Improve your IaC game in Azure with Template Specs

If you have worked with IaC (Infrastructure as Code) in Azure you must have stumbled upon Azure Resource Manager templates or just ARM templates. They declaratively describe your Azure resources, so that you can have your infrastructure described as code.

You‘re probably going to agree with this: Working with ARM templates is not the smoothest thing in the world! One of the drawbacks you might have discovered is that they are not so easily shared.

Let’s look at a scenario:

You have an ARM template containing some Azure infrastructure that you want to deploy. The ARM template is kept in a repository along with the rest of your code and you want to deploy it in a CI/CD pipeline.

Here’s where the trouble arises. In order to be able to deploy the ARM template, the repository will need to be publicly accessible. If you are working open source, this is fine, but everyone’s not that comfortable sharing their source code. Those who use private repositories are forced to download the ARM template and manually deploy it to Azure. If people start keeping local copies of the templates, the code is bound to start diverging.

Luckily, Microsoft is aware of this too. In 2018 they introduced Azure Blueprints, which I have written about here, and in 2020 they introduced Template Specs, which we will take a closer look at now.

Keep in mind that both Azure Blueprints and Template Specs are in preview at the time of writing!

Template Specs to the rescue

Template Specs allow you to store your ARM templates in Azure, as an Azure resource. And it is this resource that we’ll now be deploying. It works as a wrapper around the ARM templates, and fortunately, creating a template spec doesn’t require public repositories!

The fact that we’re now dealing with a resource in Azure brings along a bunch of benefits. The ARM template is now stored in a central place from where it can be deployed. No more local copies! And as with resources in Azure in general we get Azure’s native RBAC (Role-Based Access Control). Only those with sufficient privileges can read and/or deploy the template spec.

Another thing worth mentioning is versioning. When you create a template spec you give it a version. If you, later on, need to adjust the template, you do that and recreate the template spec with a new version. This way you have full control over what’s been deployed earlier.

Template specs in action

Let’s look at an example. We’re going to deploy a simple ARM template that represents a virtual network with a few lines of PowerShell.

Here is our ARM template:

The first thing we are going to do is create a resource group in Azure. This is where we are going to store our template spec and our virtual network:

New-AzResourceGroup -Name BorgesResourceGroup -Location westeurope

Feel free to keep the template spec in a separate resource group. In this case, we deploy to the same group just for simplicity. Now that we have a resource group we can create the template spec based on the ARM template.

New-AzTemplateSpec `
    -Name BorgesTemplateSpec `
    -Version 1 `
    -ResourceGroupName BorgesResourceGroup `
    -Location westeurope `
    -TemplateFile C:\src\div\SimpleTemplateSpec/arm-template.json

Running this command creates a template spec with version 1. Now let’s actually deploy the template spec. To do that we first need to retrieve the ID of the template spec.

$id = (Get-AzTemplateSpec -Name BorgesTemplateSpec -ResourceGroupName BorgesResourceGroup -Version 1).Versions.Id

When we have the ID we can run a resource group deployment:

New-AzResourceGroupDeployment -ResourceGroupName BorgesResourceGroup -TemplateSpecId $id

After running these commands we will end up with a resource group containing two resources: A template spec and a virtual network, like shown below:

As we can see the template spec is a resource in Azure just like other resources. If we click into it we can see that it supports a bunch of stuff like Access control and versioning:

So that’s it. With no more than four PowerShell commands you can create a cloud environment in Azure using template specs.

Conclusion

ARM templates alone are quite limited. They are hard to share, as they require a public endpoint. Template Specs solves this as well as adding some extra functionality. Using template specs along with a CI/CD pipeline can potentially make your life a lot easier and really improve your IaC game in Azure.