# Azure Stacks
In this notebook we are going to take a look at Azure Deployment Stacks, a tool to better manage your resource deployments.
We will look into its capabilities and why you might want to use it.

First, let's set up our environment.

In [21]:
!az stack group create --name 'stack1' --resource-group 'stacks' --template-file './originals/deployment_1.bicep' --description 'First azure function' --deny-settings-mode None --delete-resources true --yes

A new Bicep release is available: v0.26.54. Upgrade now by running "az bicep upgrade".
{
  "actionOnUnmanage": {
    "managementGroups": "detach",
    "resourceGroups": "detach",
    "resources": "delete"
  },
  "debugSetting": null,
  "deletedResources": [],
  "denySettings": {
    "applyToChildScopes": false,
    "excludedActions": null,
    "excludedPrincipals": null,
    "mode": "none"
  },
  "deploymentId": "/subscriptions/7f1f09f1-46c7-4d90-b00b-e69d5fb05c28/resourceGroups/stacks/providers/Microsoft.Resources/deployments/stack1-240315081tbnk",
  "deploymentScope": null,
  "description": "First azure function",
  "detachedResources": [],
  "duration": "PT1M15.534498S",
  "error": null,
  "failedResources": [],
  "id": "/subscriptions/7f1f09f1-46c7-4d90-b00b-e69d5fb05c28/resourceGroups/stacks/providers/Microsoft.Resources/deploymentStacks/stack1",
  "location": null,
  "name": "stack1",
  "outputs": null,
  "parameters": {},
  "parametersLink": null,
 

In [22]:
!az stack group create --name 'stack2' --resource-group 'stacks' --template-file './originals/deployment_2.bicep' --description 'Second azure function' --deny-settings-mode None --delete-resources true --yes

A new Bicep release is available: v0.26.54. Upgrade now by running "az bicep upgrade".
{
  "actionOnUnmanage": {
    "managementGroups": "detach",
    "resourceGroups": "detach",
    "resources": "delete"
  },
  "debugSetting": null,
  "deletedResources": [],
  "denySettings": {
    "applyToChildScopes": false,
    "excludedActions": null,
    "excludedPrincipals": null,
    "mode": "none"
  },
  "deploymentId": "/subscriptions/7f1f09f1-46c7-4d90-b00b-e69d5fb05c28/resourceGroups/stacks/providers/Microsoft.Resources/deployments/stack2-240315082h0x5",
  "deploymentScope": null,
  "description": "Second azure function",
  "detachedResources": [],
  "duration": "PT43.7933161S",
  "error": null,
  "failedResources": [],
  "id": "/subscriptions/7f1f09f1-46c7-4d90-b00b-e69d5fb05c28/resourceGroups/stacks/providers/Microsoft.Resources/deploymentStacks/stack2",
  "location": null,
  "name": "stack2",
  "outputs": null,
  "parameters": {},
  "parametersLink": null,
 

In [23]:
!az stack group create --name 'stack3' --resource-group 'stacks' --template-file './originals/deployment_3.bicep' --description 'Third azure function' --deny-settings-mode None --delete-resources true --yes

A new Bicep release is available: v0.26.54. Upgrade now by running "az bicep upgrade".
{
  "actionOnUnmanage": {
    "managementGroups": "detach",
    "resourceGroups": "detach",
    "resources": "delete"
  },
  "debugSetting": null,
  "deletedResources": [],
  "denySettings": {
    "applyToChildScopes": false,
    "excludedActions": null,
    "excludedPrincipals": null,
    "mode": "none"
  },
  "deploymentId": "/subscriptions/7f1f09f1-46c7-4d90-b00b-e69d5fb05c28/resourceGroups/stacks/providers/Microsoft.Resources/deployments/stack3-2403150833oew",
  "deploymentScope": null,
  "description": "Third azure function",
  "detachedResources": [],
  "duration": "PT1M13.8212947S",
  "error": null,
  "failedResources": [],
  "id": "/subscriptions/7f1f09f1-46c7-4d90-b00b-e69d5fb05c28/resourceGroups/stacks/providers/Microsoft.Resources/deploymentStacks/stack3",
  "location": null,
  "name": "stack3",
  "outputs": null,
  "parameters": {},
  "parametersLink": null,
  "p

## On edit
The commands below redeploy `stack1` and `stack3` from the templates in `./edited` to show what happens when a deployment is edited.

In [None]:
!az stack group create --name 'stack1' --resource-group 'stacks' --template-file './edited/deployment_1.bicep' --deny-settings-mode None --delete-resources true --yes

In [None]:
!az stack group create --name 'stack3' --resource-group 'stacks' --template-file './edited/deployment_3.bicep' --deny-settings-mode None --delete-resources true --yes

## Security

Protect your resources against manual interventions

In [None]:
!az stack group create --name 'stack1' --resource-group 'stacks' --template-file './edited/deployment_1.bicep' --deny-settings-mode denyDelete --delete-resources true --yes

In [None]:
!az stack group create --name 'stack3' --resource-group 'stacks' --template-file './originals/deployment_3.bicep' --deny-settings-mode denyWriteAndDelete --delete-resources true --yes

### But wait
We cannot edit the settings now: with `denyWriteAndDelete` in place, a manual change such as the slot swap below is denied.

In [None]:
!az functionapp deployment slot swap --name 'cldrpblcmvlfunc3' --resource-group 'stacks' --slot 'staging' --target-slot 'production'


#### How to fix it
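Use a deny-settings exclusion: recreate the stack with the principal that needs to make changes listed in `--deny-settings-excluded-principals`.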

In [None]:
!az stack group delete -g stacks -n stack3 --yes
!az stack group create --name 'stack3' --delete-resources true --resource-group 'stacks' --template-file './originals/deployment_3.bicep' --deny-settings-mode denyWriteAndDelete --yes --deny-settings-excluded-principals '2dc1f380-efdc-4800-ab4c-cc02622051d8'
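
An added example, not part of the original notebook: a Python check over the `denySettings` fields shown in the command output above. It flags stacks whose deny mode, excluded principals or child-scope setting leave room for manual changes. The sample list and the `approved_principals` allow-list are constructed for illustration.

```python
import json

# Constructed sample: three stack objects shaped like the CLI output above,
# in the state the Security section leaves them in (fields trimmed).
SAMPLE_STACKS = json.loads("""
[
  {"name": "stack1", "denySettings": {"mode": "denyDelete",
    "applyToChildScopes": false, "excludedActions": null, "excludedPrincipals": null}},
  {"name": "stack2", "denySettings": {"mode": "none",
    "applyToChildScopes": false, "excludedActions": null, "excludedPrincipals": null}},
  {"name": "stack3", "denySettings": {"mode": "denyWriteAndDelete",
    "applyToChildScopes": false, "excludedActions": null,
    "excludedPrincipals": ["2dc1f380-efdc-4800-ab4c-cc02622051d8"]}}
]
""")


def audit_stack(stack, approved_principals=frozenset()):
    """Return a list of findings for one deployment stack object."""
    deny = stack.get("denySettings") or {}
    mode = (deny.get("mode") or "none").lower()
    findings = []
    if mode == "none":
        findings.append("mode none: managed resources can be changed or deleted by hand")
        return findings  # exclusions and scope are irrelevant without a deny assignment
    if mode == "denydelete":
        findings.append("mode denyDelete: manual writes to managed resources are still allowed")
    for principal in deny.get("excludedPrincipals") or []:
        if principal not in approved_principals:  # allow-list is an assumption of this example
            findings.append(f"excluded principal {principal} is not on the approved list")
    for action in deny.get("excludedActions") or []:
        findings.append(f"excluded action {action} bypasses the deny assignment")
    if not deny.get("applyToChildScopes"):
        findings.append("deny settings are not applied to child scopes")
    return findings


def audit(stacks, approved_principals=frozenset()):
    """Map stack name -> findings, for every stack in the list."""
    return {s["name"]: audit_stack(s, approved_principals) for s in stacks}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_STACKS).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

To run it against real stacks, pass the parsed JSON output of `az stack group list --resource-group 'stacks'` to `audit`.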

### Locking the stack
Make sure nobody can delete the stack

In [None]:
!az resource lock create --lock-type CanNotDelete --name lockStack1 --resource /subscriptions/7f1f09f1-46c7-4d90-b00b-e69d5fb05c28/resourceGroups/stacks/providers/Microsoft.Resources/deploymentStacks/stack1

In [None]:
!az resource lock delete --name lockStack1 --resource /subscriptions/7f1f09f1-46c7-4d90-b00b-e69d5fb05c28/resourceGroups/stacks/providers/Microsoft.Resources/deploymentStacks/stack1

## Exporting templates
Recover a deployed template

In [None]:
!az stack group export --resource-group 'stacks' --name 'stack1'