Azure Deployment Stacks

Azure Deployment Stacks are a native Azure feature that groups deployed resources into a managed collection, providing lifecycle management, drift protection, and deny settings. Deployment stacks build on top of ARM/Bicep deployments to solve governance challenges that individual deployments cannot address.

---

What is a Deployment Stack?

A deployment stack is an Azure resource that manages a collection of Azure resources as a single unit. When you create a deployment stack, you submit a Bicep or ARM template, and the stack tracks all resources it creates.

Key capabilities:

• Managed resource collection — the stack knows which resources it owns
• Deny settings — prevent modifications or deletions of managed resources
• Detach or delete on removal — control what happens to resources when they are removed from the template
• Update tracking — the stack detects when resources are added or removed from the template

---

Why Deployment Stacks?

The Problem Without Stacks

Standard ARM/Bicep deployments (incremental mode) do not track what happens to resources removed from a template. If you deploy a storage account and a VM, then later remove the VM from the template and redeploy, the VM remains — orphaned and unmanaged.

Complete mode solves this but is dangerous and only works at the resource group level.

The Deployment Stack Solution

With a deployment stack:

1. Resources added to the template are created
2. Resources modified in the template are updated
3. Resources removed from the template are detached or deleted (your choice)
4. Resources in the stack can be protected from external modification

---

Creating a Deployment Stack

At the Resource Group Scope

az stack group create \
  --name webapp-stack \
  --resource-group rg-webapp-prod \
  --template-file main.bicep \
  --parameters @parameters.prod.json \
  --action-on-unmanage deleteResources \
  --deny-settings-mode denyWriteAndDelete

At the Subscription Scope

az stack sub create \
  --name platform-stack \
  --location uksouth \
  --template-file platform.bicep \
  --parameters @parameters.json \
  --action-on-unmanage deleteAll \
  --deny-settings-mode denyDelete

At the Management Group Scope

az stack mg create \
  --name governance-stack \
  --management-group-id myManagementGroup \
  --location uksouth \
  --template-file governance.bicep \
  --action-on-unmanage detachResources \
  --deny-settings-mode none

---

Action on Unmanage

When a resource is removed from the template, the deployment stack takes one of these actions:

Action	Behaviour
deleteResources	Deletes resources but keeps resource groups and management groups
deleteAll	Deletes resources, resource groups, and management groups
detachResources	Removes resources from stack management but does not delete them

Choose based on your governance needs:

• deleteResources — ideal for most workloads; prevents orphaned resources
• deleteAll — strict cleanup for ephemeral environments
• detachResources — safe option when migrating resources between stacks

---

Deny Settings

Deny settings prevent unauthorised changes to resources managed by the stack:

Mode	Effect
none	No restrictions; anyone with RBAC access can modify resources
denyDelete	Prevents deletion of managed resources
denyWriteAndDelete	Prevents both modifications and deletions