Validating Azure Resource Manager Templates in Your Build Pipeline on Azure DevOps
Azure Resource Manager Templates is great way of including Infrastructure as Code in to your development practices. ARM Templates can be used to manage your resources on Azure and in some cases, manage configuration as well.
When your infrastructure becomes more complex, your ARM Templates will also become larger and complex. And you should treat your infrastructure code the same way you treat your application code. They should be versioned, source controlled and also tested and validated. By doing this, you can be confident that your Infrastructure code is up to the highest quality and also will not give you problems at deployment time.
In this article, I’ll talk about an approach that we can use to validate our Azure Resource Manager templates. As you know, ARM templates are written in JSON. And these JSON files should be validated for syntactic correctness and validated against the schema used in the ARM templates and validated against the Resource Group on top of which the ARM template is deployed on.
We can use the Azure DevOps build pipeline to do this validation. All you need to do is to add few build steps and configure them properly. I have an ARM Template that I need to validate and to do that, have created a build definition on Azure DevOps, I’ll take you through the steps involved in validating the ARM template.
Validating ARM Template
To validate the ARM Template, we will use 2 steps.
- JSONLint to validate the JSON Syntax of the ARM Template
- Azure Resource Group Deployment Task to validate against the Schema and Resource Group
Note: At this point, you might have some questions. Especially if you know how to user Azure Resource Group Deployment task to validate the templates. I’ll address why I did, what I did later :)
JSONLint is a npm package we can use to validate the json syntax. Azure Resource Group Deployment Task is the same task that we can use for deploying an ARM template to Azure.
Install JSONLint Globally in the Build Agent
Add the npm task in to your build definition in Azure DevOps. Then change the command to custom and add install jsonlint -g in to the command and arguments input field.
Run JSONLint Against the ARM Template
Next search for Command Lint task in the available task list and add it. Then add jsonlint your-template_-file.json to the Script section of the task. In the advanced section you can select the Working Directory where the Template JSON file resides.
Validate ARM Template with Azure Resource Group Deployment
Next, add the Azure Resource Group Deployment task to the build definition and configure it. Set the Azure Subscription, Select the Resource Group and the Location. Then select the Template file and Template Parameter file from the source control repository.
Finally, the most important step in the task, set the Deployment Mode to Validation Only to make sure we only validate the template, not deploy the template.
Now we are ready to validate the ARM template. Queue a build to validate your ARM Template.
Why I Did, What I Did
The Azure Resource Group Deployment task also validates the JSON syntax when it is validating the ARM template. So why did I use the JSONLInt package to validate the syntax of the ARM Template?
For me it’s mainly because the amount of details I get in the output when I run in to issues. In my view the Azure Resource Group Deployment task provides very little details about the syntax issues compared to JSONLint. And for me the amount of details I see in the output helps me a lot to pin-point the issue and fix it. Look at the example below,
Validating a template with a missing comma (,)
The following output was given when validating the ARM template JSON syntax with the Azure Resource Group Deployment task.
The following output was given when validating the ARM template JSON syntax with JSONLInt
As you can clearly see, the extra information on the JSON lint task makes it easy to pin-point the syntax issue with the json file. The screenshot below shows the exact line where the error is.
Also for me, by using a separate task to validate the JSON syntax, I’m sure that if the Azure Resource Group Deployment task validation fails, it will be related to the ARM template Schema and the Resources it is trying to deploy. So, my focus is right where it should be.
Still IMHO, I think the output for validation errors shows when validating against the schema and the resource group could be further improved in the Azure Resource Group Deployment task.
Practical Use Case
One great practical use of this kind of validation is you can include this in a Pull Request build in Azure DevOps. In the projects I am working on we heavily use ARM templates to automated and manage infrastructure (sometimes configuration as well) so it’s easier for us to do repeatable deployments safely. And we follow the practice of using pull requests to merge code in to our main branches and use Pull Requests to peer review our code changes.
With the use of Branch Policies in Azure DevOps, we have configured a build task to be run every time a pull request is created. And in this build task, I have configured the above steps to validate the ARM templates before merging them in to the main branches. This ensures that we always merge tested infrastructure code in to our main branches and we minimize deployment issue caused by syntax and other validation error that can be introduced during the development process.
In this article we discussed about why we should validate our Infrastructure code and how we can validate our Azure Resource Manager templates on Azure DevOps. And then we discussed the reasoning behind some of the choices I made and a real-world use case of validating ARM templates in the day to day development activities. I hope you enjoyed this article and I’ll see you in the next one.
You Might Also Like
← Previous Post