Alex KeySmith

Reputation: 17101

Test-AzureRmResourceGroupDeployment doesn't validate nested resource

I'm looking to incorporate Test-AzureRmResourceGroupDeployment into a build pipeline so I know before deployment whether the template / parameters have any major problems.

However, I'm finding that if I use nested deployments it provides no validation of the nested deployment whatsoever; I can have a bad templateLink -> uri, with incorrect variables even in the URI, and it still validates as successful.

I have tried with a local template, a template uri, with/without hashed parameters and parameters file just in case.

I assume that underneath, the AzureRM PowerShell is using the Resource Manager API; it doesn't hint at what the validate actually does with nested templates: https://learn.microsoft.com/en-us/rest/api/resources/deployments/validate

Anything I've missed? Any suggestions on how to validate the entire template? Do I need to parse the nested templates, somehow reconstruct the parameters from JSON and do the sub-deployments by hand (which would be a shame)?

Upvotes: 2

Views: 607

Answers (2)

Alex KeySmith

Reputation: 17101

Reading a forum post from a Microsoft employee in the Resource Manager team (a private forum, so unfortunately I cannot provide a link), it appears Test-AzureRmResourceGroupDeployment does "template expansion", which, as 4c74356b41 has also kindly pointed out, means surely the nested template validation should work...

So further experimentation has led to finding a limitation in the validation; see below for an example. If a variable is missing entirely in a nested deployment, it doesn't appear to be picked up as a validation warning in the parent template, and it also appears to interfere with the template expansion, leading to the nested template being ignored as well.

If "parameters": { "missing" : "[variables('PURPOSEFULLY_MISSING')]" } is removed then the template is validated as normal and the nested template also.

Snippet of the overall template for just the nested resources:

  "resources": [
    {
      "name": "[variables('deploymentName')]",
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2018-05-01",
      "properties": {
        "mode": "Incremental",
        "templateLink": {
          "uri": "[variables('deploymentUri')]",
          "contentVersion": "1.0.0.0"
        },
        "parameters": { "missing" :  "[variables('PURPOSEFULLY_MISSING')]"  }
      }
    }
  ],

Upvotes: 3
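
A pipeline step can catch the case this answer describes before the validate call is made. The following is an added example, not the poster's code or part of AzureRM: the function name Get-UndefinedArmVariable and the sample template are constructed for illustration, and it assumes variables are declared only in the top-level "variables" object (it does not fetch linked templates or handle variable copy loops).

```powershell
# Added example: the function name and sample template are constructed for illustration.
function Get-UndefinedArmVariable {
    param([Parameter(Mandatory = $true)][string]$TemplateJson)

    $template = $TemplateJson | ConvertFrom-Json

    # Names declared in the top-level "variables" object (the section may be absent).
    $declared = @()
    if ($template.variables) {
        $declared = @($template.variables.PSObject.Properties.Name)
    }

    # Every variables('name') reference in the raw text, which includes the
    # "parameters" block handed to a Microsoft.Resources/deployments resource.
    $pattern = "variables\(\s*'([^']+)'\s*\)"
    $referenced = [regex]::Matches($TemplateJson, $pattern, 'IgnoreCase') |
        ForEach-Object { $_.Groups[1].Value } |
        Sort-Object -Unique

    # -notcontains compares case-insensitively.
    @($referenced | Where-Object { $declared -notcontains $_ })
}

# Constructed sample modelled on the snippet above.
$sample = @'
{
  "variables": {
    "deploymentName": "nested",
    "deploymentUri": "https://example.invalid/nested.json"
  },
  "resources": [
    {
      "name": "[variables('deploymentName')]",
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2018-05-01",
      "properties": {
        "mode": "Incremental",
        "templateLink": { "uri": "[variables('deploymentUri')]", "contentVersion": "1.0.0.0" },
        "parameters": { "missing": "[variables('PURPOSEFULLY_MISSING')]" }
      }
    }
  ]
}
'@

$missing = Get-UndefinedArmVariable -TemplateJson $sample
if ($missing) {
    throw "Undefined template variables: $($missing -join ', ')"
}
```

On the constructed sample the final check throws and names PURPOSEFULLY_MISSING, so the build fails before the template reaches Test-AzureRmResourceGroupDeployment.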

4c74356b41

Reputation: 72171

That is not true; it will validate a nested deployment even if you gate it with condition: false, so you are doing something wrong. We would need to look at the template and how you are calling the cmdlet to understand what's going on.

As to the validation: there is no real way to validate that the deployment works (Test-AzureRmResourceGroupDeployment is just garbage, extremely low value). The only way to validate it - deploy it.

Upvotes: 2
