Commit 4e63b29

Merge pull request #231887 from seesharprun/cosmos-revamp-resource-locks
Cosmos DB | Revamp resource locks article
2 parents 27500ae + 9127fd0 commit 4e63b29

File tree

1 file changed

+40
-32
lines changed

articles/cosmos-db/resource-locks.md

Lines changed: 40 additions & 32 deletions
@@ -1,46 +1,54 @@
11
---
2-
title: Prevent Azure Cosmos DB resources from being deleted or changed
3-
description: Use Azure Resource Locks to prevent Azure Cosmos DB resources from being deleted or changed.
2+
title: Use locks to protect resources
3+
titleSuffix: Azure Cosmos DB
4+
description: Use Azure resource locks to prevent Azure Cosmos DB resources from being deleted or changed unintentionally.
45
author: seesharprun
6+
ms.author: sidandrews
7+
ms.reviewer: mjbrown
58
ms.service: cosmos-db
69
ms.subservice: nosql
710
ms.topic: how-to
8-
ms.date: 08/31/2022
9-
ms.author: sidandrews
10-
ms.reviewer: mjbrown
11-
ms.custom: devx-track-azurepowershell, devx-track-azurecli, ignite-2022
1211
ms.devlang: azurecli
12+
ms.date: 03/23/2023
13+
ms.custom: devx-track-azurepowershell, devx-track-azurecli, ignite-2022
1314
---
1415

15-
# Prevent Azure Cosmos DB resources from being deleted or changed
16+
# Protect Azure Cosmos DB resources with locks
1617

1718
[!INCLUDE[NoSQL, MongoDB, Cassandra, Gremlin, Table](includes/appliesto-nosql-mongodb-cassandra-gremlin-table.md)]
1819

19-
As an administrator, you may need to lock an Azure Cosmos DB account, database or container. Locks prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to ``CanNotDelete`` or ``ReadOnly``.
20+
As an administrator, you may need to lock an Azure Cosmos DB account, database or container. Locks prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to `CanNotDelete` or `ReadOnly`.
2021

2122
| Level | Description |
2223
| --- | --- |
23-
| ``CanNotDelete`` | Authorized users can still read and modify a resource, but they can't delete the resource. |
24-
| ``ReadOnly`` | Authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the **Reader** role. |
24+
| `CanNotDelete` | Authorized users can still read and modify a resource, but they can't delete the resource. |
25+
| `ReadOnly` | Authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the **Reader** role. |
26+
27+
## Prerequisites
28+
29+
- An existing Azure Cosmos DB account.
30+
- If you have an Azure subscription, [create a new account](nosql/how-to-create-account.md?tabs=azure-portal).
31+
- If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
32+
- Alternatively, you can [try Azure Cosmos DB free](try-free.md) before you commit.
2533

2634
## How locks are applied
2735

2836
When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.
2937

3038
Unlike Azure role-based access control, you use management locks to apply a restriction across all users and roles. To learn about role-based access control for Azure Cosmos DB see, [Azure role-based access control in Azure Cosmos DB](role-based-access-control.md).
3139

32-
Resource Manager locks apply only to operations that happen in the management plane, which consists of operations sent to <https://management.azure.com>. The locks don't restrict how resources perform their own functions. Resource changes are restricted, but resource operations aren't restricted. For example, a ReadOnly lock on an Azure Cosmos DB container prevents you from deleting or modifying the container. It doesn't prevent you from creating, updating, or deleting data in the container. Data transactions are permitted because those operations aren't sent to <https://management.azure.com>.
40+
Resource Manager locks apply only to operations that happen in the management plane, which consists of operations sent to `https://management.azure.com`. The locks don't restrict how resources perform their own functions. Resource changes are restricted, but resource operations aren't restricted. For example, a ReadOnly lock on an Azure Cosmos DB container prevents you from deleting or modifying the container. It doesn't prevent you from creating, updating, or deleting data in the container. Data transactions are permitted because those operations aren't sent to `https://management.azure.com`.
3341

3442
## Manage locks
3543

36-
Resource locks don't work for changes made by users accessing Azure Cosmos DB using account keys unless the Azure Cosmos DB account is first locked by enabling the ``disableKeyBasedMetadataWriteAccess`` property. Ensure this property doesn't break existing applications that make changes to resources using any SDK, Azure portal, or third party tools. Enabling this property will break applications that connect via account keys and modify resources such as changing throughput, updating index policies, etc. To learn more and to go through a checklist to ensure your applications continue to function, see [preventing changes from the Azure Cosmos DB SDKs](role-based-access-control.md#prevent-sdk-changes)
44+
Resource locks don't work for changes made by users accessing Azure Cosmos DB using account keys unless the Azure Cosmos DB account is first locked by enabling the `disableKeyBasedMetadataWriteAccess` property. Ensure this property doesn't break existing applications that make changes to resources using any SDK, Azure portal, or third party tools. Enabling this property breaks applications that connect via account keys to modify resources. These modifications can include changing throughput, updating index policies, etc. To learn more and to go through a checklist to ensure your applications continue to function, see [preventing changes from the Azure Cosmos DB SDKs](role-based-access-control.md#prevent-sdk-changes)
3745

3846
### [PowerShell](#tab/powershell)
3947

4048
```powershell-interactive
41-
$RESOURCE_GROUP_NAME = "myResourceGroup"
42-
$ACCOUNT_NAME = "my-cosmos-account"
43-
$LOCK_NAME = "$accountName-Lock"
49+
$RESOURCE_GROUP_NAME = "<resource-group>"
50+
$ACCOUNT_NAME = "<account-name>"
51+
$LOCK_NAME = "$ACCOUNT_NAME-lock"
4452
```
4553

4654
First, update the account to prevent changes by anything that connects via account keys.
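Review bot: the paragraph that introduces `disableKeyBasedMetadataWriteAccess` still ends without a period after the `[preventing changes from the Azure Cosmos DB SDKs]` link; add one. The PowerShell variable change is more than a placeholder swap and deserves a mention in the commit message: the old `$LOCK_NAME = "$accountName-Lock"` expanded an undefined variable (the block defines `$ACCOUNT_NAME`), so the lock would have been created with the name `-Lock`; the new `"$ACCOUNT_NAME-lock"` fixes that.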
@@ -71,26 +79,26 @@ New-AzResourceLock @parameters
7179
### [Azure CLI](#tab/azure-cli)
7280

7381
```azurecli-interactive
74-
resourceGroupName='myResourceGroup'
75-
accountName='my-cosmos-account'
82+
resourceGroupName='<resource-group>'
83+
accountName='<account-name>'
7684
lockName="$accountName-Lock"
7785
```
7886

7987
First, update the account to prevent changes by anything that connects via account keys.
8088

8189
```azurecli-interactive
8290
az cosmosdb update \
83-
--name $accountName \
8491
--resource-group $resourceGroupName \
92+
--name $accountName \
8593
--disable-key-based-metadata-write-access true
8694
```
8795

8896
Create a Delete Lock on an Azure Cosmos DB account resource
8997

9098
```azurecli-interactive
9199
az lock create \
100+
--resource-group $resourceGroupName \
92101
--name $lockName \
93-
--resource-group $resourceGroupName \
94102
--lock-type 'CanNotDelete' \
95103
--resource-type Microsoft.DocumentDB/databaseAccount \
96104
--resource $accountName
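Review bot: the unchanged `--resource-type Microsoft.DocumentDB/databaseAccount` in the `az lock create` call is the singular form, while the ARM template later in this article scopes the same lock with `resourceId('Microsoft.DocumentDB/databaseAccounts', ...)`; the provider's resource type is the plural `databaseAccounts`, and `az lock create` needs the exact type string to resolve the target, so fix it here while the surrounding arguments are being reordered. Minor: `lockName="$accountName-Lock"` keeps the `-Lock` suffix while the PowerShell tab now uses `-lock`; align the two so both tabs produce the same lock name.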
@@ -106,17 +114,17 @@ When applying a lock to an Azure Cosmos DB resource, use the [``Microsoft.Author
106114

107115
```json
108116
{
109-
"type": "Microsoft.Authorization/locks",
110-
"apiVersion": "2017-04-01",
111-
"name": "cosmoslock",
112-
"dependsOn": [
113-
"[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))]"
114-
],
115-
"properties": {
116-
"level": "CanNotDelete",
117-
"notes": "Do not delete Azure Cosmos DB account."
118-
},
119-
"scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))]"
117+
"type": "Microsoft.Authorization/locks",
118+
"apiVersion": "2017-04-01",
119+
"name": "cosmoslock",
120+
"dependsOn": [
121+
"[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))]"
122+
],
123+
"properties": {
124+
"level": "CanNotDelete",
125+
"notes": "Do not delete Azure Cosmos DB account."
126+
},
127+
"scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))]"
120128
}
121129
```
122130

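Review bot: indentation-only change, so nothing to block on; one suggestion while you are here: `dependsOn` and `scope` repeat the identical `resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))` expression, so hoist it into a template variable and reference it from both places, which keeps the two from drifting apart if the lock scope is later pointed at a database or container.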
@@ -147,5 +155,5 @@ Manage resource locks for Azure Cosmos DB:
147155

148156
## Next steps
149157

150-
- [Overview of Azure Resource Manager Locks](../azure-resource-manager/management/lock-resources.md)
151-
- [How to audit Azure Cosmos DB control plane operations](audit-control-plane-logs.md)
158+
> [!div class="nextstepaction"]
159+
> [Overview of Azure Resource Manager Locks](../azure-resource-manager/management/lock-resources.md)
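Review bot: this hunk drops the link to `How to audit Azure Cosmos DB control plane operations` (audit-control-plane-logs.md) from Next steps instead of converting it. Since the article itself states that locks only cover the management plane, control-plane auditing is the natural companion reading for detecting lock removal or metadata changes; keep it as a second `nextstepaction` link or move it into a See also section.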
