What are Azure Deployment Stacks?
Azure Deployment Stacks provide a unified management layer for Azure resources that belong to the same Bicep deployment. Think of it as Azure's answer to Terraform's statefile: a way to track and manage the complete lifecycle of your infrastructure as a single entity.
Deployment Stacks address a fundamental gap in Bicep's capabilities by introducing stateful infrastructure management. Bicep has historically lacked mechanisms for automatic cleanup, resource lifecycle management, and destroy operations (excluding ‘complete’ Bicep deployments). Deployment Stacks fill this void, using Azure's native integration to abstract away the complexity of state management entirely.
Why Azure Deployment Stacks?
The Terraform Comparison
Terraform's statefile has long been the gold standard for infrastructure lifecycle management. It tracks deployed resources and enables:
- Automatic deletion of resources when removed from code
- Destroy commands for complete cleanup
- Redeployment when resource configurations change
This provides full end-to-end lifecycle management, significantly reducing manual cleanup work. However, the statefile introduces its own operational burden as users must handle storage, locking, versioning, and security of the state backend.
Bicep's Gap
Bicep's traditional incremental deployment model leaves cleanup entirely manual. Remove a resource from your template, and it remains orphaned in Azure. Change foundational infrastructure, and you're left managing the deletion of old resources yourself. For teams working with dynamic environments or frequent infrastructure changes in Dev/Test, this creates significant operational overhead.
The Deployment Stack Solution
Deployment Stacks bridge this gap by providing:
- Stateful management, without requiring you to manage state storage
- Automatic resource cleanup, with configurable deletion policies
- Integrated resource locks, for production protection
- Destroy operations, equivalent to Terraform's cleanup commands
- Native Azure integration, with built-in RBAC roles
Because Azure manages the stack metadata, you avoid the operational complexity of state backends while gaining the lifecycle management benefits previously exclusive to Terraform.
Getting Started
Deployment Stacks are simpler to adopt than you might think. If you're already deploying Bicep templates, you don't need to modify them at all. Deployment Stacks are an extension of Azure's existing deployment mechanisms, not a replacement for your Bicep code.
Adoption primarily involves updating your deployment approach: switch from standard az deployment commands to az stack commands in your scripts, pipelines, or CI/CD workflows. For example:
az deployment sub create
becomes
az stack sub create
Your existing Bicep templates and the resources they define are then brought under stack management with your chosen configuration.
Understanding Deployment Modes
Deployment Stacks offer flexible modes to control how unmanaged resources are handled:
detachAll: When you remove a resource from your Bicep template, it's detached from stack management but remains in Azure. This is useful for transitional scenarios or when you need to preserve resources.
--action-on-unmanage detachAll
deleteResources: Removed resources are automatically deleted from Azure, providing true lifecycle management and eliminating orphaned resources. Resource groups are not deleted.
--action-on-unmanage deleteResources
deleteAll: The most aggressive mode, deleting both resources and their resource groups when removed from your template.
--action-on-unmanage deleteAll
DenySettings for Production Protection
Deployment Stacks include deny assignment capabilities that can prevent modifications or deletions of managed resources, even by users with otherwise sufficient permissions. This is invaluable for protecting production infrastructure from accidental changes.
--deny-settings-mode {denyDelete, denyWriteAndDelete, none}
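The unmanage and deny flags above, combined into one per-environment command, as an added example that is not from the original article or from Advania's pipelines. The environment names, the stack naming scheme, main.bicep, uksouth and the production policy (detach rather than delete, deny writes and deletes) are assumptions; the script only prints commands and checks them, it does not call Azure.

```shell
#!/bin/sh
# Added example (assumed policy): choose Deployment Stack flags per environment.
# Prints the az command instead of running it, so it works offline.

# stack_flags ENV: print the unmanage/deny flag pair for that environment.
stack_flags() {
    case "$1" in
        # Test: delete everything dropped from the template, no deny assignment.
        test) echo "--action-on-unmanage deleteAll --deny-settings-mode none" ;;
        # Prod: keep dropped resources, block out-of-band writes and deletes.
        prod) echo "--action-on-unmanage detachAll --deny-settings-mode denyWriteAndDelete" ;;
        *) echo "unknown environment: $1" >&2; return 1 ;;
    esac
}

# stack_command ENV TEMPLATE LOCATION: print the full command line.
stack_command() {
    flags=$(stack_flags "$1") || return 1
    case "$2" in
        *.bicep) ;;
        *) echo "template must be a .bicep file: $2" >&2; return 1 ;;
    esac
    echo "az stack sub create --name stack-$1 --location $3 --template-file $2 $flags"
}

# lint_prod_command CMDLINE: fail if a production command (for example one
# found in a pipeline file) could delete resources or has no deny assignment.
lint_prod_command() {
    case "$1" in
        *"az stack "*) ;;
        *) echo "not an az stack command" >&2; return 1 ;;
    esac
    case "$1" in
        *"--action-on-unmanage delete"*)
            echo "prod must not delete on unmanage" >&2; return 1 ;;
    esac
    case "$1" in
        *"--deny-settings-mode denyDelete"*|*"--deny-settings-mode denyWriteAndDelete"*)
            return 0 ;;
    esac
    echo "prod needs denyDelete or denyWriteAndDelete" >&2
    return 1
}

# Constructed sample values: main.bicep, uksouth.
stack_command test main.bicep uksouth
stack_command prod main.bicep uksouth
lint_prod_command "$(stack_command prod main.bicep uksouth)" && echo "prod command passes lint"
```

Running the lint in the pipeline before the production stage catches a copied Test command before it reaches a Production subscription.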
Resources for Deep Dives
For comprehensive implementation guidance, Microsoft's documentation and community resources provide excellent starting points:
How We Use It
At Advania UK, we've implemented Deployment Stacks across our Test and Production environments with measurable results:
Cost Optimization: We're saving approximately 29% on Azure costs every four weeks through automatic cleanup of Test environments and temporary resources that would previously have been left running.
Deployment Reliability: Through our cycle of cleaning up Test resources and redeploying them as work resumes, we continuously validate our deployment processes. This means we have confidence in a well-tested, proven deployment pipeline.
Production Protection: DenySettings provide resource delete and write protection in Production, preventing accidental modifications while maintaining the flexibility to make planned changes through proper deployment processes.
Operational Efficiency: Automatic cleanup of unmanaged resources has eliminated a significant source of manual work. Engineers no longer need to track down and remove orphaned resources when infrastructure changes.
The combination of cost savings, risk reduction, and operational efficiency makes Deployment Stacks a valuable addition to our Azure infrastructure management toolkit. For teams already invested in Bicep, it provides a clear path to stateful infrastructure management without the operational overhead of external state management solutions.