How to use Azure what-if command to validate changes before deploying an ARM template

Tags:  Azure
UPDATED 24/01/2023: You may be interested in a newer post about the entire ARM template lifecycle that includes What-If operation. You can read it here: How to validate, plan, and deploy ARM templates

Changes on production are dangerous and stressful. Fortunately, there are tools that make deployments safer and help prevent disasters. In this post you will learn how to use the Azure ‘what-if’ command to validate changes before deploying an ARM template.

Prerequisites

The ‘what-if’ operation is available in Azure PowerShell, Azure CLI, the Azure REST API, and the SDKs for .NET and Java. For this post I used Azure CLI 2.30 installed on a computer running Windows 11 21H2. Here you have the instructions to install Azure CLI.

This post is split into several examples based on this ARM template. The template is explained in this other post: How to create an Azure Keyvault secret and copy an access key using an ARM template.

I will deploy the template to an empty resource group named ‘whatifexample’.

First example: A new deployment

This example starts with an empty resource group. The what-if command will be used to check that the new deployment doesn’t affect any existing Azure resource. Note that the deployment runs in ‘--mode complete’, which deletes every resource in the resource group that is not declared in the template; in an empty resource group that is harmless, but in a shared one the ‘Delete’ entries of the what-if output are the first thing to read.

In the following code you must change the values of the parameters keyvaultName and storageAccountName, because those names are probably already in use (both must be globally unique). Execute the code in a PowerShell console:

az deployment group create `
    --resource-group whatifexample `
    --template-uri "https://gist.githubusercontent.com/Branyac/596fa5face8b5b0d5891b04ba4d75f27/raw/ec446ed10772ac8655fbaadc1b7fcfdc6749fc80/Azure-ARMTemplate-CreateStorageKeyvaultAndStoreKeyInSecret.json" `
    --parameters keyvaultName=kvexampletac storageAccountName=stexampletac storageKeyNumber=0 `
    --mode complete `
    --confirm-with-what-if

The important part is the parameter ‘--confirm-with-what-if’, which runs what-if before the deployment and asks for confirmation. The rest of the command is the same as a normal deployment.

This command runs a simulation and shows the list of changes that will be made when the deployment executes.

In this example the list of changes contains 5 Azure resources, but there are only 3 resources in the ARM template. This is because ARM templates are declarative: they describe the desired result, not how to achieve it, and in this case 2 extra resources are needed to reach that result.

After verifying that those changes are correct, execute the deployment by pressing ‘y’.

Second example: Remove a resource and create a new one

For this example I took the code of the previous example and changed the value of the parameter storageAccountName. Because the deployment runs in complete mode, this causes the deletion of the existing storage account (together with any data in it) and the creation of a new one with the new name:

az deployment group create `
    --resource-group whatifexample `
    --template-uri "https://gist.githubusercontent.com/Branyac/596fa5face8b5b0d5891b04ba4d75f27/raw/ec446ed10772ac8655fbaadc1b7fcfdc6749fc80/Azure-ARMTemplate-CreateStorageKeyvaultAndStoreKeyInSecret.json" `
    --parameters keyvaultName=kvexampletac storageAccountName=stexampletactwo storageKeyNumber=0 `
    --mode complete `
    --confirm-with-what-if

The colour of the output text indicates the type of operation: green for creation, violet for modification, and orange for deletion.

After validating the output, confirm the changes by pressing ‘y’.

Third example: Noise and limits of the what-if command

In this case I took the code of example two and changed the value of the parameter ‘storageKeyNumber’ to 1. This copies key2 of the storage account into the value of the secret:

az deployment group create `
    --resource-group whatifexample `
    --template-uri "https://gist.githubusercontent.com/Branyac/596fa5face8b5b0d5891b04ba4d75f27/raw/ec446ed10772ac8655fbaadc1b7fcfdc6749fc80/Azure-ARMTemplate-CreateStorageKeyvaultAndStoreKeyInSecret.json" `
    --parameters keyvaultName=kvexampletac storageAccountName=stexampletactwo storageKeyNumber=1 `
    --mode complete `
    --confirm-with-what-if

At first it may seem that the tool is broken, because the output shows changes in the storage account and not in the key vault. There’s an explanation for this.

The changes you see in the storage account are noise (false positives): what-if reports properties that the template never sets. Before ignoring an entry, check that your template really does not declare the reported property; once you are sure, you can disregard it. You may also report it to the what-if issues repository to help improve the command.

There is a missing change in the key vault. The value of a secret is write-only: the API never returns it, so what-if has nothing to compare the new value against and reports no change. However, if you open the secret in the Azure Portal after executing the deployment you will see two versions of this secret. In other words, what-if cannot warn you that a secret is about to be rotated; you have to know that from the template itself.
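One way to put the checks from the second and third examples into a pipeline, as an added example that is not part of the original post: the script below reads the JSON that ‘az deployment group what-if ... --no-pretty-print’ writes to standard output (the non-interactive counterpart of ‘--confirm-with-what-if’), blocks when a resource would be deleted unless that resource id was allowed explicitly, and separates ‘Modify’ entries on property paths you have already confirmed to be noise from real modifications that need review. The field names (status, changes[].resourceId, changeType, delta[].path) follow the what-if result format as I know it, the paths in KNOWN_NOISE are illustrative, and the sample document is constructed rather than captured from Azure; verify all three against your own CLI output before relying on the script.

```python
# Gate an ARM what-if result before the real deployment is run (added example).
import json
import sys

SUB = ("/subscriptions/00000000-0000-0000-0000-000000000000"
       "/resourceGroups/whatifexample/providers")

# Paths already confirmed to be what-if noise. Illustrative values (assumption).
KNOWN_NOISE = frozenset({"properties.networkAcls", "properties.supportsHttpsTrafficOnly"})

# Constructed sample in the shape of `az deployment group what-if --no-pretty-print`
# output, mirroring the post's second and third examples. Not captured from Azure.
SAMPLE_WHATIF = {"status": "Succeeded", "error": None, "changes": [
    {   # storageAccountName changed, so a new account is created...
        "resourceId": f"{SUB}/Microsoft.Storage/storageAccounts/stexampletactwo",
        "changeType": "Create", "before": None, "after": {"kind": "StorageV2"}, "delta": None},
    {   # ...and, because the deployment uses --mode complete, the old one is deleted
        "resourceId": f"{SUB}/Microsoft.Storage/storageAccounts/stexampletac",
        "changeType": "Delete", "before": {"kind": "StorageV2"}, "after": None, "delta": None},
    {   # one delta on a property the template never sets (noise) and one real change
        "resourceId": f"{SUB}/Microsoft.KeyVault/vaults/kvexampletac",
        "changeType": "Modify", "before": {}, "after": {}, "delta": [
            {"path": "properties.networkAcls", "propertyChangeType": "Delete",
             "before": {"defaultAction": "Allow"}, "after": None},
            {"path": "properties.enabledForDeployment", "propertyChangeType": "Modify",
             "before": False, "after": True}]},
    {   # the secret: its value is write-only, so the new version shows as NoChange
        "resourceId": f"{SUB}/Microsoft.KeyVault/vaults/kvexampletac/secrets/storagekey",
        "changeType": "NoChange", "before": {}, "after": {}, "delta": None},
]}


def changes_of(whatif):
    """Change list; tolerates `changes` at top level or under `properties`."""
    return whatif.get("changes") or whatif.get("properties", {}).get("changes") or []


def summarize(whatif):
    """Count changes per changeType, e.g. {"Create": 1, "Delete": 1, ...}."""
    counts = {}
    for change in changes_of(whatif):
        counts[change["changeType"]] = counts.get(change["changeType"], 0) + 1
    return counts


def split_delta(change, known_noise):
    """Split a Modify change's top-level delta paths into (real, noise) lists.

    A path is noise when it equals, or sits under, a known-noise path. Nested
    `children` entries are not descended: the top-level path already says
    whether the template declares that property at all.
    """
    real, noise = [], []
    for entry in change.get("delta") or []:
        path = entry["path"]
        is_noise = any(path == n or path.startswith(n + ".") for n in known_noise)
        (noise if is_noise else real).append(path)
    return real, noise


def gate(whatif, allowed_deletions=(), known_noise=KNOWN_NOISE):
    """Return (proceed, findings); findings are (level, resourceId, detail).

    "block" stops the deployment, "review" needs a human decision, "noise" is
    informational. A Delete is downgraded to "review" only when its resourceId
    was allowed explicitly: the safe default for complete-mode deployments.
    """
    findings = []
    if whatif.get("status") != "Succeeded":
        findings.append(("block", "<deployment>", f"what-if failed: {whatif.get('error')}"))
        return False, findings
    allowed = {rid.lower() for rid in allowed_deletions}
    for change in changes_of(whatif):
        rid, ctype = change["resourceId"], change["changeType"]
        if ctype == "Delete":
            level = "review" if rid.lower() in allowed else "block"
            findings.append((level, rid, "resource would be deleted"))
        elif ctype == "Modify":
            real, noise = split_delta(change, known_noise)
            if noise:
                findings.append(("noise", rid, "known-noise paths: " + ", ".join(noise)))
            if real:
                findings.append(("review", rid, "modified properties: " + ", ".join(real)))
        elif ctype == "Unsupported":
            findings.append(("review", rid, f"not evaluated: {change.get('unsupportedReason')}"))
    return not any(level == "block" for level, _, _ in findings), findings


def main(argv):
    """Usage: whatif_gate.py [whatif.json] [resourceId allowed to be deleted ...]"""
    whatif = SAMPLE_WHATIF  # no file given: run against the constructed sample
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            whatif = json.load(fh)
    proceed, findings = gate(whatif, allowed_deletions=argv[2:])
    print("changes by type:", summarize(whatif))
    for level, rid, detail in findings:
        print(f"[{level:6}] {rid}: {detail}")
    print("proceed with deployment" if proceed else "BLOCKED: unexpected deletion")
    return 0 if proceed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample blocked by the deletion of ‘stexampletac’; pass that resource id as a second argument and the same deletion is downgraded to ‘review’ and the exit code becomes 0. The ‘NoChange’ entry for the secret is deliberately left alone: as explained above, what-if cannot see a new secret version, so the gate cannot either, and rotation of the stored access key has to be tracked from the template parameters rather than from this output.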

Conclusions

The what-if command is a great tool to validate templates. Remember that ARM templates may create additional resources because they are declarative. The what-if command is not perfect: be careful with the noise. You must also understand how the Azure resources in the template work, because you may be modifying something that what-if cannot show as a change.

For more information and details, see the Microsoft Docs page ARM template deployment what-if operation.

Author

Sergio Monedero

I am excited to share my knowledge and insights on programming and devops through this personal website. I am a lifelong learner with a passion for technology, and I enjoy staying up-to-date on the latest industry trends.

Keep in touch with Me: SergioCoder@LinkedIn | Branyac@Github