Feature: Add Microsoft.Authorization/locks; Lock resources

[mehighlow]

Add implementation to lock resources to prevent them from being destroyed in the Azure Portal while ASO keeps managing them.

Lock your resources to protect your infrastructure

Let's say I want to minimize any chance of my resources being deleted while I manage them with ASO. From the ASO side, I have an option to set serviceoperator.azure.com/reconcile-policy: detach-on-delete to prevent accidental deletes of K8s objects from being reconciled with Azure. However, those resources can still be deleted from the Azure Portal. It would be great to use ASO to have an option to set a lock to prevent them from being deleted from the Azure Portal.

There are 2 types of locks:

1. Read-only, which can be projected to serviceoperator.azure.com/reconcile-policy: skip
2. Delete - this feature request.

The way I propose implementing delete lock is through an annotation like serviceoperator.azure.com/reconcile-policy: lock-delete, which can be used only in combination with serviceoperator.azure.com/reconcile-policy: detach-on-delete, unless you consider combining them together into a single annotation like serviceoperator.azure.com/reconcile-policy: locked-detach-on-delete

[matthchr]

This seems like a reasonable ask.

[matthchr]

Put in to 2.10 for design and discussion.

[theunrepentantgeek]

At least part of the solution will involve importing Microsoft.Authorization/locks.

When the locks are in place, even ASO will be blocked from updates - which means natural drift might come into play. At the very least, ASO needs to know not to PUT a resource that's been locked, though it might be better if we couple this with #2811 (Resource should do a Diff with Azure)