Description
Research and evaluate Azure Deployment Stacks (https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-stacks) as a replacement or enhancement to standard ARM/Bicep deployments across all AzureLocal repositories.
A deployment stack (Microsoft.Resources/deploymentStacks) manages a group of Azure resources as a single cohesive unit. It adds lifecycle management, drift prevention via deny-assignments, and clean environment teardown on top of standard az deployment / New-AzResourceGroupDeployment.
Why Evaluate This
Current repos use standard ARM/Bicep deployments that:
- Have no built-in drift protection — resources can be modified or deleted outside IaC
- Require manual cleanup of removed resources
- Lack unified lifecycle tracking across scopes (RG, subscription, management group)
Deployment stacks address all three: DenySettingsMode blocks out-of-band writes/deletes, ActionOnUnmanage decides what happens to resources dropped from the template (detach or delete), and the stack resource itself records which resources are managed at which scope.
Scope
All five deployment repos: azurelocal-toolkit, azurelocal-avd, azurelocal-sofs-fslogix, azurelocal-loadtools, azurelocal-vm-conversion-toolkit. (The sixth repo, azurelocal.github.io, is docs only and out of scope.)
Research Tasks
- Audit existing ARM/Bicep deployment call sites per repo
- Determine appropriate stack scope per repo (resource group vs subscription)
- Define ActionOnUnmanage strategy (detachAll / deleteResources / deleteAll)
- Define DenySettingsMode (None → DenyDelete for prod)
- Identify implicit resources not covered by deny-assignments (AKS node pools, managed disks)
- Note Key Vault secret handling — stacks cannot delete KV secrets, use detach mode
- Check for Microsoft Graph provider usage — not supported with stacks
- Draft replacement pipeline commands (New-AzResourceGroupDeploymentStack / Set-Az*)
- Identify service principals needing the Azure Deployment Stack Contributor or Azure Deployment Stack Owner role (only the Owner variant can set deny settings, since those create deny assignments)
- Proof-of-concept stack in azurelocal-toolkit dev environment
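As a starting point for the "draft replacement pipeline commands" and proof-of-concept tasks, the script below is an added example, not code from any AzureLocal repo. It assumes an RG-scoped stack, the Az.Resources GA cmdlets (`New-/Set-/Get-/Remove-AzResourceGroupDeploymentStack` with `-ActionOnUnmanage` and `-DenySettingsMode`), and placeholder names for the stack, resource group, template files and break-glass principal object ID. The `Resources` property and its `Status`/`DenyStatus` fields on the returned stack object are also an assumption about the cmdlet output shape.

```powershell
# Added example for the AzureLocal evaluation; all names and IDs below are placeholders.
[CmdletBinding()]
param(
    [ValidateSet('Deploy', 'Teardown')] [string]$Mode = 'Deploy',
    [ValidateSet('dev', 'prod')]        [string]$Environment = 'dev',
    [string]$StackName         = 'azurelocal-toolkit',
    [string]$ResourceGroupName = 'rg-azurelocal-toolkit-dev',
    [string]$TemplateFile      = './main.bicep',
    [string]$ParameterFile     = './main.dev.bicepparam',
    # Object IDs of break-glass principals still allowed to change resources out of band (placeholder).
    [string[]]$BreakGlassPrincipals = @('00000000-0000-0000-0000-000000000000')
)

$ErrorActionPreference = 'Stop'

# Mapping from the research tasks above:
#   dev : DetachAll + None        -> no deny assignment; resources removed from the
#                                    template are left in place and unmanaged
#   prod: DeleteResources + DenyDelete -> removed resources are deleted, the RG itself
#                                    is kept, and deletes outside the stack are blocked
$actionOnUnmanage = if ($Environment -eq 'prod') { 'DeleteResources' } else { 'DetachAll' }
$denySettingsMode = if ($Environment -eq 'prod') { 'DenyDelete' }      else { 'None' }

if ($Mode -eq 'Teardown') {
    # DetachAll on delete is required when the template contains Key Vault secrets:
    # the stack cannot delete them, so detaching avoids a failed teardown.
    Remove-AzResourceGroupDeploymentStack -Name $StackName `
        -ResourceGroupName $ResourceGroupName -ActionOnUnmanage DetachAll -Force
    return
}

$stackArgs = @{
    Name                  = $StackName
    ResourceGroupName     = $ResourceGroupName
    TemplateFile          = $TemplateFile
    TemplateParameterFile = $ParameterFile
    ActionOnUnmanage      = $actionOnUnmanage
    DenySettingsMode      = $denySettingsMode
    Force                 = $true   # non-interactive: no confirmation prompt in a pipeline
}
if ($denySettingsMode -ne 'None') {
    # Excluded principals bypass the deny assignment; keep this list to a break-glass group.
    # Setting deny settings at all needs the Azure Deployment Stack Owner (or Owner) role.
    $stackArgs.DenySettingsExcludedPrincipal = $BreakGlassPrincipals
}

# Create on first run, update afterwards. Get- throws when the stack does not exist yet.
$existing = Get-AzResourceGroupDeploymentStack -Name $StackName `
    -ResourceGroupName $ResourceGroupName -ErrorAction SilentlyContinue
$stack = if ($null -eq $existing) {
    New-AzResourceGroupDeploymentStack @stackArgs
} else {
    Set-AzResourceGroupDeploymentStack @stackArgs
}

# Post-deploy check for the "implicit resources" task: anything created by a managed
# resource but absent from this list (e.g. AKS node pools) has no deny assignment and
# will not be cleaned up by ActionOnUnmanage.
$stack.Resources | Format-Table Id, Status, DenyStatus -AutoSize
```

Running the script with `-Mode Deploy -Environment prod` twice should leave the stack unchanged on the second run; dropping a resource from `main.bicep` and re-running exercises the `DeleteResources` path and is the cheapest way to confirm the ActionOnUnmanage choice before rolling it out to the other repos.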