Azure Deployment Stacks became generally available in 2024 and solves a fundamental problem in Infrastructure-as-Code operations on Azure: the missing lifecycle semantics for related resources. Previously, ARM deployments could not automatically remove resources that were no longer present in the template definition, and there was no built-in protection against external changes to IaC-managed resources.
Deployment Stacks as Atomic Resource Units
A Deployment Stack groups all resources of an ARM or Bicep deployment into a managed unit. When a resource is removed from the Bicep template and the stack is redeployed, the resource is automatically deleted (or placed in a “detached” state, depending on configuration). This behavior corresponds to Terraform’s “terraform destroy” for removed resources but is natively integrated into the Azure Resource Manager. Stacks can be defined at the subscription or management group level and can span multiple Resource Groups.
The core feature for governance-sensitive environments is DenySettings. With DenyDelete settings, a stack prevents resources from being deleted outside the IaC workflow. DenyWriteAndDelete goes a step further and blocks external configuration changes as well. This ensures that the IaC code remains the only legitimate source for configuration changes and prevents “config drift” through manual interventions in the Azure Portal.
Integration into Existing IaC Workflows
Azure Deployment Stacks is fully integrated into existing Azure IaC toolchains: Azure CLI, PowerShell, the Azure Portal, and Azure DevOps/GitHub Actions support stacks natively. Existing Bicep templates can be deployed in a stack without modifications. The combination of atomic lifecycle management, DenySettings, and native CI/CD integration makes Deployment Stacks the recommended tool for production Bicep-based IaC environments that go beyond simple Resource Group deployments.
Typical Use Cases
Frequently Asked Questions
What is the difference from a Resource Group?
A Resource Group is a logical container for resources without lifecycle semantics. A Deployment Stack is a managed deployment that treats all contained resources as a unit: shared update, shared deletion, and optional DenySettings protection. A stack resource can span multiple Resource Groups.
What are DenySettings?
DenySettings allow restricting certain operations on stack resources. 'DenyDelete' prevents anyone from deleting a stack resource outside of the stack. 'DenyWriteAndDelete' additionally prevents external configuration changes. This ensures the IaC definition remains the single source of truth about resource state.
Is Azure Deployment Stacks Terraform-compatible?
Not directly. Azure Deployment Stacks is a native ARM/Bicep service. Terraform has its own state management. For Terraform users, Terraform state is the stack equivalent. Deployment Stacks primarily enhances ARM/Bicep-based IaC workflows.
