Docs/cookbook/azure/checklists/deployment

Azure Deployment Checklist

Version: 1.1.0 | Updated: 2026-07-16

Purpose

Gate promotion and rollback of a Azure subscription workload, Bicep module, managed identity, private endpoint, or release pipeline.

Why

A syntactically valid Azure artifact can still fail because of management-plane authorization or policy denial, ARM/Bicep dependency or API-version deployment failure, managed identity token/role mismatch, private DNS, route, NSG, or endpoint failure, throttling, quota, regional capacity, or service degradation. Promotion therefore requires target-state and rollback evidence.

How

Run against the exact target and immutable candidate. Preserve outputs from az version and az account show before evidence collection; az bicep build --file main.bicep; az deployment group what-if --resource-group <rg> --template-file main.bicep --parameters @prod.bicepparam; az role assignment list --assignee-object-id <object-id> --all; az monitor activity-log list --resource-group <rg> --offset 2h. Stop promotion on any failed item.

Version-aware caution

Capture Azure CLI/Bicep versions, resource-provider API versions, and service SKU/region capabilities. ARM API and managed-service features vary by API version, cloud, region, and SKU; a portal screenshot is not a reproducible contract.

Tradeoffs

Promotion waits for "Bicep build/lint and ARM What-If are retained and reviewed for deletes/replacements" and "target tenant, subscription, region, provider registration, quota, and policy state are preflighted". Those Azure target checks slow release but directly bound management-plane authorization or policy denial and make this rollback executable: Reapply the last approved Bicep/parameter artifact or route traffic to the prior deployment slot; never delete stateful resources to force convergence, and restore access changes through reviewed RBAC/policy state.

Anti-patterns

  • Portal-authored production resources create configuration that cannot be reviewed, reproduced, or safely rolled back.
  • Do not remove a native warning, validator, policy, or safety limit merely to make generated output pass.
  • Do not claim a successful result without preserving the command, target, artifact/revision, and observed output.

Enterprise considerations

Azure governance maps management groups to policy initiatives, centralizes Activity Logs and diagnostics, time-bounds exemptions, and records data residency and cost ownership.

Official sources

Checklist

  • Bicep build/lint and ARM What-If are retained and reviewed for deletes/replacements.
  • target tenant, subscription, region, provider registration, quota, and policy state are preflighted.
  • deployment identity has temporary least-privilege management-plane access.
  • data-plane RBAC propagation and managed identity are tested from the workload.
  • private DNS and endpoint connectivity are tested from every caller network.
  • Azure Monitor alerts, Activity Log, diagnostics, and Service Health routing are active.
  • safe-deployment rings use health criteria and stop on platform/user-impact regression.
  • rollback accounts for non-reversible data-plane changes and resource deletion locks.
  • Reapply the last approved Bicep/parameter artifact or route traffic to the prior deployment slot; never delete stateful resources to force convergence, and restore access changes through reviewed RBAC/policy state.
  • Evidence identifies version, target, artifact/revision, command or manual method, UTC time, and result.

Changelog

  • 1.1.0 (2026-07-16): Replaced generic gates with native Azure evidence and failure controls.
  • 1.0.0 (2026-07-16): Added initial checklist.