There are few things more irritating than a carefully crafted ARM deployment that fails when you deploy it to a live Azure subscription, so in this installment, we are going to quickly review the options available for validating your ARM templates to ensure they will work.
In this article:
Native Options
Community Solutions
Coming Soon: what-if for ARM
Avoid This
There are a couple of native options for validating, but some go deeper than others.
The Azure Resource Group Deployment is a native task in Azure DevOps designed to deploy an ARM template to a new or existing resource group we specify, in the Azure subscription we choose. However, as you can see in Figure 1 we have specified "Deployment mode: Validation only", which means a resource group will be created and the ARM template syntax will be validated, but not actually deployed. It's important to note that this simple approach confirms your ARM template is syntactically correct, but does not verify it is actually deployable in your Azure subscription. This is demonstrated in Day 12 of the 100 Days of IaC series.
Figure 1. Azure Resource Group Deployment task settings in Azure Pipelines
Microsoft has moved to using PowerShell scripts in Azure DevOps pipelines, and even provides a sample pipeline you can import at "Setting Up Your Own CI/CD Pipeline in Azure DevOps". The pipeline references around a dozen PowerShell scripts used to validate various aspects of the deployment, which you can find in the following folder of the Azure QuickStart repo: https://github.com/Azure/azure-quickstart-templates/tree/master/test/ci-scripts.
There are two PowerShell cmdlets available in the Az.Resources module for validating ARM templates:
- Test-AzResourceGroupDeployment. The Test-AzResourceGroupDeployment cmdlet determines whether an Azure resource group deployment template and its parameter values are valid.
- Test-AzDeployment. The Test-AzDeployment cmdlet determines whether a deployment template and its parameter values are valid.
What's the difference between the two?
Basically, one targets a specific resource group, and the other targets the current subscription scope, but there's a bit more to it. I've described some of the differences a bit further below.
EXAMPLE: Test-AzResourceGroupDeployment
This command tests a deployment in the given resource group using an in-memory hashtable created from the given template file and a parameter file. In addition to what you see here, you could specify:
- the -ResourceGroup parameter
- the -Mode parameter, which can be complete or incremental
- a couple of -Rollback* parameter options
# Read the ARM template file into an in-memory hashtable
$TemplateFileText = [System.IO.File]::ReadAllText("D:\Azure\Templates\EngineeringSite.json")
$TemplateObject = ConvertFrom-Json $TemplateFileText -AsHashtable
# Validate the template object against the resource group, using the parameter file
Test-AzResourceGroupDeployment -ResourceGroupName "ContosoEngineering" `
    -TemplateObject $TemplateObject -TemplateParameterFile "D:\Azure\Templates\EngSiteParams.json"
EXAMPLE: Test-AzDeployment
This command tests a deployment at the current subscription scope using the given template file and parameters file. We can also specify the location to test viability in the subscription based on the region targeted.
Test-AzDeployment -Location "West US" -TemplateFile "D:\Azure\Templates\EngineeringSite.json" `
-TemplateParameterFile "D:\Azure\Templates\EngSiteParms.json"
Missing these cmdlets? Install the Az.Resources PowerShell module:
Install-Module Az.Resources -Force
There are a couple of community-based solutions for validating your ARM templates, which are described below.
This less common, but very thorough approach (and not for the faint-of-heart), from Microsoft MVP, the benevolent Tao Yang, is great if you want or need to go the extra mile in ensuring no unauthorized changes are made to your deployment templates. To quote Tao's detailed post on the solution:
Now can you ensure the ARM template you are deploying only deploys the resources that you intended to deploy. In other words, if someone has gone rogue or mistakenly modified the template, how can you make sure it does not deploy resources that’s not supposed to be deployed (i.e. a wide open VNet without NSG rules).
Check out the full walkthrough and source code in "Pester Test Your ARM Template in Azure DevOps CI Pipelines"
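One way to express the check described in the quote, as an added example (not Tao Yang's code, and written without Pester): compare the resource types a template declares, including nested child resources, against a reviewed allow-list. The template, the allow-list and the function names are constructed for illustration.

```powershell
# Constructed sample template (not from the post); "surprise-pip" stands in for an unreviewed change.
$templateJson = @'
{
  "contentVersion": "1.0.0.0",
  "resources": [
    { "type": "Microsoft.Network/virtualNetworks", "name": "eng-vnet",
      "resources": [ { "type": "subnets", "name": "web" } ] },
    { "type": "Microsoft.Storage/storageAccounts", "name": "engdata01" },
    { "type": "Microsoft.Network/publicIPAddresses", "name": "surprise-pip" }
  ]
}
'@

# Allow-list of resource types this template is meant to deploy (assumed values).
$expectedTypes = @(
    'Microsoft.Network/virtualNetworks',
    'Microsoft.Network/virtualNetworks/subnets',
    'Microsoft.Network/networkSecurityGroups',
    'Microsoft.Storage/storageAccounts'
)

# Walk resources recursively; a nested child declares only its last type segment.
function Get-ArmResourceType {
    param($Resources, [string]$ParentType = '')
    foreach ($r in @($Resources)) {
        if ($null -eq $r) { continue }
        $full = if ($ParentType) { "$ParentType/$($r.type)" } else { $r.type }
        $full
        if ($r.PSObject.Properties['resources']) {
            Get-ArmResourceType -Resources $r.resources -ParentType $full
        }
    }
}

# Report types that are declared but not allowed, and allowed but not declared.
function Get-ArmTemplateDrift {
    param([string]$TemplateJson, [string[]]$ExpectedTypes)
    $declared = @(Get-ArmResourceType -Resources ($TemplateJson | ConvertFrom-Json).resources)
    [pscustomobject]@{
        Unexpected = @($declared | Where-Object { $_ -notin $ExpectedTypes } | Sort-Object -Unique)
        Missing    = @($ExpectedTypes | Where-Object { $_ -notin $declared })
    }
}

$drift = Get-ArmTemplateDrift -TemplateJson $templateJson -ExpectedTypes $expectedTypes
$drift | Format-List
if ($drift.Unexpected.Count -or $drift.Missing.Count) {
    throw "Template drift: unexpected [$($drift.Unexpected -join ', ')]; missing [$($drift.Missing -join ', ')]"
}
```

In a pipeline the throw fails the step. Nested deployments (Microsoft.Resources/deployments) are reported as a single type here; their inner templates are not inspected.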
This one wraps the native Test-AzResourceGroupDeployment and parses the HTTP output. It's reasonably well-explained on the solution's Git repo and this blog post, but judging by the stars and follows on GitHub it doesn't seem to have picked up much of a following, though this is not necessarily a reflection on quality. Barbara's solution is definitely worth a look to see if it resonates with you at https://github.com/Ba4bes/Test-ArmDeployDetailed.
The long-awaited solution for ARM validation is the what-if functionality, now in Preview. It provides the what-if operation to let you see how resources will change if you deploy the template. The what-if operation doesn't make any changes to existing resources. Instead, it predicts the changes if the specified template is deployed. It will test for six (6) different kinds of changes: Create, Delete, Ignore, NoChange, Modify, and Deploy.
This works both for resource group based deployments and REST-based deployments, which means you should be able to test your management group deployments executed via REST API. We will unpack the what-if preview in a later post here in the 100 Days of IaC in Azure series.
Get the details and sign up for the Preview at "Resource Manager template deployment what-if operation (Preview)"
The Azure-Arm-Validator is described by the Microsoft author as "A tiny server which will validate Azure Resource Manager scripts". It requires some configuration, uses a MongoDB backend, and has been succeeded by the validation now available in native options like Test-AzResourceGroupDeployment and the pipeline-integrated PowerShell described above. Bottom line: probably nobody should be using it anymore.
ARM template validation is a topic with many facets, and a number of options to meet a variety of deployment scenarios. We hope this post jump starts your efforts in implementing a validation strategy for your ARM deployments. We have 46 days left, so don't hesitate to reach out if you have topics you'd like us to cover.