Learn how to modularize your ARM Templates
As Azure environments grow more complex, modularization of Azure Resource Manager (ARM) templates becomes essential for maintaining scalability, reusability, and clarity. ARM templates can be modularized through the use of linked templates, nested templates, and other techniques to better manage and organize your infrastructure as code (IaC).
Below, we explore different ways to modularize ARM templates, including the use of linked templates, nested templates, deployment modes, and securing external templates.
1. Linked Templates
A linked template allows you to reference an external ARM template from within another template. This method is ideal when you need to break down complex deployments into smaller, reusable components. It enables you to deploy multiple related resources across different templates while keeping a modular structure.
How Linked Templates Work:
The parent template references an external child template by using the templateLink property.
This way, the parent template can delegate the deployment to external templates stored in locations like Azure Storage, GitHub, or other accessible URLs.
Example of Linked Template:
Here’s an example of how you can use a linked template to deploy resources in an external template:
Parent Template (Main Template):
xxxxxxxxxx261{2 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",3 "contentVersion": "1.0.0.0",4 "resources": [5 {6 "type": "Microsoft.Resources/deployments",7 "apiVersion": "2023-03-01",8 "name": "deployNetworkResources",9 "properties": {10 "mode": "Incremental",11 "templateLink": {12 "uri": "https://example.com/templates/networkTemplate.json",13 "contentVersion": "1.0.0.0"14 },15 "parameters": {16 "vnetName": {17 "value": "myVirtualNetwork"18 },19 "subnetName": {20 "value": "mySubnet"21 }22 }23 }24 }25 ]26}Child Template (Linked Template):
xxxxxxxxxx271{2 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",3 "contentVersion": "1.0.0.0",4 "resources": [5 {6 "type": "Microsoft.Network/virtualNetworks",7 "apiVersion": "2023-03-01",8 "location": "East US",9 "name": "[parameters('vnetName')]",10 "properties": {11 "addressSpace": {12 "addressPrefixes": [13 "10.0.0.0/16"14 ]15 }16 }17 },18 {19 "type": "Microsoft.Network/virtualNetworks/subnets",20 "apiVersion": "2023-03-01",21 "name": "[concat(parameters('vnetName'), '/mySubnet')]",22 "properties": {23 "addressPrefix": "10.0.1.0/24"24 }25 }26 ]27}In this example:
The parent template references the child template using the
templateLinkproperty.Parameters for the child template (
vnetNameandsubnetName) are passed from the parent.
Benefits of Linked Templates:
Modular and reusable templates.
You can maintain separate, reusable components (e.g., network, storage, VM templates).
Centralized management of templates stored in a repository.
2. Nested Templates
A nested template is similar to a linked template, but the referenced template is embedded directly within the parent template. It allows you to include one template inside another, but the child template is included as a JSON object within the parent template.
Example of Nested Template:
Here’s an example of a nested template that defines resources directly within the parent template:
Parent Template with Nested Template:
xxxxxxxxxx411{2 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",3 "contentVersion": "1.0.0.0",4 "resources": [5 {6 "type": "Microsoft.Resources/deployments",7 "apiVersion": "2023-03-01",8 "name": "nestedDeployNetworkResources",9 "properties": {10 "mode": "Incremental",11 "template": {12 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",13 "contentVersion": "1.0.0.0",14 "resources": [15 {16 "type": "Microsoft.Network/virtualNetworks",17 "apiVersion": "2023-03-01",18 "location": "East US",19 "name": "myVirtualNetwork",20 "properties": {21 "addressSpace": {22 "addressPrefixes": [23 "10.0.0.0/16"24 ]25 }26 }27 },28 {29 "type": "Microsoft.Network/virtualNetworks/subnets",30 "apiVersion": "2023-03-01",31 "name": "myVirtualNetwork/mySubnet",32 "properties": {33 "addressPrefix": "10.0.1.0/24"34 }35 }36 ]37 }38 }39 }40 ]41}Here:
The nested template is defined directly inside the parent template under the
templateproperty.No external storage is needed for the template.
Benefits of Nested Templates:
Templates are self-contained within a single ARM template.
Simplifies resource deployment when you don’t need to reuse templates elsewhere.
Easier to manage as long as the complexity is not high.
3. Deployment Modes in ARM Templates
When deploying ARM templates, Azure offers different deployment modes that control how resources are handled during deployment:
Incremental Mode (Default):
Incremental mode deploys only the resources that are defined in the template, adding and updating resources but leaving existing resources untouched.
This is the default mode for deployments.
It ensures that new resources are added or updated without removing existing ones.
Example of Incremental Mode:
xxxxxxxxxx31{2 "mode": "Incremental"3}Use cases:
When you want to add new resources without affecting existing ones.
Ideal for rolling updates or incremental changes to an infrastructure.
Complete Mode:
Complete mode will remove any resources that are not defined in the template but were part of the previous deployment.
It ensures that only the resources specified in the template exist after the deployment.
Example of Complete Mode:
xxxxxxxxxx31{2 "mode": "Complete"3}Use cases:
When you want to clean up old or unused resources that were previously deployed.
Ideal for environments where the template is the "single source of truth" and should ensure exact alignment with the definition.
Validate Mode:
The Validate mode is used to check whether the template is valid and can be successfully deployed.
It does not actually deploy resources; it only verifies whether the template syntax and parameters are correct and if the resources can be provisioned successfully.
Example of Validate Mode:
xxxxxxxxxx31{2 "mode": "Validate"3}Use cases:
During CI/CD pipeline checks to validate the template before actual deployment.
When you need to test the template’s correctness without making changes to resources.
4. External Templates and External Parameters
External templates and parameters allow you to store templates and parameter files outside of the current deployment, which enhances reusability and modularization. You can reference external templates and parameter files from locations like Azure Storage, GitHub, or other accessible URLs.
Example of Using External Parameters:
xxxxxxxxxx201{2 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",3 "contentVersion": "1.0.0.0",4 "resources": [5 {6 "type": "Microsoft.Resources/deployments",7 "apiVersion": "2023-03-01",8 "name": "externalTemplateDeployment",9 "properties": {10 "mode": "Incremental",11 "templateLink": {12 "uri": "https://example.com/templates/mytemplate.json"13 },14 "parametersLink": {15 "uri": "https://example.com/parameters/myparameters.json"16 }17 }18 }19 ]20}Here:
The parent template references an external template (
templateLink) and external parameters (parametersLink).This enables reusability of templates across multiple deployments.
5. Securing an External Template
When using external templates and external parameters, it's important to secure them to prevent unauthorized access.
Follow the following steps to Secure External Templates.
Use Azure Storage Accounts:
Store templates in Azure Blob Storage with Azure Active Directory (AAD) authentication or Shared Access Signatures (SAS) tokens for access control.
Use SAS Tokens:
Provide secure, time-limited access to templates by using SAS tokens.
For example:
xxxxxxxxxx31"templateLink": {2 "uri": "https://mystorageaccount.blob.core.windows.net/templates/mytemplate.json?sv=2023-01-01&se=2023-12-31&sp=rl&sig=xyz"3}Use GitHub or Other Repositories with Security Controls:
If using GitHub, control access to the repository using GitHub’s security and permissions features.
Use encrypted GitHub actions or CI/CD pipelines to securely fetch templates and parameters.
Use Encryption:
Store sensitive parameters (like passwords or keys) in Azure Key Vault and reference them within the templates to avoid hardcoding secrets.
Summary
Modularizing ARM templates improves scalability, reusability, and maintainability in large-scale Azure deployments. Key strategies include:
Linked templates: Reference external templates.
Nested templates: Include external templates directly within the parent.
Deployment modes: Choose between incremental, complete, or validate modes to control resource updates.
External templates: Store templates and parameters externally to facilitate reuse.
Securing templates: Use Azure Storage, SAS tokens, or encryption to protect sensitive templates and parameters.
By adopting these strategies, you can efficiently manage complex infrastructure deployments in a modular, secure, and scalable manner.
Leave a Reply