Posted in

Bicep What-If — The “terraform plan” Equivalent for Azure Native IaC

by Mariusz Ferdyn - Microsoft Most Valuable Professional (MVP)

🔹 Feature: Bicep What-If — The “terraform plan” Equivalent for Azure Native IaC
🔹 What It Does: Love the safety of running Terraform plan before you apply? Bicep has the same thing. The what-if operation previews exactly how your resources will change before you deploy — Create, Modify, Delete — without touching a single live resource. No surprises, no “wait, why did that subnet disappear.” 🔍

What Is It Giving You:

✅ Dry-Run Before Every Deploy: what-if predicts the changes without making any. It diffs your Bicep file against the current state of Azure and shows you the delta. Just like a plan — but native, no extra tooling, no state file to babysit.
✅ Color-Coded Change Symbols: Output marks every change clearly — “+” Create, “~” Modify, “-” Delete. At a glance you see that a tag got dropped, an address prefix changed, or a subnet is about to be deleted. Read the diff, then decide.
✅ Confirm-With-What-If in One Command: Run az deployment group create –confirm-with-what-if (or -c) and Azure shows you the preview, then prompts “Are you sure?” Plan and apply in a single, gated step. This is the muscle memory Terraform people are looking for.
✅ Every Scope Supported: Works at resource group, subscription, management group, and tenant level. VS Code, Azure PowerShell, Azure CLI, and REST API all support it.
✅ Tunable Validation Levels: CLI 2.76.0+ adds –validation-level — Provider (full RBAC + preflight), ProviderNoRbac (read-only perms), or Template (static syntax only). Match the depth of validation to what you actually need.
✅ Machine-Readable Output for Pipelines: Add –no-pretty-print to get JSON instead of the text summary — drop what-if into CI/CD and gate deployments programmatically on the predicted change set.
✅ Bonus — bicep snapshot for Offline Diffs: Want to catch unintended logic changes with zero Azure connection? bicep snapshot generates and compares a normalized JSON of your infra locally. Pure offline plan-style testing.

⚠️ templateLink expansion isn’t supported — resources behind template links / template specs in nested deployments won’t appear in results.

So no — you don’t need Terraform just for the plan. Azure-native IaC had this all along. 😏

🌐 https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deploy-what-if

Microsoft Certified Trainer, Office 365, AWS, Azure and Cloud Expert-Architect. In the IT world for over than 20 years.

Apart from the main area of Microsoft Azure expert in the field of infrastructure servers Windows Server 2003-2019, Microsoft Active Directory, Hyper-V Private Cloud, IIS, System Center, SQL.

Private Cloud, System Center, Hyper-V, Open Stack Expert and all Microsoft products Expert. Linux Server administrator.

My Azure community projects:

https://mazeball.azurewebsites.net/
https://github.com/MariuszFerdyn?tab=repositories

More