Using ARM-TTK in GitHub to test Azure ARM template
Olivier Miossec


Publish Date: Jun 16

Testing the compliance of your Infrastructure as Code: ARM-TTK for Bicep and ARM templates.

Identifying common code issues before the code can be shipped to production is a task that all companies, big or small, should do, especially when these issues are related to security.

This should include all code, including Infrastructure as Code. With Terraform, you can use Terrascan or TfSec. What can we do with Bicep and ARM templates? Well, there is a solution called Azure Resource Manager Template Toolkit or ARM-TTK.

ARM-TTK is a PowerShell tool designed to perform tests on ARM template code. It goes beyond what a simple linter does, validating code, and it checks if the template is compliant with best practices.

ARM-TTK is not new; I have talked about it in another post. Here I want to demonstrate how to automate compliance testing in GitHub.

To use ARM-TTK in GitHub, we need to download it, unzip the package, and load the module.

But how to integrate it into a GitHub pipeline?

There are two solutions: build your pipeline or use a ready-to-use GitHub action.

To use ARM-TTK in your pipeline, you will have to download it from GitHub, decompress the zip file, load the module, and test your template.

You can create a PwSh script similar to this one.

```powershell
<#
.SYNOPSIS
    This script downloads and installs the arm-ttk module from the latest release on GitHub and imports the module.

    It takes only one parameter, the path to the template file to be tested.

    It tests the template referenced in the parameter against the arm-ttk rules.

.DESCRIPTION
    This script downloads and installs the arm-ttk module from the latest release on GitHub and imports the module. Then it tests the template given in the templatePath parameter against the arm-ttk rules and exits with code 1 if any test fails, so the workflow step fails too.

.PARAMETER templatePath
    Define the path of the template to be tested
#>

param (
    [Parameter(Mandatory)]
    [ValidateScript({ Test-Path $_ -PathType Leaf })]
    [string]$templatePath
)

# Getting the latest release of arm-ttk from GitHub.
# The /releases/latest URL redirects to /releases/tag/<version>; the final URL gives us the version tag.
$armttkLatestRelease = "https://github.com/Azure/arm-ttk/releases/latest"

try {
    $armttkLatestReleaseContent = Invoke-WebRequest -Uri $armttkLatestRelease -UseBasicParsing -HttpVersion 1.1 -Method Get -ErrorAction Stop
} catch {
    Write-Error "Failed to retrieve the latest release information from GitHub."
    exit 1
}

# Last path segment of the redirected request URI is the release tag
$armttkLatestReleaseContentRedirectURIArray = ($armttkLatestReleaseContent.BaseResponse.RequestMessage.RequestUri.AbsolutePath).Split("/")
$armttkLatestReleaseVersionTag = $armttkLatestReleaseContentRedirectURIArray[$armttkLatestReleaseContentRedirectURIArray.Length - 1]

if (-not $armttkLatestReleaseVersionTag) {
    Write-Error "Failed to parse the latest release version tag."
    exit 1
}

$armttkLatestReleaseVersionZipUri = "https://github.com/Azure/arm-ttk/releases/download/$($armttkLatestReleaseVersionTag)/arm-ttk.zip"

try {
    Invoke-WebRequest -Uri $armttkLatestReleaseVersionZipUri -OutFile "./arm-ttk.zip" -ErrorAction Stop
} catch {
    Write-Error "Failed to download the arm-ttk module from GitHub."
    exit 1
}

try {
    Expand-Archive -Path "./arm-ttk.zip" -DestinationPath "./" -Force -ErrorAction Stop
} catch {
    Write-Error "Failed to extract the arm-ttk module."
    exit 1
}

try {
    Import-Module ./arm-ttk/arm-ttk/arm-ttk.psd1 -Force -ErrorAction Stop
} catch {
    Write-Error "Failed to import the arm-ttk module."
    exit 1
}

# Testing the template against arm-ttk rules
$results = @(Test-AzTemplate -TemplatePath $templatePath)
$results | Format-Table -AutoSize Name, Passed, Group

# Without an explicit non-zero exit code the workflow step stays green even when tests fail
$failed = @($results | Where-Object { -not $_.Passed })
if ($failed.Count -gt 0) {
    Write-Host "$($failed.Count) of $($results.Count) arm-ttk tests failed."
    exit 1
}
```

The script looks up the latest version on GitHub, downloads it, and uses the module to test the ARM template passed via the $templatePath parameter.
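When a workflow tests a whole folder of templates, the raw Test-AzTemplate output is hard to read in the job log. The following script is an added example, not part of the original post or of the arm-ttk project: it runs Test-AzTemplate over a folder, turns each failure into a GitHub Actions error annotation on the template file, writes a markdown table to the job summary, and exits non-zero when anything fails. It assumes the module manifest is at the same path the download script above uses (`./arm-ttk/arm-ttk/arm-ttk.psd1`), and that the result objects expose the `Name`, `Group`, `Passed`, `File` and `Errors` properties; the `-Skip` parameter of Test-AzTemplate is used to leave out tests you have consciously decided not to enforce.

```powershell
<#
.SYNOPSIS
    Added example: runs arm-ttk against every template in a folder and reports
    the results as GitHub Actions annotations, a job summary and an exit code.
#>
param (
    [Parameter(Mandatory)]
    [ValidateScript({ Test-Path $_ -PathType Container })]
    [string]$TemplateFolder,

    # Module manifest path; assumption: same layout the download script produces
    [string]$ModulePath = './arm-ttk/arm-ttk/arm-ttk.psd1',

    # arm-ttk test names to skip, e.g. 'apiVersions-Should-Be-Recent' when pinned on purpose
    [string[]]$Skip = @()
)

Import-Module $ModulePath -Force -ErrorAction Stop

# Test-AzTemplate accepts a folder and tests every template it finds there
$testParams = @{ TemplatePath = $TemplateFolder }
if ($Skip.Count -gt 0) { $testParams['Skip'] = $Skip }
$results = @(Test-AzTemplate @testParams)

$failed = @($results | Where-Object { -not $_.Passed })

# GitHub workflow commands: one ::error annotation per failed test, attached to the template file
foreach ($r in $failed) {
    $file = if ($r.File) { $r.File.FullName } else { $TemplateFolder }
    # Errors are ErrorRecords; "$_" gives the message text
    $message = ($r.Errors | ForEach-Object { "$_" }) -join '; '
    Write-Host "::error file=$file,title=arm-ttk $($r.Name)::$message"
}

# Job summary (only when running inside GitHub Actions, where the variable is set)
if ($env:GITHUB_STEP_SUMMARY) {
    $lines = @('| Group | Test | File | Result |', '|---|---|---|---|')
    foreach ($r in $results) {
        $state = if ($r.Passed) { 'pass' } else { 'FAIL' }
        $fileName = if ($r.File) { $r.File.Name } else { '' }
        $lines += "| $($r.Group) | $($r.Name) | $fileName | $state |"
    }
    $lines += ''
    $lines += "**$($failed.Count) failed / $($results.Count) total**"
    Add-Content -Path $env:GITHUB_STEP_SUMMARY -Value $lines
}

Write-Host "arm-ttk: $($results.Count) tests, $($failed.Count) failed"
if ($failed.Count -gt 0) { exit 1 }
```

Call it from the workflow step as `./scripts/armttk-folder.ps1 -TemplateFolder ./templates` (path is an assumption). Keeping the skip list in the script invocation rather than editing the module's test files means every exception is visible in the repository history, which is what you want when a reviewer asks why a rule is not enforced.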

The YAML file to run the script in a workflow:

```yaml
name: demo-arm-ttk

on:
  push:
    branches:
      - main

permissions:
  id-token: write
  contents: read

jobs:

  test-demo:

    name: demo arm-ttk test
    runs-on: ubuntu-latest
    steps:

      - name: Checkout
        uses: actions/checkout@v4

      - name: Run Test
        shell: pwsh
        run: ./scripts/psarmttk.ps1 -templatePath "./templates/vm01.json"
```

You can also use the ready-to-use action-armttk action, but be aware that its latest version is from 2023 and it is still a preview: https://github.com/microsoft/action-armttk

The YAML file should look like this:

```yaml
name: On pull request

on:
  pull_request:
    branches:
      - main

jobs:
  validate-module-files-with-armttk:
    uses: microsoft/action-armttk/.github/workflows/arm-ttk@0.0.5
    with:
      bicepFile: main.bicep
      workingPath:
```
