Resource group deployments with ARM templates
This article describes how to scope your deployment to a resource group. You use an Azure Resource Manager template (ARM template) for the deployment. The article also shows how to expand the scope beyond the resource group in the deployment operation.
Tip
We recommend Bicep because it offers the same capabilities as ARM templates and the syntax is easier to use. To learn more, see resource group deployments.
Supported resources
Most resources can be deployed to a resource group. For a list of available resources, see ARM template reference.
Schema
For templates, use the following schema:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
...
}
For parameter files, use:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
...
}
Deployment commands
To deploy to a resource group, use the resource group deployment commands.
For Azure CLI, use az deployment group create. The following example deploys a template to create a resource group. The resource group you specify in the --resource-group parameter is the target resource group.
az deployment group create \
--name demoRGDeployment \
--resource-group ExampleGroup \
--template-uri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.storage/storage-account-create/azuredeploy.json" \
--parameters storageAccountType=Standard_GRS
For more detailed information about deployment commands and options for deploying ARM templates, see:
- Deploy resources with ARM templates and Azure portal
- Deploy resources with ARM templates and Azure CLI
- Deploy resources with ARM templates and Azure PowerShell
- Deploy resources with ARM templates and Azure Resource Manager REST API
- Use a deployment button to deploy templates from GitHub repository
- Deploy ARM templates from Cloud Shell
Deployment scopes
When deploying to a resource group, you can deploy resources to:
- the target resource group from the operation
- other resource groups in the same subscription or other subscriptions
- any subscription in the tenant
- the tenant for the resource group
The only prohibited scope transitions occur from Resource Group to Management Group, or from Subscription to Management Group.
An extension resource can be scoped to a target that is different than the deployment target.
The user deploying the template must have access to the specified scope.
This section shows how to specify different scopes. You can combine these different scopes in a single template.
Scope to target resource group
To deploy resources to the target resource, add those resources to the resources section of the template.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
resource-group-resources
],
"outputs": {}
}
For an example template, see Deploy to target resource group.
Scope to resource group in same subscription
To deploy resources to a different resource group in the same subscription, add a nested deployment and include the resourceGroup property. If you don't specify the subscription ID or resource group, the subscription and resource group from the parent template are used. All the resource groups must exist before running the deployment.
In the following example, the nested deployment targets a resource group named demoResourceGroup.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2021-04-01",
"name": "nestedDeployment",
"resourceGroup": "demoResourceGroup",
"properties": {
"mode": "Incremental",
"template": {
resource-group-resources
}
}
}
],
"outputs": {}
}
For an example template, see Deploy to multiple resource groups.
Scope to resource group in different subscription
To deploy resources to a resource group in a different subscription, add a nested deployment and include the subscriptionId and resourceGroup properties. In the following example, the nested deployment targets a resource group named demoResourceGroup.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2021-04-01",
"name": "nestedDeployment",
"subscriptionId": "00000000-0000-0000-0000-000000000000",
"resourceGroup": "demoResourceGroup",
"properties": {
"mode": "Incremental",
"template": {
resource-group-resources
}
}
}
],
"outputs": {}
}
For an example template, see Deploy to multiple resource groups.
Scope to subscription
To deploy resources to a subscription, add a nested deployment and include the subscriptionId property. The subscription can be the subscription for the target resource group, or any other subscription in the tenant. Also, set the location property for the nested deployment.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2021-04-01",
"name": "nestedDeployment",
"location": "centralus",
"subscriptionId": "0000000-0000-0000-0000-000000000000",
"properties": {
"mode": "Incremental",
"template": {
subscription-resources
}
}
}
],
"outputs": {}
}
For an example template, see Create resource group.
Scope to tenant
To create resources at the tenant, set the scope to /. The user deploying the template must have the required access to deploy at the tenant.
To use a nested deployment, set scope and location.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2021-04-01",
"name": "nestedDeployment",
"location": "centralus",
"scope": "/",
"properties": {
"mode": "Incremental",
"template": {
tenant-resources
}
}
}
],
"outputs": {}
}
Or, you can set the scope to / for some resource types, like management groups.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"mgName": {
"type": "string",
"defaultValue": "[concat('mg-', uniqueString(newGuid()))]"
}
},
"resources": [
{
"type": "Microsoft.Management/managementGroups",
"apiVersion": "2021-04-01",
"name": "[parameters('mgName')]",
"scope": "/",
"location": "eastus",
"properties": {}
}
],
"outputs": {
"output": {
"type": "string",
"value": "[parameters('mgName')]"
}
}
}
For more information, see Management group.
Deploy to target resource group
To deploy resources in the target resource group, define those resources in the resources section of the template. The following template creates a storage account in the resource group that is specified in the deployment operation.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storagePrefix": {
"type": "string",
"minLength": 3,
"maxLength": 11
},
"storageSKU": {
"type": "string",
"defaultValue": "Standard_LRS",
"allowedValues": [
"Standard_LRS",
"Standard_GRS",
"Standard_RAGRS",
"Standard_ZRS",
"Premium_LRS",
"Premium_ZRS",
"Standard_GZRS",
"Standard_RAGZRS"
]
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
}
},
"variables": {
"uniqueStorageName": "[concat(parameters('storagePrefix'), uniqueString(resourceGroup().id))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-09-01",
"name": "[variables('uniqueStorageName')]",
"location": "[parameters('location')]",
"sku": {
"name": "[parameters('storageSKU')]"
},
"kind": "StorageV2",
"properties": {
"supportsHttpsTrafficOnly": true
}
}
],
"outputs": {
"storageEndpoint": {
"type": "object",
"value": "[reference(variables('uniqueStorageName')).primaryEndpoints]"
}
}
}
Deploy to multiple resource groups
You can deploy to more than one resource group in a single ARM template. To target a resource group that is different than the one for parent template, use a nested or linked template. Within the deployment resource type, specify values for the subscription ID and resource group that you want the nested template to deploy to. The resource groups can exist in different subscriptions.
Note
You can deploy to 800 resource groups in a single deployment. Typically, this limitation means you can deploy to one resource group specified for the parent template, and up to 799 resource groups in nested or linked deployments. However, if your parent template contains only nested or linked templates and does not itself deploy any resources, then you can include up to 800 resource groups in nested or linked deployments.
The following example deploys two storage accounts. The first storage account is deployed to the resource group specified in the deployment operation. The second storage account is deployed to the resource group specified in the secondResourceGroup and secondSubscriptionID parameters:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storagePrefix": {
"type": "string",
"maxLength": 11
},
"secondResourceGroup": {
"type": "string"
},
"secondSubscriptionID": {
"type": "string",
"defaultValue": ""
},
"secondStorageLocation": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
}
},
"variables": {
"firstStorageName": "[concat(parameters('storagePrefix'), uniqueString(resourceGroup().id))]",
"secondStorageName": "[concat(parameters('storagePrefix'), uniqueString(parameters('secondSubscriptionID'), parameters('secondResourceGroup')))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-04-01",
"name": "[variables('firstStorageName')]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS"
},
"kind": "Storage",
"properties": {
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2021-04-01",
"name": "nestedTemplate",
"resourceGroup": "[parameters('secondResourceGroup')]",
"subscriptionId": "[parameters('secondSubscriptionID')]",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-04-01",
"name": "[variables('secondStorageName')]",
"location": "[parameters('secondStorageLocation')]",
"sku": {
"name": "Standard_LRS"
},
"kind": "Storage",
"properties": {
}
}
]
},
"parameters": {}
}
}
]
}
If you set resourceGroup to the name of a resource group that doesn't exist, the deployment fails.
To test the preceding template and see the results, use PowerShell or Azure CLI.
To deploy two storage accounts to two resource groups in the same subscription, use:
firstRG="primarygroup"
secondRG="secondarygroup"
az group create --name $firstRG --location southcentralus
az group create --name $secondRG --location eastus
az deployment group create \
--name ExampleDeployment \
--resource-group $firstRG \
--template-uri https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/crosssubscription.json \
--parameters storagePrefix=tfstorage secondResourceGroup=$secondRG secondStorageLocation=eastus
To deploy two storage accounts to two subscriptions, use:
firstRG="primarygroup"
secondRG="secondarygroup"
firstSub="<first-subscription-id>"
secondSub="<second-subscription-id>"
az account set --subscription $secondSub
az group create --name $secondRG --location eastus
az account set --subscription $firstSub
az group create --name $firstRG --location southcentralus
az deployment group create \
--name ExampleDeployment \
--resource-group $firstRG \
--template-uri https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/crosssubscription.json \
--parameters storagePrefix=storage secondResourceGroup=$secondRG secondStorageLocation=eastus secondSubscriptionID=$secondSub
Create resource group
From a resource group deployment, you can switch to the level of a subscription and create a resource group. The following template deploys a storage account to the target resource group, and creates a new resource group in the specified subscription.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storagePrefix": {
"type": "string",
"maxLength": 11
},
"newResourceGroupName": {
"type": "string"
},
"nestedSubscriptionID": {
"type": "string"
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
}
},
"variables": {
"storageName": "[concat(parameters('storagePrefix'), uniqueString(resourceGroup().id))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-04-01",
"name": "[variables('storageName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS"
},
"kind": "Storage",
"properties": {
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2021-04-01",
"name": "demoSubDeployment",
"location": "westus",
"subscriptionId": "[parameters('nestedSubscriptionID')]",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2021-04-01",
"name": "[parameters('newResourceGroupName')]",
"location": "[parameters('location')]",
"properties": {}
}
],
"outputs": {}
}
}
}
]
}
Next steps
- For an example of deploying workspace settings for Microsoft Defender for Cloud, see deployASCwithWorkspaceSettings.json.