You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
An Azure deployment stack is a type of Azure resource that enables the management of a group of Azure resources as an atomic unit. When a Bicep file or an ARM JSON template is submitted to a deployment stack, it defines the resources that are managed by the stack. If a resource that was previously included in the template is removed, it will either be detached or deleted based on the specified _actionOnUnmanage_ behavior of the deployment stack. Similar to other Azure resources, access to the deployment stack can be restricted using Azure role-based access control (Azure RBAC).
11
+
An Azure deployment stack is a type of Azure resource that enables the management of a group of Azure resources as an atomic unit. When a Bicep file or an ARM JSON template is submitted to a deployment stack, it defines the resources that are managed by the stack. If a resource that was previously included in the template is removed, it will either be detached or deleted based on the specified _actionOnUnmanage_ behavior of the deployment stack. Similar to other Azure resources, access to the deployment stack can be restricted using Azure role-based access control (Azure RBAC).
12
12
13
13
To create and update a deployment stack, you can utilize Azure CLI, Azure PowerShell, or the Azure portal along with Bicep files. These Bicep files are transpiled into ARM JSON templates, which are then deployed as a deployment object by the stack. The deployment stack offers additional capabilities beyond the [familiar deployment resources](./deploy-cli.md), serving as a superset of those capabilities.
14
14
@@ -42,6 +42,13 @@ Deployment stacks provide the following benefits:
42
42
-[What-if](./deploy-what-if.md) isn't available in the preview.
43
43
- A management group-scoped stack is restricted from deploying to another management group. It can only deploy to the management group of the stack itself or to a child subscription.
44
44
45
+
## Built-in roles
46
+
47
+
There are two built-in roles for deployment stack:
48
+
49
+
-**Azure Deployment Stack Contributor**: Allows users to manage deployment stacks, but cannot create or delete deny assignments within the deployment stacks.
50
+
-**Azure Deployment Stack Owner**: Allows users to manage deployment stacks, including those with deny assignments.
51
+
45
52
## Create deployment stacks
46
53
47
54
A deployment stack resource can be created at resource group, subscription, or management group scope. The template passed into a deployment stack defines the resources to be created or updated at the target scope specified for the template deployment.
@@ -594,6 +601,14 @@ To delete a managed resource, remove the resource definition from the underlying
594
601
595
602
When creating a deployment stack, it's possible to assign a specific type of permissions to the managed resources, which prevents their deletion by unauthorized security principals. These settings are referred to as deny settings. You want to store the stack at a parent scope.
596
603
604
+
> [!NOTE]
605
+
> The latest release requires specific permissions at the stack scope in order to:
606
+
>
607
+
> - Create or update a deployment stack and set the deny setting to a value other than "None".
608
+
> - Update or delete a deployment stack with an existing deny setting of something other than "None"
609
+
>
610
+
> Use the [built-in roles](#built-in-roles) to grant the permissions.
611
+
597
612
# [PowerShell](#tab/azure-powershell)
598
613
599
614
The Azure PowerShell includes these parameters to customize the deny assignment:
# Tutorial: use deployment stack with Bicep (Preview)
9
+
# Tutorial: use deployment stack with Bicep
10
10
11
11
In this tutorial, you learn the process of creating and managing a deployment stack. The tutorial focuses on creating the deployment stack at the resource group scope. However, you can also create deployment stacks at either the subscription scope. To gain further insights into creating deployment stacks, see [Create deployment stacks](./deployment-stacks.md).
0 commit comments