Skip to main content

azure_lock Resource

Use the azure_lock InSpec audit resource to test properties and configuration of a management lock.

Azure REST API Version, Endpoint, and HTTP Client Parameters

This resource interacts with API versions supported by the resource provider. The api_version can be defined as a resource parameter. If not provided, this resource uses the latest version. For more information, refer to the azure_generic_resource document.

Unless defined, this resource uses the azure_cloud global endpoint and default values for the HTTP client. For more information, refer to the resource pack README.


This resource is available in the Chef InSpec Azure resource pack.

See the Chef InSpec documentation on cloud platforms for information on configuring your Azure environment for InSpec and creating an InSpec profile that uses the InSpec Azure resource pack.


The management lock resources do not follow the common resouce_group and name pattern for identification. As a result of that, the resource_id must be given as a parameter to the azure_lock resource. The azure_locks resource can be used for gathering the management lock resource ids to be tested within the desired level, such as, subscription, resource group or individual resource.

describe azure_lock(resource_id: '/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{parentResourcePath}/{resourceType}/{resourceName}/providers/Microsoft.Authorization/locks/{lockName}') do
  it { should exist }


The unique resource ID. /{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{parentResourcePath}/{resourceType}/{resourceName}/providers/Microsoft.Authorization/locks/{lockName}.


The level of the lock. Possible values are: NotSpecified, CanNotDelete, ReadOnly. For more see here.
Notes about the lock. Maximum of 512 characters.
A list of the owners of the lock with these properties.

Please note that the properties can vary depending on the api_version used for the lookup.

For properties applicable to all resources, such as type, name, id, properties, refer to azure_generic_resource.

Also, refer to Azure documentation for other properties available. Any attribute in the response may be accessed with the key names separated by dots (.), eg. properties.<attribute>.


Test If a ReadOnly Management Lock Exist in a Specific Resource Group.

azure_locks(resource_group: 'example-group').ids.each do |id|
  describe azure_lock(resource_id: id) do
    its('properties.level') { should_not cmp `ReadOnly` }

Test If Management Locks on a Specific Resource Contain a Certain String.

azure_locks(resouce_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/virtualMachines/{vmName}').ids.each do |lock_id|
  describe azure_lock(resource_id: lock_id) do
    it('properties.notes') { should include 'contact' }


This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.


# If we expect a resource to always exist

describe azure_lock(resource_id: '/subscriptions/..{lockName}') do
  it { should exist }
# If we expect a resource to never exist

describe azure_lock(resource_id: '/subscriptions/..{lockName}') do
  it { should_not exist }

Azure Permissions

Your Service Principal must be set up with at least a contributor role on the subscription you wish to test.

Edit this page on GitHub

Thank you for your feedback!


Search Results