Management and Governance ARM deployments learning-path-anchor field-manual-complete field-manual-complete

Template spec version

A template spec version is the exact release of a template spec that you deploy. The parent template spec is the catalog item, while the version is the packaged template content at a point in time. For example, a platform team might publish secure-storage version 1.0, then later publish 1.1 with a diagnostic setting change. Application teams can keep using 1.0 until they are ready. This gives infrastructure templates a release model that feels closer to software versions than shared files or copied snippets.

Back to glossary browser Open Microsoft Learn source
Aliases
Template spec version, template spec version, Azure Template spec version, ARM Template spec version, template spec versions, Microsoft.Resources/templateSpecs/versions
Difficulty
fundamentals
CLI mappings
5
Last verified
2026-05-27

Microsoft Learn

A template spec version is the named deployable version inside an Azure Resource Manager template spec. It captures a specific template package so teams can deploy, inspect, export, retain, or retire that version while newer versions of the same template spec are developed.

Microsoft Learn: Azure Resource Manager template specs2026-05-27

Technical context

Template spec versions are child resources under Microsoft.Resources/templateSpecs. Each version stores the main template content, optional linked artifacts, description, tags, and metadata used for deployment. Azure CLI and ARM deployments reference a version by resource ID, including the parent spec name and versions segment. Versions are managed in the Azure control plane with RBAC inherited or assigned at the resource boundary. They help separate publication lifecycle from deployment lifecycle: a platform team can publish a new version without forcing every consumer to adopt it immediately.

Why it matters

Template spec versions matter because approved infrastructure changes need controlled rollout, rollback, and evidence. Without versions, teams either overwrite a shared template and surprise consumers, or copy files and drift forever. A version lets a pipeline pin exactly what it deploys, auditors see which artifact was used, and platform teams test a new release without breaking older workloads. Versioning is especially important for patterns that create networking, identity, security, or expensive resources. It turns infrastructure templates into managed release artifacts. The value is not just storage; it is traceability, compatibility, and safer adoption across teams. That traceability becomes essential during audit and rollback.

Where you see it

Signals, screens, and Azure surfaces where this term usually becomes operational.

Signal 01

In az ts list output for a parent template spec, versions appear as named child artifacts with descriptions, IDs, locations, and publish metadata. for release auditing

Signal 02

In deployment commands, the template spec version appears inside the --template-spec resource ID ending with Microsoft.Resources/templateSpecs/<name>/versions/<version>. during pinned deployments during audited release review and rollback drills

Signal 03

In audit evidence, version names and descriptions identify which approved infrastructure package was deployed, exported, deprecated, or retained for rollback. by consuming teams and auditors

When this becomes relevant

Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.

  • Pin production deployments to a known-good template artifact while testing a newer baseline with pilot teams.
  • Roll back to a previous infrastructure pattern when a new version introduces a bad default or provider conflict.
  • Prove to auditors exactly which version of a shared security or networking template was deployed.
  • Stage breaking changes by publishing a new major version while leaving older consumers on supported versions.
  • Export a version to compare published Azure content with the source commit that created it.

Real-world case studies

Different enterprise-style examples that show the term being used to hit measurable objectives.

Case study 01

Transit agency stages network baseline upgrades

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A metropolitan transit agency used template specs for station-network deployments. A new firewall logging requirement had to reach new stations quickly without disrupting older station projects already in construction.

Business/Technical Objectives
  • Publish the updated baseline without forcing all projects to adopt immediately.
  • Keep existing station deployments pinned to their approved version.
  • Give security teams evidence of which stations used the new logging rule.
  • Maintain rollback to the previous baseline for construction-delayed sites.
Solution Using Template spec version

The platform team published version 2.1 of the station network template spec with the new firewall diagnostics setting. Active construction projects stayed pinned to 2.0 until their change windows opened. New station pipelines referenced the full 2.1 version resource ID. Operators used az ts list to verify supported versions, az ts show to capture version IDs, and az ts export to compare the published artifact with the security-approved source commit. Version descriptions recorded the firewall logging change, approval ticket, and support status. After 90 days, projects still on 2.0 were reviewed before retirement.

Results & Business Impact
  • New station deployments reached 100% firewall logging compliance within two weeks.
  • No in-flight construction deployment was forced to change outside its approved window.
  • Rollback testing using version 2.0 completed in 38 minutes.
  • Security evidence mapped 47 station deployments to exact template versions.
Key Takeaway for Glossary Readers

A template spec version lets shared infrastructure evolve without turning every consumer into an involuntary early adopter.

Case study 02

Game studio rolls back launch telemetry template

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A game studio published a new telemetry baseline one week before a global launch. The new version changed diagnostic retention and caused unexpected Log Analytics ingestion during load tests.

Business/Technical Objectives
  • Identify the exact template version causing the ingestion spike.
  • Roll back new environments to the previous telemetry baseline.
  • Keep the improved dashboard settings for later retesting.
  • Reduce launch-week deployment risk without blocking game servers.
Solution Using Template spec version

The release team discovered that version 3.4 of the telemetry template spec increased verbose diagnostic categories for every regional environment. Pipelines had pinned the version resource ID, so rollback was straightforward: emergency releases switched back to version 3.3. Operators exported both versions and compared diagnostic settings, retention, and workspace targets. The 3.4 version description was updated to preview-only while engineers created a corrected 3.5. Cost and operations teams reviewed what-if output before any production adoption. Because older versions remained available, the launch platform did not need to rebuild templates from Git during the incident.

Results & Business Impact
  • Projected ingestion cost for launch week fell by 61% after reverting to 3.3.
  • Rollback across 12 regional environments completed in under 50 minutes.
  • The corrected 3.5 version passed load-test review two weeks later.
  • No game server deployment was delayed by the telemetry template issue.
Key Takeaway for Glossary Readers

Pinning and retaining template spec versions turns a risky shared-template mistake into a controlled rollback instead of a frantic artifact hunt.

Case study 03

Nonprofit proves grant-compliant infrastructure versions

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

An international nonprofit used donor-funded Azure environments for field data collection. Auditors asked which approved infrastructure version had created each country workspace during the grant period.

Business/Technical Objectives
  • Map country deployments to exact approved template versions.
  • Retain deployable artifacts through the grant audit window.
  • Show that newer versions were not applied retroactively.
  • Reduce manual evidence gathering for small platform teams.
Solution Using Template spec version

The platform engineer standardized template spec version descriptions with grant ID, source commit, approval date, and support status. Deployment pipelines recorded the template spec version resource ID in their release logs and output artifacts. During the audit, operators ran az ts show for sampled versions and az ts export to provide the stored template package. Older versions stayed available until each grant closed, even after newer versions improved tagging and private endpoint defaults. The audit package included deployment IDs, parameter files, and version IDs so reviewers could separate template content from country-specific parameter choices.

Results & Business Impact
  • Evidence collection for 19 country workspaces dropped from three weeks to four days.
  • Auditors traced 100% of sampled deployments to retained version IDs.
  • No workspace had to be redeployed solely to prove template content.
  • The nonprofit adopted a two-year retention policy for grant-related template versions.
Key Takeaway for Glossary Readers

Template spec versions provide practical auditability because they preserve the deployable artifact that existed when the infrastructure was created.

Why use Azure CLI for this?

I use Azure CLI for template spec versions because version handling is a release-management task. The CLI can create a version from a known file, list all versions for a parent spec, show the exact version resource ID, export the stored artifact, and update descriptions or tags. That makes it suitable for pipelines and audits. In real environments, the question is not “does a template exist?” but “which version did this subscription deploy, who can still deploy old versions, and can we recover the content?” CLI commands answer those questions consistently without relying on portal screenshots. It also prevents version evidence from living only in screenshots.

CLI use cases

  • Create a new template spec version from the release pipeline after validation passes.
  • List versions under a parent spec to find supported, deprecated, or experimental artifacts.
  • Show one version and copy the resource ID used by deployment commands.
  • Export a version for diffing against repository content during audit or incident review.
  • Update version descriptions or tags to mark support status without changing deployment content.

Before you run CLI

  • Confirm the parent template spec name, resource group, subscription, and version naming standard before publishing.
  • Verify contributor rights for publishing and reader rights for consumers who will deploy the version.
  • Validate the template and run what-if against representative scopes before creating a new shared version.
  • Check whether existing pipelines reference the version before updating descriptions, deleting it, or changing RBAC.
  • Use a clear version-description that records source commit, compatibility notes, and cost or security changes.

What output tells you

  • Create output confirms that the named version exists and shows the resource ID that consumers can deploy.
  • List output shows how many versions exist and whether old versions remain visible to consumers.
  • Show output confirms description, tags, location, ID, and parent spec context for the selected version.
  • Export output provides the stored template package for review, diffing, or emergency recovery.
  • Deployment output using a version proves which artifact ARM consumed, separate from parameter values and provider results.

Mapped Azure CLI commands

Template spec version release commands

direct
az ts create --resource-group <resource-group> --name <template-spec-name> --version <version> --location <region> --template-file main.bicep --version-description "<release-notes>"
az tsprovisionManagement and Governance
mutating Microsoft docs
az ts list --resource-group <resource-group> --name <template-spec-name> --output table
az tsdiscoverManagement and Governance
read-only Microsoft docs
az ts show --resource-group <resource-group> --name <template-spec-name> --version <version> --output json
az tsdiscoverManagement and Governance
read-only Microsoft docs
az ts export --resource-group <resource-group> --name <template-spec-name> --version <version> --output-folder <folder>
az tsoperateManagement and Governance
read-only Microsoft docs
az ts update --resource-group <resource-group> --name <template-spec-name> --version <version> --version-description "<status-note>" --yes
az tsconfigureManagement and Governance
mutating Microsoft docs

Architecture context

Architecturally, a template spec version is a contract between platform publishers and workload deployers. The parent spec defines the pattern name; the version defines the exact implementation. I treat versions like release artifacts: immutable in intent, described clearly, retained for rollback, and retired only with consumer coordination. Pipelines should pin versions instead of always deploying latest, especially for security, network, and data platform patterns. Semantic versioning helps, but the organization must define what major, minor, and patch mean for infrastructure behavior. Good version design prevents template sharing from becoming uncontrolled change propagation. That discipline keeps shared templates safe at scale.

Security

Security impact is direct because a version can embed security posture that many teams trust. A compromised or poorly reviewed version might weaken firewall rules, omit diagnostics, assign broad roles, or create public endpoints. RBAC should restrict who can create or update versions, and deployment permissions should be separate from publish permissions. Do not place secrets or environment-specific private values in version content. Review version diffs before publishing, keep older secure versions available during migration, and monitor version creation events. Consumers should deploy only approved versions, not whatever appears newest in the portal. Reviewers need that evidence before broad adoption.

Cost

A template spec version does not create large direct cost, but the versioned content can create large downstream cost. If a new version changes SKU defaults, retention settings, zone redundancy, replica counts, or optional resources, every consumer adopting it may increase spend. Keeping too many unused versions also creates governance overhead because each must be understood during audits and cleanup. Cost-aware versioning includes release notes for cost-affecting changes, FinOps review before publishing, and adoption tracking after release. Pinning versions helps avoid accidental cost changes from a moving latest template, especially in automated environments. Include those notes in the adoption plan.

Reliability

Reliability improves when deployments pin a known template spec version. If version 1.2 is stable, teams can continue deploying it while 1.3 is tested. Rollback is simpler because the previous artifact still exists and can be exported or redeployed. Reliability fails when publishers overwrite intent, delete versions prematurely, or use vague version names that hide breaking changes. Keep compatibility notes, avoid removing versions still referenced by active pipelines, and test new versions in representative subscriptions. For critical baselines, define a support window and emergency rollback path before publishing the next version. Document these rules before the release train begins.

Performance

Runtime performance is affected by what the version deploys, not by the version resource itself. A new version may change compute size, storage type, scaling rules, caching, diagnostics, or network topology. That means version adoption can improve or degrade workload performance across many teams. Deployment performance also improves when pipelines reference a stored version rather than packaging linked templates repeatedly from fragile locations. Before publishing, test the version under realistic parameters and compare what-if output. For shared baselines, document performance-affecting defaults clearly so consumers know whether adoption changes latency, throughput, or capacity. Consumers need that warning before rollout. Release evidence keeps Template spec version performance review practical for operators.

Operations

Operators work with template spec versions during releases, audits, and incident response. They list versions, show resource IDs, export content, verify descriptions, compare artifacts to Git commits, and identify which pipelines reference which version. Normal work includes publishing a new version after validation, marking old versions deprecated, cleaning unused versions, and granting deployers read access. Incident work often asks whether a bad deployment came from a faulty template version or wrong parameters. Good operations practice records version ID, source commit, publisher, validation evidence, deployment scopes, and retirement date in the change record. This record prevents version debates during incidents. Release evidence keeps Template spec version operations review practical for operators.

Common mistakes

  • Using latest by convention instead of pinning a version resource ID in production pipelines.
  • Deleting a version that still supports rollback, disaster recovery, or active consumer deployments.
  • Publishing a new version without documenting breaking changes, cost changes, or security posture changes.
  • Assuming version names are meaningful without a standard for major, minor, patch, and preview labels.
  • Letting contributors manually update versions outside the release pipeline, breaking traceability to source control.