An extension resource is a resource that modifies another resource. For example, you can assign a role to a resource. The role assignment is an extension resource type.
This article shows how to set the scope for an extension resource type when deployed with a Bicep file. It describes the scope property, which is available for extension resources when you apply them to a resource.
Note
The scope property is only available to extension resource types. To specify a different scope for a resource type that isn't an extension type, use a module.
To apply an extension resource type at the target deployment scope, add the resource to your template as you would with any other resource type. The available scopes are resource group, subscription, management group, and tenant. The deployment scope must support the resource type.
When deployed to a resource group, the following template adds a lock to that resource group.
Bicep
resource createRgLock 'Microsoft.Authorization/locks@2020-05-01' = {
  name: 'rgLock'
  properties: {
    level: 'CanNotDelete'
    notes: 'Resource group should not be deleted.'
  }
}
The next example assigns a role to the subscription it's deployed to.
Bicep
targetScope = 'subscription'

@description('The principal to assign the role to')
param principalId string

@allowed([
  'Owner'
  'Contributor'
  'Reader'
])
@description('Built-in role to assign')
param builtInRoleType string

var role = {
  Owner: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
  Contributor: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
  Reader: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'
}

resource roleAssignSub 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, principalId, role[builtInRoleType])
  properties: {
    roleDefinitionId: role[builtInRoleType]
    principalId: principalId
  }
}
Apply to resource
To apply an extension resource to a resource, use the scope property. In the scope property, reference the resource you're adding the extension to. You reference the resource by providing the symbolic name for the resource. The scope property is a root property for the extension resource type.
The following example creates a storage account and applies a role to it.
Bicep
@description('The principal to assign the role to')
param principalId string

@allowed([
  'Owner'
  'Contributor'
  'Reader'
])
@description('Built-in role to assign')
param builtInRoleType string

param location string = resourceGroup().location

var role = {
  Owner: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
  Contributor: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
  Reader: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'
}

var uniqueStorageName = 'storage${uniqueString(resourceGroup().id)}'

resource demoStorageAcct 'Microsoft.Storage/storageAccounts@2023-04-01' = {
  name: uniqueStorageName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'Storage'
  properties: {}
}

resource roleAssignStorage 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(demoStorageAcct.id, principalId, role[builtInRoleType])
  properties: {
    roleDefinitionId: role[builtInRoleType]
    principalId: principalId
  }
  scope: demoStorageAcct
}
You can apply an extension resource to an existing resource. The following example adds a lock to an existing storage account.
Bicep
resource demoStorageAcct 'Microsoft.Storage/storageAccounts@2023-04-01' existing = {
  name: 'examplestore'
}

resource createStorageLock 'Microsoft.Authorization/locks@2020-05-01' = {
  name: 'storeLock'
  scope: demoStorageAcct
  properties: {
    level: 'CanNotDelete'
    notes: 'Storage account should not be deleted.'
  }
}
The same requirements apply to extension resources as to other resources when targeting a scope that is different from the target scope of the deployment. To learn about deploying to more than one scope, see:
The resourceGroup and subscription properties are only allowed on modules. These properties are not allowed on individual resources. Use modules if you want to deploy an extension resource with the scope set to a resource in a different resource group.
The following example shows how to apply a lock on a storage account that resides in a different resource group.
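An added example (not the original page's own code) of the module approach described above: the main file sets the resource group on the module, and the module applies the lock with the scope property. The block holds two files separated by comment banners; the file name storageLock.bicep and the module, parameter, and symbolic names are assumptions.

```bicep
// ----- main.bicep (deployed to a resource group) -----
@description('Resource group that contains the storage account (assumed to already exist)')
param targetResourceGroup string

@description('Name of the existing storage account to lock')
param storageAccountName string

// resourceGroup() as a scope is allowed on a module, not on an individual
// resource, so the lock is declared inside the module file.
module lockStorage './storageLock.bicep' = {
  name: 'lockStorageAccount'
  scope: resourceGroup(targetResourceGroup)
  params: {
    storageAccountName: storageAccountName
  }
}

// ----- storageLock.bicep (module file, runs in targetResourceGroup) -----
@description('Name of the existing storage account to lock')
param storageAccountName string

// Reference the account without redeploying it.
resource storageAcct 'Microsoft.Storage/storageAccounts@2023-04-01' existing = {
  name: storageAccountName
}

// Extension resource: scope points at the symbolic name of the account.
resource storageLock 'Microsoft.Authorization/locks@2020-05-01' = {
  name: 'storeLock'
  scope: storageAcct
  properties: {
    level: 'CanNotDelete'
    notes: 'Storage account should not be deleted.'
  }
}
```

The identity running the deployment needs permission to write locks (Microsoft.Authorization/locks/write) in the target resource group, which the built-in Owner and User Access Administrator roles include.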