourceGroup in $resourceGroups) {
    # Without -LockName this returns all locks in the group, so the result may be an array;
    # putting $null on the left of -eq makes the comparison work for arrays as well
    $lock = Get-AzureRmResourceLock -ResourceGroupName $resourceGroup.ResourceGroupName
    if ($null -eq $lock) {
        Write-Host "$($resourceGroup.ResourceGroupName) is missing a lock"
    }
}
```
The script above is really quite simple. When I do production deployments, I usually place the word "prod" somewhere in the resource group name. The script above takes in a search parameter and then tries to locate all resource groups that contain that search parameter. The foreach loop essentially checks for the existence of a lock. If no lock is found, a message is printed.
This script could be expanded in several ways to be more robust. For example, it could auto-correct the condition by placing the required lock. One could then add this as part of an Azure Automation job that would ensure that production resource groups are not left unprotected for long. Further, it could actually look at the lock to determine if it is delete or read-only and report accordingly.
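The two expansions just described, reporting each lock's level and optionally adding the missing lock, could look like this; it is an added example, not the script from the post, and the -Remediate switch, the default lock name and an already authenticated AzureRM session are assumptions.

```powershell
# Added example: report lock levels on matching resource groups and, with -Remediate,
# add a CanNotDelete lock where none exists. Assumes the AzureRM module is loaded and
# Login-AzureRmAccount has already been run.
param(
    [Parameter(Mandatory=$true, HelpMessage="The search term for all resource groups to check")]
    [string]$search,
    [switch]$Remediate,                      # assumed switch: fix the finding instead of only reporting it
    [string]$LockName = "prod-delete-lock"   # assumed name for locks this script creates
)

$resourceGroups = Get-AzureRmResourceGroup | Where-Object { $_.ResourceGroupName -like "*$search*" }

foreach ($resourceGroup in $resourceGroups) {
    $rgName = $resourceGroup.ResourceGroupName

    # -AtScope returns only locks applied to the group itself, not locks on child resources,
    # so a lock on a single VM inside the group does not hide an unprotected group
    $locks = @(Get-AzureRmResourceLock -ResourceGroupName $rgName -AtScope)

    if ($locks.Count -eq 0) {
        Write-Warning "$rgName is missing a lock"
        if ($Remediate) {
            New-AzureRmResourceLock -LockName $LockName -LockLevel CanNotDelete `
                -ResourceGroupName $rgName -LockNotes "Added by lock audit script" -Force | Out-Null
            Write-Host "$rgName : added CanNotDelete lock '$LockName'"
        }
        continue
    }

    foreach ($lock in $locks) {
        # Properties.level is either CanNotDelete or ReadOnly
        Write-Host "$rgName : lock '$($lock.Name)' is $($lock.Properties.level)"
    }
}
```

Run it without -Remediate first to see what would change; a ReadOnly lock also blocks some routine operations, so the report line matters as much as the missing-lock warning.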
In any event, the above script suited my audit purposes just fine. Enjoy!