Azure Cosmos DB resources can be accidentally deleted, leading to extended downtime and data loss. Resource locks prevent this by disallowing certain operations on the resource.
Let’s say you have a critical Cosmos DB account, my-cosmos-db-prod, with a database SalesDB and a container Orders. You want to ensure these aren’t accidentally deleted.
First, you’d navigate to your Cosmos DB account in the Azure portal. On the left-hand menu, under the "Settings" section, you’ll find "Locks."
Clicking "Add lock" presents you with a form. For our critical production resources, we’ll choose "CanNotDelete" for the "Lock type." This allows all operations except deletion. If you wanted to be even more stringent and prevent any changes, you could select "ReadOnly," but this would also prevent scaling, updating throughput, or modifying indexing policies.
You can apply locks at different scopes: the subscription, a resource group, or individual resources. For Cosmos DB, it’s most effective to apply locks directly to the Cosmos DB account resource itself. In the "Add lock" form, ensure the "Scope" is set to your my-cosmos-db-prod account. You can give the lock a name, like NoDeleteLock-CosmosDB.
Once applied, if someone tries to delete the my-cosmos-db-prod Cosmos DB account, they’ll receive an error message similar to: "The resource 'my-cosmos-db-prod' cannot be deleted because it is locked by a lock with scope '/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/YOUR_RESOURCE_GROUP/providers/Microsoft.DocumentDB/databaseAccounts/my-cosmos-db-prod' and name 'NoDeleteLock-CosmosDB'."
This lock also cascades. Any child resources, like the SalesDB database or Orders container within that account, inherit the lock. Attempting to delete the SalesDB database directly would also be blocked.
The primary benefit of "CanNotDelete" locks is that they prevent accidental DELETE API calls at the Azure Resource Manager (ARM) level. This is the fundamental mechanism by which Azure resources are managed. When you click "Delete" in the portal or use az cosmosdb delete in the CLI, you’re triggering an ARM operation. The lock intercepts this operation before it reaches Cosmos DB.
To remove a lock, you would go back to the "Locks" section of the Cosmos DB account, select the lock you want to remove, and click "Delete." You need appropriate permissions (e.g., Owner role or User Access Administrator at the scope of the lock) to remove it.
Consider the implications of applying locks at the resource group level. If you lock the resource group containing my-cosmos-db-prod, you’d prevent deletion of all resources within that group, not just the Cosmos DB account. This might be desirable for a tightly coupled set of resources, but for granular control, locking the specific Cosmos DB account is preferred.
If you were to delete the Cosmos DB account after removing the lock, the next error you might encounter is a 404 Not Found if you attempt to access the database or container that no longer exists.