1. Home
  2. Training Library
  3. Microsoft Azure
  4. Courses
  5. Getting Started Managing Azure with PowerShell

Demo: ARM PowerShell: Resource Groups & Locks

Start course

Using PowerShell automation with the Microsoft Azure cloud platform gives you more consistent, repeatable, and auditable controls over your cloud resources. During this course, we will explore the process of connecting Microsoft Windows PowerShell to the Microsoft Azure platform. We'll talk about the installation and authentication process, managing your Azure subscriptions, and Azure Resource Manager (ARM) Resource Groups. We will deploy an ARM JSON Template to a Resource Group, and finally demonstrate how easy it is to deploy cloud resources individually, through imperative provisioning!

If you have thoughts or suggestions for this course, please contact Cloud Academy at support@cloudacademy.com.


In this video, we're going to take a look at the Azure Resource Manager Resources PowerShell Module.

So let's start by taking a look at the modules that are available on our system that are related to Azure Resource Manager. To do that, I'm going to call Get-Module-List Available-Name and then I'm going to use wildcards to specify that I'm looking for modules with the name Azure RM inside of them.

As you can see, I get back a decently large list of modules and I've actually got some duplicates here because I have some older versions of the same modules installed. So when we install these modules from the PowerShell gallery, it will install the current version. But when I update the Azure Resource Manager module, it's going to install the newer version side by side rather than replacing the old version of the module.

So as you can see, I've got a variety of modules that are specific to certain features inside the Azure platform. For example, I have modules that target the compute platform, the Microsoft Azure Automation Service, the API Management Service, the Azure DNS Service, and many others.

There's a special module in here aside from the AzureRM.profile module that allows us to authenticate and manage our subscription access. But there's another special one called AzureRM.resources. So let's call Get-CommandModuleAzureRM.Resources And this will get us a list of commands that are available to us through the Resources PowerShell module.

Now what's special about the AzureRM. Resources module is that it allows us to manage entities or resources inside of our Azure Resource Manager interface using PowerShell. So we can do things such as creating and deleting resource groups, we can get a list of resources in our entire subscription or in a specific resource group, and we can also provide operations such as resource locks, role assignments, custom role definitions, and a lot of other concepts that are specific to the Azure Resource Manager API.

So let's start out by simply listing out the resource groups that are available in our subscription. To do that, we're going to call Get-AzureRMResourceGroup. If we hit F8 in the PowerShell ISE to run just that one line, you'll see that we get a list of Azure resource groups and the full resource ID path to that resource group. Now each resource group is associated with a particular Azure region, so you'll see that region listed under the location property. If you'd like to have a more graphical view of this, you can use PowerShell 3.0 later to display the information in a WPF grid view, and the command for that is called OutGridView. So if I simply rerun that command, you'll see that I have a nice friendly grid view of information that I can then filter and sort.

So for example, I can filter for a list of resource groups that start with default or I could, for example, create a piece of criteria that filters my resource groups for a particular location. So now I filtered the data for only the resource groups that exist in the West US region.

There are some other commands that we can use to manage resource groups as well. So I'm going to take my Get-Command command and I'm going to even filter the list of commands that I returned further. So now I'm only going to get commands with the name "resource group" in them that are part of the AzureRM.Resources PowerShell module. So if I go ahead and hit F8 to run that command, you'll see that I get a list of commands that allow us to manage resource groups. So I can do things such as getting a resource group like we already did, I can create new resource groups, I can delete resource groups by calling Remove-AzureRMResourceGroup, and I can update existing resource groups by using Set-AzureRMResourceGroup.

So let's go ahead and simply create a new resource group. So I'm going to call the new Azure RM Resource Group command and I'm going to actually call Get-Help on it. So if I hit F8 to run just that one line, you can see that I get the help for new Azure RM Resource Group. Now the syntax is shown here automatically by PowerShell and you can see that there's a couple of parameters that are mandatory.

First of all I have to specify the name, which is the name of the resource group that I'm going to create and also I have to specify the location that I want the resource group to be deployed in. So there's a key command that allows me to discover all of the available locations called Get-AzureRMProvider. So if we call Get-AzureRMResource Provider, you'll see that I get a list of the resource providers in Azure Resource Manager over here on the left. And then all of the resource types in the resource types property, which is in array. And then finally on the far right here, I have the locations. So I can actually authoritatively list out all of the supported Azure locations by using Get-AzureRMResourceProvider.

I can go ahead and pipe that information into the OutGridView command and I will get a much more graphical friendly interface to show me all the supported regions. Now what if I want to get only the unique regions or locations? Well, what I can do is Get-AzureRMResourceProvider and then I will output only the locations property. And then if we run that, you'll see that I get a very large list. But the problem here is that I have a lot of duplicates. So I can take this array of locations and pipe it into Select-Object and then add the unique switch parameter. So if I hit F8 on that, it's going to get me all the locations and then it will filter that for only the unique values. So as you can see, these are the supported regions in Microsoft Azure Resource Manager.

If I want to take that one step further, I can actually sort those regions by simply appending sort object onto the PowerShell pipeline for my Get-AzureRMResourceProvider command. So now I have a nice sorted list of regions that I can deploy a resource group into.

So let's go back to our new Azure Resource Group command. I'm going to call New-AzureRMResourceGroup. I'm going to specify the name. We'll call this CloudAcademyRG and then we'll specify one of the locations that we discovered using Get-AzureRMResourceProvider. So I'm going to go ahead and create that resource group in the Brazil South region. So those are the only two mandatory parameters to create a resource group. And you'll see that that process of creating a resource group only takes a couple of seconds.

Now there are some other parameters that I could specify such as tag. So Azure Resource Manager allows us to tag resource groups and individual resources to help us filter and find resources inside of our subscription. So I'm going to go ahead and call Set-AzureRMResourceGroup to add a tag to the existing resource group that we just created.

So as we can see, the tag is a hash table. And each hash table should have a name and a value. So let's set this name to company and the value to Cloud Academy. If I hit F8 to run that command, it's going to go ahead and just apply those tags to my existing resource group that I just created on line number 11. If I want to delete that resource group, I can call Remove Azure RM Resource Group and specify the name, CloudAcademyRG, and then I'm going to add the force parameters so it doesn't prompt me to delete that resource group.

So when you delete a resource group, it actually deletes all of the resources that are contained inside of it as well. However, because we didn't add any resources to this resource group after we created it, the resource group is actually empty.

Okay, so let's go ahead and recreate that resource group called CloudAcademyRG. So we'll come up to line 11 and hit F8 and we'll also go to line 13 and hit F8 to reassign the tag of company. So now what do I do to find a resource group that has a particular tag? Well, there's actually a command called Find-AzureRMResourceGroup and we can specify the tag that we're looking for.

So let's start by typing "Help" on Find-AzureRMResourceGroup and you'll see that it has only that single parameter-tag. So now if we actually call Find-AzureRMResourceGroup and specify the tag, let's say that we're looking for all resource groups that have a tag of company, but we don't care what the value is. Well, we can specify the tag name and let's hit F8 to run that, and that's going to show us all the resource groups that have a tag with a name of company. As you can see, our CloudAcademyRG resource group has been returned.

If we want to find a tag with a specific value, we can simply specify the tag value just like we did when we defined the tag. So as you can see in the second command, we've now returned to the same result because it matches both criteria. Now if we change the company name to Contoso and hit F8, then you'll see that we don't actually get any output.

There are also a series of commands that allow you to manage what are called resource locks. So let's call Get-CommandModuleAzureRM.Resources, and then the command name we're looking for will have the term "lock" inside of it. So as you can see, there are a series of commands that allow us to manage locks. So let's create a new lock on our resource group to prevent the accidental deletion of that resource group. So if we call New-AzureRMResourceLock, we can specify a few different parameters. We can specify the name of the lock, so let's just call this CloudAcademyRGLock, and then we can specify the lock level. In this case, the lock level cannot delete. So that will prevent accidental deletion of the resource group.

Finally, we can specify lock notes. And this Cloud Academy resource group should not be deleted unless an admin is contacted. And then we can also specify the resource group name that we want to be affected. So let's call this CloudAcademyRG, which is consistent with our earlier name. And then you'll see we get a confirmation say, "Do you really want to create this lock?" So we click "Yes" and the new resource lock will be created.

Now that the lock has been created, if we try to call Remove-AzureRMResourceGroup, and specify the name of our resource group and add the force parameter so we're not prompted, you'll see that it says, "It's scope-locked." The scope has a lock on it. And it says, "Please remove the lock and try again." So let's call Remove-AzureRMResourceLock, specify the lock name, specify the resource group name, and it says, "Are you sure you want to delete the following lock?" And I say, "Yes, I do." And that command was successful. So now if I try to call Remove-AzureRMResourceGroup, you'll see that we don't get an exception this time because that operation was allowed because we removed the lock from the resource. So this is how you can use resource locks to protect your resources from accidental deletion.

About the Author
Trevor Sullivan
Microsoft PowerShell MVP

Trevor Sullivan is a Microsoft MVP for Windows PowerShell, and enjoys working with cloud and automation technologies. As a strong, vocal veteran of the Microsoft-centric IT field since 2004, Trevor has developed open source projects, provided significant amounts of product feedback, authored a large variety of training resources, and presented at IT functions including worldwide user groups and conferences.