Tool to filter out false positive predictions (noise) in "az deployment group what-if"
I developed a tool to filter out false positive predictions (noise) in az deployment group what-if, which is used to deploy Azure resources with ARM or Bicep.
See also: ottijp/az-deployment-denoise
tl;dr
az deployment group what-if results may contain false positive predictions (noise). az-deployment-denoise can hide changes which you are confident are safe to ignore.
Motivation
I want to use Bicep as SSoT (Single Source of Truth) and deploy all Azure resources every time, including existing ones, to achieve IaC (Infrastructure as Code).
However, the az deployment group what-if result may show changes even when there are no actual changes, known as false positive predictions (noise).
It makes me anxious to deploy if the result indicates changes that shouldn’t exist.
I needed a way to ignore changes that I’m sure are false positives (idempotent with az deployment group create), so I developed a tool to filter out the changes based on configured rules.
Additionally, you should report an issue to the official repository when you encounter false positive predictions. This tool is intended as a temporary solution until the issue is resolved.
Example of false positive predictions (noise) in “az deployment group what-if”
As the command's own output states, az deployment group what-if results may contain false positive predictions (noise). The group part of the command can be tenant, sub or mg depending on the scope.
Note: The result may contain false positive predictions (noise). You can help us improve the accuracy of the result by opening an issue here: https://aka.ms/WhatIfIssues
Here is a false positive example using the following Bicep code, which defines an Azure App Service Plan resource and an Azure Functions resource.
param location string = resourceGroup().location
param functionAppName string
param appServicePlanName string

resource appServicePlan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: appServicePlanName
  location: location
  sku: {
    name: 'B1'
  }
  kind: 'FunctionApp'
}

resource functionApp 'Microsoft.Web/sites@2022-09-01' = {
  name: functionAppName
  location: location
  kind: 'functionapp'
  properties: {
    serverFarmId: appServicePlan.id
    siteConfig: {
      appSettings: [
        {
          name: 'FUNCTIONS_EXTENSION_VERSION'
          value: '~4'
        }
        {
          name: 'FUNCTIONS_WORKER_RUNTIME'
          value: 'node'
        }
      ]
    }
  }
}
Immediately after deploying these resources (az deployment group create), the what-if result will be as follows.
az deployment group create --template-file false-positive-example.bicep --name test-deployment --resource-group test-rg --parameters functionAppName=test-func-denoise appServicePlanName=test-plan
az deployment group what-if --template-file false-positive-example.bicep --name test-deployment --resource-group test-rg --parameters functionAppName=test-func-denoise appServicePlanName=test-plan
Note: The result may contain false positive predictions (noise).
You can help us improve the accuracy of the result by opening an issue here: https://aka.ms/WhatIfIssues
Resource and property changes are indicated with these symbols:
  + Create
  ~ Modify
  = Nochange
The deployment will update the following scope:
Scope: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg
  ~ Microsoft.Web/sites/test-func-denoise [2022-09-01]
    + properties.siteConfig.localMySqlEnabled: false
    + properties.siteConfig.netFrameworkVersion: "v4.6"
  = Microsoft.Web/serverfarms/test-plan [2022-09-01]
Resource changes: 1 to modify, 1 no change.
The result indicates changes even though the Bicep code hasn’t been altered. This false positive is reported in the following link.
The result using “az-deployment-denoise”
Using az-deployment-denoise, the result will be as follows.
Note: The result may contain false positive predictions (noise).
You can help us improve the accuracy of the result by opening an issue here: https://aka.ms/WhatIfIssues
This result has been filtered using az-deployment-denoise: https://github.com/ottijp/az-deployment-denoise
Resource and property changes are indicated with these symbols:
  = Nochange
The deployment will update the following scope:
Scope: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg
  = Microsoft.Web/serverfarms/test-plan [2022-09-01]
  = Microsoft.Web/sites/test-func-denoise [2022-09-01]
Resource changes: 2 no change.
The following changes in the Azure Functions resource were filtered out.
properties.siteConfig.localMySqlEnabled: false
properties.siteConfig.netFrameworkVersion: "v4.6"
How to use “az-deployment-denoise”
Install it with npm. (Docker support will be added in the future.)
npm install -g az-deployment-denoise
Define rules that ignore changes in az-deployment-denoise.json.
{
  "rules": [
    {
      "providerNamespace": "Microsoft.Web",
      "resourceType": "sites",
      "propertyPath": "properties.siteConfig.localMySqlEnabled"
    },
    {
      "providerNamespace": "Microsoft.Web",
      "resourceType": "sites",
      "propertyPath": "properties.siteConfig.netFrameworkVersion"
    }
  ]
}
Finally, execute az deployment group what-if with --no-pretty-print and input its output to az-deployment-denoise.
az deployment group what-if --no-pretty-print --template-file false-positive-example.bicep --name test-deployment --resource-group test-rg --parameters functionAppName=test-func-denoise appServicePlanName=test-plan | az-deployment-denoise
For more details on rule conditions and other features, see the repository page.
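The rule matching described above, sketched as an added example (this is not the az-deployment-denoise source code). It assumes the what-if JSON carries a changes array with resourceId, changeType and a delta list of property paths, and that rules match property paths exactly; the function names and the properties.httpsOnly change in the sample are hypothetical.

```javascript
// Added sketch of rule-based what-if filtering; not the az-deployment-denoise source.
// Constructed sample in the assumed shape of `what-if --no-pretty-print` JSON:
// the two noise properties from the article plus one hypothetical real change.
const SCOPE = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg';
const sampleWhatIf = {
  changes: [
    {
      resourceId: `${SCOPE}/providers/Microsoft.Web/sites/test-func-denoise`,
      changeType: 'Modify',
      delta: [
        { path: 'properties.siteConfig.localMySqlEnabled', propertyChangeType: 'Create', after: false },
        { path: 'properties.siteConfig.netFrameworkVersion', propertyChangeType: 'Create', after: 'v4.6' },
        { path: 'properties.httpsOnly', propertyChangeType: 'Modify', before: true, after: false },
      ],
    },
    { resourceId: `${SCOPE}/providers/Microsoft.Web/serverfarms/test-plan`, changeType: 'NoChange', delta: null },
  ],
};

// Same rules as the az-deployment-denoise.json shown in the article.
const rules = ['localMySqlEnabled', 'netFrameworkVersion'].map((name) => ({
  providerNamespace: 'Microsoft.Web',
  resourceType: 'sites',
  propertyPath: `properties.siteConfig.${name}`,
}));

// Extract namespace and type from ".../providers/<namespace>/<type>/<name>".
// Nested or unparseable IDs return null, so their changes are never filtered.
function parseResourceId(resourceId) {
  const m = /\/providers\/([^/]+)\/([^/]+)\/[^/]+$/.exec(resourceId);
  return m ? { ns: m[1].toLowerCase(), type: m[2].toLowerCase() } : null;
}

function denoise(whatIf, ruleList) {
  const changes = whatIf.changes.map((change) => {
    const id = parseResourceId(change.resourceId);
    if (change.changeType !== 'Modify' || !id || !Array.isArray(change.delta)) return change;
    const isNoise = (d) => ruleList.some((r) =>
      r.providerNamespace.toLowerCase() === id.ns &&
      r.resourceType.toLowerCase() === id.type &&
      r.propertyPath === d.path); // exact path match only, no wildcards
    const delta = change.delta.filter((d) => !isNoise(d));
    // Report NoChange only when every property change matched a rule.
    return delta.length ? { ...change, delta } : { ...change, changeType: 'NoChange', delta: [] };
  });
  return { ...whatIf, changes };
}

const filtered = denoise(sampleWhatIf, rules);
console.log(filtered.changes.map((c) => `${c.changeType}: ${(c.delta || []).map((d) => d.path)}`));
```

Because the third change in the sample matches no rule, the resource stays Modify and the change is still reported. Keeping each propertyPath rule this specific means real drift on the same resource is not hidden together with the noise.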
See also: ottijp/az-deployment-denoise