what-if operation

[smholvoet]

As a person who ditched ARM templates in favor of Terraform only to run into some of the more obvious issues (Terraform not supporting certain resource and having issues keeping up with Azure's rapid pace)... I am big fan of this project ever since I first heard of it 💪

An important goal of Bicep -if not the main one- seems to be taking away some of the pain people are experiencing when making use of ARM templates. Talking about pain... I pretty much wasted an entire afternoon trying to get the what-if operation to work in combination with my CI/CD pipeline in Azure DevOps which deploys certain resources using ARM templates. I'm still trying to get the New-AzResourceGroupDeployment -Whatif to work but keep running into issues.

The main goal of this feature: having a convenient way to check whether the changes I've just made to my ARM templates will yield the expected results, without / before actually deploying 🚀. It should pull the current state of my resources in Azure and compare it to the to-be situation I will end up with if I actually deploy my stuff.

I'm a fan of terraform's plan command which gives you an overview of:

• Which resources will be created from scratch
• Which resources will be completely removed
• Which resources will be modified, showing the exact properties that will be modified

How will Bicep approach this? Will this end up being a separate command?

[macux]

100% this! Currently "developing" in ARM can be a laborious process that reminds me of the days of having to just run an application to see if it works. It can be very time consuming, especially when the documentation is incomplete on a given resource type.

An ideal world for us would make ARM/bicep development mirror any other type of development, i.e. local first with tests, through CI/CD with higher level tests and into production. We do use ARM in CI but it sometimes feels risky and as above, testing sometimes means kicking off a full CI & D process to check for sure that something works.

Related although possibly off topic here - when doing PoC's we often click around in the portal and then move resources into ARM when we're happy. If we could reliably and accurately generate ARM or bicep code from the template option that would be massively helpful, currently generated templates aren't always complete.

[slavizh]

As far as I understand the plan is: there is no change in what-if to comply with Bicep. Basically the flow is will be the following:

1. Your bicep file is converted to ARM template
2. ARM Template is executed with What-If
3. ARM Template is validated
4. ARM Template is deployed

I think their plan is to be able to make all these things with single command just like today you have New-AzDeployment.

In case if you are not aware you can run any of the Az deployment commands with what-if only without performing actual deployment. You can grab the results and based on the outcome execute or not actual deployment. As What-If is is in preview currently there is a lot of noise which the guys are trying to fix.

Hope this helps!

[alex-frankel]

Stan has it right. We will still run what-if off of the generated JSON, though we will make it easy to run that by pointing to a bicep file. i.e.:

New-AzResourceGroupDeployment -TemplateFile ./main.bicep -ResourceGroupName myRg -Confirm

w.r.t to this statement:

wasted an entire afternoon trying to get the what-if operation to work in combination with my CI/CD pipeline in Azure DevOps which deploys certain resources using ARM templates. I'm still trying to get the New-AzResourceGroupDeployment -Whatif to work but keep running into issues.

Can you give us some more details of what issues you were running into? If needed, can you open a dedicated issue in the http://github.com/azure/arm-template-whatif repo?

[smholvoet]

@alex-frankel

The solution I'm trying to deploy contains linked templates, which means I need a public URI. Running the following what-if command:

az deployment group what-if --resource-group <...> `
                            --template-file .\deployment\template.json `
                            --parameters .\deployment\parameters-dev.json

... results in the following validation errors:

This command is in preview. It may be changed/removed in a future release.
ValidationError: MultipleErrorsOccurred - Multiple error occurred: BadRequest,BadRequest,BadRequest,BadRequest. Please see details.
BadRequest - The provided content link 'modules/AutomationAccount.json' is invalid or not supported. Content link must be an absolute URI not referencing local host or UNC path.
BadRequest - The provided content link 'modules/Datafactory.json' is invalid or not supported. Content link must be an absolute URI not referencing local host or UNC path.
BadRequest - The provided content link 'modules/AzureSQL.json' is invalid or not supported. Content link must be an absolute URI not referencing local host or UNC path.
BadRequest - The provided content link 'modules/AzureAnalysisServices.json' is invalid or not supported. Content link must be an absolute URI not referencing local host or UNC path

Checking out your ARM files and running what-if locally without having to push files to a storage container would be nice.

EDIT: Finally got things working in my Azure DevOps pipeline:

- task: AzureFileCopy@3
        displayName: 'Copy Modules Folder'
        inputs:
            SourcePath: '$(Pipeline.Workspace)/infra/Modules'
            azureSubscription: '$(ServiceConnectionName)'
            Destination: 'AzureBlob'
            storage: '$(StorageAccountName)'
            ContainerName: '$(ContainerName)'
            BlobPrefix: 'modules'
            outputStorageUri: 'storageURI'
            outputStorageContainerSasToken: 'storageSAS'
          
- task: AzureCLI@2
inputs:
    azureSubscription: '<...>'
    scriptType: 'ps'
    scriptLocation: 'inlineScript'
    inlineScript: |
    az deployment group what-if --name 'what-if' `
                                --resource-group $(ResourceGroupDev) `
                                --template-file $(Pipeline.Workspace)/$(TemplateFile) `
                                --parameters $(Pipeline.Workspace)/infra/deployment/parameters-dev.json `
                                --parameters templateLocation=$(storageURI) templateSasToken='"$(storageSAS)"'

I would rather have an easy way to check out my ARM files (hopefully soon to be Bicep 😄 files), make the required changes and do my validations locally without the need for public URI's and/or Azure DevOps.

Anyway, this seems to be a known limitation regarding linked templates, instead of an issue with the what-if API.

[alex-frankel]

Right, once we have bicep modules, this will become trivially easy. There won't be any need to do a file copy since the bicep "project" will compile into a single ARM template with nested templates inline (representing each module). From there, you can call what-if and everything should "just work", so you can get rid of the AzureFileCopy task and you won't need to deal with any SAS tokens!

In the short term you will still call bicep build main.bicep before calling what-if on the transpiled JSON, but eventually the bicep transpiler will be built into Az CLI, so at that point you can replace the script required in the AzureCLI task to point to your main .bicep file. The CLI will take care of the build step for you.

[alex-frankel]

I'll plan to leave this open until we ship modules as part of our 0.2 release, at which point you can verify if we are doing what you would expect.

[slavizh]

@smholvoet You will also be able to use Template Spec in the future where bicep files when transformed to ARM Templates can be uploaded as solution to Template Specs and if you have some linked templates you will not have to upload them to storage account.
more info: https://www.youtube.com/watch?v=5sOI-66Ir4U&feature=youtu.be

[smholvoet]

Neat stuff, looking forward to the 0.2 release 👍

[alex-frankel]

Closing since modules are implemented. Also, we are working on #858 which will allow you to run what-if directly with a .bicep file