Try SpotterManage Azure locks
| "added in version" 0.1.2 of azure.azcollection"
Authors: Yuwei Zhou (@yuwzho)
Install with ansible-galaxy collection install azure.azcollection:==2.3.0
collections:
- name: azure.azcollection
version: 2.3.0Create, delete an Azure lock.
To create or delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions.
Of the built-in roles, only Owner and User Access Administrator are granted those actions.
- name: Create a lock for a resource
azure_rm_lock:
managed_resource_id: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM
name: myLock
level: read_only
- name: Create a lock for a resource group
azure_rm_lock:
managed_resource_id: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/myResourceGroup
name: myLock
level: read_only
- name: Create a lock for a resource group
azure_rm_lock:
resource_group: myResourceGroup
name: myLock
notes: description_lock
level: read_only
- name: Create a lock for a subscription
azure_rm_lock:
name: myLock
level: read_only
name:
description:
- Name of the lock.
required: true
type: str
level:
choices:
- can_not_delete
- read_only
description:
- The lock level type.
type: str
notes:
description:
- Notes about the lock. Maximum of 512 characters.
type: str
state:
choices:
- absent
- present
default: present
description:
- State of the lock.
- Use C(present) to create or update a lock and C(absent) to delete a lock.
type: str
secret:
description:
- Azure client secret. Use when authenticating with a Service Principal.
type: str
tenant:
description:
- Azure tenant ID. Use when authenticating with a Service Principal.
type: str
ad_user:
description:
- Active Directory username. Use when authenticating with an Active Directory user
rather than service principal.
type: str
profile:
description:
- Security profile found in ~/.azure/credentials file.
type: str
log_mode:
description:
- Parent argument.
type: str
log_path:
description:
- Parent argument.
type: str
password:
description:
- Active Directory user password. Use when authenticating with an Active Directory
user rather than service principal.
type: str
client_id:
description:
- Azure client ID. Use when authenticating with a Service Principal or Managed Identity
(msi).
- Can also be set via the C(AZURE_CLIENT_ID) environment variable.
type: str
thumbprint:
description:
- The thumbprint of the private key specified in I(x509_certificate_path).
- Use when authenticating with a Service Principal.
- Required if I(x509_certificate_path) is defined.
type: str
version_added: 1.14.0
version_added_collection: azure.azcollection
api_profile:
default: latest
description:
- Selects an API profile to use when communicating with Azure services. Default value
of C(latest) is appropriate for public clouds; future values will allow use with
Azure Stack.
type: str
version_added: 0.0.1
version_added_collection: azure.azcollection
auth_source:
choices:
- auto
- cli
- credential_file
- env
- msi
default: auto
description:
- Controls the source of the credentials to use for authentication.
- Can also be set via the C(ANSIBLE_AZURE_AUTH_SOURCE) environment variable.
- When set to C(auto) (the default) the precedence is module parameters -> C(env)
-> C(credential_file) -> C(cli).
- When set to C(env), the credentials will be read from the environment variables
- When set to C(credential_file), it will read the profile from C(~/.azure/credentials).
- When set to C(cli), the credentials will be sources from the Azure CLI profile.
C(subscription_id) or the environment variable C(AZURE_SUBSCRIPTION_ID) can be used
to identify the subscription ID if more than one is present otherwise the default
az cli subscription is used.
- When set to C(msi), the host machine must be an azure resource with an enabled MSI
extension. C(subscription_id) or the environment variable C(AZURE_SUBSCRIPTION_ID)
can be used to identify the subscription ID if the resource is granted access to
more than one subscription, otherwise the first subscription is chosen.
- The C(msi) was added in Ansible 2.6.
type: str
version_added: 0.0.1
version_added_collection: azure.azcollection
resource_group:
description:
- Manage a lock for the named resource group.
- Mutually exclusive with I(managed_resource_id).
- If neither I(managed_resource_id) or I(resource_group) are specified, manage a lock
for the current subscription.
type: str
subscription_id:
description:
- Your Azure subscription Id.
type: str
cloud_environment:
default: AzureCloud
description:
- For cloud environments other than the US public cloud, the environment name (as
defined by Azure Python SDK, eg, C(AzureChinaCloud), C(AzureUSGovernment)), or a
metadata discovery endpoint URL (required for Azure Stack). Can also be set via
credential file profile or the C(AZURE_CLOUD_ENVIRONMENT) environment variable.
type: str
version_added: 0.0.1
version_added_collection: azure.azcollection
adfs_authority_url:
description:
- Azure AD authority url. Use when authenticating with Username/password, and has
your own ADFS authority.
type: str
version_added: 0.0.1
version_added_collection: azure.azcollection
managed_resource_id:
description:
- Manage a lock for the specified resource ID.
- Mutually exclusive with I(resource_group).
- If neither I(managed_resource_id) or I(resource_group) are specified, manage a lock
for the current subscription.
- '''/subscriptions/{subscriptionId}'' for subscriptions.'
- '''/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}'' for resource
groups.'
- '''/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{namespace}/{resourceType}/{resourceName}''
for resources.'
type: str
cert_validation_mode:
choices:
- ignore
- validate
description:
- Controls the certificate validation behavior for Azure endpoints. By default, all
modules will validate the server certificate, but when an HTTPS proxy is in use,
or against Azure Stack, it may be necessary to disable this behavior by passing
C(ignore). Can also be set via credential file profile or the C(AZURE_CERT_VALIDATION)
environment variable.
type: str
version_added: 0.0.1
version_added_collection: azure.azcollection
x509_certificate_path:
description:
- Path to the X509 certificate used to create the service principal in PEM format.
- The certificate must be appended to the private key.
- Use when authenticating with a Service Principal.
type: path
version_added: 1.14.0
version_added_collection: azure.azcollection
disable_instance_discovery:
default: false
description:
- Determines whether or not instance discovery is performed when attempting to authenticate.
Setting this to true will completely disable both instance discovery and authority
validation. This functionality is intended for use in scenarios where the metadata
endpoint cannot be reached such as in private clouds or Azure Stack. The process
of instance discovery entails retrieving authority metadata from https://login.microsoft.com/
to validate the authority. By setting this to **True**, the validation of the authority
is disabled. As a result, it is crucial to ensure that the configured authority
host is valid and trustworthy.
- Set via credential file profile or the C(AZURE_DISABLE_INSTANCE_DISCOVERY) environment
variable.
type: bool
version_added: 2.3.0
version_added_collection: azure.azcollection
id: description: - Resource ID of the lock. returned: success sample: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Authorization/locks/keep type: str