// Compare Bicep templates against a live Azure environment by querying Azure directly and parsing the Bicep template. Presents categorized change results (Create, Modify, Delete, No Change) without deploying anything. Does NOT use ARM what-if.
Reverse-engineer a live Azure scope (resource group or filtered subscription) into a professional Draw.io architecture diagram. Discovers resources via Azure MCP, infers relationships from resource properties, filters infrastructure-only resources, and generates a diagram following established AzVerify conventions.
Reverse-engineer a live Azure scope (resource group or filtered subscription) into deployment-ready Bicep templates. Discovers resources via Azure MCP, extracts full configurations, generates modular Bicep with parameter files, and documents out-of-scope dependencies that require separate changes.
Compare Bicep templates against a Draw.io Azure architecture diagram to detect resource-level divergence. Reports differences and offers resolution ā update Bicep to match the diagram, update the diagram to match Bicep, or selectively resolve per resource.
Check a Bicep template against the Azure Policy assignments in the target Azure environment to determine whether the resources would be compliant before deployment. Uses the checkPolicyRestrictions REST API for fast server-side evaluation, with a legacy CLI fallback. Produces a per-resource compliance report with remediation guidance.
Deep-compare a Draw.io Azure architecture diagram against a live Azure environment ā checks both resource existence AND every tracked configuration property (SKU, size, settings, etc.) against expected values. Reports existence drift and property-level drift with severity classification, and offers per-property resolution.
Compare a Draw.io Azure architecture diagram against a live Azure environment to detect drift. Supports quick mode (existence check) and deep mode (full property-level comparison). Reports differences and offers resolution ā update the diagram, update Azure, or selectively resolve per resource.
| name | azv-bicep-whatif |
| description | Compare Bicep templates against a live Azure environment by querying Azure directly and parsing the Bicep template. Presents categorized change results (Create, Modify, Delete, No Change) without deploying anything. Does NOT use ARM what-if. |
| license | MIT |
| metadata | {"author":"AzVerify","version":"1.0","project":"AzVerify"} |
Compare Bicep templates against a live Azure environment by querying Azure directly and parsing the Bicep template. Reports resources that will be created, modified, deleted, or left unchanged ā without using ARM what-if.
Approach: This skill does NOT use
az deployment group what-if. Instead it:
- Parses the Bicep template and parameter file to build an expected resource model
- Queries Azure directly using
az resource listand per-resourceaz <service> showcommands to build an actual resource model- Compares both models to identify existence-level and property-level differences
Input: A solution folder containing Bicep templates (main.bicep) and a .bicepparam file, plus an Azure target scope (resource group name or subscription ID). The user can specify these, or the skill will auto-discover and prompt for missing inputs.
Tools required: File system tools (read files), Terminal (for running az CLI commands), Azure MCP server tools
Reference files:
.github/skills/shared/azure-resource-model.md ā Shared resource metadata model definition.github/skills/shared/azure-resource-configs.md ā Per-resource-type configuration schemas (useful for interpreting property changes)Shared procedures (MUST follow):
.github/skills/shared/procedures/azure-authentication.md ā Azure session check procedure.github/skills/shared/procedures/bicep-parsing.md ā Bicep template parsing procedureFollow the procedure in .github/skills/shared/procedures/azure-authentication.md. HARD GATE ā stop if not authenticated.
Identify the solution folder, the Bicep template, the parameter file, and the target scope.
If the user specifies a folder path:
If no folder is specified:
main.bicep filemain.bicep exists in the solution folder## No Bicep Template Found
No `main.bicep` file found in `<folder-path>`.
This skill requires a Bicep template to run the what-if analysis.
If exactly one .bicepparam file exists in the solution folder:
If multiple .bicepparam files exist:
## Multiple Parameter Files Found
Found multiple `.bicepparam` files in `<folder-path>`:
1. `app-dev.bicepparam`
2. `app-prod.bicepparam`
Which parameter file should I use? (1/2)
If no .bicepparam file exists:
ā ļø No `.bicepparam` file found in `<folder-path>`. Default parameter values from `azure-resource-configs.md` will be used as expected values.
If the user specifies a resource group name:
az group show --name <name> ā if this fails, report an error and stopIf the user specifies a subscription ID:
If no scope is specified, try to infer it:
.bicepparam file: Look for a using declaration or comments indicating the target resource groupThe `.bicepparam` file references resource group `<name>`. Use this as the target scope? (yes/no)
Which Azure resource group should I compare the templates against?
Read the Bicep template and parameter file to build an expected resource model ā what the templates declare should exist.
3a. Read and parse the .bicepparam file
Read the .bicepparam file and extract all parameter values. These are the user-specified values that override defaults. For each param <name> = <value> line, record the name and resolved value.
3b. Read and parse main.bicep and all module files
Read main.bicep and every Bicep module it references in modules/. For each resource block that is either declared inline or inside a module, extract:
Microsoft.Web/sites).bicepparam file if the name is a parameter reference (e.g., name: appServiceName ā resolve appServiceName to its value).github/skills/shared/azure-resource-configs.md for this resource type (e.g., sku.name, properties.siteConfig.linuxFxVersion, properties.httpsOnly)serverFarmId)For properties that reference parameters (e.g., linuxFxVersion: appServiceRuntimeStack), resolve them using the .bicepparam values. If the parameter has no value in .bicepparam, use the default from azure-resource-configs.md.
3c. Build the expected resource model
Produce a structured model (as defined in .github/skills/shared/azure-resource-model.md) with all declared resources and their resolved property values. This is the "desired state" from the templates.
Display a summary of what was parsed:
## Template Resources
Parsed **N resources** from `<solution-folder>/main.bicep`:
| # | Resource | Type | Key Properties |
|---|----------|------|----------------|
| 1 | vnet-01 | Microsoft.Network/virtualNetworks | addressPrefix: 10.0.0.0/16 |
| 2 | vm-01 | Microsoft.Compute/virtualMachines | vmSize: Standard_B2s |
| 3 | webapp-azverify | Microsoft.Web/sites | runtime: DOTNET\|10.0, httpsOnly: true |
Before querying Azure, verify that all resource providers required by the Bicep template are registered in the active subscription. Unregistered providers will cause deployment failures.
4a. Extract required provider namespaces
From the expected resource model (Step 3), extract a unique list of top-level resource provider namespaces. Derive the namespace from each resource type by taking the first segment (e.g., Microsoft.Compute/virtualMachines ā Microsoft.Compute, Microsoft.Network/virtualNetworks ā Microsoft.Network).
4b. Query registered providers
Run:
az provider list --query "[?registrationState=='Registered'].namespace" -o json
This returns all currently registered provider namespaces in the subscription.
4c. Compare and report
Compare the required namespaces (4a) against the registered namespaces (4b) using case-insensitive matching.
If all providers are registered:
If one or more providers are NOT registered:
## ā ļø Unregistered Resource Providers
The following resource providers are **required by the Bicep template** but are **not registered** in subscription `<sub-name>` (`<sub-id>`). Deployment will fail unless they are registered first.
| # | Provider Namespace | Required By |
|---|-------------------|-------------|
| 1 | Microsoft.App | my-container-app (Microsoft.App/containerApps) |
| 2 | Microsoft.Cache | my-redis (Microsoft.Cache/redis) |
**To register the missing providers, run:**
```bash
az provider register --namespace Microsoft.App
az provider register --namespace Microsoft.Cache
Note: Provider registration can take a few minutes. Check status with:
az provider show --namespace <namespace> --query registrationState -o tsv
- **Continue execution** ā this is a warning, not a hard gate. The what-if comparison is still valuable for planning.
### 5. Query Azure for Actual Resource Model
Query the target resource group to build an **actual resource model** ā what is currently deployed in Azure.
**5a. List all resources in the target scope**
Run:
```bash
az resource list --resource-group <rg-name> -o json
This returns all resources currently in the resource group. Build an initial resource model from the results.
Exclude infrastructure-only resources that are auto-created by Azure and not declared in Bicep templates:
Microsoft.Compute/disks that are OS disks (managed by VMs)Microsoft.Network/networkInterfaces that are PE-managed NICs (where managedBy is set to a Private Endpoint)Microsoft.Network/networkWatchers ā auto-created by Azuremicrosoft.alertsManagement/smartDetectorAlertRules ā auto-createdMicrosoft.Portal/dashboards ā portal artifacts5b. Retrieve full properties for each resource
For each resource, retrieve full properties using the most specific CLI command available:
az vm show, az webapp show, az appservice plan show, az network vnet show, az network vnet subnet show, az network nic show, az network private-endpoint show, az network private-dns zone show, az storage account show, az keyvault show, az redis show, az cosmosdb show, az sql server show, az acr show, az containerapp showaz resource show --ids <resourceId> -o json for child resources or types without specific CLI commands--ids <resourceId> -o jsonShow progress: Querying Azure resources (1/N): vnet-01...
5c. Extract tracked properties from query results
For each resource, extract the property values that correspond to the tracked properties in azure-resource-configs.md for that resource type. Use the ARM JSON paths from the config schema to navigate the JSON response.
Compare the expected resource model (Step 3) against the actual Azure resource model (Step 5) to classify each resource.
6a. Existence-level classification
Match resources by type AND name (case-insensitive). Classify each resource as:
Matching rules:
6b. Property-level comparison (for matched resources)
For resources matched in both models, compare each tracked property from azure-resource-configs.md:
azure-resource-configs.mdtrue/"true"/"True" all equal true[], null, absent ā all equivalent for array properties"30" equals 30azure-resource-configs.md6c. Classify final change type
After property comparison, refine the classification:
Display a categorized comparison report.
Header (always shown): Title, target scope, template/parameters paths, summary table with counts per category (š Create, āļø Modify, šļø Delete, ā No Change).
If no changes: Show "ā No changes ā all template resources match Azure" and stop.
Per-category sections:
azure-resource-configs.md.<details> section listing matched resourcesIf deletions detected, warn user to verify intentional exclusions and check diagram with azv-bicep-diagram-sync.
When changes exist, suggest: deploy command (az deployment group create), review Critical severity items, and sync check with azv-bicep-diagram-sync.