articles/azure-resource-manager/bicep/deployment-stacks.md
20 additions & 0 deletions
@@ -43,6 +43,16 @@ Deployment stacks provide the following benefits:
43
43
- A management group-scoped stack is restricted from deploying to another management group. It can only deploy to the management group of the stack itself or to a child subscription.
44
44
- The PowerShell command help lists a `DeleteResourcesAndResourcesGroups` value for the `ActionOnUnmanage` switch. When this value is used, the command detaches the managed resources and the resource groups. This value will be removed in the next update. Do not use this value.
45
45
46
+
## Built-in roles
47
+
48
+
> [!WARNING]
49
+
> Enforcement of the RBAC permission [Microsoft.Resources/deploymentStacks/manageDenySetting/action](/azure/role-based-access-control/permissions/management-and-governance) is rolling out across regions, including Government Clouds.
50
+
51
+
There are two built-in roles for deployment stack:
52
+
53
+
-**Azure Deployment Stack Contributor**: Allows users to manage deployment stacks, but cannot create or delete deny assignments within the deployment stacks.
54
+
-**Azure Deployment Stack Owner**: Allows users to manage deployment stacks, including those with deny assignments.
55
+
46
56
## Create deployment stacks
47
57
48
58
A deployment stack resource can be created at resource group, subscription, or management group scope. The template passed into a deployment stack defines the resources to be created or updated at the target scope specified for the template deployment.
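Review bot: the two role bullets in the new "Built-in roles" section are written as `-**Azure Deployment Stack Contributor**` and `-**Azure Deployment Stack Owner**` with no space after the hyphen, so Markdown won't render them as a list; change them to `- **Azure Deployment Stack Contributor**: ...` and `- **Azure Deployment Stack Owner**: ...`. The warning also says the `manageDenySetting/action` permission is "rolling out" but not what that means for readers: it should state that once enforcement reaches a region, identities without that permission (for example, those holding only the Contributor role, which per the bullet can't create or delete deny assignments) can expect stack operations that set a deny setting to fail, so existing automation should be checked against the Owner role before the rollout lands.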
@@ -607,6 +617,16 @@ To delete a managed resource, remove the resource definition from the underlying
607
617
608
618
## Protect managed resources against deletion
609
619
620
+
When creating a deployment stack, it's possible to assign a specific type of permissions to the managed resources, which prevents their deletion by unauthorized security principals. These settings are referred to as deny settings. You want to store the stack at a parent scope.
621
+
622
+
> [!NOTE]
623
+
> The latest release requires specific permissions at the stack scope in order to:
624
+
>
625
+
> - Create or update a deployment stack and set the deny setting to a value other than "None".
626
+
> - Update or delete a deployment stack with an existing deny setting of something other than "None"
627
+
>
628
+
> Use the [built-in roles](#built-in-roles) to grant the permissions.
629
+
610
630
# [PowerShell](#tab/azure-powershell)
611
631
612
632
The Azure PowerShell includes these parameters to customize the deny assignment:
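Review bot: the added sentence "You want to store the stack at a parent scope." in the new paragraph under "Protect managed resources against deletion" is a dangling fragment with no rationale; either tie it to the note that follows (the permissions are required at the stack scope, so the scope where the stack lives is what governs who can change its deny settings) or drop it. In the note itself, "The latest release" is too vague for a permanent doc page and should name the version or date the requirement took effect, and the second bullet (`> - Update or delete a deployment stack with an existing deny setting of something other than "None"`) is missing the terminal period the first bullet has.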