natively support deny assignments

[erwinkramer]

Azure Blueprints and Azure managed apps use deny assignments to protect system-managed resources. But when are we going to get the power to use this deny assignment ourselves by a Microsoft.Authorization/denyAssignments/write resource? I know there are talks about kind off similar deny capability called locking functionality in deploymentStacks via ARM Templates and Bicep Roadmap with Azure MVPs September 2020 but it seems to fail in the same problem, exclusively bringing functionality to a product on-top off ARM/Bicep, instead of just supporting it natively in ARM and Bicep. If i could guess there are technical issues with this as a reason why it isn't supported, but then an alternative would be supporting deny assignments as an option inside templateSpecs?

So in the future i will still have to depend on blueprints or deploymentStacks to protect my resources, while i might not need all that overhead, if i could just protect my bicep module file with a seperate denyAssignments resource, that would create much flexibility.

[brwilkinson]

You can set resource locks to protect resources, they are available at any scope that you choose and can be deployed.

The popular option is: CanNotDelete

https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/locks?pivots=deployment-language-bicep

Name	Description	Value
level	The level of the lock. Possible values are: NotSpecified, CanNotDelete, ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it.	'CanNotDelete''NotSpecified''ReadOnly' (required)
notes	Notes about the lock. Maximum of 512 characters.	string

Here is the deployment stacks info: https://www.youtube.com/watch?v=tPrpsKVEhSU&t=224s

I believe it's close to public preview, however you can try to sign up for the private preview here:

https://aka.ms/getStacks