Increase confidence in your deployments with Azure Bicep

Every time I am writing code, in this case Azure Bicep to deploy resources to my environment, I want to ensure I am doing so in a secure and controlled manner. Not only do I utilize GitHub for source control and create branches when adding new resources to safeguard my working code, I also make use of a feature called GitHub Actions.

Actions or pipelines help you automate and test your code and ensure you do not miss anything or introduce vulnerabilities into your working code. Personally I will often manually run both:

az deployment group validate
az deployment group what-if

before I even think of running...

az deployment group create

...if I am creating resources somewhere that infrastructure & resources already exist.

But if you are working with a team or you introduce many changes there is a risk that someone will think "oh well, I simply made a small change" and push it straight to production.

I don't know how many times I have broken things with "small changes" and have had to troubleshoot deployments and resources because of it. This is why I try to validate and run what-if at all times.

If you are working in a larger team and wish to have more control, GitHub Actions or Azure DevOps Pipelines are great tools, and I intend to write a piece on that technology in the future. This post is aimed more at the lone individual and what you can do yourself to get some of the benefits of more control and confidence in your deployments. With Actions or Pipelines, the idea is to protect your main branch with these automated controls to ensure no faulty code is introduced into the main codebase.

They can trigger on a pull-request to the main branch for instance.

The validate command

The validate command runs a quick check on your Bicep code and looks for errors or mistakes that are known not to work, even without looking at your Azure environment and what resources you already have there. It can be something like naming conventions or restrictions for certain resources, for example. Some resources cannot have the "-" character, for instance, or have a maximum number of allowed characters. Validate catches these small mistakes immediately so you can correct them.

The what-if operation

The what-if operation takes things one step further than the validate command: it performs what is called the "pre-flight" validation and simulates a deployment of your code to your location. It will tell you which resources will be created, modified, deleted & ignored. This is a great way for you to catch changes that you had not intended.
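One way to turn that what-if review into a repeatable check before running create, as an added example that is not from the original post: it reads the JSON that `az deployment group what-if --no-pretty-print` prints and lists every change outside an allow-list. The sample input, the resource names, the `review_whatif` helper and the allow-list policy are all assumptions made for illustration.

```python
import json

# Constructed sample shaped like `az deployment group what-if --no-pretty-print`
# output; the subscription, resource group and resource names are made up, and
# it mixes all four outcomes the post names so each one is exercised.
RG = "/subscriptions/0000/resourceGroups/rg-demo/providers/"
SAMPLE = json.dumps({
    "status": "Succeeded",
    "changes": [
        {"changeType": "Create",
         "resourceId": RG + "Microsoft.Network/virtualNetworks/vnet-demo"},
        {"changeType": "Modify",
         "resourceId": RG + "Microsoft.Storage/storageAccounts/stdemo001",
         "delta": [{"path": "properties.supportsHttpsTrafficOnly",
                    "propertyChangeType": "Modify",
                    "before": True, "after": False}]},
        {"changeType": "Delete",
         "resourceId": RG + "Microsoft.KeyVault/vaults/kv-demo"},
        {"changeType": "Ignore",
         "resourceId": RG + "Microsoft.Web/sites/app-demo"},
    ],
})

# Assumption: change types this hypothetical policy lets through without review.
ALLOWED = {"Create", "NoChange", "Ignore"}


def review_whatif(raw, allowed=ALLOWED):
    """Return (ok, findings); findings lists every change outside `allowed`."""
    result = json.loads(raw)
    if result.get("status") != "Succeeded":
        return False, [f"what-if did not succeed: {result.get('status')}"]
    findings = []
    for change in result.get("changes") or []:
        kind = change.get("changeType", "Unknown")
        if kind in allowed:
            continue
        name = change.get("resourceId", "?").rsplit("/", 1)[-1]
        # For modified resources, name the properties that would change.
        paths = [d.get("path", "?") for d in change.get("delta") or []]
        detail = f" ({', '.join(paths)})" if paths else ""
        findings.append(f"{kind}: {name}{detail}")
    return not findings, findings


if __name__ == "__main__":
    ok, findings = review_whatif(SAMPLE)
    print("\n".join(findings))
    print("safe to run create" if ok else "stop and review before create")
```

Findings are returned for a human to read rather than dropped, so a reported change that turns out to be what-if noise is dismissed by a person, not by the script.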

Confidence and a heads-up

The above commands are all about building confidence in your code and your deployment. If the validate operation shows no error and the what-if command does not give you any surprises, you can be pretty confident your deployment will act the way you wanted it to.

Be aware though that the what-if command is still "under development" and will still generate a lot of what they call "noise" that should not be shown to you in a proper what-if operation. The Azure Bicep team is working on this and I hope it will continue to improve as they release new versions of the language.