Being able to recognise configuration drifts in Azure Resources via ARM Templates
At the moment, we can redeploy an ARM Template to fix non-desired configuration drifts. However, it would be ideal to be able to validate if a Resource Group presents drifts from given Template/Parameters. In some cases, we want to be informed when ad-hoc changes have been applied to any azure resources in a resource group which have not been vetted, tested, or recorded in source control, and act depending on the findings. Continuous deployment of an ARM Template to avoid configuration drifts is not always the best solution, as this might impact uptime of some resources and some intentional changes might be lost without a warning.
Paco de la Cruz
shared this idea
This is available via the what-if api: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-what-if?tabs=azure-powershell
We’re also working on a concept to lock the resources to prevent drift called deploymentStacks.
9 comments
-
Anonymous
commented
-
John Carew
commented
We would like to preview this as well.
-
John Crim
commented
I don't know how to "email back" here, but I'd like to included in the preview.
I would really like to see a "return the diff" API/Powershell Cmdlet for deploying ARM templates. Then we could implement logic to do nothing or deploy in different ways based on changes.
For example, Azure Service Fabric resources can't be updated at all (even with a 0 change ARM template) if the cluster size is < 3. If we could detect that there are no changes, we could skip that deployment.
-
Paul Pricop
commented
@Governance Team, it will be helpful to be able to validate if a deployment has any drifts. Please consider this functionally for a preview.
-
Sidharth Sachar
commented
Hi. I am an Azure engineer working for a major bank. We have an urgent requirement for this. I would like to be included in the preview.
-
Paco de la Cruz
commented
The Azure Resource Manager Event Grid Publisher allows us to monitor Configuration Drifts on Azure Resources. An simple example here:
https://blog.mexia.com.au/monitoring-configuration-drifts-on-azure-with-event-grid-and-logic-apps
However, you can do it with different approaches, like checking the author, that is not coming from the CI/CD Pipeline, etc. -
Mark Andrie
commented
+1 for this feature, it would be great for ARM to support a sort of "-WhatIf" or "--noop" syntax where you could run this template simulation and see what would change, all the way down to the properties on a specific Resource.
I would also like to see better logging of what actually changed during a template run
-
Paco de la Cruz
commented
To support incremental deployments, one option would be to be able to audit drifts on those resources included in the template.
-
Matt Short
commented
+2. this semi DSC would be a real life saver as we migrate to azure. the ability to call out a change and then add to the template once it has been approved/discussed would really help us settle on configs once we'rve started testing.