How can we improve the Azure Resource Manager?

Being able to recognise configuration drifts in Azure Resources via ARM Templates

At the moment, we can redeploy an ARM Template to fix non-desired configuration drifts. However, it would be ideal to be able to validate if a Resource Group presents drifts from given Template/Parameters. In some cases, we want to be informed when ad-hoc changes have been applied to any Azure resources in a resource group which have not been vetted, tested, or recorded in source control, and act depending on the findings. Continuous deployment of an ARM Template to avoid configuration drifts is not always the best solution, as this might impact uptime of some resources and some intentional changes might be lost without a warning.

46 votes

Paco de la Cruz shared this idea

7 comments

  • John Crim commented

    I don't know how to "email back" here, but I'd like to be included in the preview.

    I would really like to see a "return the diff" API/PowerShell Cmdlet for deploying ARM templates. Then we could implement logic to do nothing or deploy in different ways based on changes.

    For example, Azure Service Fabric resources can't be updated at all (even with a 0 change ARM template) if the cluster size is < 3. If we could detect that there are no changes, we could skip that deployment.

  • Paul Pricop commented

    @Governance Team, it will be helpful to be able to validate if a deployment has any drifts. Please consider this functionality for a preview.

  • Sidharth Sachar commented

    Hi. I am an Azure engineer working for a major bank. We have an urgent requirement for this. I would like to be included in the preview.

  • Paco de la Cruz commented

    The Azure Resource Manager Event Grid Publisher allows us to monitor Configuration Drifts on Azure Resources. A simple example here:
    https://blog.mexia.com.au/monitoring-configuration-drifts-on-azure-with-event-grid-and-logic-apps
    However, you can do it with different approaches, like checking the author, that is not coming from the CI/CD Pipeline, etc.
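
The check mentioned in the comment above (whether the author of a change is the CI/CD pipeline), as an added example that is not part of the original thread: it filters Azure Resource Manager events delivered through Event Grid and flags successful writes or deletes in a resource group whose caller is not the pipeline's service principal. The field names (`eventType`, `data.resourceUri`, `data.operationName`, `data.claims.appid` and the UPN claim) are assumed from the Event Grid schema for Azure subscription events; the pipeline application id, resource names and sample events are constructed.

```python
# Assumption: placeholder application (client) id of the pipeline's service principal.
PIPELINE_APP_ID = "00000000-0000-0000-0000-00000000c1cd"
WRITE = "Microsoft.Resources.ResourceWriteSuccess"
DELETE = "Microsoft.Resources.ResourceDeleteSuccess"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"


def find_adhoc_changes(events, resource_group, pipeline_app_id=PIPELINE_APP_ID):
    """Return a finding for each successful change in resource_group whose caller
    is not the pipeline. Events without caller claims are flagged, not skipped."""
    marker = f"/resourcegroups/{resource_group.lower()}/"
    findings = []
    for ev in events:
        if ev.get("eventType") not in (WRITE, DELETE):
            continue
        data = ev.get("data") or {}
        uri = data.get("resourceUri", "")
        # Trailing slash keeps "rg-prod" from matching "rg-prod-2".
        if marker not in uri.lower() + "/":
            continue
        claims = data.get("claims") or {}
        # appid names the client application; a portal user carries the portal's id.
        if (claims.get("appid") or "").lower() == pipeline_app_id.lower():
            continue
        findings.append({
            "resource": uri,
            "operation": data.get("operationName"),
            "caller": claims.get(UPN_CLAIM) or claims.get("appid") or "unknown",
        })
    return findings


def _event(event_type, group, name, op, claims):
    uri = f"/subscriptions/sub-0/resourceGroups/{group}/providers/Microsoft.Storage/storageAccounts/{name}"
    return {"eventType": event_type,
            "data": {"resourceUri": uri, "claims": claims,
                     "operationName": f"Microsoft.Storage/storageAccounts/{op}"}}


# Constructed sample events (not captured from a real subscription).
SAMPLE_EVENTS = [
    _event(WRITE, "rg-prod", "data01", "write", {"appid": PIPELINE_APP_ID}),
    _event(WRITE, "rg-prod", "data01", "write", {"appid": "portal", UPN_CLAIM: "alice@example.com"}),
    _event(DELETE, "RG-PROD", "logs01", "delete", {}),
    _event(WRITE, "rg-prod-2", "data02", "write", {UPN_CLAIM: "bob@example.com"}),
    _event("Microsoft.Resources.ResourceWriteFailure", "rg-prod", "data01", "write", {}),
]
for finding in find_adhoc_changes(SAMPLE_EVENTS, "rg-prod"):
    print(finding)
```

On the sample input this reports the portal change by alice@example.com and the delete with no caller claims, and ignores the pipeline's own write, the failed write and the change in `rg-prod-2`.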

  • Mark Andrie commented

    +1 for this feature, it would be great for ARM to support a sort of "-WhatIf" or "--noop" syntax where you could run this template simulation and see what would change, all the way down to the properties on a specific Resource.

    I would also like to see better logging of what actually changed during a template run.

  • Paco de la Cruz commented

    To support incremental deployments, one option would be to be able to audit drifts on those resources included in the template.

  • Matt Short commented

    +2. This semi DSC would be a real life saver as we migrate to Azure. The ability to call out a change and then add to the template once it has been approved/discussed would really help us settle on configs once we've started testing.
