Merge pull request #204432 from mumian/0711-extension-resource

v-MarkAllen · web-flow · commit def19f285609 · 2022-07-12T13:54:50.000-04:00
cross-sub/RG deployments are not supported for individual resources
diff --git a/articles/azure-resource-manager/bicep/scope-extension-resources.md b/articles/azure-resource-manager/bicep/scope-extension-resources.md
@@ -2,7 +2,7 @@
 title: Scope on extension resource types (Bicep)
 description: Describes how to use the scope property when deploying extension resource types with Bicep.
 ms.topic: conceptual
-ms.date: 02/11/2022
+ms.date: 07/12/2022
 ---
 
 # Set scope for extension resources in Bicep
@@ -138,6 +138,44 @@ The same requirements apply to extension resources as other resource when target
 * [Management group deployments](deploy-to-management-group.md)
 * [Tenant deployments](deploy-to-tenant.md)
 
+The resourceGroup and subscription properties are only allowed on modules. These properties are not allowed on individual resources. Use modules if you want to deploy an extension resource with the scope set to a resource in a different resource group.
+
+The following example shows how to apply a lock on a storage account that resides in a different resource group.
+
+* **main.bicep:**
+
+    ```bicep
+    param resourceGroup2Name string
+    param storageAccountName string
+
+    module applyStoreLock './storageLock.bicep' = {
+      name: 'addStorageLock'
+      scope: resourceGroup(resourceGroup2Name)
+      params: {
+        storageAccountName: storageAccountName
+      }
+    }
+    ```
+
+* **storageLock.bicep:**
+
+    ```bicep
+    param storageAccountName string
+
+    resource storage 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
+      name: storageAccountName
+    }
+
+    resource storeLock 'Microsoft.Authorization/locks@2017-04-01' = {
+      scope: storage
+      name: 'storeLock'
+      properties: {
+        level: 'CanNotDelete'
+        notes: 'Storage account should not be deleted.'
+      }
+    }
+    ```
+
 ## Next steps
 
 For a full list of extension resource types, see [Resource types that extend capabilities of other resources](../management/extension-resource-types.md).
diff --git a/articles/azure-resource-manager/templates/scope-extension-resources.md b/articles/azure-resource-manager/templates/scope-extension-resources.md
@@ -2,7 +2,7 @@
 title: Scope on extension resource types
 description: Describes how to use the scope property when deploying extension resource types.
 ms.topic: conceptual
-ms.date: 01/13/2021 
+ms.date: 07/11/2022
 ms.custom: devx-track-azurepowershell, devx-track-azurecli
 ---
 
@@ -79,6 +79,8 @@ The following example creates a storage account and applies a role to it.
 
 :::code language="json" source="~/resourcemanager-templates/azure-resource-manager/scope/storageandrole.json" highlight="56":::
 
+The resourceGroup and subscription properties are only allowed on nested or linked deployments. These properties are not allowed on individual resources. Use nested or linked deployments if you want to deploy an extension resource with the scope set to a resource in a different resource group.
+
 ## Next steps
 
 * To understand how to define parameters in your template, see [Understand the structure and syntax of ARM templates](./syntax.md).
