Research: Azure Deployment Stacks for ARM/Bicep Deployments Across All Repositories

[kristopherjturner]

Research and evaluate Azure Deployment Stacks (https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-stacks) as a replacement or enhancement to standard ARM/Bicep deployments across all AzureLocal repositories.

A deployment stack (Microsoft.Resources/deploymentStacks) manages a group of Azure resources as a single cohesive unit. It adds lifecycle management, drift prevention via deny-assignments, and clean environment teardown on top of standard az deployment / New-AzResourceGroupDeployment.

Why Evaluate This

Current repos use standard ARM/Bicep deployments that:

• Have no built-in drift protection — resources can be modified or deleted outside IaC
• Require manual cleanup of removed resources
• Lack unified lifecycle tracking across scopes (RG, subscription, management group)

Deployment stacks address all three via ActionOnUnmanage and DenySettingsMode.

Scope

All six AzureLocal repos: azurelocal-toolkit, azurelocal-avd, azurelocal-sofs-fslogix, azurelocal-loadtools, azurelocal-vm-conversion-toolkit. (azurelocal.github.io is docs only.)

Research Tasks

• Audit existing ARM/Bicep deployment call sites per repo
• Determine appropriate stack scope per repo (resource group vs subscription)
• Define ActionOnUnmanage strategy (detachAll / deleteResources / deleteAll)
• Define DenySettingsMode (None → DenyDelete for prod)
• Identify implicit resources not covered by deny-assignments (AKS node pools, managed disks)
• Note Key Vault secret handling — stacks cannot delete KV secrets, use detach mode
• Check for Microsoft Graph provider usage — not supported with stacks
• Draft replacement pipeline commands (New-AzResourceGroupDeploymentStack / Set-Az*)
• Identify service principals needing Azure Deployment Stack Contributor/Owner role
• Proof-of-concept stack in azurelocal-toolkit dev environment

References

• https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-stacks
• https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/quickstart-create-deployment-stacks
• https://learn.microsoft.com/en-us/training/modules/manage-resource-lifecycles-deployment-stacks/

[kristopherjturner]

Related Issues

This research directly applies to the following open Bicep/ARM/IaC issues across all repos. Adoption of deployment stacks would affect each of these.

azurelocal-sofs-fslogix

• Publish reusable Bicep modules to registry azurelocal-sofs-fslogix#40 — Publish reusable Bicep modules to registry
• Add CI workflow for Bicep lint azurelocal-sofs-fslogix#22 — Add CI workflow for Bicep lint
• Add Bicep/Terraform input validation and defaults azurelocal-sofs-fslogix#21 — Add Bicep/Terraform input validation and defaults
• Validate Bicep templates end-to-end azurelocal-sofs-fslogix#19 — Validate Bicep templates end-to-end
• Add CI workflow for Terraform validate and fmt azurelocal-sofs-fslogix#23 — Add CI workflow for Terraform validate and fmt
• Validate Terraform modules end-to-end azurelocal-sofs-fslogix#20 — Validate Terraform modules end-to-end

azurelocal-toolkit

• infra: CI/CD pipelines and shared workflow templates #13 — infra: CI/CD pipelines and shared workflow templates
• feat: IaC maturity tracking automation and scoring dashboard #12 — feat: IaC maturity tracking automation and scoring dashboard
• Standard: IaC Tool Maturity Lifecycle — status tracking, warnings, and release gates #7 — Standard: IaC Tool Maturity Lifecycle — status tracking, warnings, and release gates
• Track IaC tool maturity status across all repos (Built / Tested / Released) #5 — Track IaC tool maturity status across all repos (Built / Tested / Released)

azurelocal-loadtools

• infra: CI/CD pipelines (lint, test, release) azurelocal-loadtools#18 — infra: CI/CD pipelines (lint, test, release)
• feat: infrastructure provisioning for load test environments azurelocal-loadtools#11 — feat: infrastructure provisioning for load test environments

azurelocal-vm-conversion-toolkit

• infra: CI/CD pipelines (lint, test, release) azurelocal-vm-conversion-toolkit#11 — infra: CI/CD pipelines (lint, test, release)