azure / arm-template-whatif Goto Github PK

A repository to track issues related to what-if noise suppression

License: MIT License

HTML 100.00%

arm-template-whatif's Introduction

Welcome to the ARM Template What-If issues repo

This repo is a little bit abnormal in that it is solely for keeping track of issues in the ARM Template what-if API. If you want to learn more about the what-if feature, you can take a look at this doc on the full capabilities of the what-if API and corresponding PowerShell cmdlet.

For a guided tutorial on What-If, check out this MS LEARN module.

Install PowerShell module

To use What-If in PowerShell, install a preview version of the Az.Resources module from the PowerShell gallery by running:

Install-Module Az.Resources -RequiredVersion 1.12.1-preview -AllowPrerelease

If you previously installed an alpha version of the what-if module, take the steps described in the ARM template deployment what-if operation (Preview) doc to uninstall that module.

What types of issues are you looking for?

The what-if issues fall into two buckets:

Noise in the diff: These are cases when what-if thinks a resource property will be changed (most often deleted) when in fact no change will occur. This is the primary motivation for this issue repo.
Issues with formatting or general usability of the cmdlet or API: There could be issues with formatting the diff, a parameter set may not be working correctly, etc.

Why does noise occur?

Often times, a property may be returned in a GET request for a resource that is not specified in the ARM template. The What-If API has a noise reduction service to catch these false positives and not return them. However, there are many cases where these could be missed. When this happens, it's likely that the what-if API will tell you that a resource will be modified and a specific property is deleted.

Let's look at an example.

Below is a storage account object declaration in an ARM Template, which is a little different than a pure REST API PUT body:

{
  "name": "storagedczol7xfovaoe",
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2019-04-01",
  "sku": {
    "name": "Standard_LRS"
  },
  "kind": "Storage",
  "location": "eastus",
}

And here is only part of what the storage account looks like on GET. We've shortened in this readme, but you can see the full body here:

{
  "sku": {
    "name": "Standard_LRS",
    "tier": "Standard"
  },
  "kind": "Storage",
  "id": "/subscriptions/e93d3ee6-fac1-412f-92d6-bfb379e81af2/resourceGroups/test-005/providers/Microsoft.Storage/storageAccounts/storagedczol7xfovaoe",
  "name": "storagedczol7xfovaoe",
  "type": "Microsoft.Storage/storageAccounts",
  "location": "eastus",
  "tags": {},
  "properties": {
    "networkAcls": {
      "bypass": "AzureServices",
      "virtualNetworkRules": [],
      "ipRules": [],
      "defaultAction": "Allow"
    },
    "supportsHttpsTrafficOnly": true,
    ...
  }
}

In order to output a clean diff, we do post-processing on the diff to remove all of this noise, but there are many cases that have not yet been accounted for. If we run the same storage account creation through what-if, then we will see some of this noise:

How do I submit an issue?

In order to take an action on noise you encounter, please open an issue and include the following information:

Resource type (i.e. Microsoft.Storage/storageAccounts)
apiVersion (i.e. 2019-04-01)
Client (PowerShell, Azure CLI, API)
Relevant ARM Template code (we only need the resource object specified in 1 and 2, but if it's easier you can include the entire template
Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Sample issue

You can see a sample issue for the above here. Hopefully it gets closed soon :)

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

arm-template-whatif's People

Contributors

Stargazers

Watchers

Forkers

hongshui3000 shenglol heoelri arnoldna janusznowak raj44444 isabella232 azcloudfarmer venkatesugsk jlee-consulting sourcecodecheck vimala88

arm-template-whatif's Issues

Microsoft.EventHub/namespaces

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.EventHub/namespaces
Microsoft.EventHub/namespaces/eventHubs
Microsoft.EventHub/namespaces/eventHubs/authorizationRules
Microsoft.EventHub/namespaces/eventHubs/authorizationRules/consumerGroups
Probably Microsoft.EventHub/namespaces/authorizationRules is also affected by these as the properties of those are similar to Microsoft.EventHub/namespaces/eventHubs/authorizationRules

Microsoft.EventHub/namespaces/disasterRecoveryConfigs

apiVersion (i.e. 2019-04-01)
In code

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
No changes to the resources

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Resource and property changes are indicated with these symbols:
  - Delete
  + Create
  ~ Modify
  = NoChange

The deployment will update the following scopes:

Scope: /subscriptions/<subscription id>

  = resourceGroups/<resource group name> [2020-01-01]

Scope: /subscriptions/<subscription id>/resourceGroups/<resource group name>

  ~ Microsoft.EventHub/namespaces/lzaztesthub02 [2017-04-01]
    - properties.kafkaEnabled: true
    - properties.status:       "Active"

  ~ Microsoft.EventHub/namespaces/lzaztesthub02/eventHubs/hub001 [2017-04-01]
    - location: "West Europe"

  ~ Microsoft.EventHub/namespaces/lzaztesthub02/eventHubs/hub001/authorizationRules/testpolicy-1 [2017-04-01]
    - location: "West Europe"
    ~ properties.rights: [
      - 0: "Manage"
      + 0: "manage"
      - 1: "Send"
      + 1: "send"
      - 2: "Listen"
      + 2: "listen"
      ]

  ~ Microsoft.EventHub/namespaces/lzaztesthub02/eventHubs/hub001/authorizationRules/testpolicy-2 [2017-04-01]
    - location: "West Europe"
    ~ properties.rights: [
      - 0: "Send"
      + 0: "send"
      ]

  ~ Microsoft.EventHub/namespaces/lzaztesthub02/eventHubs/hub001/consumerGroups/group001 [2017-04-01]
    - location: "West Europe"

  ~ Microsoft.EventHub/namespaces/lzaztesthub02/eventHubs/hub001/consumerGroups/group002 [2017-04-01]
    - location: "West Europe"

  = Microsoft.EventHub/namespaces/lzaztesthub02/networkRuleSets/default [2018-01-01-preview]

On the latest versions of namespaces there is even more noise:


  ~ Microsoft.EventHub/namespaces/lzaztesthub02 [2018-01-01-preview]
    - properties.kafkaEnabled:  true
    - properties.status:        "Active"
    - properties.zoneRedundant: false

if you specify the properties (without status) on the namespace they will not be reported as change.

This one is problem too

  ~ Microsoft.EventHub/namespaces/lzaztesthub02/disasterRecoveryConfigs/repl0001 [2017-04-01]
    - properties.type: "MetadataReplication"

I am not specifying that property and I doubt that property can be changed. Also it is not documented.

Additional context
Add any other context about the problem here.

Resources are marked as both Ignore and no change

Describe the noise

Resources are marked as both Ignore and no change

* Microsoft.AlertsManagement/actionRules/test1 [2019-05-05-preview]
  * Microsoft.AlertsManagement/actionRules/test2 [2019-05-05-preview]
  * Microsoft.AlertsManagement/actionRules/test3 [2019-05-05-preview]
  * Microsoft.AlertsManagement/actionRules/test5 [2019-05-05-preview]
  * Microsoft.AlertsManagement/actionRules/test6 [2019-05-05-preview]
  * Microsoft.AlertsManagement/actionRules/test7 [2019-05-05-preview]
  * Microsoft.AlertsManagement/actionRules/test8 [2019-05-05-preview]
  * Microsoft.Insights/actiongroups/test [2019-06-01]
  * Microsoft.Insights/activityLogAlerts/Advisor Recommendations [2017-04-01]
  * Microsoft.Insights/activityLogAlerts/Resource Health 1 [2017-04-01]
  * Microsoft.Insights/activityLogAlerts/Resource Health 2 [2017-04-01]
  * Microsoft.Insights/activityLogAlerts/Resource Health 3 [2017-04-01]
  * Microsoft.Insights/activityLogAlerts/Resource Health 4 [2017-04-01]
  * Microsoft.Insights/activityLogAlerts/Service Health [2017-04-01]
  * Microsoft.OperationalInsights/workspaces/lz-monitoring-core-acceptance-stan3 [2017-03-15-preview]
  * Microsoft.OperationsManagement/solutions/AgentHealthAssessment(lz-monitoring-core-acceptance-stan3) [2015-11-01
-preview]
  * Microsoft.OperationsManagement/solutions/AzureActivity(lz-monitoring-core-acceptance-stan3) [2015-11-01-preview]
  = Microsoft.AlertsManagement/actionRules/test1 [2019-05-05-preview]
  = Microsoft.AlertsManagement/actionRules/test2 [2019-05-05-preview]
  = Microsoft.AlertsManagement/actionRules/test3 [2019-05-05-preview]
  = Microsoft.AlertsManagement/actionRules/test5 [2019-05-05-preview]
  = Microsoft.AlertsManagement/actionRules/test6 [2019-05-05-preview]
  = Microsoft.AlertsManagement/actionRules/test7 [2019-05-05-preview]
  = Microsoft.AlertsManagement/actionRules/test8 [2019-05-05-preview]
  = Microsoft.Insights/activityLogAlerts/Advisor Recommendations [2017-04-01]
  = Microsoft.Insights/activityLogAlerts/Resource Health 1 [2017-04-01]
  = Microsoft.Insights/activityLogAlerts/Resource Health 2 [2017-04-01]
  = Microsoft.Insights/activityLogAlerts/Resource Health 3 [2017-04-01]
  = Microsoft.Insights/activityLogAlerts/Resource Health 4 [2017-04-01]
  = Microsoft.Insights/activityLogAlerts/Service Health [2017-04-01]

More information provided by e-mail.

Resource type (i.e. Microsoft.Storage/storageAccounts)

apiVersion (i.e. 2019-04-01)

Client (PowerShell, Azure CLI, or API)

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Additional context
Add any other context about the problem here.

Microsoft.Storage/storageAccount (2019-04-01)

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Storage/storageAccounts

apiVersion (i.e. 2019-04-01)
2019-04-01

Client (PowerShell, Azure CLI, API)
PowerShell

Relevant ARM Template code (we only need the resource object specified in #1 and #2, but if it's easier you can include the entire template

    {
      "name": "[concat('storage', uniqueString(resourceGroup().id))]",
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-04-01",
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "Storage",
      "location":"[resourceGroup().location]"
    }

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
Clean diff

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Additional context
Add any other context about the problem here.

Microsoft.Web/sites (2018-11-01)

Describe the noise

Showing siteConfig options being new but they are already set.

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Web/sites

apiVersion (i.e. 2019-04-01)
2018-11-01

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

    {
      "name": "[variables('uiName')]",
      "type": "Microsoft.Web/sites",
      "apiVersion": "2018-11-01",
      "location": "[resourceGroup().location]",
      "tags": "[variables('tags')]",
      "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', variables('uiPlanName'))]"
      ],
      "properties": {
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('uiPlanName'))]",
        "httpsOnly": true,
        "clientAffinityEnabled": false,
        "siteConfig": {
          "webSocketsEnabled": true,
          "alwaysOn": true,
          "httpLoggingEnabled": true,
          "detailedErrorLoggingEnabled": true,
          "logsDirectorySizeLimit": "[parameters('WEBSITE_HTTPLOGGING_SIZE_LIMIT_MB')]",
          "ftpsState": "FtpsOnly",
          "http20Enabled": true
        }
      }
    }

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
No changes made but new properties being reported.

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

~ Microsoft.Web/sites/mysitename [2018-11-01]
    + properties.siteConfig:

        alwaysOn:                    true
        detailedErrorLoggingEnabled: true
        ftpsState:                   "FtpsOnly"
        http20Enabled:               true
        httpLoggingEnabled:          true
        logsDirectorySizeLimit:      128
        webSocketsEnabled:           true

Additional context
Add any other context about the problem here.

Microsoft.Insights/components (2014-04-01)

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Insights/components/RP-FA-MyTestAppTest

apiVersion (i.e. 2019-04-01)
2014-04-01

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code

 {
      "apiVersion": "2014-04-01",
      "name": "[variables('functionAppName')]",
      "type": "Microsoft.Insights/components",
      "location": "[resourceGroup().location]",
      "tags": {
        "[concat('hidden-link:', resourceGroup().id, '/providers/Microsoft.Web/sites/', variables('functionAppName'))]": "Resource",
        "displayName": "AppInsightsComponent"
      },
      "properties": {
        "applicationId": "[variables('functionAppName')]"
      }
    }

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
I expected no noise since the template has not been modified since the resources were deployed

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Additional context
Add any other context about the problem here.

What-If Noise Suppression Summary

We are now auto-generating noise reports and noise suppression via live traffic validation. You can view the latest report to see which Resource Providers, Resource Types, and apiVersions we have validated here:

https://azure.github.io/whatifnoise

There's a progress bar under each resource type indicating how "clean" that resource type is. We'll regenerate the summary markdown weekly(ish) for you to track our progress.

Tags on unsupported resources are counted as change

Describe the noise

Certain resources do not support tags but you can specify the tags property in the template and the deployment will run fine. We do that to future proof when at some point may be the resource starts supporting tags and because ARM allows it. This is counted as change by What-If unfortunately.

Example:

  ~ Microsoft.Insights/diagnosticSettings/subscriptionLogsToLogAnalytics-vuwqlkipg5ibm [2017-05-01-preview]
    + tags:
 
        version: "1.0.0.0"

More information is provided by e-mail.
Resource type (i.e. Microsoft.Storage/storageAccounts)

apiVersion (i.e. 2019-04-01)

Client (PowerShell, Azure CLI, or API)

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Additional context
Add any other context about the problem here.

Microsoft.Network/virtualNetworks (2019-11-01)

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Network/virtualNetworks
Microsoft.Network/virtualNetworks/subnets

apiVersion (i.e. 2019-04-01)
2019-11-01

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

 {
      "tags": {
        "displayName": "hub vnet"
      },
      "type": "Microsoft.Network/virtualNetworks",
      "name": "[parameters('hubVnetName')]",
      "apiVersion": "2019-11-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "[parameters('hubVnetPrefix')]"
          ]
        },
        "enableDdosProtection": false,
        "enableVmProtection": false
      },
      "resources": [
        {
          "type": "subnets",
          "name": "[variables('mgmtSubnetName')]",
          "apiVersion": "2019-11-01",
          "properties": {
            "addressPrefix": "[parameters('mgmtSubnetPrefix')]",
            "networkSecurityGroup": {
              "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
            }
          },
          "dependsOn": [
            "[resourceId('Microsoft.Network/virtualNetworks', parameters('hubVnetName'))]",
            "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
          ]
        },
        {
          "type": "subnets",
          "name": "[variables('sharedSubnetName')]",
          "apiVersion": "2019-11-01",
          "properties": {
            "addressPrefix": "[parameters('sharedSubnetPrefix')]",
            "networkSecurityGroup": {
              "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
            },
            "serviceEndpoints": [
              {
                "service": "Microsoft.ContainerRegistry"
              },
              {
                "service": "Microsoft.Web"
              },
              {
                "service": "Microsoft.EventHub"
              },
              {
                "service": "Microsoft.Storage"
              },
              {
                "service": "Microsoft.AzureActiveDirectory"
              },
              {
                "service": "Microsoft.AzureCosmosDB"
              },
              {
                "service": "Microsoft.KeyVault"
              },
              {
                "service": "Microsoft.ServiceBus"
              },
              {
                "service": "Microsoft.Sql"
              }
            ]
          },
          "dependsOn": [
            "[resourceId('Microsoft.Network/virtualNetworks', parameters('hubVnetName'))]",
            "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('hubVnetName'), variables('mgmtSubnetName'))]",
            "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
          ]
        },
        {
          "type": "subnets",
          "name": "[variables('dmzSubnetName')]",
          "apiVersion": "2019-11-01",
          "properties": {
            "addressPrefix": "[parameters('dmzSubnetPrefix')]",
            "networkSecurityGroup": {
              "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
            }
          },
          "dependsOn": [
            "[resourceId('Microsoft.Network/virtualNetworks', parameters('hubVnetName'))]",
            "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('hubVnetName'), variables('mgmtSubnetName'))]",
            "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('hubVnetName'), variables('sharedSubnetName'))]",
            "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
          ]
        }
      ],
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
      ]
    },

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
Clean diff

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Additional context
Add any other context about the problem here.

Resource group deployment counts API version as change

Describe the noise

I am deploying resource group with version 2019-07-01 but What-If detects that there is change in the API version although there is not.

Example:

  ~ resourceGroups/monitoring-core-accp-stan [2019-07-01]
    ~ apiVersion: "2019-07-01" => "2019-05-01"

More information is provided in e-mail.

Resource type (i.e. Microsoft.Storage/storageAccounts)

apiVersion (i.e. 2019-04-01)

Client (PowerShell, Azure CLI, or API)

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Additional context
Add any other context about the problem here.

Microsoft.Sql/servers/{servername}/elasticpools (2017-10-01-preview)

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Sql/servers/{servername}/elasticpools

apiVersion (i.e. 2019-04-01)
2017-10-01-preview

Client (PowerShell, Azure CLI, or API)

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

 {
                    "type": "Microsoft.Sql/servers/elasticpools",
                    "apiVersion": "2017-10-01-preview",
                    "name": "[concat(parameters('serverName'), '/', parameters('elasticPoolName'))]",
                    "location": "[parameters('serverLocation')]",
                    "dependsOn": [
                        "[concat('Microsoft.Sql/servers/', parameters('serverName'))]"
                    ],
                    "tags": "[parameters('elasticPoolTags')]",
                    "sku": {
                        "name": "[parameters('skuName')]",
                        "tier": "[parameters('tier')]",
                        "capacity": "[parameters('poolLimit')]"
                    },
                    "properties": {
                        "perDatabaseSettings": {
                            "minCapacity": "[parameters('perDatabasePerformanceMin')]",
                            "maxCapacity": "[parameters('perDatabasePerformanceMax')]"
                        },
                        "zoneRedundant": "[parameters('zoneRedundant')]",
                        "licenseType": "[parameters('licenseType')]",
                        "storageMB": "[parameters('poolSize')]"
                    }
                }

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Additional context
Check #21 for full template

Secrets shown in plain text

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.ContainerService/managedClusters

apiVersion (i.e. 2019-04-01)
2019-08-01

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object specified in #1 and #2, but if it's easier you can include the entire template

    {
      "apiVersion": "[variables('apiVersion').aks]",
      "type": "Microsoft.ContainerService/managedClusters",
      "name": "[parameters('name')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "nodeResourceGroup": "[concat(parameters('name'),'-worker')]",
        "kubernetesVersion": "[parameters('kubernetesVersion')]",
        "enableRBAC": true,
        "dnsPrefix": "[parameters('name')]",
        "addonProfiles": {
          "kubeDashboard": {
            "enabled": false
          },
          "omsagent": {
            "enabled": true,
            "config": {
              "logAnalyticsWorkspaceResourceID": "[variables('cluster').workspaceId]"
            }
          }
        },
        "copy": [
          {
            "name": "agentPoolProfiles",
            "count": "[length(parameters('agentPoolProfiles'))]",
            "input": {
              "name": "[concat('nodepool',add(copyIndex('agentPoolProfiles'),1))]",
              "maxPods": 250,
              "osDiskSizeGB": 128,
              "count": "[parameters('agentPoolProfiles')[copyIndex('agentPoolProfiles')].nodeCount]",
              "vmSize": "[parameters('agentPoolProfiles')[copyIndex('agentPoolProfiles')].nodeVmSize]",
              "osType": "Linux",
              "vnetSubnetID": "[variables('agentPoolProfiles').vnetSubnetId]",
              "enableAutoScaling": "[if(parameters('agentPoolProfiles')[copyIndex('agentPoolProfiles')].enableAutoScaling, parameters('agentPoolProfiles')[copyIndex('agentPoolProfiles')].enableAutoScaling, json('null'))]",
              "maxCount": "[if(parameters('agentPoolProfiles')[copyIndex('agentPoolProfiles')].enableAutoScaling, parameters('agentPoolProfiles')[copyIndex('agentPoolProfiles')].maxCount, json('null'))]",
              "minCount": "[if(parameters('agentPoolProfiles')[copyIndex('agentPoolProfiles')].enableAutoScaling, parameters('agentPoolProfiles')[copyIndex('agentPoolProfiles')].minCount, json('null'))]",
              "type": "VirtualMachineScaleSets",
              "availabilityZones": "[parameters('agentPoolProfiles')[copyIndex('agentPoolProfiles')].availabilityZones]"
            }
          }
        ],
        "networkProfile": {
          "loadBalancerSku": "standard",
          "networkPlugin": "azure",
          "networkPolicy": "calico",
          "serviceCidr": "10.0.0.0/16",
          "dnsServiceIp": "10.0.0.10",
          "dockerBridgeCidr": "172.17.0.1/16"
        },
        "servicePrincipalProfile": {
          "clientId": "[parameters('servicePrincipalClientId')]",
          "secret": "[parameters('servicePrincipalClientSecret')]"
        },
        "aadProfile": {
          "clientAppId": "[parameters('aadClientAppId')]",
          "serverAppId": "[parameters('aadServerAppId')]",
          "serverAppSecret": "[parameters('aadServerAppSecret')]",
          "tenantId": "[parameters('aadTenantId')]"
        }
      }
    }

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
That secrets like secret and serverAppSecret are not shown in plain text instead display a message like sensitive information. Similar what Terraform does with secrets.

For secrets it should not matter if I am providing them in plain text with a template parameter file or using a Key Vault reference. They should always be replaced with sensitive information or something similar, but do not display them in plain text in the output.

    "aadServerAppSecret": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/REDACTED/resourceGroups/operations-management/providers/Microsoft.KeyVault/vaults/REDACTED"
        },
        "secretName": "aadServerAppSecret"
      }
    }

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)
I manually replaced sensitive information with REDACTED in the output.

Note: As What-If is currently in preview, the result may contain false positive predictions (noise).
You can help us improve the accuracy of the result by opening an issue here: https://aka.ms/WhatIfIssues.

Resource and property changes are indicated with these symbols:
  + Create
  * Ignore

The deployment will update the following scope:

Scope: /subscriptions/REDACTED/resourceGroups/aks

  + Microsoft.ContainerService/managedClusters/akstestwhatif

      apiVersion:                                                               "2019-08-01"
      id:
"/subscriptions/REDACTED/resourceGroups/aks/providers/Microsoft.ContainerService/managedClusters/akstestwhatif"
      location:                                                                 "northeurope"
      name:                                                                     "akstestwhatif"
      properties.aadProfile.clientAppId:                                        "REDACTED"
      properties.aadProfile.serverAppId:                                        "REDACTED"
      properties.aadProfile.serverAppSecret:                                    "REDACTED"
      properties.aadProfile.tenantId:                                           "REDACTED"
      properties.addonProfiles.kubeDashboard.enabled:                           false
      properties.addonProfiles.omsagent.config.logAnalyticsWorkspaceResourceID:
"/subscriptions/REDACTED/resourceGroups/operations-management/providers/Microsoft.OperationalInsights/workspaces/REDACTED"
      properties.addonProfiles.omsagent.enabled:                                true
      properties.agentPoolProfiles: [
        0:

          availabilityZones: [
            0: "1"
            1: "2"
            2: "3"
          ]
          count:             3
          enableAutoScaling: true
          maxCount:          6
          maxPods:           250
          minCount:          3
          name:              "nodepool1"
          osDiskSizeGB:      128
          osType:            "Linux"
          type:              "VirtualMachineScaleSets"
          vmSize:            "Standard_D2_v3"
          vnetSubnetID:      "/subscriptions/REDACTED/resourceGroups/aks/providers/Microsoft.Network/virtualNetworks/aks-vnet/subnets/aks-subnet"

        1:

          count:        2
          maxPods:      250
          name:         "nodepool2"
          osDiskSizeGB: 128
          osType:       "Linux"
          type:         "VirtualMachineScaleSets"
          vmSize:       "Standard_D2_v3"
          vnetSubnetID: "/subscriptions/REDACTED/resourceGroups/aks/providers/Microsoft.Network/virtualNetworks/aks-vnet/subnets/aks-subnet"

      ]
      properties.dnsPrefix:                                                     "akstestwhatif"
      properties.enableRBAC:                                                    true
      properties.kubernetesVersion:                                             "1.14.8"
      properties.networkProfile.dnsServiceIp:                                   "10.0.0.10"
      properties.networkProfile.dockerBridgeCidr:                               "172.17.0.1/16"
      properties.networkProfile.loadBalancerSku:                                "standard"
      properties.networkProfile.networkPlugin:                                  "azure"
      properties.networkProfile.networkPolicy:                                  "calico"
      properties.networkProfile.serviceCidr:                                    "10.0.0.0/16"
      properties.nodeResourceGroup:                                             "akstestwhatif-worker"
      properties.servicePrincipalProfile.clientId:                              "REDACTED"
      properties.servicePrincipalProfile.secret:                                "REDACTED"
      type:                                                                     "Microsoft.ContainerService/managedClusters"

  * Microsoft.Network/publicIPAddresses/azst-aks1-ambassador
  * Microsoft.Network/trafficmanagerprofiles/aks
  * Microsoft.Network/trafficmanagerprofiles/akscnicalc
  * Microsoft.Network/trafficmanagerprofiles/appinsights
  * Microsoft.Network/trafficmanagerprofiles/helloworld
  * Microsoft.Network/trafficmanagerprofiles/src
  * Microsoft.Network/virtualNetworks/aks-vnet
  * Microsoft.Storage/storageAccounts/aksmasterlogs

Resource changes: 1 to create, 8 to ignore.

Additional context
Add any other context about the problem here.

Microsoft.Sql/servers/{servername}/databases (2017-10-01-preview)

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Sql/servers/{servername}/databases

apiVersion (i.e. 2019-04-01)
2017-10-01-preview

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

  {
                    "type": "databases",
                    "apiVersion": "2017-10-01-preview",
                    "name": "[parameters('databaseName')]",
                    "location": "[parameters('serverLocation')]",
                    "dependsOn": [
                        "[concat('Microsoft.Sql/servers/', parameters('serverName'))]",
                        "[concat('Microsoft.Sql/servers/', parameters('serverName'), '/elasticpools/', parameters('elasticPoolName'))]"
                    ],
                    "tags": "[parameters('databaseTags')]",
                    "properties": {
                        "collation": "[parameters('collation')]",
                        "elasticPoolId": "[resourceId('Microsoft.Sql/servers/elasticpools', parameters('serverName') , parameters('elasticPoolName'))]",
                        "sampleName": "[parameters('sampleName')]",
                        "zoneRedundant": "[parameters('zoneRedundant')]",
                        "licenseType": "[parameters('licenseType')]"
                    }
                }

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Additional context
Add any other context about the problem here.
check #21 for full template

Microsoft.Logic/workflows (2017-07-01)

Describe the noise

Logic App deployments showing outgoing IP addresses, which I believe are read-only properties.

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.LogicApp/workflows

apiVersion (i.e. 2019-04-01)
2017-07-01

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

    {
      "apiVersion": "2016-06-01",
      "type": "Microsoft.Web/connections",
      "name": "[variables('storageAccountConnectorName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
      ],
      "properties": {
        "displayName": "[concat('Azure Table Storage (', variables('storageAccountName'), ')')]",
        "parameterValues": {
          "storageAccount": "[variables('storageAccountName')]",
          "sharedKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value]"
        },
        "api": {
          "id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuretables')]"
        }
      }
    },
    {
      "apiVersion": "2016-06-01",
      "type": "Microsoft.Web/connections",
      "name": "[variables('sendGridConnectorName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "displayName": "SendGrid",
        "parameterValues": {
          "apiKey": "[parameters('sendGridApiKey')]"
        },
        "api": {
          "id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/sendgrid')]"
        }
      }
    },
    {
      "type": "Microsoft.Logic/workflows",
      "apiVersion": "2017-07-01",
      "name": "[variables('weeklyEmailLogicAppName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Web/connections', variables('storageAccountConnectorName'))]",
        "[resourceId('Microsoft.Web/connections', variables('sendGridConnectorName'))]"
      ],
      "properties": {
        "state": "Enabled",
        "definition": "[parameters('weeklyEmailDefinition').definition]",
        "parameters": {
          "$connections": {
            "value": {
              "azuretables": {
                "connectionId": "[resourceId('Microsoft.Web/connections', variables('storageAccountConnectorName'))]",
                "connectionName": "azuretables",
                "id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuretables')]"
              },
              "sendgrid": {
                "connectionId": "[resourceId('Microsoft.Web/connections', variables('sendGridConnectorName'))]",
                "connectionName": "sendgrid",
                "id": "[concat(subscription().id,'/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/sendgrid')]"
              }
            }
          }
        }
      }
    }

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
Template hasn't changed, see current noise

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)
Looks like some read-only properties are getting marked as changed, e.g. - properties.endpointsConfiguration.connector.outgoingIpAddresses.

- properties.endpointsConfiguration:

        connector.outgoingIpAddresses: [
          0:

            address: "40.71.11.80/28"

          1:

            address: "40.71.249.205"

          2:

            address: "191.237.41.52"

          3:

            address: "40.114.40.132"

          4:

            address: "40.71.249.139"

        ]
        workflow.accessEndpointIpAddresses: [
          0:

            address: "137.135.106.54"

          1:

            address: "40.117.99.79"

          2:

            address: "40.117.100.228"

          3:

            address: "137.116.126.165"

        ]
        workflow.outgoingIpAddresses: [
          0:

            address: "13.92.98.111"

          1:

            address: "40.121.91.41"

          2:

            address: "40.114.82.191"

          3:

            address: "23.101.139.153"

          4:

            address: "23.100.29.190"

          5:

            address: "23.101.136.201"

          6:

            address: "104.45.153.81"

          7:

            address: "23.101.132.208"

        ]

Additional context
Add any other context about the problem here.

Location parameter required but not accepted

Describe the bug
According to Get-Help New-AzDeploymentWhatIf -Detailed, a location parameter is required. However, specifying it as input to the cmdlet produces a Parameter set cannot be resolved using the specified named parameters error.

To Reproduce
Steps to reproduce the behavior:

Issue New-AzDeploymentWhatIf specifying -Location

Expected behavior
New-AzDeploymentWhatIf should accept a required parameter.

Screenshots
Here's the output of Get-Help and the results of running the cmdlet both with and without specifying -Location

Client [e.g. PowerShell, CLI, API)
Windows 10 Enterprise, 1809 with Windows PowerShell 5.1.
PSVersion 5.1.17763.1007 PSEdition Desktop PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...} BuildVersion 10.0.17763.1007 CLRVersion 4.0.30319.42000 WSManStackVersion 3.0 PSRemotingProtocolVersion 2.3 SerializationVersion 1.1.0.1

Additional context
This could be a newbie error -- this is my first attempt at using New-AzDeploymentWhatIf

Microsoft.Sql/servers/{servername}/vulnerabilityAssessments/Default (2018-06-01-preview)

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Sql/servers/{servername}/vulnerabilityAssessments/Default

apiVersion (i.e. 2019-04-01)
2018-06-01-preview

Client (PowerShell, Azure CLI, or API)

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

 {
                    "type": "vulnerabilityAssessments",
                    "apiVersion": "2018-06-01-preview",
                    "name": "Default",
                    "dependsOn": [
                        "[concat('Microsoft.Sql/servers/', parameters('serverName'))]",
                        "[concat('Microsoft.Storage/storageAccounts/', variables('storageName'))]",
                        "[concat('Microsoft.Sql/servers/', parameters('serverName'), '/securityAlertPolicies/Default')]"
                    ],
                    "properties": {
                        "storageContainerPath": "[if(parameters('enableVA'), concat(reference(variables('storageName'), '2018-02-01').primaryEndpoints.blob, 'vulnerability-assessment'), '')]",
                        "storageAccountAccessKey": "[if(parameters('enableVA'), listKeys(variables('storageName'), '2018-02-01').keys[0].value, '')]",
                        "recurringScans": {
                            "isEnabled": true,
                            "emailSubscriptionAdmins": true,
                            "emails": []
                        }
                    },
                    "condition": "[parameters('enableVA')]"
                }

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Additional context
The full template is at #21

Microsoft.Web/connections (2016-06-01)

Describe the noise

Read-only data and parameterValues with expressions

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Web/connections

apiVersion (i.e. 2019-04-01)
2016-06-01

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

    {
      "apiVersion": "2016-06-01",
      "type": "Microsoft.Web/connections",
      "name": "[variables('storageAccountConnectorName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
      ],
      "tags": "[variables('tags')]",
      "properties": {
        "displayName": "[concat('Azure Table Storage (', variables('storageAccountName'), ')')]",
        "parameterValues": {
          "storageAccount": "[variables('storageAccountName')]",
          "sharedKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value]"
        },
        "api": {
          "id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuretables')]"
        }
      }
    }

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
No changes.

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

~ Microsoft.Web/connections/mystorageaccount [2016-06-01]
    - properties.api.brandColor:  "#804998"
    - properties.api.category:    "Standard"
    - properties.api.description: "Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schemaless design. Sign into your Storage account to create, update, and query tables and more."
    - properties.api.displayName: "Azure Table Storage"
    - properties.api.iconUri:     "https://connectoricons-prod.azureedge.net/azuretables/icon_1.0.1327.1946.png"
    - properties.api.name:        "azuretables"
    - properties.api.type:        "Microsoft.Web/locations/managedApis"
    - properties.nonSecretParameterValues:

        storageAccount: "mystorageaccount"

    - properties.testLinks: [
        0:

          method:     "get"
          requestUri: "https://management.azure.com:443/subscriptions/89eeadc3-f5ad-436c-8afa-d5e5db194363/resourceGroups/refunderware-dev-east/providers/Microsoft.Web/connections/refunderwaredeveast/extensions/proxy/Tables?api-version=2016-06-01"

      ]
    + properties.parameterValues:

        sharedKey:      "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value]"
        storageAccount: "mystorageaccount"

Additional context
Add any other context about the problem here.

Microsoft.Insights/components (2015-05-01)

Describe the noise

Application Insights is reporting changes when no changes were made.

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Insights/components

apiVersion (i.e. 2019-04-01)
2015-05-01

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

    {
      "type": "Microsoft.Insights/components",
      "name": "[variables('applicationInsightsName')]",
      "apiVersion": "2015-05-01",
      "location": "[resourceGroup().location]",
      "tags": "[variables('tags')]",
      "kind": "web",
      "properties": {
        "Name": "[variables('applicationInsightsName')]",
        "Application_Type": "web"
      }
    }

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
No changes

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

~ Microsoft.Insights/components/myappinsights [2015-05-01]
    - properties.publicNetworkAccessForIngestion: "Enabled"
    - properties.publicNetworkAccessForQuery:     "Enabled"
    - properties.Ver:                             "v2"
    + properties.Flow_Type:                       "Bluefield"
    + properties.Request_Source:                  "rest"

Additional context
Add any other context about the problem here.

Microsoft.Insights/components/proactiveDetectionConfigs (2018-05-01-preview)

Describe the noise

Showing read-only properties or default properties that haven't changed.

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Insights/components/proactiveDetectionConfigs

apiVersion (i.e. 2019-04-01)
2018-05-01-preview

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

"variables": {
    "applicationInsightsProactiveRules": [
      "slowpageloadtime",
      "slowserverresponsetime",
      "longdependencyduration",
      "degradationinserverresponsetime",
      "degradationindependencyduration",
      "extension_traceseveritydetector",
      "extension_exceptionchangeextension",
      "extension_memoryleakextension",
      "extension_securityextensionspackage",
      "extension_billingdatavolumedailyspikeextension"
    ]}
    ...
    {
      "apiVersion": "2018-05-01-preview",
      "name": "[concat(variables('applicationInsightsName'), '/', variables('applicationInsightsProactiveRules')[copyIndex()])]",
      "type": "Microsoft.Insights/components/proactiveDetectionConfigs",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]"
      ],
      "copy": {
        "name": "proactiveDetectionConfigs",
        "count": "[length(variables('applicationInsightsProactiveRules'))]"
      },
      "properties": {
        "name": "[variables('applicationInsightsProactiveRules')[copyIndex()]]",
        "sendEmailsToSubscriptionOwners": false,
        "customEmails": [
        ],
        "enabled": false
      }
    }

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
No noise as there are no changes.

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

~ Microsoft.Insights/components/myappinsights/proactiveDetectionConfigs/degradationindependencyduration [2018-05-01-preview]
    - properties.ruleDefinitions:

        Description:                "Smart Detection rules notify you of performance anomaly issues."
        DisplayName:                "Degradation in dependency duration"
        HelpUrl:                    "https://docs.microsoft.com/en-us/azure/application-insights/app-insights-proactive-performance-diagnostics"
        IsEnabledByDefault:         true
        IsHidden:                   false
        IsInPreview:                false
        Name:                       "degradationindependencyduration"
        SupportsEmailNotifications: true

Additional context
Add any other context about the problem here.

Noise in Virtual Machine deployment

Describe the noise

When deploying a basic virtual machine including a dedicated network, some noise occurs
(these are all the resources from this template. If you prefer separate issues per resource type, please let me know.

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Compute/virtualMachines
Microsoft.Network/networkInterfaces
Microsoft.Network/publicIPAddresses
Microsoft.Network/virtualNetworks

apiVersion (i.e. 2019-04-01)
2019-03-01 for the VirtualMachine,
2019-09-01 for the other resources

Client (PowerShell, Azure CLI, or API)
PowerShell 6.2.3

Relevant ARM Template code (we only need the resource object specified in #1 and #2, but if it's easier you can include the entire template
link to template in gist

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
No noise. I have deployed this template and directly after that ran whatif, so everything should be ignored

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Resource and property changes are indicated with these symbols:
  - Delete
  ~ Modify
  * Ignore

The deployment will update the following scopes:

Scope: /subscriptions/[SubscriptionID]/resourceGroups/[Resourcegroup]

  ~ Microsoft.Compute/virtualMachines/SimpleVM
    - properties.osProfile.allowExtensionOperations:    true
    - properties.osProfile.requireGuestProvisionSignal: true
    - properties.osProfile.windowsConfiguration:

        enableAutomaticUpdates: true
        provisionVMAgent:       true

    - properties.storageProfile.osDisk.caching:         "ReadWrite"
    - properties.storageProfile.osDisk.diskSizeGB:      127
    - properties.storageProfile.osDisk.managedDisk:

        id:                 "/subscriptions/[SUBSCRIPTIONID]/resourceGroups/[resourcegroupname]/providers/Microsoft.Compute/disk
s/SimpleVM_OsDisk_1_ced41fc814c04d2b97b02e587c8bce40"
        storageAccountType: "Standard_LRS"

    - properties.storageProfile.osDisk.name:            "SimpleVM_OsDisk_1_ced41fc814c04d2b97b02e587c8bce40"
    - properties.storageProfile.osDisk.osType:          "Windows"
    ~ properties.storageProfile.dataDisks: [
      ~ 0:

        - caching:      "None"
        - managedDisk:

            id:                 "/subscriptions/[SUBSCRIPTIONID]/resourceGroups/[resourcegroupname]/providers/Microsoft.Compute/
disks/SimpleVM_disk2_dbb4804aa80e45ed8f38bcd286edabd4"
            storageAccountType: "Standard_LRS"

        - name:         "SimpleVM_disk2_dbb4804aa80e45ed8f38bcd286edabd4"
        - toBeDetached: false

      ]

  ~ Microsoft.Network/networkInterfaces/myVMNic
    - properties.dnsSettings:                 {}
    - properties.enableAcceleratedNetworking: false
    - properties.enableIPForwarding:          false
    - properties.virtualMachine:

        id: 
"/subscriptions/[SUBSCRIPTIONID]/resourceGroups/[resourcegroupname]/providers/Microsoft.Compute/virtualMachines/SimpleVM"

    ~ properties.ipConfigurations: [
      ~ 0:

        - properties.primary:                 true
        - properties.privateIPAddress:        "10.0.0.4"
        - properties.privateIPAddressVersion: "IPv4"
        ~ properties.publicIPAddress.id:
"/subscriptions/[SUBSCRIPTIONID]/resourceGroups/[resourcegroupname]/providers/Microsoft.Network/publicIPAddresses/myPublicIP"
=> "/subscriptions/[SUBSCRIPTIONID]/resourceGroups/[resourcegroupname]/providers/Microsoft.Network/publicIPAddresses/myPublicIP"
        ~ properties.subnet.id:               "/subscriptions/[SUBSCRIPTIONID]/resourceGroups/[resourcegroupname]/providers/Microsoft.Network/virtualNetworks/MyVNET/subnets/Subnet" => "/subscriptions/[SUBSCRIPTIONID]/resourceGrou
ps/[resourcegroupname]/providers/Microsoft.Network/virtualNetworks/MyVNET/subnets/Subnet"

      ]

  ~ Microsoft.Network/publicIPAddresses/myPublicIP
    - properties.dnsSettings.fqdn:       "blb234woefi.westeurope.cloudapp.azure.com"
    - properties.idleTimeoutInMinutes:   4
    - properties.ipAddress:              "24.97.131.255"
    - properties.ipConfiguration:

        id: "/subscriptions/[SUBSCRIPTIONID]/resourceGroups/[resourcegroupname]/providers/Microsoft.Network/networkInterfaces/my
VMNic/ipConfigurations/ipconfig1"

    - properties.publicIPAddressVersion: "IPv4"
    - sku:

        name: "Basic"


  ~ Microsoft.Network/virtualNetworks/MyVNET
    - properties.enableDdosProtection: false
    - properties.enableVmProtection:   false
    ~ properties.subnets: [
      ~ 0:

        - properties.privateEndpointNetworkPolicies:    "Enabled"
        - properties.privateLinkServiceNetworkPolicies: "Enabled"

      ]

Additional context
Add any other context about the problem here.

Microsoft.Network/privateEndpoints

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Network/privateEndpoints

apiVersion (i.e. 2019-04-01)
2019-11-01
2020-04-01

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
No change in privateLinkServiceConnections property

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

 ~ Microsoft.Network/privateEndpoints/production-keyVault [2019-11-01]
    ~ properties.privateLinkServiceConnections: [
      ~ 0:

        - id: "/subscriptions/<subscription id>/resourceGroups/test-vnet-rg-1/providers/Microsoft.Network/privateEndpoints/production-keyVault/privateLinkServiceConnections/serviceConnection-production-keyVault"

      ]

  ~ Microsoft.Network/privateEndpoints/production-keyVault [2020-04-01]
    - properties.customDnsConfigs: [
        0:

          fqdn: "lz-kv-prd.vault.azure.net"
          ipAddresses: [
            0: "10.0.3.4"
          ]

      ]
    ~ properties.privateLinkServiceConnections: [
      ~ 0:

        - id: "/subscriptions/<subscription id>/resourceGroups/test-vnet-rg-1/providers/Microsoft.Network/privateEndpoints/production-keyVault/privateLinkServiceConnections/serviceConnection-production-keyVault"

      ]

Additional context
Add any other context about the problem here.

Microsoft.Web/sites (2015-08-01)

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Web/sites

apiVersion (i.e. 2019-04-01)
2015-08-01

Client (PowerShell, Azure CLI, or API)

Relevant ARM Template code (we only need the resource object specified in #1 and #2, but if it's easier you can include the entire template

  {
      "apiVersion": "2016-08-01",
      "type": "Microsoft.Web/sites",
      "name": "[variables('functionAppName')]",
      "location": "[resourceGroup().location]",
      "kind": "functionapp",
      "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
        "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
      ],
      "properties": {
        "phpVersion": "",
        "remoteDebuggingEnabled": true,
        "remoteDebuggingVersion": "VS2017",
        "ftpsState": "Disabled",
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
        "siteConfig": {
          "appSettings": [
            {
              "name": "AzureWebJobsDashboard",
              "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]"
            },
            {
              "name": "AzureWebJobsStorage",
              "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]"
            },
            {
              "name": "WEBSITE_CONTENTSHARE",
              "value": "[toLower(variables('functionAppName'))]"
            },
            {
              "name": "AzureWebJobsDisableHomepage",
              "value": "true"
            },
            {
              "name": "FUNCTIONS_EXTENSION_VERSION",
              "value": "~2"
            },
            {
              "name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
              "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]"
            },
            {
              "name": "QueueConnectionString",
              "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]"
            },
            {
              "name": "UserAdministrationGraphSiteId",
              "value": "[parameters('userAdministrationGraphSiteId')]"
            },
            {
              "name": "UserAdministrationSharePointListId",
              "value": "[parameters('userAdministrationSharePointListId')]"
            },
            {
              "name": "DefaultO365UserLicense",
              "value": "[parameters('defaultO365UserLicense')]"
            },
            {
              "name": "DefaultExchangeGroupId",
              "value": "[parameters('defaultExchangeGroupId')]"
            },
            {
              "name": "DefaultExchangeOnlineLicense",
              "value": "[parameters('defaultExchangeOnlineLicense')]"
            },
            {
              "name": "UserEmailSender",
              "value": "[variables('userEmailSender')]"
            },
            {
              "name": "UserEmailPasswordCopy",
              "value": "[variables('userEmailPasswordCopy')]"
            },
            {
              "name": "SendPasswordQueueName",
              "value": "[variables('sendPasswordQueueName')]"
            },
            {
              "name": "AddToGroupUsersQueueName",
              "value": "[variables('addToGroupUsersQueueName')]"
            },
            {
              "name": "APPINSIGHTS_INSTRUMENTATIONKEY",
              "value": "[reference(concat('microsoft.insights/components/', variables('functionAppName'))).InstrumentationKey]"
            },
            {
              "name": "FUNCTIONS_WORKER_RUNTIME",
              "value": "dotnet"
            }
          ]
        }
      }     
    }

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Additional context
Add any other context about the problem here.

web/site (2018-11-01) that uses containers exposes acr password, app settings shows as create

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template
https://github.com/anthony-c-martin/arm-templator-transpiler/blob/alex/examples/container-appsvc-sql/web-stack.json

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
appSettings were not changed, but show up as being created and expose password to container registry

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Microsoft.Network/publicIPAddresses

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Network/publicIPAddresses

apiVersion (i.e. 2019-04-01)
2020-04-01

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
No change. Read only property natGateway should not change as association happens on Nat Gateway resource so this property is only read only.

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

  ~ Microsoft.Network/publicIPAddresses/pubip0004 [2020-04-01]
    - properties.natGateway:

        id: "/subscriptions/<subscriptionId>/resourceGroups/test-vnet-rg-1/providers/Microsoft.Network/natGateways/natgw00002"

Additional context
Add any other context about the problem here.

Microsoft.ContainerRegistry/registries (2019-05-01)

Describe the noise

Resource type

Microsoft.ContainerRegistry/registries

apiVersion

2019-05-01

Client

PowerShell

Relevant ARM Template code

{
	"name": "[variables('acrName')]",
	"type": "Microsoft.ContainerRegistry/registries",
	"apiVersion": "2019-05-01",
	"location": "[variables('location')]",
	"comments": "Container registry for storing docker images",
	"tags": {
		"displayName": "Container Registry",
		"container.registry": "[variables('acrName')]"
	},
	"sku": {
		"name": "[variables('acrSku')]",
		"tier": "[variables('acrSku')]"
	},
	"properties": {
		"adminUserEnabled": "[variables('acrAdminUserEnabled')]"
	}
}

Expected response

I expected no noise since the template has not been modified since the resources were deployed.

Current (noisy) response

Resource and property changes are indicated with these symbols:
  - Delete
  ~ Modify

The deployment will update the following scope:

Scope: /subscriptions/3762d87c-ddb8-425f-b2fc-29e5e859edaf/resourceGroups/acrtest123

  ~ Microsoft.ContainerRegistry/registries/testacr001nepet [2019-05-01]
    - properties.policies:

        quarantinePolicy.status: "disabled"
        retentionPolicy.days:    7
        retentionPolicy.status:  "disabled"
        trustPolicy.status:      "disabled"
        trustPolicy.type:        "Notary"

Resource changes: 1 to modify.

WhatIf Module installation - Az.Resources not catalog signed

When running the install process to install the module the following occurs

Install-Module -Name Az.Resources -Repository WhatIfRepository -RequiredVersion 2.0.1-alpha4 -AllowPrerelease -AllowClobber -Credential $credential

The Error below is shown:
PackageManagement\Install-Package : The version '2.0.1' of the module 'Az.Resources' being installed is not catalog signed. Ensure that the version '2.0.1' of the module
'Az.Resources' has the catalog file 'Az.Resources.cat' and signed with the same publisher 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US' as the
previously-installed module 'Az.Resources' with version '1.10.0' under the directory 'C:\Users\pegrimsd\Documents\WindowsPowerShell\Modules\Az.Resources\1.10.0'. If you still want
to install or update, use -SkipPublisherCheck parameter.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\2.2.3\PSModule.psm1:9685 char:34

... talledPackages = PackageManagement\Install-Package @PSBoundParameters
```
                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
- CategoryInfo : InvalidOperation: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Exception
- FullyQualifiedErrorId : ModuleIsNotCatalogSigned,Validate-ModuleAuthenticodeSignature,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage

Expected behavior
Update install docs to run with the command:
Install-Module -Name Az.Resources -Repository WhatIfRepository -RequiredVersion 2.0.1-alpha4 -AllowPrerelease -AllowClobber -Credential $credential -SkipPublisherCheck
Screenshots

Client PowerShell

Additional context

Key Vault and Diagnostic settings noise

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
In the code.

apiVersion (i.e. 2019-04-01)
In the code.

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template
Cannot be provided as it is private.

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
No changes at all as no changes are done. What-If was run after configuration was run.

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)
Everything that is shown as modification/create is noise.

Additional context

Resource and property changes are indicated with these symbols:
  - Delete
  + Create
  ~ Modify
  = NoChange

The deployment will update the following scopes:

Scope: /subscriptions/<subscription name>

  = resourceGroups/<resource group name> [2020-01-01]

Scope: /subscriptions/<subscription name>/resourceGroups/<resource group name>

  ~ Microsoft.KeyVault/vaults/<key vault name> [2019-09-01]
    + properties.networkAcls:

        bypass:        "AzureServices"
        defaultAction: "Allow"

    ~ properties.accessPolicies: [
        0:

          objectId:     "<object id 1>"
          permissions.certificates: [
            0: "all"
          ]
          permissions.keys: [
            0: "all"
          ]
          permissions.secrets: [
            0: "all"
          ]
          permissions.storage: [
            0: "all"
          ]
          tenantId:     "<tenant id>"

       1:

          objectId:     "<object id 2>"
          permissions.certificates: [
            0: "all"
          ]
          permissions.keys: [
            0: "all"
          ]
          permissions.secrets: [
            0: "all"
          ]
          permissions.storage: [
            0: "all"
          ]
          tenantId:     "<tenant id>"

        2:

          objectId:     "<object id 3>"
          permissions.certificates: [
            0: "get"
          ]
          permissions.secrets: [
            0: "get"
          ]
          tenantId:     "<tenant id>"

      ] => "[if( empty( parameters( 'keyVault' ).accessPolicies ), json( '[]' ), reference( concat( 'accessPoliciesTransform-', uniqueString( parameters( 'keyVault' ).name ) ), variables( 'apiVersions' ).deployments ).outputs.policies.value )]"


~ Microsoft.KeyVault/vaults/<key vault name>/providers/Microsoft.Insights/diagnosticSettings/keyVaultLogsToLogAnalytics [2017-05-01-preview]
    ~ properties.logs: [
      ~ 0:

        - retentionPolicy:

            days:    0
            enabled: false


      ]
    ~ properties.metrics: [
      ~ 0:

        - retentionPolicy:

            days:    0
            enabled: false


      ]

Microsoft.EventGrid/topics/{topic}/providers/Microsoft.EventGrid/eventSubscriptions (2018-01-01)

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.EventGrid/topics/{topic}/providers/Microsoft.EventGrid/eventSubscriptions

apiVersion (i.e. 2019-04-01)
2018-01-01

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object specified in 1 and 2, but if it's easier you can include the entire template

{
            "type": "Microsoft.EventGrid/topics",
            "apiVersion": "2018-01-01",
            "name": "[parameters('eventGridTopicName')]",
            "location": "[parameters('location')]"
        },
        {
            "type": "Microsoft.EventGrid/topics/providers/eventSubscriptions",
            "apiVersion": "2018-01-01",
            "name": "[concat(parameters('eventGridTopicName'), '/Microsoft.EventGrid/', parameters('eventGridSubscriptionName'))]",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[parameters('eventGridTopicName')]"
            ],
            "properties": {
                "destination": {
                    "endpointType": "WebHook",
                    "properties": {
                        "endpointUrl": "[parameters('eventGridSubscriptionUrl')]"
                    }
                },
                "filter": {
                    "includedEventTypes": [
                        "All"
                    ]
                }
            }
        }

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Additional context
Add any other context about the problem here.

I used the following template: https://github.com/Azure/azure-quickstart-templates/tree/master/101-event-grid

Microsoft.ContainerInstance/containerGroups (2018-10-01)

Describe the noise

Resource type

Microsoft.ContainerInstance/containerGroups

apiVersion

2018-10-01

Client (PowerShell, Azure CLI, or API)

PowerShell

Relevant ARM Template code

{
	"name": "containerGroup1",
	"type": "Microsoft.ContainerInstance/containerGroups",
	"apiVersion": "2018-10-01",
	"location": "[resourceGroup().location]",
	"properties": {
		"containers": [{
			"name": "nepeters",
			"properties": {
				"image": "neilpeterson/nepetersv1",
				"ports": [{
					"port": 80
				}],
				"resources": {
					"requests": {
						"cpu": 1,
						"memoryInGB": 2
					}
				}
			}
		}],
		"osType": "Linux",
		"ipAddress": {
			"type": "Public",
			"ports": [{
				"protocol": "TCP",
				"port": 80
			}]
		}
	}
}

Expected response

I expected no noise since the template has not been modified since the resources were deployed.

Current (noisy) response

Resource and property changes are indicated with these symbols:
  - Delete
  ~ Modify

The deployment will update the following scope:

Scope: /subscriptions/3762d87c-ddb8-425f-b2fc-29e5e859edaf/resourceGroups/aci-whatif

  ~ Microsoft.ContainerInstance/containerGroups/containerGroup1 [2018-10-01]
    - properties.ipAddress.ip: "40.88.23.55"
    ~ properties.containers: [    
      ~ 0:

        - properties.instanceView:

            currentState.startTime: "2019-12-02T00:13:57Z"
            currentState.state:     "Running"

        ~ properties.resources.requests.cpu:        1 => 1
        ~ properties.resources.requests.memoryInGB: 2 => 2

      ]

Resource changes: 1 to modify.

Additional context

Seems like these two are not necessarily noise as each property is specified in the template. Regardless, the results are erroneous.

 ~ properties.resources.requests.cpu:        1 => 1
 ~ properties.resources.requests.memoryInGB: 2 => 2

microsoft.resources/deploymentscripts (2019-10-01-preview)

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template
https://github.com/alex-frankel/VbDemos/blob/master/deployment-script-create-cert-uri.json

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
The only property that was actually updates was forceUpdateTag

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Additional context
Add any other context about the problem here.

Microsoft.DocumentDB/databaseAccounts (2019-08-01)

Describe the noise

Resource type

Microsoft.DocumentDB/databaseAccounts

apiVersion

2019-08-01

Client

PowerShell

Relevant ARM Template code

{
	"name": "nepeters",
	"type": "Microsoft.DocumentDB/databaseAccounts",
	"apiVersion": "2019-08-01",
	"location": "[resourceGroup().location]",
	"tags": {},
	"kind": "GlobalDocumentDB",
	"properties": {
		"consistencyPolicy": {
			"defaultConsistencyLevel": "Eventual",
			"maxStalenessPrefix": 1,
			"maxIntervalInSeconds": 5
		},
		"locations": [{
			"locationName": "eastus",
			"failoverPriority": 0
		}],
		"databaseAccountOfferType": "Standard",
		"enableAutomaticFailover": true,
		"capabilities": [{
			"name": "EnableTable"
		}]
	}
}

Expected response

I expected no noise since the template has not been modified since the resources were deployed.

Current (noisy) response

Resource and property changes are indicated with these symbols:
  - Delete
  ~ Modify

The deployment will update the following scope:

Scope: /subscriptions/3762d87c-ddb8-425f-b2fc-29e5e859edaf/resourceGroups/whatif-cd

  ~ Microsoft.DocumentDB/databaseAccounts/nepeters [2019-08-01]
    - properties.disableKeyBasedMetadataWriteAccess:   false
    - properties.EnabledApiTypes:                      "Table, Sql"
    - properties.enableMultipleWriteLocations:         false
    - properties.enablePartitionKeyMonitor:            false
    - properties.isVirtualNetworkFilterEnabled:        false
    - properties.tableEndpoint:                        "https://nepeters.table.cosmos.azure.com:443/"
    ~ properties.consistencyPolicy.maxStalenessPrefix: 100 => 1
    ~ properties.locations: [
      ~ 0:

        - isZoneRedundant: false

      ]

Resource changes: 1 to modify.

Microsoft.Web/certificates (2019-08-01)

Describe the noise

Showing a read-only? property change as well as a property change that hasn't changed.

Resource type (i.e. Microsoft.Storage/storageAccounts)

apiVersion (i.e. 2019-04-01)
2019-08-01

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

    {
      "condition": "[variables('uiUseHostname')]",
      "name": "[variables('uiHostname')]",
      "type": "Microsoft.Web/certificates",
      "apiVersion": "2019-08-01",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Web/sites/hostnameBindings', variables('uiName'), variables('uiHostname'))]"
      ],
      "tags": "[variables('tags')]",
      "properties": {
        "canonicalName": "[variables('uiHostname')]",
        "hostNames": [
          "[variables('uiHostname')]"
        ],
        "serverFarmId": "[resourceId('Microsoft.Web/serverFarms', variables('uiPlanName'))]"
      }
    }

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)

No changes.

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

~ Microsoft.Web/certificates/mycertificate.site.com [2019-08-01]

    - properties.webSpace:     "uiServerFarm-EastUSwebspace"
    + properties.serverFarmId: "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Web/serverFarms/uiServerFarm"

Additional context
Add any other context about the problem here.

PowerShell ISE not supported

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Run the WhatIf module in Powershell ISE

Lables for Delete / modify / create are not displayed correctly (see screenshot)

Expected behavior
Powershell ISE to support the WhatIf module in the same way as Powershell

Screenshots

Client
PowerShell ISE

Additional context

CLI/Feature request: --hide-ignored flag

I run a nested subscription level template for my entire subscription, with a "main" arm template creating RG's and calling upon resource-group level templates.

using az deployment sub what-if works fine, but we have disks and snapshots created from services in AKS which should be ignored. In the hundreds. I can't see any flag. Not sure if using --query is possible, for this. the command docs state that "json" output is default, but my output does not remind me of json, hard to query..

Client [e.g. PowerShell, CLI, API)

Windows 10 1909
CLI version 2.5.1

Microsoft.Network/networkSecurityGroups

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Network/networkSecurityGroups

apiVersion (i.e. 2019-04-01)
2019-11-01

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
No change in securityRules proeprty

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

 ~ Microsoft.Network/networkSecurityGroups/test-vnet-2_Subnet1-nsg [2019-11-01]
    ~ properties.securityRules: [
      - 1:

          name:                                "AllowSameSubnetInBound"
          properties.access:                   "Allow"
          properties.description:              "Allow incoming traffic from within the subnet"
          properties.destinationAddressPrefix: "10.0.1.0/24"
          properties.destinationPortRange:     "*"
          properties.direction:                "Inbound"
          properties.priority:                 4093
          properties.protocol:                 "*"
          properties.sourceAddressPrefix:      "10.0.1.0/24"
          properties.sourcePortRange:          "*"

      - 2:

          name:                                "DenyAzureLoadBalancerInBound"
          properties.access:                   "Deny"
          properties.description:              "Deny incoming traffic from Azure load balancers"
          properties.destinationAddressPrefix: "*"
          properties.destinationPortRange:     "*"
          properties.direction:                "Inbound"
          properties.priority:                 4095
          properties.protocol:                 "*"
          properties.sourceAddressPrefix:      "AzureLoadBalancer"
          properties.sourcePortRange:          "*"

    - 3:

          name:                                "AllowAzureLoadBalancerInBound"
          properties.access:                   "Allow"
          properties.description:              "Allow incoming traffic from Azure load balancers"
          properties.destinationAddressPrefix: "VirtualNetwork"
          properties.destinationPortRange:     "*"
          properties.direction:                "Inbound"
          properties.priority:                 4094
          properties.protocol:                 "*"
          properties.sourceAddressPrefix:      "AzureLoadBalancer"
          properties.sourcePortRange:          "*"

      - 4:

          name:                                "DenyVnetInBound"
          properties.access:                   "Deny"
          properties.description:              "Deny all inbound traffic"
          properties.destinationAddressPrefix: "VirtualNetwork"
          properties.destinationPortRange:     "*"
          properties.direction:                "Inbound"
          properties.priority:                 4096
          properties.protocol:                 "*"
          properties.sourceAddressPrefix:      "VirtualNetwork"
          properties.sourcePortRange:          "*"

      ]

Additional context
Add any other context about the problem here.

New-AzDeploymentWhatIf should be New-AzDeployment -WhatIf

Describe the bug
This cmdlet is inappropriately named. I thought it was a bug in the documentation. The expected Powershell syntax is:

New-AzDeployment -WhatIf

WhatIf support is built into Powershell as a language feature. Implementing this correctly will make it easier to understand and use in other scripts.

This command is either named wrong or should be implemented as New-AzDeployment -WhatIf

Microsoft.Sql/servers (2017-10-01-preview)

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Sql/servers

apiVersion (i.e. 2019-04-01)
2017-10-01-preview

Client (PowerShell, Azure CLI, or API)

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

{
            "type": "Microsoft.Sql/servers",
            "apiVersion": "2015-05-01-preview",
            "name": "[parameters('serverName')]",
            "location": "[parameters('serverLocation')]",
            "tags": "[parameters('serverTags')]",
            "properties": {
                "administratorLogin": "[parameters('administratorLogin')]",
                "administratorLoginPassword": "[parameters('administratorLoginPassword')]",
                "version": "12.0"
            }
        }

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Additional context
Add any other context about the problem here.
There are other noises from other resources that come from the following template:

{
    "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "administratorLogin": {
            "type": "String"
        },
        "administratorLoginPassword": {
            "type": "SecureString"
        },
        "collation": {
            "type": "String"
        },
        "databaseName": {
            "type": "String"
        },
        "skuName": {
            "type": "String"
        },
        "tier": {
            "type": "String"
        },
        "poolLimit": {
            "type": "String"
        },
        "poolSize": {
            "type": "Int"
        },
        "perDatabasePerformanceMin": {
            "type": "String"
        },
        "perDatabasePerformanceMax": {
            "type": "String"
        },
        "serverLocation": {
            "type": "String"
        },
        "serverName": {
            "type": "String"
        },
        "elasticPoolName": {
            "type": "String"
        },
        "sampleName": {
            "defaultValue": "",
            "type": "String"
        },
        "zoneRedundant": {
            "defaultValue": false,
            "type": "Bool"
        },
        "licenseType": {
            "defaultValue": "",
            "type": "String"
        },
        "enableADS": {
            "defaultValue": false,
            "type": "Bool"
        },
        "allowAzureIps": {
            "defaultValue": true,
            "type": "Bool"
        },
        "databaseTags": {
            "defaultValue": {},
            "type": "Object"
        },
        "serverTags": {
            "defaultValue": {},
            "type": "Object"
        },
        "elasticPoolTags": {
            "defaultValue": {},
            "type": "Object"
        },
        "enableVA": {
            "defaultValue": false,
            "type": "Bool"
        },
        "enablePrivateEndpoint": {
            "defaultValue": false,
            "type": "Bool"
        },
        "privateEndpointNestedTemplateId": {
            "defaultValue": "",
            "type": "String"
        },
        "privateEndpointSubscriptionId": {
            "defaultValue": "",
            "type": "String"
        },
        "privateEndpointResourceGroup": {
            "defaultValue": "",
            "type": "String"
        },
        "privateEndpointName": {
            "defaultValue": "",
            "type": "String"
        },
        "privateEndpointLocation": {
            "defaultValue": "",
            "type": "String"
        },
        "privateEndpointSubnetId": {
            "defaultValue": "",
            "type": "String"
        },
        "privateLinkServiceName": {
            "defaultValue": "",
            "type": "String"
        },
        "privateLinkServiceServiceId": {
            "defaultValue": "",
            "type": "String"
        },
        "privateEndpointVnetSubscriptionId": {
            "defaultValue": "",
            "type": "String"
        },
        "privateEndpointVnetResourceGroup": {
            "defaultValue": "",
            "type": "String"
        },
        "privateEndpointVnetName": {
            "defaultValue": "",
            "type": "String"
        },
        "privateEndpointSubnetName": {
            "defaultValue": "",
            "type": "String"
        },
        "enablePrivateDnsZone": {
            "defaultValue": false,
            "type": "Bool"
        },
        "privateEndpointDnsRecordUniqueId": {
            "defaultValue": "",
            "type": "String"
        },
        "privateEndpointTemplateLink": {
            "defaultValue": "",
            "type": "String"
        },
        "privateDnsForPrivateEndpointTemplateLink": {
            "defaultValue": "",
            "type": "String"
        },
        "privateDnsForPrivateEndpointNicTemplateLink": {
            "defaultValue": "",
            "type": "String"
        },
        "privateDnsForPrivateEndpointIpConfigTemplateLink": {
            "defaultValue": "",
            "type": "String"
        },
        "allowClientIp": {
            "defaultValue": false,
            "type": "Bool"
        },
        "clientIpRuleName": {
            "defaultValue": "",
            "type": "String"
        },
        "clientIpValue": {
            "defaultValue": "",
            "type": "String"
        }
    },
    "variables": {
        "subscriptionId": "[subscription().subscriptionId]",
        "resourceGroupName": "[resourceGroup().name]",
        "uniqueStorage": "[uniqueString(variables('subscriptionId'), variables('resourceGroupName'), parameters('serverLocation'))]",
        "storageName": "[tolower(concat('sqlva', variables('uniqueStorage')))]",
        "subnetPoliciesTemplateName": "[concat('SubnetPolicies-', if(parameters('enablePrivateEndpoint'), parameters('privateEndpointNestedTemplateId'), ''))]",
        "privateEndpointTemplateName": "[concat('PrivateEndpoint-', if(parameters('enablePrivateEndpoint'), parameters('privateEndpointNestedTemplateId'), ''))]",
        "deploymentTemplateApi": "2018-05-01",
        "privateEndpointApi": "2019-04-01",
        "privateEndpointId": "[if(parameters('enablePrivateEndpoint'), resourceId(parameters('privateEndpointSubscriptionId'), parameters('privateEndpointResourceGroup'), 'Microsoft.Network/privateEndpoints', parameters('privateEndpointName')), '')]",
        "privateEndpointVnetId": "[if(parameters('enablePrivateEndpoint'), resourceId(parameters('privateEndpointVnetSubscriptionId'), parameters('privateEndpointVnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('privateEndpointVnetName')), '')]",
        "privateEndpointSubnetResourceId": "[if(parameters('enablePrivateEndpoint'), resourceId(parameters('privateEndpointVnetSubscriptionId'), parameters('privateEndpointVnetResourceGroup'), 'Microsoft.Network/virtualNetworks/subnets', parameters('privateEndpointVnetName'), parameters('privateEndpointSubnetName')), '')]"
    },
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2016-01-01",
            "name": "[variables('storageName')]",
            "location": "[parameters('serverLocation')]",
            "sku": {
                "name": "Standard_LRS"
            },
            "kind": "Storage",
            "properties": {},
            "condition": "[parameters('enableVA')]"
        },
        {
            "type": "Microsoft.Sql/servers",
            "apiVersion": "2015-05-01-preview",
            "name": "[parameters('serverName')]",
            "location": "[parameters('serverLocation')]",
            "tags": "[parameters('serverTags')]",
            "properties": {
                "administratorLogin": "[parameters('administratorLogin')]",
                "administratorLoginPassword": "[parameters('administratorLoginPassword')]",
                "version": "12.0"
            },
            "resources": [
                {
                    "type": "Microsoft.Sql/servers/elasticpools",
                    "apiVersion": "2017-10-01-preview",
                    "name": "[concat(parameters('serverName'), '/', parameters('elasticPoolName'))]",
                    "location": "[parameters('serverLocation')]",
                    "dependsOn": [
                        "[concat('Microsoft.Sql/servers/', parameters('serverName'))]"
                    ],
                    "tags": "[parameters('elasticPoolTags')]",
                    "sku": {
                        "name": "[parameters('skuName')]",
                        "tier": "[parameters('tier')]",
                        "capacity": "[parameters('poolLimit')]"
                    },
                    "properties": {
                        "perDatabaseSettings": {
                            "minCapacity": "[parameters('perDatabasePerformanceMin')]",
                            "maxCapacity": "[parameters('perDatabasePerformanceMax')]"
                        },
                        "zoneRedundant": "[parameters('zoneRedundant')]",
                        "licenseType": "[parameters('licenseType')]",
                        "storageMB": "[parameters('poolSize')]"
                    }
                },
                {
                    "type": "databases",
                    "apiVersion": "2017-10-01-preview",
                    "name": "[parameters('databaseName')]",
                    "location": "[parameters('serverLocation')]",
                    "dependsOn": [
                        "[concat('Microsoft.Sql/servers/', parameters('serverName'))]",
                        "[concat('Microsoft.Sql/servers/', parameters('serverName'), '/elasticpools/', parameters('elasticPoolName'))]"
                    ],
                    "tags": "[parameters('databaseTags')]",
                    "properties": {
                        "collation": "[parameters('collation')]",
                        "elasticPoolId": "[resourceId('Microsoft.Sql/servers/elasticpools', parameters('serverName') , parameters('elasticPoolName'))]",
                        "sampleName": "[parameters('sampleName')]",
                        "zoneRedundant": "[parameters('zoneRedundant')]",
                        "licenseType": "[parameters('licenseType')]"
                    }
                },
                {
                    "type": "firewallrules",
                    "apiVersion": "2014-04-01-preview",
                    "name": "AllowAllWindowsAzureIps",
                    "location": "[parameters('serverLocation')]",
                    "dependsOn": [
                        "[concat('Microsoft.Sql/servers/', parameters('serverName'))]"
                    ],
                    "properties": {
                        "endIpAddress": "0.0.0.0",
                        "startIpAddress": "0.0.0.0"
                    },
                    "condition": "[parameters('allowAzureIps')]"
                },
                {
                    "type": "firewallrules",
                    "apiVersion": "2014-04-01-preview",
                    "name": "[parameters('clientIpRuleName')]",
                    "location": "[parameters('serverLocation')]",
                    "dependsOn": [
                        "[concat('Microsoft.Sql/servers/', parameters('serverName'))]"
                    ],
                    "properties": {
                        "endIpAddress": "[parameters('clientIpValue')]",
                        "startIpAddress": "[parameters('clientIpValue')]"
                    },
                    "condition": "[parameters('allowClientIp')]"
                },
                {
                    "type": "securityAlertPolicies",
                    "apiVersion": "2017-03-01-preview",
                    "name": "Default",
                    "dependsOn": [
                        "[concat('Microsoft.Sql/servers/', parameters('serverName'))]",
                        "[concat('Microsoft.Sql/servers/', parameters('serverName'), '/databases/', parameters('databaseName'))]"
                    ],
                    "properties": {
                        "state": "Enabled",
                        "disabledAlerts": [],
                        "emailAddresses": [],
                        "emailAccountAdmins": true
                    },
                    "condition": "[parameters('enableADS')]"
                },
                {
                    "type": "vulnerabilityAssessments",
                    "apiVersion": "2018-06-01-preview",
                    "name": "Default",
                    "dependsOn": [
                        "[concat('Microsoft.Sql/servers/', parameters('serverName'))]",
                        "[concat('Microsoft.Storage/storageAccounts/', variables('storageName'))]",
                        "[concat('Microsoft.Sql/servers/', parameters('serverName'), '/securityAlertPolicies/Default')]"
                    ],
                    "properties": {
                        "storageContainerPath": "[if(parameters('enableVA'), concat(reference(variables('storageName'), '2018-02-01').primaryEndpoints.blob, 'vulnerability-assessment'), '')]",
                        "storageAccountAccessKey": "[if(parameters('enableVA'), listKeys(variables('storageName'), '2018-02-01').keys[0].value, '')]",
                        "recurringScans": {
                            "isEnabled": true,
                            "emailSubscriptionAdmins": true,
                            "emails": []
                        }
                    },
                    "condition": "[parameters('enableVA')]"
                }
            ]
        },
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "[variables('deploymentTemplateApi')]",
            "name": "[variables('subnetPoliciesTemplateName')]",
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "resources": [
                        {
                            "apiVersion": "[variables('privateEndpointApi')]",
                            "name": "[concat(parameters('privateEndpointVnetName'), '/', parameters('privateEndpointSubnetName'))]",
                            "location": "[parameters('privateEndpointLocation')]",
                            "properties": {
                                "privateEndpointNetworkPolicies": "Disabled"
                            },
                            "type": "Microsoft.Network/virtualNetworks/subnets"
                        }
                    ]
                }
            },
            "subscriptionId": "[if(parameters('enablePrivateEndpoint'), parameters('privateEndpointVnetSubscriptionId'), variables('subscriptionId'))]",
            "resourceGroup": "[if(parameters('enablePrivateEndpoint'), parameters('privateEndpointVnetResourceGroup'), variables('resourceGroupName'))]",
            "condition": "[parameters('enablePrivateEndpoint')]"
        },
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "[variables('deploymentTemplateApi')]",
            "name": "[variables('privateEndpointTemplateName')]",
            "dependsOn": [
                "[resourceId(variables('subscriptionId'), variables('resourceGroupName'), 'Microsoft.Sql/servers/databases/', parameters('serverName'), parameters('databaseName'))]",
                "[variables('subnetPoliciesTemplateName')]"
            ],
            "properties": {
                "mode": "Incremental",
                "parameters": {
                    "privateEndpointName": {
                        "value": "[parameters('privateEndpointName')]"
                    },
                    "privateEndpointConnectionId": {
                        "value": ""
                    },
                    "privateEndpointConnectionName": {
                        "value": "[parameters('privateLinkServiceName')]"
                    },
                    "privateEndpointId": {
                        "value": "[variables('privateEndpointId')]"
                    },
                    "privateEndpointApiVersion": {
                        "value": "[variables('privateEndpointApi')]"
                    },
                    "privateLinkServiceId": {
                        "value": "[parameters('privateLinkServiceServiceId')]"
                    },
                    "groupId": {
                        "value": "SqlServer"
                    },
                    "subnetId": {
                        "value": "[variables('privateEndpointSubnetResourceId')]"
                    },
                    "location": {
                        "value": "[parameters('privateEndpointLocation')]"
                    },
                    "tags": {
                        "value": {}
                    }
                },
                "templatelink": {
                    "contentVersion": "1.0.0.0",
                    "uri": "[parameters('privateEndpointTemplateLink')]"
                }
            },
            "subscriptionId": "[if(parameters('enablePrivateEndpoint'), parameters('privateEndpointSubscriptionId'), variables('subscriptionId'))]",
            "resourceGroup": "[if(parameters('enablePrivateEndpoint'), parameters('privateEndpointResourceGroup'), variables('resourceGroupName'))]",
            "condition": "[parameters('enablePrivateEndpoint')]"
        },
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "[variables('deploymentTemplateApi')]",
            "name": "[concat('PrivateDns-', parameters('privateEndpointNestedTemplateId'))]",
            "dependsOn": [
                "[variables('privateEndpointTemplateName')]"
            ],
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "resources": [
                        {
                            "type": "Microsoft.Network/privateDnsZones",
                            "apiVersion": "2018-09-01",
                            "name": "[string('privatelink.database.windows.net')]",
                            "location": "global",
                            "tags": {},
                            "properties": {}
                        },
                        {
                            "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
                            "apiVersion": "2018-09-01",
                            "name": "[concat(string('privatelink.database.windows.net'), '/', uniqueString(variables('privateEndpointVnetId')))]",
                            "location": "global",
                            "dependsOn": [
                                "[string('privatelink.database.windows.net')]"
                            ],
                            "properties": {
                                "virtualNetwork": {
                                    "id": "[variables('privateEndpointVnetId')]"
                                },
                                "registrationEnabled": false
                            }
                        },
                        {
                            "apiVersion": "[variables('deploymentTemplateApi')]",
                            "name": "[concat('EndpointDnsRecords-', parameters('privateEndpointDnsRecordUniqueId'))]",
                            "type": "Microsoft.Resources/deployments",
                            "dependsOn": [
                                "[string('privatelink.database.windows.net')]"
                            ],
                            "properties": {
                                "mode": "Incremental",
                                "templatelink": {
                                    "contentVersion": "1.0.0.0",
                                    "uri": "[parameters('privateDnsForPrivateEndpointTemplateLink')]"
                                },
                                "parameters": {
                                    "privateDnsName": {
                                        "value": "[string('privatelink.database.windows.net')]"
                                    },
                                    "privateEndpointNicResourceId": {
                                        "value": "[if(parameters('enablePrivateEndpoint'), reference(concat('Microsoft.Resources/deployments/', variables('privateEndpointTemplateName'))).outputs.networkInterfaceId.value, '')]"
                                    },
                                    "nicRecordsTemplateUri": {
                                        "value": "[parameters('privateDnsForPrivateEndpointNicTemplateLink')]"
                                    },
                                    "ipConfigRecordsTemplateUri": {
                                        "value": "[parameters('privateDnsForPrivateEndpointIpConfigTemplateLink')]"
                                    },
                                    "uniqueId": {
                                        "value": "[parameters('privateEndpointDnsRecordUniqueId')]"
                                    },
                                    "existingRecords": {
                                        "value": {}
                                    }
                                }
                            }
                        }
                    ]
                }
            },
            "subscriptionId": "[if(parameters('enablePrivateEndpoint'), parameters('privateEndpointVnetSubscriptionId'), variables('subscriptionId'))]",
            "resourceGroup": "[if(parameters('enablePrivateEndpoint'), parameters('privateEndpointVnetResourceGroup'), variables('resourceGroupName'))]",
            "condition": "[and(parameters('enablePrivateEndpoint'), parameters('enablePrivateDnsZone'))]"
        }
    ]
}

Alert rule is reported for creation although it is already there

Describe the bug
Alert rule is reported for creation although it is already there

 + Microsoft.Insights/activityLogAlerts/Advisor Recommendations [2017-04-01]

      apiVersion:             "2017-04-01"
      id:                     "/subscriptions/<>/resourceGroups/<>/providers/Microsoft.Insights/activityLogAlerts/Advisor Recommendations"
      location:               "Global"
      name:                   "Advisor Recommendations"
      properties.actions.actionGroups: [
        0:

          actionGroupId: "/subscriptions/<>/resourceGroups/<>/providers/Microsoft.Insights/actionGroups/test"

      ]
      properties.condition.allOf: [
        0:

          equals: "Recommendation"
          field:  "category"

        1:

          equals: "Microsoft.Advisor/recommendations/available/action"
          field:  "operationName"

      ]
      properties.description: ""
      properties.enabled:     true
      properties.scopes: [
        0: "/subscriptions/<>"
      ]
      type:                   "Microsoft.Insights/activityLogAlerts"

Strangely I have a few other activity log alerts in that deployment and they are reported without change but this one is reported for creation.

New-AzResourceGroupDeployment -Confirm continues on error

Describe the bug
When you use New-AzResourceGroupDeployment -Confirm and there is an error in the template, the errormessage is given, but after that the confirm-menu still shows.

To Reproduce
Steps to reproduce the behavior:

Create a template with an error (one that would fail Test-AzResourceGroupDeployment
Run

New-AzResourceGroupDeployment -ResourceGroupName $ResourcegroupName -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParameterFile -Confirm

Expected behavior
That the error message is displayed and the terminal returns to the prompt.

Actual behaviour
The errormessage is displayed and after that the terminal returns the menu:
Are you sure you want to execute the deployment etc

Screenshots

Client [e.g. PowerShell, CLI, API)

Name                           Value
----                           -----
PSVersion                      7.0.0
PSEdition                      Core
GitCommitId                    7.0.0
OS                             Microsoft Windows 10.0.18362
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

[Suggestion] Make automated tests for the cmdlet

Hi,

After reporting the first noise reports. I noticed that it always has the same pattern.

deploy template successfully
use New-AzDeploymentWhatIf with the same template
If there are changes suggested in the output, then make a noise report.

My assumption: noise is something that the "What if" returns changes within the template even if the exact same template was used for the first deployment and is now used with a "what if" cmdlet.

Suggestion: Design automated tests for this

How would an automated test look like:

You deploy an ARM-Template into a resource group
You call New-AzDeploymentWhatIf with the same template again
if no Delete, Create or Modify statements appear then there is no noise, otherwise it is a false positive
for false-positive: automatically log the output, the noise properties and the template somewhere so it can be looked at

Use community power for testable templates

The community could help a lot with this:
https://github.com/Azure/azure-quickstart-templates

You could run these automated tests against the existing quickstart templates.
The only problem: many of the need to have the parameter files edited to have default values.

If a solution for the parameter files is found, then you have a vast amount of different ARM templates you could test against.

Logic App noise - case sensitive noise

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
In code

apiVersion (i.e. 2019-04-01)
In code

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template
It is not public

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
No changes for properties.endpointsConfiguration, properties.parameters.webhookUrl, properties.definition.parameters.customerName.type, properties.definition.parameters.tenantId.type, properties.definition.parameters.timeZoneName.type and properties.definition.parameters.webhookUrl.type

endpointsConfiguration is never configured and I suspect is it some read only property. It should not show as modified.

The others are input properties for the Logic App code. The one that is secure string is shown as changed but it should not as the value is the same as before. I suspect because it is a secret somehow it thinks that is changed. Also that value should not be exposed if it is secure string.

The types of the logic app input parameters are also reported as change for some reason.
Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Resource and property changes are indicated with these symbols:
  - Delete
  + Create
  ~ Modify
  * Ignore
  = NoChange

The deployment will update the following scopes:

Scope: /subscriptions/<subscription Id>

  = Microsoft.Insights/diagnosticSettings/subscriptionLogsToLogAnalytics-3ea7qjbovitsc [2017-05-01-preview]
  = resourceGroups/<resource group name> [2019-05-01]

Scope: /subscriptions/<subscription Id>/resourceGroups/<resource group name>

~ Microsoft.Logic/workflows/<logic app name> [2017-07-01]
    - properties.endpointsConfiguration:

        connector.outgoingIpAddresses: [
          0:

            address: "<some IP Address range>"

          1:

            address: "<some IP Address>"

          2:

            address: "<some IP Address>"

          3:

            address: "<some IP Address>"

          4:

            address: "<some IP Address>"

        ]
        workflow.accessEndpointIpAddresses: [
          0:

            address: "<some IP Address>"

          1:

            address: "<some IP Address>"

          2:

            address: "<some IP Address>"

          3:

            address: "<some IP Address>"

        ]
        workflow.outgoingIpAddresses: [
          0:

            address: "<some IP Address>"

          1:

            address: "<some IP Address>"

          2:

            address: "<some IP Address>"

          3:

            address: "<some IP Address>"

          4:

            address: "<some IP Address>"

          5:

            address: "<some IP Address>"

          6:

            address: "<some IP Address>"

          7:

            address: "<some IP Address>"

        ]
        + properties.parameters.webhookUrl:

        value: "<webhook URL>"

    ~ properties.definition.parameters.customerName.type: "String" => "string"
    ~ properties.definition.parameters.tenantId.type:     "String" => "string"
    ~ properties.definition.parameters.timeZoneName.type: "String" => "string"
    ~ properties.definition.parameters.webhookUrl.type:   "SecureString" => "securestring"

Additional context
Add any other context about the problem here.

Microsoft.Insights/scheduledqueryrules

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Insights/scheduledqueryrules

apiVersion (i.e. 2019-04-01)
2018-04-16

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
Changes of properties. I am changing properties.enabled, properties.schedule.frequencyInMinutes and properties.schedule.timeWindowInMinutes, properties.action.aznsAction.actionGroup but none of these are reported as changed. I would guess any property on that RP will never report as changed. The whole resource is reported as ignored for some reason.

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

  * Microsoft.Insights/scheduledqueryrules/8a42db29-6d48-551c-92c6-f6aec5adadd5

VERBOSE: 12:38:46 - Resource Microsoft.Insights/scheduledQueryRules '8a42db29-6d48-551c-92c6-f6aec5adadd5' provisioning status is succeeded

Additional context
Add any other context about the problem here.

Microsoft.Sql/servers/{servername}/securityAlertPolicies/Default (2017-03-01-preview)

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Sql/servers/{servername}/securityAlertPolicies/Default

apiVersion (i.e. 2019-04-01)
2017-03-01-preview

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

  {
                    "type": "securityAlertPolicies",
                    "apiVersion": "2017-03-01-preview",
                    "name": "Default",
                    "dependsOn": [
                        "[concat('Microsoft.Sql/servers/', parameters('serverName'))]",
                        "[concat('Microsoft.Sql/servers/', parameters('serverName'), '/databases/', parameters('databaseName'))]"
                    ],
                    "properties": {
                        "state": "Enabled",
                        "disabledAlerts": [],
                        "emailAddresses": [],
                        "emailAccountAdmins": true
                    },
                    "condition": "[parameters('enableADS')]"
                }

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Additional context
Full template can be seen at #21

Microsoft.Insights/workbooks

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Insights/workbooks

apiVersion (i.e. 2019-04-01)
2018-06-17-preview

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed)
The below properties are reported as change/delete

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

 ~ Microsoft.Insights/workbooks/603c8485-50b1-54a3-b5d7-919ee52d632b [2018-06-17-preview]
    - properties.timeModified: "2020-05-13T12:38:39.6976932Z"
    - properties.userId:       "10032000962af628"
    - tags.hidden-title:       "Event Hubs Metrics (lz-event-hubs-monitoring)"
    ~ properties.sourceId:     "azure monitor" => "Azure Monitor"

Additional context
Add any other context about the problem here.

Protected settings are shown in plaintext for the output on Microsoft.Compute/virtualMachines/extensions

Describe the bug
Protected settings are shown in the output on Microsoft.Compute/virtualMachines/extensions

To Reproduce
Any VM extension that has protected settings.

See image:

https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/2019-07-01/virtualmachines/extensions

--> https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/2019-07-01/virtualmachines/extensions#virtualmachineextensionproperties-object

Sample of output where secret is shown.

similar issue to #4

Expected behavior
Protected settings should be obfuscated.

Microsoft.Web/serverfarms (2015-04-01)

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Web/serverfarms

apiVersion (i.e. 2019-04-01)
2015-04-01

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object specified in #1 and #2, but if it's easier you can include the entire template

{
      "type": "Microsoft.Web/serverfarms",
      "apiVersion": "2015-04-01",
      "name": "[variables('hostingPlanName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "name": "[variables('hostingPlanName')]",
        "computeMode": "Dynamic",
        "sku": "Dynamic"
      }
    }

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Additional context
Add any other context about the problem here.

Confusing / unclear -nameFromTemplate parameter

Issue

I tried to run the following command to test the new New-AzDeploymentWhatIf cmdlet.

New-AzDeploymentWhatIf -ScopeType ResourceGroup -ResourceGroupName aks -TemplateFile ./aks.json -TemplateParameterFile ./aks.parameters.json -Verbose

I got the error message that I shall provide -nameFromTemplate parameter.

Running the command New-AzDeploymentWhatIf -ScopeType ResourceGroup -ResourceGroupName aks -TemplateFile ./aks.json -TemplateParameterFile ./aks.parameters.json -nameFromTemplate akstestwhatif -Verbose succeeded.

But I was confused that -nameFromTemplate overrides the value of the name parameter I am using in my template and template parameter file to specify the name of the AKS cluster. azst-aks-demo in that particular case.

Note: As What-If is currently in preview, the result may contain false positive predictions (noise).
You can help us improve the accuracy of the result by opening an issue here: https://aka.ms/WhatIfIssues.

Resource and property changes are indicated with these symbols:
  + Create
  * Ignore

The deployment will update the following scope:

Scope: /subscriptions/REDACTED/resourceGroups/aks

  + Microsoft.ContainerService/managedClusters/akstestwhatif

      apiVersion:                                                               "2019-08-01"
      id:
"/subscriptions/REDACTED/resourceGroups/aks/providers/Microsoft.ContainerService/managedClusters/akstestwhatif"
      location:                                                                 "northeurope"
      name:                                                                     "akstestwhatif"

What to expect?

Get rid of -nameFromTemplate parameter or adjust the documentation to clearly point out which use case this parameter covers.

Microsoft.Databricks/workspaces (2018-04-01)

Describe the noise

Resource type (i.e. Microsoft.Storage/storageAccounts)
Microsoft.Databricks/workspaces

apiVersion (i.e. 2019-04-01)
2018-04-01

Client (PowerShell, Azure CLI, or API)
PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template

  {
            "type": "Microsoft.Databricks/workspaces",
            "apiVersion": "2018-04-01",
            "name": "[parameters('workspaceName')]",
            "location": "westeurope",
            "sku": {
                "name": "[parameters('tier')]"
            },
            "properties": {
                "ManagedResourceGroupId": "[variables('managedResourceGroupId')]"
            }
        }

Expected response
I expected no noise since the template has not been modified since the resources were deployed

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

Additional context
Add any other context about the problem here.
Created with the standard template over the portal GUI

Microsoft.KeyVault/vaults/secrets (2018-02-14)

Describe the noise

Resource type

Microsoft.KeyVault/vaults/secrets

apiVersion

2018-02-14

Client

PowerShell

Relevant ARM Template code

{
	"type": "secrets",
	"name": "nepeters",
	"apiVersion": "2018-02-14",
	"dependsOn": [
		"[resourceId('Microsoft.KeyVault/vaults', 'nepeters')]"
	],
	"properties": {
		"value": "nepeters"
	}
}

Expected response

I expected no noise since the template has not been modified since the resources were deployed.

Current (noisy) response

Resource and property changes are indicated with these symbols:
  - Delete
  + Create
  ~ Modify
  = NoChange

The deployment will update the following scope:

Scope: /subscriptions/3762d87c-ddb8-425f-b2fc-29e5e859edaf/resourceGroups/whatif-kv3

  ~ Microsoft.KeyVault/vaults/nepeters/secrets/nepeters [2018-02-14]
    - location:         "eastus"
    - properties.attributes:

        created: 1575248425
        enabled: true
        updated: 1575248425

    + properties.value: "nepeters"

  = Microsoft.KeyVault/vaults/nepeters [2018-02-14]

Resource changes: 1 to modify, 1 no change.

Additional context

Parent resource Microsoft.KeyVault/vaults validates without issue or noise.

The term 'New-AzDeploymentWhatIf' is not recognized as the name of a cmdlet, function, script file, or operable program

I'm trying to prepare my environment for using New-AzDeploymentWhatIf, but can't make it run both on my Mac with PowerShell Az version 3.3.0 and 4.0.2-preview:
https://prnt.sc/qrwhoz
..and Azure Cloud Shell (PowerShell Az version is also 3.3.0):
https://prnt.sc/qrwf4w

Microsoft.Sql/servers (2015-05-01-preview)

Describe the noise

Resource type

Microsoft.Sql/servers

apiVersion

2015-05-01-preview

Client

PowerShell

Relevant ARM Template code

{
	"name": "nepeters",
	"type": "Microsoft.Sql/servers",
	"apiVersion": "2015-05-01-preview",
	"location": "[resourceGroup().location]",
	"properties": {
		"administratorLogin": "neillocal",
		"administratorLoginPassword": "Password2020!"
	}
}

Expected response

I expected no noise since the template has not been modified since the resources were deployed.

Current (noisy) response

Resource and property changes are indicated with these symbols:
  - Delete
  ~ Modify
  * Ignore

The deployment will update the following scope:

Scope: /subscriptions/3762d87c-ddb8-425f-b2fc-29e5e859edaf/resourceGroups/whatif-sql

  ~ Microsoft.Sql/servers/nepeters [2015-05-01-preview]
    - kind:               "v12.0"
    - properties.version: "12.0"

  * Microsoft.Sql/servers/nepeters/databases/master

Resource changes: 1 to modify, 1 to ignore.

azure / arm-template-whatif Goto Github PK

arm-template-whatif's Introduction

Welcome to the ARM Template What-If issues repo

Install PowerShell module

What types of issues are you looking for?

Why does noise occur?

How do I submit an issue?

Sample issue

Contributing

arm-template-whatif's People

Contributors

Stargazers

Watchers

Forkers

arm-template-whatif's Issues

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Suggestion: Design automated tests for this

Use community power for testable templates

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Describe the noise

Issue

What to expect?

Describe the noise

Describe the noise

Describe the noise

Recommend Projects

Recommend Topics

Recommend Org