|
| 1 | +--- |
| 2 | +title: Migrate blueprints to deployment stacks |
| 3 | +description: Learn how to migrate blueprints to deployment stacks. |
| 4 | +ms.topic: conceptual |
| 5 | +ms.custom: devx-track-bicep |
| 6 | +ms.date: 11/11/2024 |
| 7 | +--- |
| 8 | + |
| 9 | +# Migrate blueprints to deployment stacks |
| 10 | + |
| 11 | +This article explains how to convert your Blueprint definitions and assignments into deployment stacks. Deployment stacks are new tools within the `Microsoft.Resources` namespace, bringing Azure Blueprint features into this area. |
| 12 | + |
| 13 | +## Migration steps |
| 14 | + |
| 15 | +1. Export the blueprint definitions into the blueprint definition JSON files which include the artifacts of Azure policies, Azure role assignments, and templates. For more information, see [Export your blueprint definition](../../governance/blueprints/how-to/import-export-ps.md#export-your-blueprint-definition). |
| 16 | +2. Convert the blueprint definition JSON files into a single ARM template or Bicep file to be deployed via deployment stacks with the following considerations: |
| 17 | + |
| 18 | + - **Role assignments**: Convert any [role assignments](/azure/templates/microsoft.authorization/roleassignments). |
| 19 | + - **Policies**: Convert any [policy assignments](/azure/templates/microsoft.authorization/policyassignments) into the Bicep (or ARM JSON template) syntax, and then add them to your main template. You can also embed the [`policyDefinitions`](/azure/templates/microsoft.authorization/policydefinitions) into the JSON template. |
| 20 | + - **Templates**: Convert any templates into a main template for submission to a deployment stack. You can use [modules](./modules.md) in Bicep, embed templates as nested templates or template links, and optionally use [template specs](./template-specs.md) to store your templates in Azure. Template Specs aren't required to use deployment stacks. |
| 21 | + - **Locks**: Deployment stack [DenySettingsMode](./deployment-stacks.md#protect-managed-resources) gives you the ability to block unwanted changes via `DenySettingsMode` (similar to [Blueprint locks](../../governance/blueprints/concepts/resource-locking.md)). You can configure these via Azure CLI or Azure PowerShell. In order to do this, you need corresponding roles to be able to set deny settings. For more information, see [Deployment stacks](./deployment-stacks.md). |
| 22 | + |
| 23 | +3. You can optionally create template specs for the converted ARM templates or Bicep files. Template specs allow you to store templates and their versions in your Azure environment, simplifying the sharing of the templates across your organization. Deployment stacks enable you to deploy template spec definitions, or ARM templates/Bicep files, to a specified target scope. |
| 24 | + |
| 25 | +## Sample |
| 26 | + |
| 27 | +The following Bicep file is a sample migration file. |
| 28 | + |
| 29 | +```bicep |
| 30 | +targetScope = 'subscription' |
| 31 | +
|
| 32 | +param roleAssignmentName string = 'myTestRoleAssignment' |
| 33 | +param roleDefinitionId string = guid(roleAssignmentName) |
| 34 | +param principalId string = guid('myTestId') |
| 35 | +
|
| 36 | +param policyAssignmentName string = 'myTestPolicyAssignment' |
| 37 | +param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' |
| 38 | +
|
| 39 | +param rgName string = 'myTestRg' |
| 40 | +param rgLocation string = deployment().location |
| 41 | +param templateSpecName string = 'myNetworkingTs' |
| 42 | +
|
| 43 | +// Step 1 - create role assignments |
| 44 | +resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { |
| 45 | + name: guid(roleAssignmentName) |
| 46 | + properties: { |
| 47 | + principalId: principalId |
| 48 | + roleDefinitionId: roleDefinitionId |
| 49 | + } |
| 50 | +} |
| 51 | +
|
| 52 | +// Step 2 - create policy assignments |
| 53 | +resource policyAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = { |
| 54 | + name: policyAssignmentName |
| 55 | + scope: subscriptionResourceId('Microsoft.Resources/resourceGroups', resourceGroup().name) |
| 56 | + properties: { |
| 57 | + policyDefinitionId: policyDefinitionID |
| 58 | + } |
| 59 | +} |
| 60 | +
|
| 61 | +// Step 3 - create template artifacts via modules (or template specs) |
| 62 | +resource rg1 'Microsoft.Resources/resourceGroups@2021-01-01' = { |
| 63 | + name: rgName |
| 64 | + location: rgLocation |
| 65 | +} |
| 66 | +
|
| 67 | +module vnet 'templates/bicep/vnet.bicep' = if (rgName == 'myTestRg') { |
| 68 | + name: uniqueString(rgName) |
| 69 | + scope: rg1 |
| 70 | + params: { location: rgLocation } |
| 71 | +} |
| 72 | +``` |
0 commit comments