Skip to main content

azure_lock Resource

Use the azure_lock InSpec audit resource to test the properties and configuration of a Management Lock.

Azure REST API Version, Endpoint, and HTTP Client Parameters

This resource interacts with API versions supported by the resource provider. The api_version can be defined as a resource parameter. If not provided, this resource uses the latest version. For more information, refer to the azure_generic_resource document.

Unless defined, this resource uses the azure_cloud global endpoint and default values for the HTTP client. For more information, refer to the resource pack README.


This resource is available in the Chef InSpec Azure resource pack.

For information on configuring your Azure environment for Chef InSpec and creating an InSpec profile that uses the InSpec Azure resource pack, see the Chef InSpec documentation for the Azure cloud platform.


The Management Lock resources do not follow the common resouce_group and name patterns for identification. As a result, the resource_id must be given as a parameter to the azure_lock resource.

The azure_locks resource can be used for gathering the Management Lock resource IDs to be tested within the desired level, such as subscription, resource group, or individual resource.

describe azure_lock(resource_id: '/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{parentResourcePath}/{resourceType}/{resourceName}/providers/Microsoft.Authorization/locks/{lockName}') do
  it { should exist }


The unique resource ID.


The level of the lock. Possible values are: NotSpecified, CanNotDelete, and ReadOnly. For more see here.
Notes about the lock. Maximum of 512 characters.
A list of the owners of the lock with these properties.

Please note that the properties can vary depending on the api_version used for the lookup.

For properties applicable to all resources, such as type, name, id, and properties, refer to azure_generic_resource.

Also, refer to Azure documentation for other properties available. Any attribute in the response may be accessed with the key names separated by dots (.). For example, properties.<attribute>.


Test if a ‘ReadOnly’ Management Lock exists in a specific resource group

azure_locks(resource_group: 'EXAMPLE-GROUP').ids.each do |id|
  describe azure_lock(resource_id: id) do
    its('properties.level') { should_not cmp `ReadOnly` }

Test if Management Locks on a specific resource contain a certain String

azure_locks(resouce_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/virtualMachines/{vmName}').ids.each do |lock_id|
  describe azure_lock(resource_id: lock_id) do
    it('properties.notes') { should include 'contact' }


For a full list of available matchers, see our Universal Matchers page.

This resource has the following special matchers.


# If we expect a resource to always exist.

describe azure_lock(resource_id: '/subscriptions/..{lockName}') do
  it { should exist }


# If we expect a resource to never exist.

describe azure_lock(resource_id: '/subscriptions/..{lockName}') do
  it { should_not exist }

Azure Permissions

Your Service Principal must be set up with at least a contributor role on the subscription you wish to test.

Edit this page on GitHub

Thank you for your feedback!


Search Results