Preflight check with AzAPI

One of the cool feature switches in the AzAPI Terraform provider is preflight validation.

If enabled, this provides further checks against your resources at plan stage, one of which is checking for Azure Policy violations.

Cool, right? Let’s see how to enable it:

provider "azapi" {
  enable_preflight = true
}

That. Is. It.

We’ll make a couple resources:

  • a resource group,
  • a built-in policy assignment restricting locations to New Zealand North

& then a demo that will:

  • use azapi preflight
  • attempt to deploy a storage account to East US

It’s time for Good Vibes

Copilot Edits! Please Make it so!

⏱️…

That almost worked. After a bit of editing, we have a repository to explore preflight and policy:

https://github.com/kewalaka/azapi-preflight 🎉

Without preflight

The readme walks you through the steps of setting up the pre-reqs and running the demo.

Let’s quickly make a small change to set the pre-flight flag to false, then we run a plan:

Plan: 3 to add, 0 to change, 0 to destroy.

It all looks good - but is it?!

Preflight checks at plan

OK - now we change pre-flight back to “true”, and re-run the plan:

[Image: Policy says no.]

Great - it picked up the policy violation.

Further down in the message it gives the name of the policy and the assignment location (redacted to protect my subscription’s innocence!)

It even shows the evaluation against each of the policy criteria:

{
  "type": "PolicyViolation",
  "info": {
    "evaluationDetails": {
      "evaluatedExpressions": [
        {
          "result": "True",
          "expressionKind": "Field",
          "expression": "location",
          "path": "location",
          "expressionValue": "eastus2",
          "targetValue": [
            "newzealandnorth"
          ],
          "operator": "NotIn"
        },
        {
          "result": "True",
          "expressionKind": "Field",
          "expression": "location",
          "path": "location",
          "expressionValue": "eastus2",
          "targetValue": "global",
          "operator": "NotEquals"
        },
        {
          "result": "True",
          "expressionKind": "Field",
          "expression": "type",
          "path": "type",
          "expressionValue": "Microsoft.Storage/storageAccounts",
          "targetValue": "Microsoft.AzureActiveDirectory/b2cDirectories",
          "operator": "NotEquals"
        }
      ]
    }
  }
}

So, New Zealand North is “not in” East US - well, ain’t that the truth!
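
An added example (not from the demo repository): a small Python helper that reads one PolicyViolation entry in the shape shown above and lists the conditions that matched, useful for surfacing the reason for a denial in a CI log. The function names and the trimmed sample are constructed for illustration; extracting the JSON from the Terraform error message is assumed to have happened already.

```python
import json

# Constructed sample: the PolicyViolation entry shown above, cut to two expressions.
SAMPLE = """
{
  "type": "PolicyViolation",
  "info": {"evaluationDetails": {"evaluatedExpressions": [
    {"result": "True", "expressionKind": "Field", "expression": "location",
     "path": "location", "expressionValue": "eastus2",
     "targetValue": ["newzealandnorth"], "operator": "NotIn"},
    {"result": "True", "expressionKind": "Field", "expression": "type",
     "path": "type", "expressionValue": "Microsoft.Storage/storageAccounts",
     "targetValue": "Microsoft.AzureActiveDirectory/b2cDirectories",
     "operator": "NotEquals"}
  ]}}
}
"""


def format_target(target):
    """targetValue is a list for NotIn and a plain string for NotEquals."""
    if isinstance(target, list):
        return "[" + ", ".join(map(str, target)) + "]"
    return str(target)


def matched_conditions(detail):
    """Return (path, summary) for every expression whose result is "True".

    Entries that are not PolicyViolation, or that lack evaluationDetails,
    yield an empty list instead of raising.
    """
    if detail.get("type") != "PolicyViolation":
        return []
    info = detail.get("info") or {}
    expressions = (info.get("evaluationDetails") or {}).get("evaluatedExpressions") or []
    matched = []
    for expr in expressions:
        # "result" arrives as the string "True", not a JSON boolean.
        if str(expr.get("result", "")).lower() != "true":
            continue
        summary = "{} {} {}".format(
            expr.get("expressionValue"), expr.get("operator"),
            format_target(expr.get("targetValue")))
        matched.append((expr.get("path"), summary))
    return matched


if __name__ == "__main__":
    for path, summary in matched_conditions(json.loads(SAMPLE)):
        print(f"{path}: {summary}")
```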

More info

There’s a simple readme in the demo repo that will guide you through the above.

Preflight is available in AzAPI 2.0.1.

You can read more about it in the official documentation on Preflight Validation, along with its other capabilities such as extended validation.

At the time of writing, the default behaviour is not to enable preflight, so to make use of this capability be sure to enable this feature today!

This post is licensed under CC BY 4.0 by the author.