Microsoft.Resources deploymentStacks 2024-03-01
Bicep resource definition
The deploymentStacks resource type can be deployed with operations that target:
- Management groups - See management group deployment commands
- Subscriptions - See subscription deployment commands
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Resources/deploymentStacks resource, add the following Bicep to your template.
```bicep
resource symbolicname 'Microsoft.Resources/deploymentStacks@2024-03-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  properties: {
    actionOnUnmanage: {
      managementGroups: 'string'
      resourceGroups: 'string'
      resources: 'string'
    }
    bypassStackOutOfSyncError: bool
    debugSetting: {
      detailLevel: 'string'
    }
    denySettings: {
      applyToChildScopes: bool
      excludedActions: [
        'string'
      ]
      excludedPrincipals: [
        'string'
      ]
      mode: 'string'
    }
    deploymentScope: 'string'
    description: 'string'
    error: {}
    parameters: {
      {customized property}: {
        reference: {
          keyVault: {
            id: 'string'
          }
          secretName: 'string'
          secretVersion: 'string'
        }
        type: 'string'
        value: any()
      }
    }
    parametersLink: {
      contentVersion: 'string'
      uri: 'string'
    }
    template: any()
    templateLink: {
      contentVersion: 'string'
      id: 'string'
      queryString: 'string'
      relativePath: 'string'
      uri: 'string'
    }
  }
}
```
Property values
deploymentStacks
Name | Description | Value |
---|---|---|
name | The resource name | string (required) |
location | The location of the Deployment stack. It cannot be changed after creation. It must be one of the supported Azure locations. | string |
tags | Deployment stack resource tags. | Dictionary of tag names and values. See Tags in templates |
properties | Deployment stack properties. | DeploymentStackProperties |
DeploymentStackProperties
Name | Description | Value |
---|---|---|
actionOnUnmanage | Defines the behavior of resources that are no longer managed after the Deployment stack is updated or deleted. | ActionOnUnmanage (required) |
bypassStackOutOfSyncError | Flag to bypass service errors that indicate the stack resource list is not correctly synchronized. | bool |
debugSetting | The debug setting of the deployment. | DeploymentStacksDebugSetting |
denySettings | Defines how resources deployed by the stack are locked. | DenySettings (required) |
deploymentScope | The scope at which the initial deployment should be created. If a scope is not specified, it will default to the scope of the deployment stack. Valid scopes are: management group (format: '/providers/Microsoft.Management/managementGroups/{managementGroupId}'), subscription (format: '/subscriptions/{subscriptionId}'), resource group (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}'). | string |
description | Deployment stack description. Max length of 4096 characters. | string Constraints: Max length = 4096 |
error | The error detail. | ErrorDetail |
parameters | Name and value pairs that define the deployment parameters for the template. Use this element when providing the parameter values directly in the request, rather than linking to an existing parameter file. Use either the parametersLink property or the parameters property, but not both. | DeploymentStackPropertiesParameters |
parametersLink | The URI of the parameters file. Use this element to link to an existing parameters file. Use either the parametersLink property or the parameters property, but not both. | DeploymentStacksParametersLink |
template | The template content. You use this element when you want to pass the template syntax directly in the request rather than link to an existing template. It can be a JObject or well-formed JSON string. Use either the templateLink property or the template property, but not both. | For Bicep, you can use the any() function. |
templateLink | The URI of the template. Use either the templateLink property or the template property, but not both. | DeploymentStacksTemplateLink |
ActionOnUnmanage
Name | Description | Value |
---|---|---|
managementGroups | Specifies an action for a newly unmanaged resource. Delete will attempt to delete the resource from Azure. Detach will leave the resource in its current state. | 'delete' 'detach' |
resourceGroups | Specifies an action for a newly unmanaged resource. Delete will attempt to delete the resource from Azure. Detach will leave the resource in its current state. | 'delete' 'detach' |
resources | Specifies an action for a newly unmanaged resource. Delete will attempt to delete the resource from Azure. Detach will leave the resource in its current state. | 'delete' 'detach' (required) |
DeploymentStacksDebugSetting
Name | Description | Value |
---|---|---|
detailLevel | Specifies the type of information to log for debugging. The permitted values are none, requestContent, responseContent, or both requestContent and responseContent separated by a comma. The default is none. When setting this value, carefully consider the type of information that is being passed in during deployment. By logging information about the request or response, sensitive data that is retrieved through the deployment operations could potentially be exposed. | string |
DenySettings
Name | Description | Value |
---|---|---|
applyToChildScopes | DenySettings will be applied to child resource scopes of every managed resource with a deny assignment. | bool |
excludedActions | List of role-based management operations that are excluded from the denySettings. Up to 200 actions are permitted. If the denySetting mode is set to 'denyWriteAndDelete', then the following actions are automatically appended to 'excludedActions': '*/read' and 'Microsoft.Authorization/locks/delete'. If the denySetting mode is set to 'denyDelete', then the following actions are automatically appended to 'excludedActions': 'Microsoft.Authorization/locks/delete'. Duplicate actions will be removed. | string[] |
excludedPrincipals | List of AAD principal IDs excluded from the lock. Up to 5 principals are permitted. | string[] |
mode | denySettings Mode that defines denied actions. | 'denyDelete' 'denyWriteAndDelete' 'none' (required) |
ErrorDetail
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
DeploymentStackPropertiesParameters
Name | Description | Value |
---|---|---|
{customized property} | | DeploymentParameterAutoGenerated |
DeploymentParameterAutoGenerated
Name | Description | Value |
---|---|---|
reference | Azure Key Vault parameter reference. | KeyVaultParameterReferenceAutoGenerated |
type | Type of the value. | string |
value | Input value to the parameter. | For Bicep, you can use the any() function. |
KeyVaultParameterReferenceAutoGenerated
Name | Description | Value |
---|---|---|
keyVault | Azure Key Vault reference. | KeyVaultReferenceAutoGenerated (required) |
secretName | Azure Key Vault secret name. | string (required) |
secretVersion | Azure Key Vault secret version. | string |
KeyVaultReferenceAutoGenerated
Name | Description | Value |
---|---|---|
id | Azure Key Vault resourceId. | string (required) |
DeploymentStacksParametersLink
Name | Description | Value |
---|---|---|
contentVersion | If included, must match the ContentVersion in the template. | string |
uri | The URI of the parameters file. | string (required) |
DeploymentStacksTemplateLink
Name | Description | Value |
---|---|---|
contentVersion | If included, must match the ContentVersion in the template. | string |
id | The resourceId of a Template Spec. Use either the id or uri property, but not both. | string |
queryString | The query string (for example, a SAS token) to be used with the templateLink URI. | string |
relativePath | The relativePath property can be used to deploy a linked template at a location relative to the parent. If the parent template was linked with a TemplateSpec, this will reference an artifact in the TemplateSpec. If the parent was linked with a URI, the child deployment will be a combination of the parent and relativePath URIs. | string |
uri | The URI of the template to deploy. Use either the uri or id property, but not both. | string |
ARM template resource definition
The deploymentStacks resource type can be deployed with operations that target:
- Management groups - See management group deployment commands
- Subscriptions - See subscription deployment commands
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Resources/deploymentStacks resource, add the following JSON to your template.
```json
{
  "type": "Microsoft.Resources/deploymentStacks",
  "apiVersion": "2024-03-01",
  "name": "string",
  "location": "string",
  "tags": {
    "tagName1": "tagValue1",
    "tagName2": "tagValue2"
  },
  "properties": {
    "actionOnUnmanage": {
      "managementGroups": "string",
      "resourceGroups": "string",
      "resources": "string"
    },
    "bypassStackOutOfSyncError": "bool",
    "debugSetting": {
      "detailLevel": "string"
    },
    "denySettings": {
      "applyToChildScopes": "bool",
      "excludedActions": [ "string" ],
      "excludedPrincipals": [ "string" ],
      "mode": "string"
    },
    "deploymentScope": "string",
    "description": "string",
    "error": {},
    "parameters": {
      "{customized property}": {
        "reference": {
          "keyVault": {
            "id": "string"
          },
          "secretName": "string",
          "secretVersion": "string"
        },
        "type": "string",
        "value": {}
      }
    },
    "parametersLink": {
      "contentVersion": "string",
      "uri": "string"
    },
    "template": {},
    "templateLink": {
      "contentVersion": "string",
      "id": "string",
      "queryString": "string",
      "relativePath": "string",
      "uri": "string"
    }
  }
}
```
Property values
deploymentStacks
Name | Description | Value |
---|---|---|
type | The resource type | 'Microsoft.Resources/deploymentStacks' |
apiVersion | The resource API version | '2024-03-01' |
name | The resource name | string (required) |
location | The location of the Deployment stack. It cannot be changed after creation. It must be one of the supported Azure locations. | string |
tags | Deployment stack resource tags. | Dictionary of tag names and values. See Tags in templates |
properties | Deployment stack properties. | DeploymentStackProperties |
DeploymentStackProperties
Name | Description | Value |
---|---|---|
actionOnUnmanage | Defines the behavior of resources that are no longer managed after the Deployment stack is updated or deleted. | ActionOnUnmanage (required) |
bypassStackOutOfSyncError | Flag to bypass service errors that indicate the stack resource list is not correctly synchronized. | bool |
debugSetting | The debug setting of the deployment. | DeploymentStacksDebugSetting |
denySettings | Defines how resources deployed by the stack are locked. | DenySettings (required) |
deploymentScope | The scope at which the initial deployment should be created. If a scope is not specified, it will default to the scope of the deployment stack. Valid scopes are: management group (format: '/providers/Microsoft.Management/managementGroups/{managementGroupId}'), subscription (format: '/subscriptions/{subscriptionId}'), resource group (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}'). | string |
description | Deployment stack description. Max length of 4096 characters. | string Constraints: Max length = 4096 |
error | The error detail. | ErrorDetail |
parameters | Name and value pairs that define the deployment parameters for the template. Use this element when providing the parameter values directly in the request, rather than linking to an existing parameter file. Use either the parametersLink property or the parameters property, but not both. | DeploymentStackPropertiesParameters |
parametersLink | The URI of the parameters file. Use this element to link to an existing parameters file. Use either the parametersLink property or the parameters property, but not both. | DeploymentStacksParametersLink |
template | The template content. You use this element when you want to pass the template syntax directly in the request rather than link to an existing template. It can be a JObject or well-formed JSON string. Use either the templateLink property or the template property, but not both. | |
templateLink | The URI of the template. Use either the templateLink property or the template property, but not both. | DeploymentStacksTemplateLink |
ActionOnUnmanage
Name | Description | Value |
---|---|---|
managementGroups | Specifies an action for a newly unmanaged resource. Delete will attempt to delete the resource from Azure. Detach will leave the resource in its current state. | 'delete' 'detach' |
resourceGroups | Specifies an action for a newly unmanaged resource. Delete will attempt to delete the resource from Azure. Detach will leave the resource in its current state. | 'delete' 'detach' |
resources | Specifies an action for a newly unmanaged resource. Delete will attempt to delete the resource from Azure. Detach will leave the resource in its current state. | 'delete' 'detach' (required) |
DeploymentStacksDebugSetting
Name | Description | Value |
---|---|---|
detailLevel | Specifies the type of information to log for debugging. The permitted values are none, requestContent, responseContent, or both requestContent and responseContent separated by a comma. The default is none. When setting this value, carefully consider the type of information that is being passed in during deployment. By logging information about the request or response, sensitive data that is retrieved through the deployment operations could potentially be exposed. | string |
DenySettings
Name | Description | Value |
---|---|---|
applyToChildScopes | DenySettings will be applied to child resource scopes of every managed resource with a deny assignment. | bool |
excludedActions | List of role-based management operations that are excluded from the denySettings. Up to 200 actions are permitted. If the denySetting mode is set to 'denyWriteAndDelete', then the following actions are automatically appended to 'excludedActions': '*/read' and 'Microsoft.Authorization/locks/delete'. If the denySetting mode is set to 'denyDelete', then the following actions are automatically appended to 'excludedActions': 'Microsoft.Authorization/locks/delete'. Duplicate actions will be removed. | string[] |
excludedPrincipals | List of AAD principal IDs excluded from the lock. Up to 5 principals are permitted. | string[] |
mode | denySettings Mode that defines denied actions. | 'denyDelete' 'denyWriteAndDelete' 'none' (required) |
ErrorDetail
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
DeploymentStackPropertiesParameters
Name | Description | Value |
---|---|---|
{customized property} | | DeploymentParameterAutoGenerated |
DeploymentParameterAutoGenerated
Name | Description | Value |
---|---|---|
reference | Azure Key Vault parameter reference. | KeyVaultParameterReferenceAutoGenerated |
type | Type of the value. | string |
value | Input value to the parameter. | |
KeyVaultParameterReferenceAutoGenerated
Name | Description | Value |
---|---|---|
keyVault | Azure Key Vault reference. | KeyVaultReferenceAutoGenerated (required) |
secretName | Azure Key Vault secret name. | string (required) |
secretVersion | Azure Key Vault secret version. | string |
KeyVaultReferenceAutoGenerated
Name | Description | Value |
---|---|---|
id | Azure Key Vault resourceId. | string (required) |
DeploymentStacksParametersLink
Name | Description | Value |
---|---|---|
contentVersion | If included, must match the ContentVersion in the template. | string |
uri | The URI of the parameters file. | string (required) |
DeploymentStacksTemplateLink
Name | Description | Value |
---|---|---|
contentVersion | If included, must match the ContentVersion in the template. | string |
id | The resourceId of a Template Spec. Use either the id or uri property, but not both. | string |
queryString | The query string (for example, a SAS token) to be used with the templateLink URI. | string |
relativePath | The relativePath property can be used to deploy a linked template at a location relative to the parent. If the parent template was linked with a TemplateSpec, this will reference an artifact in the TemplateSpec. If the parent was linked with a URI, the child deployment will be a combination of the parent and relativePath URIs. | string |
uri | The URI of the template to deploy. Use either the uri or id property, but not both. | string |
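
The constraints in the property tables above (required properties, the "either ... but not both" pairs, the 200-action and 5-principal limits, and the detailLevel logging caveat) can be checked before a stack is deployed. The following Python linter is an added example, not part of the original reference or of any Microsoft tooling; `lint_stack`, the error/warn split, the warning policy and the constructed `SAMPLE` resource are assumptions of this example.

```python
import json

ACTIONS = {"delete", "detach"}
MODES = {"denyDelete", "denyWriteAndDelete", "none"}
DETAIL_LEVELS = {"none", "requestContent", "responseContent"}

def lint_stack(resource):
    """Return (severity, message) findings for one deploymentStacks resource.

    "error" = breaks a constraint stated in the property tables above;
    "warn"  = allowed by the schema, flagged by this example's own review policy.
    """
    findings = []
    props = resource.get("properties", {})

    unmanage = props.get("actionOnUnmanage") or {}
    if "resources" not in unmanage:
        findings.append(("error", "actionOnUnmanage.resources is required"))
    for key, value in unmanage.items():
        if value not in ACTIONS:
            findings.append(("error", f"actionOnUnmanage.{key}: {value!r} is not 'delete' or 'detach'"))

    deny = props.get("denySettings") or {}
    mode = deny.get("mode")
    if mode not in MODES:
        findings.append(("error", f"denySettings.mode is required, got {mode!r}"))
    elif mode == "none":
        findings.append(("warn", "denySettings.mode 'none': managed resources are not locked"))
    if len(deny.get("excludedActions", [])) > 200:
        findings.append(("error", "denySettings.excludedActions exceeds 200 entries"))
    if len(deny.get("excludedPrincipals", [])) > 5:
        findings.append(("error", "denySettings.excludedPrincipals exceeds 5 entries"))

    # "Use either ... but not both" pairs; presence counts even when the value is empty.
    for a, b in (("template", "templateLink"), ("parameters", "parametersLink")):
        if a in props and b in props:
            findings.append(("error", f"{a} and {b} are mutually exclusive"))
    link = props.get("templateLink") or {}
    if "id" in link and "uri" in link:
        findings.append(("error", "templateLink.id and templateLink.uri are mutually exclusive"))

    # detailLevel is a comma-separated list; anything but 'none' logs payloads.
    raw = props.get("debugSetting", {}).get("detailLevel", "none")
    levels = {part.strip() for part in raw.split(",")}
    for bad in sorted(levels - DETAIL_LEVELS):
        findings.append(("error", f"debugSetting.detailLevel: unknown value {bad!r}"))
    if levels & {"requestContent", "responseContent"}:
        findings.append(("warn", "debugSetting.detailLevel logs request/response content"))

    if len(props.get("description", "")) > 4096:
        findings.append(("error", "description exceeds 4096 characters"))
    return findings

# Constructed sample in ARM JSON form, built to trip several checks.
# Names, IDs and URIs are placeholders; "purge" is a deliberately invalid action.
SAMPLE = json.loads("""
{
  "type": "Microsoft.Resources/deploymentStacks",
  "apiVersion": "2024-03-01",
  "name": "example-stack",
  "properties": {
    "actionOnUnmanage": {"resources": "delete", "resourceGroups": "purge"},
    "debugSetting": {"detailLevel": "requestContent, responseContent"},
    "denySettings": {"mode": "none", "excludedPrincipals": ["p1", "p2", "p3", "p4", "p5", "p6"]},
    "template": {},
    "templateLink": {"uri": "https://example.invalid/main.json", "id": "<template-spec-resource-id>"}
  }
}
""")

if __name__ == "__main__":
    for severity, message in lint_stack(SAMPLE):
        print(f"{severity:5} {message}")
```
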
Terraform (AzAPI provider) resource definition
The deploymentStacks resource type can be deployed with operations that target:
- Management groups
- Subscriptions
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Resources/deploymentStacks resource, add the following Terraform to your template.
```terraform
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Resources/deploymentStacks@2024-03-01"
  name = "string"
  location = "string"
  parent_id = "string"
  tags = {
    tagName1 = "tagValue1"
    tagName2 = "tagValue2"
  }
  body = jsonencode({
    properties = {
      actionOnUnmanage = {
        managementGroups = "string"
        resourceGroups = "string"
        resources = "string"
      }
      bypassStackOutOfSyncError = bool
      debugSetting = {
        detailLevel = "string"
      }
      denySettings = {
        applyToChildScopes = bool
        excludedActions = [
          "string"
        ]
        excludedPrincipals = [
          "string"
        ]
        mode = "string"
      }
      deploymentScope = "string"
      description = "string"
      error = {}
      parameters = {
        {customized property} = {
          reference = {
            keyVault = {
              id = "string"
            }
            secretName = "string"
            secretVersion = "string"
          }
          type = "string"
        }
      }
      parametersLink = {
        contentVersion = "string"
        uri = "string"
      }
      templateLink = {
        contentVersion = "string"
        id = "string"
        queryString = "string"
        relativePath = "string"
        uri = "string"
      }
    }
  })
}
```
Property values
deploymentStacks
Name | Description | Value |
---|---|---|
type | The resource type | "Microsoft.Resources/deploymentStacks@2024-03-01" |
name | The resource name | string (required) |
location | The location of the Deployment stack. It cannot be changed after creation. It must be one of the supported Azure locations. | string |
parent_id | To deploy to a management group, use the ID of that management group. To deploy to a subscription, use the ID of that subscription. To deploy to a resource group, use the ID of that resource group. | string (required) |
tags | Deployment stack resource tags. | Dictionary of tag names and values. |
properties | Deployment stack properties. | DeploymentStackProperties |
DeploymentStackProperties
Name | Description | Value |
---|---|---|
actionOnUnmanage | Defines the behavior of resources that are no longer managed after the Deployment stack is updated or deleted. | ActionOnUnmanage (required) |
bypassStackOutOfSyncError | Flag to bypass service errors that indicate the stack resource list is not correctly synchronized. | bool |
debugSetting | The debug setting of the deployment. | DeploymentStacksDebugSetting |
denySettings | Defines how resources deployed by the stack are locked. | DenySettings (required) |
deploymentScope | The scope at which the initial deployment should be created. If a scope is not specified, it will default to the scope of the deployment stack. Valid scopes are: management group (format: '/providers/Microsoft.Management/managementGroups/{managementGroupId}'), subscription (format: '/subscriptions/{subscriptionId}'), resource group (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}'). | string |
description | Deployment stack description. Max length of 4096 characters. | string Constraints: Max length = 4096 |
error | The error detail. | ErrorDetail |
parameters | Name and value pairs that define the deployment parameters for the template. Use this element when providing the parameter values directly in the request, rather than linking to an existing parameter file. Use either the parametersLink property or the parameters property, but not both. | DeploymentStackPropertiesParameters |
parametersLink | The URI of the parameters file. Use this element to link to an existing parameters file. Use either the parametersLink property or the parameters property, but not both. | DeploymentStacksParametersLink |
template | The template content. You use this element when you want to pass the template syntax directly in the request rather than link to an existing template. It can be a JObject or well-formed JSON string. Use either the templateLink property or the template property, but not both. | |
templateLink | The URI of the template. Use either the templateLink property or the template property, but not both. | DeploymentStacksTemplateLink |
ActionOnUnmanage
Name | Description | Value |
---|---|---|
managementGroups | Specifies an action for a newly unmanaged resource. Delete will attempt to delete the resource from Azure. Detach will leave the resource in its current state. | "delete" "detach" |
resourceGroups | Specifies an action for a newly unmanaged resource. Delete will attempt to delete the resource from Azure. Detach will leave the resource in its current state. | "delete" "detach" |
resources | Specifies an action for a newly unmanaged resource. Delete will attempt to delete the resource from Azure. Detach will leave the resource in its current state. | "delete" "detach" (required) |
DeploymentStacksDebugSetting
Name | Description | Value |
---|---|---|
detailLevel | Specifies the type of information to log for debugging. The permitted values are none, requestContent, responseContent, or both requestContent and responseContent separated by a comma. The default is none. When setting this value, carefully consider the type of information that is being passed in during deployment. By logging information about the request or response, sensitive data that is retrieved through the deployment operations could potentially be exposed. | string |
DenySettings
Name | Description | Value |
---|---|---|
applyToChildScopes | DenySettings will be applied to child resource scopes of every managed resource with a deny assignment. | bool |
excludedActions | List of role-based management operations that are excluded from the denySettings. Up to 200 actions are permitted. If the denySetting mode is set to 'denyWriteAndDelete', then the following actions are automatically appended to 'excludedActions': '*/read' and 'Microsoft.Authorization/locks/delete'. If the denySetting mode is set to 'denyDelete', then the following actions are automatically appended to 'excludedActions': 'Microsoft.Authorization/locks/delete'. Duplicate actions will be removed. | string[] |
excludedPrincipals | List of AAD principal IDs excluded from the lock. Up to 5 principals are permitted. | string[] |
mode | denySettings Mode that defines denied actions. | "denyDelete" "denyWriteAndDelete" "none" (required) |
ErrorDetail
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
DeploymentStackPropertiesParameters
Name | Description | Value |
---|---|---|
{customized property} | | DeploymentParameterAutoGenerated |
DeploymentParameterAutoGenerated
Name | Description | Value |
---|---|---|
reference | Azure Key Vault parameter reference. | KeyVaultParameterReferenceAutoGenerated |
type | Type of the value. | string |
value | Input value to the parameter. | |
KeyVaultParameterReferenceAutoGenerated
Name | Description | Value |
---|---|---|
keyVault | Azure Key Vault reference. | KeyVaultReferenceAutoGenerated (required) |
secretName | Azure Key Vault secret name. | string (required) |
secretVersion | Azure Key Vault secret version. | string |
KeyVaultReferenceAutoGenerated
Name | Description | Value |
---|---|---|
id | Azure Key Vault resourceId. | string (required) |
DeploymentStacksParametersLink
Name | Description | Value |
---|---|---|
contentVersion | If included, must match the ContentVersion in the template. | string |
uri | The URI of the parameters file. | string (required) |
DeploymentStacksTemplateLink
Name | Description | Value |
---|---|---|
contentVersion | If included, must match the ContentVersion in the template. | string |
id | The resourceId of a Template Spec. Use either the id or uri property, but not both. | string |
queryString | The query string (for example, a SAS token) to be used with the templateLink URI. | string |
relativePath | The relativePath property can be used to deploy a linked template at a location relative to the parent. If the parent template was linked with a TemplateSpec, this will reference an artifact in the TemplateSpec. If the parent was linked with a URI, the child deployment will be a combination of the parent and relativePath URIs. | string |
uri | The URI of the template to deploy. Use either the uri or id property, but not both. | string |