You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/azure-resource-manager/bicep/deployment-stacks.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -25,13 +25,13 @@ To create your first deployment stack, work through [Quickstart: create deployme
25
25
Deployment stacks provide the following benefits:
26
26
27
27
- Streamlined provisioning and management of resources across different scopes as a unified entity.
28
-
- Prevention of undesired modifications to managed resources via [deny settings](#protect-managed-resources-against-deletion).
28
+
- Prevention of undesired modifications to managed resources via [deny settings](#protect-managed-resources).
29
29
- Efficient environment cleanup using delete flags during deployment stack updates.
30
30
- Use of standard templates such as Bicep, ARM templates, or Template specs for your deployment stacks.
31
31
32
32
### Known limitations
33
33
34
-
- Implicitly created resources aren't managed by the stack. Therefore, no deny-assignments or cleanup is possible.
34
+
- Implicitly created resources aren't managed by deployment stack. Therefore, no [deny-assignments](../../role-based-access-control/deny-assignments.md) or cleanup is possible.
35
35
- Deny-assignments don't support tags.
36
36
- Deny-assignments aren't supported at the management group scope. However, they're supported in a management group stack if the deployment is pointed at the subscription scope.
37
37
- Deployment stacks can't delete Key vault secrets. If you're removing key vault secrets from a template, make sure to also execute the deployment stack update/delete command with detach mode.
@@ -62,7 +62,7 @@ A deployment stack resource can be created at resource group, subscription, or m
62
62
- A stack at subscription scope can deploy the template passed-in to a resource group scope (if specified) or the same subscription scope where the deployment stack exists.
63
63
- A stack at management group scope can deploy the template passed-in to the subscription scope specified.
64
64
65
-
It's important to note that where a deployment stack exists, so is the deny-assignment created with the deny settings capability. For example, by creating a deployment stack at subscription scope that deploys the template to resource group scope and with deny settings mode `DenyDelete`, you can easily provision managed resources to the specified resource group and block delete attempts to those resources. By using this approach, you also enhance the security of the deployment stack by separating it at the subscription level, as opposed to the resource group level. This separation ensures that the developer teams working with the provisioned resources only have visibility and write access to the resource groups, while the deployment stack remains isolated at a higher level. This minimizes the number of users that can edit a deployment stack and make changes to its deny-assignment. For more information, see [Protect managed resource against deletion](#protect-managed-resources-against-deletion).
65
+
It's important to note that where a deployment stack exists, so is the deny-assignment created with the deny settings capability. For example, by creating a deployment stack at subscription scope that deploys the template to resource group scope and with deny settings mode `DenyDelete`, you can easily provision managed resources to the specified resource group and block delete attempts to those resources. By using this approach, you also enhance the security of the deployment stack by separating it at the subscription level, as opposed to the resource group level. This separation ensures that the developer teams working with the provisioned resources only have visibility and write access to the resource groups, while the deployment stack remains isolated at a higher level. This minimizes the number of users that can edit a deployment stack and make changes to its deny-assignment. For more information, see [Protect managed resource against deletion](#protect-managed-resources).
66
66
67
67
The create-stack commands can also be used to [update deployment stacks](#update-deployment-stacks).
Copy file name to clipboardExpand all lines: articles/azure-resource-manager/bicep/tutorial-use-deployment-stacks.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -82,7 +82,7 @@ az stack group create \
82
82
--deny-settings-mode 'none'
83
83
```
84
84
85
-
Use the `action-on-unmanage` switch to define what happens to resources that are no longer managed after a stack is updated or deleted. For more information, see [Control detachment and deletion](./deployment-stacks.md#control-detachment-and-deletion). The `deny-settings-mode` switch assigns a specific type of permissions to the managed resources, which prevents their deletion by unauthorized security principals. For more information, see [Protect managed resources against deletion](./deployment-stacks.md#protect-managed-resources-against-deletion).
85
+
Use the `action-on-unmanage` switch to define what happens to resources that are no longer managed after a stack is updated or deleted. For more information, see [Control detachment and deletion](./deployment-stacks.md#control-detachment-and-deletion). The `deny-settings-mode` switch assigns a specific type of permissions to the managed resources, which prevents their deletion by unauthorized security principals. For more information, see [Protect managed resources against deletion](./deployment-stacks.md#protect-managed-resources).
Use the `ActionOnUnmanage` switch to define what happens to resources that are no longer managed after a stack is updated or deleted. For more information, see [Control detachment and deletion](./deployment-stacks.md#control-detachment-and-deletion). The `DenySettingsMode` switch assigns a specific type of permissions to the managed resources, which prevents their deletion by unauthorized security principals. For more information, see [Protect managed resources against deletion](./deployment-stacks.md#protect-managed-resources-against-deletion).
102
+
Use the `ActionOnUnmanage` switch to define what happens to resources that are no longer managed after a stack is updated or deleted. For more information, see [Control detachment and deletion](./deployment-stacks.md#control-detachment-and-deletion). The `DenySettingsMode` switch assigns a specific type of permissions to the managed resources, which prevents their deletion by unauthorized security principals. For more information, see [Protect managed resources against deletion](./deployment-stacks.md#protect-managed-resources).
103
103
104
104
---
105
105
@@ -677,7 +677,7 @@ The Azure CLI includes these parameters to customize the deny assignment:
677
677
678
678
---
679
679
680
-
In this tutorial, you configure the deny settings mode. For more information about other deny settings, see [Protect managed resources against deletion](./deployment-stacks.md#protect-managed-resources-against-deletion).
680
+
In this tutorial, you configure the deny settings mode. For more information about other deny settings, see [Protect managed resources against deletion](./deployment-stacks.md#protect-managed-resources).
681
681
682
682
At the end of the previous step, you have one stack with two managed resources.
Copy file name to clipboardExpand all lines: articles/role-based-access-control/deny-assignments.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -21,7 +21,7 @@ This article describes how to list deny assignments.
21
21
22
22
## How deny assignments are created
23
23
24
-
Deny assignments are created and managed by Azure to protect resources. You can't directly create your own deny assignments. However, you can specify deny settings when creating a deployment stack, which creates a deny assignment that is owned by the deployment stack resources. Deployment stacks is currently in preview. For more information, see [Protect managed resources against deletion](../azure-resource-manager/bicep/deployment-stacks.md#protect-managed-resources-against-deletion).
24
+
Deny assignments are created and managed by Azure to protect resources. You can't directly create your own deny assignments. However, you can specify deny settings when creating a deployment stack, which creates a deny assignment that is owned by the deployment stack resources. Deployment stacks is currently in preview. For more information, see [Protect managed resources against deletion](../azure-resource-manager/bicep/deployment-stacks.md#protect-managed-resources).
25
25
26
26
## Compare role assignments and deny assignments
27
27
@@ -80,7 +80,7 @@ All Principals can be combined with `ExcludePrincipals` to deny all principals e
80
80
Follow these steps to list deny assignments.
81
81
82
82
> [!IMPORTANT]
83
-
> You can't directly create your own deny assignments. Deny assignments are created and managed by Azure. For more information, see [Protect managed resources against deletion](../azure-resource-manager/bicep/deployment-stacks.md#protect-managed-resources-against-deletion).
83
+
> You can't directly create your own deny assignments. Deny assignments are created and managed by Azure. For more information, see [Protect managed resources against deletion](../azure-resource-manager/bicep/deployment-stacks.md#protect-managed-resources).
0 commit comments