Setting scope for extension resources in ARM templates
Grein
An extension resource is a resource that modifies another resource. For example, you can assign a role to a resource. The role assignment is an extension resource type.
This article shows how to set the scope for an extension resource type when deployed with an Azure Resource Manager template (ARM template). It describes the scope property that is available for extension resources when applying to a resource.
To apply an extension resource type at the target deployment scope, you add the resource to your template, as would with any resource type. The available scopes are resource group, subscription, management group, and tenant. The deployment scope must support the resource type.
The following template deploys a lock.
JSON
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
},
"resources": [
{
"type": "Microsoft.Authorization/locks",
"apiVersion": "2016-09-01",
"name": "rgLock",
"properties": {
"level": "CanNotDelete",
"notes": "Resource Group should not be deleted."
}
}
]
}
When deployed to a resource group, it locks the resource group.
az deployment group create \
--resource-group ExampleGroup \
--template-uri"https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/scope/locktargetscope.json"
To apply an extension resource to a resource, use the scope property. Set the scope property to the name of the resource you're adding the extension to. The scope property is a root property for the extension resource type.
The following example creates a storage account and applies a role to it.
The resourceGroup and subscription properties are only allowed on nested or linked deployments. These properties are not allowed on individual resources. Use nested or linked deployments if you want to deploy an extension resource with the scope set to a resource in a different resource group.
Azure Microsoft.Resources/resourceGroups syntax and properties to use in Azure Resource Manager templates for deploying the resource. API version latest
Azure Microsoft.Authorization/roleAssignments syntax and properties to use in Azure Resource Manager templates for deploying the resource. API version 2022-04-01
Azure Microsoft.Authorization/roleAssignments syntax and properties to use in Azure Resource Manager templates for deploying the resource. API version latest