Azure / deployment-stacks

Contains Deployment Stacks CLI scripts and releases
MIT License

Questions after community call - Stacks behaviour with child resources #116

Closed D-Bissell closed 1 year ago

D-Bissell commented 1 year ago

Diverting here for a couple of questions after the Bicep community call https://github.com/Azure/bicep/discussions/11134

Are child resources automatically included in a stack with the parent resource? If the --deny-settings-mode is set on a stack with a parent resource (e.g. a VNET, or SQL MI Instance), will this prevent changes or deletes to child resources (e.g. subnet, managed database) like resource locks currently do? In my view, child resources will often belong to different lifecycles than the parent resource and should not be automatically included in a stack with the parent, and any deny settings should not extend to the child resources.

Can wildcards be used with --deny-settings-excluded-actions? E.g. Microsoft.Network/*/read

dantedallag commented 1 year ago

For your first question, child resources will never automatically be managed by the stack. We will only manage what is included in the template. So, if you only include a parent resource in a stack and set the DenySettingsMode to DenyDelete, only the parent will have deny assignments applied to it. If you want to extend deny assignments to children of that parent resource without having the children explicitly managed by the stack, you can use the DenySettingsApplyToChildScopes parameter.

To answer your second question, yes, wildcards like this should work.
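The behaviour described in the answer above, shown as an added Az PowerShell example that is not part of this issue or of the deployment-stacks project. It assumes the Az.Resources module, a signed-in session, an existing resource group (the `rg-stacks-demo` name and the template are constructed for the example), and a module version that accepts `-ActionOnUnmanage`.

```powershell
# Added example: a stack whose template contains only the parent VNET.
# Only the VNET becomes a stack-managed resource; subnets (child resources)
# are not managed, but DenySettingsApplyToChildScopes extends the deny
# assignment to them, and the wildcard excludes read actions from it.
$rg        = 'rg-stacks-demo'   # constructed resource group name
$stackName = 'vnet-stack'       # constructed stack name

# Constructed Bicep template: parent resource only, no subnet declared.
$bicep = @'
param location string = resourceGroup().location
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-demo'
  location: location
  properties: { addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] } }
}
'@
$templatePath = Join-Path ([IO.Path]::GetTempPath()) 'vnet-stack.bicep'
Set-Content -Path $templatePath -Value $bicep

# DenyDelete blocks deletes of managed resources; ApplyToChildScopes pushes the
# same deny assignment down to child resources such as subnets; the excluded
# action uses the wildcard pattern discussed in the issue. -ActionOnUnmanage
# is assumed to be supported by the installed module version.
$stack = New-AzResourceGroupDeploymentStack `
    -Name $stackName `
    -ResourceGroupName $rg `
    -TemplateFile $templatePath `
    -DenySettingsMode DenyDelete `
    -DenySettingsApplyToChildScopes `
    -DenySettingsExcludedAction 'Microsoft.Network/*/read' `
    -ActionOnUnmanage DetachAll `
    -Force

# Verify what the stack actually manages: expect only the VNET resource id,
# never a subnet, because subnets were not in the template.
$stack.Resources | Select-Object -ExpandProperty Id

# Verify the deny settings as recorded on the stack (mode, child-scope
# propagation, excluded actions); property names assumed from PSDeploymentStack.
$stack.DenySettings | Format-List Mode, ApplyToChildScopes, ExcludedActions
```

Drop `-DenySettingsApplyToChildScopes` to see the default: the deny assignment then covers the VNET alone and subnets remain changeable.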

D-Bissell commented 1 year ago

Excellent, thank you!