Azure Blueprints
An Azure service that provides templates for quick, repeatable creation of fully governed cloud subscriptions.
I'm trying to see if we can use a Deployment Stack on a ManagementGroup in Azure to protect a Budget on a Subscription from being modified and/or deleted by Contributors or Owners of the Subscription.
As of now I haven't succeeded despite playing around with denyWriteAndDelete and deny-settings-apply-to-child-scopes in the stack. Both IAM roles can even delete the Budget...
A small Bicep budget to be used in the stack:
    targetScope = 'subscription'

    resource budget 'Microsoft.Consumption/budgets@2023-11-01' = {
      name: 'bg-bicep-budget1'
      properties: {
        category: 'Cost'
        amount: 100
        timeGrain: 'Monthly'
        timePeriod: {
          startDate: '2024-09-01T00:00:00Z'
          endDate: '2048-07-31T00:00:00Z'
        }
        notifications: {
          actual_GreaterThan_80_Percent: {
            enabled: true
            operator: 'GreaterThan'
            threshold: 80
            contactEmails: [
              'someone@somewhere'
            ]
            thresholdType: 'Actual'
          }
        }
      }
    }
Creating a Stack on a group, targeting a Subscription with the Budget:
    az stack mg create `
      --name 'test-001' `
      --location 'swedencentral' `
      --template-file 'budget1.bicep' `
      --deployment-subscription '123456789654654' `
      --action-on-unmanage 'deleteResources' `
      --deny-settings-mode 'denyWriteAndDelete' `
      --management-group-id 'stack-test-001' `
      --deny-settings-excluded-principals '65469879879324654645654654' `
      --deny-settings-apply-to-child-scopes
Sorry: No tags available for Bicep nor Deployment Stacks, Azure Blueprints was closest, but very wrong...
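
One way to check what the stack actually put in place, added here as an example and not part of the original post. It assumes a PowerShell session with the Azure CLI signed in as a user, and it reuses the placeholder IDs and names from the question. It prints the deny settings recorded on the stack, then each deny assignment returned for the subscription with its denied actions, child-scope coverage, and whether the signed-in user is an excluded principal.

```powershell
# Added diagnostic sketch; IDs and names are the placeholders used in the question.
$subscriptionId    = '123456789654654'
$managementGroupId = 'stack-test-001'
$stackName         = 'test-001'

# 1. Deny settings as recorded on the stack itself.
az stack mg show --name $stackName --management-group-id $managementGroupId `
  --query 'denySettings' --output json

# 2. Deny assignments returned for the subscription scope (ARM REST API).
$uri = "https://management.azure.com/subscriptions/$subscriptionId" +
       '/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01'
$denyAssignments = (az rest --method get --uri $uri | ConvertFrom-Json).value

if (-not $denyAssignments) {
    Write-Warning 'No deny assignments returned for this subscription.'
}

# 3. Object ID of the signed-in user, to compare with the excluded principals.
#    Assumes a user login; a service principal session needs its own object ID here.
$me = az ad signed-in-user show --query id --output tsv

# 4. One summary row per deny assignment.
foreach ($da in $denyAssignments) {
    $p = $da.properties
    [pscustomobject]@{
        Name               = $p.denyAssignmentName
        Scope              = $p.scope
        DeniedActions      = ($p.permissions.actions -join ', ')
        NotActions         = ($p.permissions.notActions -join ', ')
        ChildScopesCovered = -not $p.doNotApplyToChildScopes
        CallerIsExcluded   = [bool]($p.excludePrincipals.id -contains $me)
    }
}
```

If no row has a scope that covers the budget, or `CallerIsExcluded` is true for the account used in the delete test, the test result says nothing about whether the deny settings work for other Contributors or Owners.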