Azure Bicep doesn't delete storage container

Question

I have an Azure Bicep template that deploys a storage account and a container. However, when I rename the container or comment out the container resource in the template, the delete operation does not get triggered. Instead, it creates a new container and does not delete the old one. Any ideas why this happens?

Note: I use Mode Complete to deploy

I have a main.bicep file containing

param location string = resourceGroup().location

param storageAccountName string = 'test${uniqueString('newstring')}'
param storageContainerName string = 'testcontainer'

module storagAccounts '../resources/storage/storageAccounts.bicep' = {
  name: 'storageAccounts'
  params: {
     location: location
     storageAccountName: storageAccountName
  } 
}

module blobServices '../resources/storage/blobServices.bicep' = {
name: 'blobServices'
params: {
  storageAccountName: storagAccounts.outputs.storageAccountName
 }
}

module blobContainer '../resources/storage/containers.bicep' = {
 name: 'blobContainer'
 params: {
   containerName: storageContainerName
   blobServicesName: blobServices.outputs.blobServicesName
   storageAccountName: storagAccounts.outputs.storageAccountName
 }
}

I have a storageAccounts.bicep containing

targetScope = 'resourceGroup'

@minLength(3)
@maxLength(24)
param storageAccountName string

param location string

resource storageAccount 'Microsoft.Storage/storageAccounts@2021-02-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }

  tags: {
    environment: 'test'
  }

 
}

output storageAccountId string = storageAccount.id
output storageAccountName string = storageAccountName

a blobServices.bicep

param storageAccountName string 
param blobServicesName string = 'default'

resource blobServices 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
  name: '${storageAccountName}/${blobServicesName}'
}

output blobServicesName string = blobServicesName

and a container.bicep containing

param storageAccountName string
param blobServicesName string
param containerName string

resource storageContainer 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
  name: '${storageAccountName}/${blobServicesName}/${containerName}'
  properties: {
    publicAccess: 'None'
  }
}

output storageContainerName string = storageContainer.name

To deploy I use a PowerShell script

Get-AzResourceGroupDeploymentWhatIfResult -Mode Complete -Location westeurope -TemplateFile modules/main.bicep -ResourceGroup testResourceGroup


New-AzResourceGroupDeployment -Name deployment1 -Mode Complete -Location westeurope -TemplateFile modules/main.bicep -ResourceGroup testResourceGroup -Force

Answer 1

Thomas' answer is correct. However, to get the functionality of tracking managed resources in the bicep template, DeploymentStacks is the way to go not the Complete Mode.

using New-AzResourceGroupDeploymentStack -Name deploy -ResourceGroupName testResourceGroup -TemplateFile modules/main.bicep -DenySettingsMode none -DeleteResources -Force deletes the resources that are not defined in the template.

Note that the switch -DeleteResources must be added for this behavior to occur. And the name of the DeploymentStack must also be the same

Answer 2

According to the documentation, this is the expected behavior for storage account:

Resource types may handle complete mode deletions differently. Parent resources are automatically deleted when not defined in a template deployed in complete mode. Also, child resources are automatically deleted when the parent isn't included in the template. However, some child resources are deleted when not defined in the template but other child resources aren't deleted. For a list of how resource types handle deletion, see Deletion of Azure resources for complete mode deployments.

For example, if your resource group contains a storage account (Microsoft.Storage/storageAccounts resource type) and a blob service (Microsoft.Storage/storageAccounts/blobServices resource type), the storage account is the parent resource for the blob service. If you deploy with complete mode and don't include the storage account in your template, both the storage account and the blob service are deleted. If you include the storage account in your template but don't include the blob service, the blob service isn't deleted.

Additional information can be found here:

• Deletion of Azure resources for complete mode deployments