Edit

Manage Azure resource groups by using Python

  • Article

Learn how to use Python with Azure Resource Manager to manage your Azure resource groups.

Prerequisites

  • Python 3.8 or later installed. To install the latest, see Python.org

  • The following Azure library packages for Python installed in your virtual environment. To install any of the packages, use pip install {package-name}

    • azure-identity
    • azure-mgmt-resource
    • azure-mgmt-storage

    If you have older versions of these packages already installed in your virtual environment, you may need to update them with pip install --upgrade {package-name}

  • The examples in this article use CLI-based authentication (AzureCliCredential). Depending on your environment, you may need to run az login first to authenticate.

  • An environment variable with your Azure subscription ID. To get your Azure subscription ID, use:

    az account show --name 'your subscription name' --query id -o tsv

    To set the value, use the option for your environment.

    setx AZURE_SUBSCRIPTION_ID your-subscription-id

    Note

    If you only need to access the environment variable in the current running console, you can set the environment variable with set instead of setx.

    After you add the environment variables, you may need to restart any running programs that will need to read the environment variable, including the console window. For example, if you're using Visual Studio as your editor, restart Visual Studio before running the example.

What is a resource group?

A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to add resources to resource groups based on what makes the most sense for your organization. Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update, and delete them as a group.

The resource group stores metadata about the resources. When you specify a location for the resource group, you're specifying where that metadata is stored. For compliance reasons, you may need to ensure that your data is stored in a particular region.

Create resource groups

To create a resource group, use ResourceManagementClient.resource_groups.create_or_update.

import os
from azure.identity import AzureCliCredential
from azure.mgmt.resource import ResourceManagementClient

credential = AzureCliCredential()
subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

resource_client = ResourceManagementClient(credential, subscription_id)

rg_result = resource_client.resource_groups.create_or_update(
    "exampleGroup",
    {
        "location": "westus"
    }
)

print(f"Provisioned resource group with ID: {rg_result.id}")

List resource groups

To list the resource groups in your subscription, use ResourceManagementClient.resource_groups.list.

import os
from azure.identity import AzureCliCredential
from azure.mgmt.resource import ResourceManagementClient

credential = AzureCliCredential()
subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

resource_client = ResourceManagementClient(credential, subscription_id)

rg_list = resource_client.resource_groups.list()

for rg in rg_list:
    print(rg.name)

To get one resource group, use ResourceManagementClient.resource_groups.get and provide the name of the resource group.

import os
from azure.identity import AzureCliCredential
from azure.mgmt.resource import ResourceManagementClient

credential = AzureCliCredential()
subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

resource_client = ResourceManagementClient(credential, subscription_id)

rg_result = resource_client.resource_groups.get("exampleGroup")

print(f"Retrieved resource group {rg_result.name} in the {rg_result.location} region with resource ID {rg_result.id}")

Delete resource groups

To delete a resource group, use ResourceManagementClient.resource_groups.begin_delete.

import os
from azure.identity import AzureCliCredential
from azure.mgmt.resource import ResourceManagementClient

credential = AzureCliCredential()
subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

resource_client = ResourceManagementClient(credential, subscription_id)

rg_result = resource_client.resource_groups.begin_delete("exampleGroup")

For more information about how Azure Resource Manager orders the deletion of resources, see Azure Resource Manager resource group deletion.

Deploy resources

You can deploy Azure resources by using Python classes or by deploying an Azure Resource Manager template (ARM template).

Deploy resources by using Python classes

The following example creates a storage account by using StorageManagementClient.storage_accounts.begin_create. The name for the storage account must be unique across Azure.

import os
import random
from azure.identity import AzureCliCredential
from azure.mgmt.storage import StorageManagementClient

credential = AzureCliCredential()
subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

random_postfix = ''.join(random.choices('abcdefghijklmnopqrstuvwxyz1234567890', k=13))
storage_account_name = "demostore" + random_postfix

storage_client = StorageManagementClient(credential, subscription_id)

storage_account_result = storage_client.storage_accounts.begin_create(
    "exampleGroup",
    storage_account_name,
    {
        "location": "westus",
        "sku": {
            "name": "Standard_LRS"
        }
    }
)

Deploy resources by using an ARM template

To deploy an ARM template, use ResourceManagementClient.deployments.begin_create_or_update. The following example requires a local template named storage.json.

import os
import json
from azure.identity import AzureCliCredential
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.resource.resources.models import DeploymentMode

credential = AzureCliCredential()
subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

resource_client = ResourceManagementClient(credential, subscription_id)

with open("storage.json", "r") as template_file:
    template_body = json.load(template_file)

rg_deployment_result = resource_client.deployments.begin_create_or_update(
    "exampleGroup",
    "exampleDeployment",
    {
        "properties": {
            "template": template_body,
            "parameters": {
                "storagePrefix": {
                    "value": "demostore"
                },
            },
            "mode": DeploymentMode.incremental
        }
    }
)

The following example shows the ARM template named storage.json that you're deploying:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storagePrefix": {
      "type": "string",
      "minLength": 3,
      "maxLength": 11
    }
  },
  "variables": {
    "uniqueStorageName": "[concat(parameters('storagePrefix'), uniqueString(resourceGroup().id))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-09-01",
      "name": "[variables('uniqueStorageName')]",
      "location": "eastus",
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "StorageV2",
      "properties": {
        "supportsHttpsTrafficOnly": true
      }
    }
  ]
}

For more information about deploying an ARM template, see Deploy resources with ARM templates and Azure CLI.

Lock resource groups

Locking prevents other users in your organization from accidentally deleting or modifying critical resources.

To prevent a resource group and its resources from being deleted, use ManagementLockClient.management_locks.create_or_update_at_resource_group_level.

import os
from azure.identity import AzureCliCredential
from azure.mgmt.resource import ManagementLockClient

credential = AzureCliCredential()
subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

lock_client = ManagementLockClient(credential, subscription_id)

lock_result = lock_client.management_locks.create_or_update_at_resource_group_level(
    "exampleGroup",
    "lockGroup",
    {
        "level": "CanNotDelete"
    }
)

To get the locks for a resource group, use ManagementLockClient.management_locks.list_at_resource_group_level.

import os
from azure.identity import AzureCliCredential
from azure.mgmt.resource import ManagementLockClient

credential = AzureCliCredential()
subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

lock_client = ManagementLockClient(credential, subscription_id)

lock_result = lock_client.management_locks.get_at_resource_group_level("exampleGroup", "lockGroup")

print(f"Lock {lock_result.name} applies {lock_result.level} lock")

To delete a lock on a resource group, use ManagementLockClient.management_locks.delete_at_resource_group_level.

import os
from azure.identity import AzureCliCredential
from azure.mgmt.resource import ManagementLockClient

credential = AzureCliCredential()
subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

lock_client = ManagementLockClient(credential, subscription_id)

lock_client.management_locks.delete_at_resource_group_level("exampleGroup", "lockGroup")

For more information, see Lock resources with Azure Resource Manager.

Tag resource groups

You can apply tags to resource groups and resources to logically organize your assets. For information, see Using tags to organize your Azure resources.

Export resource groups to templates

To assist with creating ARM templates, you can export a template from existing resources. For more information, see Use Azure portal to export a template.

Manage access to resource groups

Azure role-based access control (Azure RBAC) is the way that you manage access to resources in Azure. For more information, see Add or remove Azure role assignments using Azure CLI.

Next steps