Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.3.5. 💡 First Principle: Deploying Governed Environments (Template Specs & Deployment Stacks)

First Principle: Governed environments are best deployed as repeatable, version-controlled packages and then managed together as a single unit, so that new environments are consistently "born compliant" and protected from drift.

Note on Azure Blueprints: You may still see Azure Blueprints referenced in older material. Microsoft has deprecated Azure Blueprints and recommends moving to Template Specs and Deployment Stacks, used together with Bicep/ARM templates and Azure Policy. This guide reflects that current guidance.

What They Are:
  • Template Specs: A way to store an ARM or Bicep template as a first-class Azure resource. You can version it and share it across your organization via RBAC, so teams deploy from a known, approved template instead of passing files around.
  • Deployment Stacks: An Azure resource that deploys the resources defined in a template and then manages that whole collection as a single unit. The stack tracks everything it created, so the environment can be updated or torn down consistently.

How It Works:
  1. Define the environment — network, policy assignments, role assignments, and other resources — in a Bicep or ARM template.
  2. Optionally publish that template as a Template Spec so it is versioned and reusable across the organization.
  3. Deploy it as a Deployment Stack. The stack records every resource it creates and manages them together.
  4. Apply deny settings on the stack to block unauthorized modification or deletion of the managed resources, keeping the environment compliant over time.
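
One way to check step 4 after deployment, as an added example that is not part of the original guide: a Python audit of a stack's exported JSON for settings that still leave room for drift. The field names are assumed to match the JSON printed by `az stack sub show`; the sample stack, principal ID and resource IDs are constructed.

```python
import json

# Constructed sample. Shape assumed to match: az stack sub show --name <stack> -o json
SAMPLE_STACK = json.loads("""{
  "name": "project-baseline",
  "denySettings": {
    "mode": "denyDelete",
    "excludedPrincipals": ["00000000-0000-0000-0000-000000000001"],
    "excludedActions": ["Microsoft.Network/networkSecurityGroups/write"]},
  "actionOnUnmanage": {"resources": "detach", "resourceGroups": "detach"},
  "resources": [
    {"id": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-proj/providers/Microsoft.Network/virtualNetworks/vnet-proj",
     "status": "managed", "denyStatus": "denyDelete"},
    {"id": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-proj/providers/Microsoft.Network/networkSecurityGroups/nsg-proj",
     "status": "managed", "denyStatus": "none"}]
}""")


def audit_stack(stack, allowed_principals=frozenset()):
    """Return findings where the stack's settings still permit drift."""
    findings = []
    deny = stack.get("denySettings") or {}
    mode = deny.get("mode") or "none"
    if mode == "none":
        findings.append("deny-mode: none, managed resources can be modified or deleted")
    elif mode == "denyDelete":
        findings.append("deny-mode: denyDelete blocks deletion only, in-place changes are allowed")
    for principal in deny.get("excludedPrincipals") or []:
        # Excluded principals bypass the deny settings; each should be a known pipeline identity.
        if principal not in allowed_principals:
            findings.append(f"excluded-principal: {principal} is not on the allow-list")
    for action in deny.get("excludedActions") or []:
        findings.append(f"excluded-action: {action} is exempt from the deny settings")
    if (stack.get("actionOnUnmanage") or {}).get("resources") == "detach":
        findings.append("unmanage: resources dropped from the template stay deployed but unmanaged")
    for res in stack.get("resources") or []:
        # Every tracked resource should be managed and carry the stack's deny mode.
        if res.get("denyStatus") != mode or res.get("status") != "managed":
            name = res["id"].rsplit("/", 1)[-1]
            findings.append(f"resource: {name} denyStatus={res.get('denyStatus')} status={res.get('status')}")
    return findings


if __name__ == "__main__":
    for line in audit_stack(SAMPLE_STACK):
        print(line)
```

An empty result means the stack blocks both writes and deletes, has no unreviewed exemptions, and every tracked resource carries the deny status.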

Scenario: An organization needs every new project started in Azure to get a standard, secure network configuration, a set of required tags, and specific access permissions for the project team. They want to automate this setup, keep it consistent across projects, and prevent anyone from quietly changing the deployed resources.

Reflection Question: How does deploying from a shared Template Spec, combined with a Deployment Stack's deny settings, help this organization ensure new environments are both consistent at creation and protected from drift afterward?

💡 Tip: Think of it as a division of labor: Bicep/ARM defines what to deploy, Template Specs make that definition shareable and versioned, and Deployment Stacks manage the deployed resources as one governed unit — together replacing what Azure Blueprints used to do.

Written by Alvin Varughese
Founder • 18 professional certifications