I've done some searching through Microsoft documentation, Stack Overflow and elsewhere and I couldn't find any answers to this question.
I have an Azure deployIfNotExists Policy that deploys canNotDelete locks to resource groups in Prod and UAT. I've used a tag to prevent it from applying to resource groups that I've marked as having recoveryServiceVaults, as they are incompatible with delete locks. Unfortunately, recoveryServiceVaults create their own hidden RGs and store their restorePointCollections in there.
I'd like to find a way to automatically exclude resource groups that contain resources of a specific type (Microsoft.compute/restorePointCollections), but I can't figure out the logic for that, or find any examples online. If I was applying the locks at the Resource level, I could just use the 'type' specifier but that won't work for my use case.
Any help would be appreciated.
Azure Backup creates a separate resource group in the format AzureBackupRG_<geo>_<number> to store ResourcePointCollections objects. So, an alternate approach to achieving this could be to exclude resource groups that start with the name AzureBackupRG*.
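
The name-based exclusion suggested above, written as the `if` block of the policy rule. This is an added example, not part of the original question or answer; the tag name `hasRecoveryVault` is a hypothetical stand-in for the asker's existing exemption tag, and the `then` block (the deployIfNotExists lock deployment) is assumed to stay as it already is.

```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      {
        "field": "name",
        "notLike": "AzureBackupRG_*"
      },
      {
        "field": "tags['hasRecoveryVault']",
        "notEquals": "true"
      }
    ]
  }
}
```

The `notLike` pattern only covers the default `AzureBackupRG_<geo>_<number>` naming; if a backup policy is configured with a custom resource group name for restore points, that prefix needs its own `notLike` entry in the `allOf` list.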