I recently interviewed for a position as an Azure Infrastructure Engineer where I was asked about drift detection in ARM and Bicep. When I mentioned that there isn't native support for this, the interviewer seemed a bit disappointed. I'm looking for advice on how organizations handle drift detection. Do you employ any custom solutions, and how do you manage ARM/Bicep in your workflows?
5 Answers
Did the interviewer maybe mean using Bicep's ‘what-if’ feature? That might have been what they were expecting you to discuss.
Bicep has a ‘complete’ mode that can wipe out everything not defined in your template. You might want to try running a what-if in that mode to uncover drift.
You're spot on that ARM and Bicep lack built-in drift detection! It seems the interviewer might have wanted to hear about real-world solutions. Companies often use Azure Policy for compliance checks, or custom scripts that compare the current state to templates. Some also automate checks using Azure Resource Graph queries. When you address such questions next time, mention the limitations but also share the creative solutions many teams implement.
Consider using deployment stacks with deny assignments—this can help prevent drift effectively. Another approach is using the ‘what-if’ command, though keep in mind it won’t catch resources that aren't defined in your templates but are still deployed.
You got the technical part right, but in interviews, it's helpful to discuss potential solutions too. Interviewers want to gauge your problem-solving skills. For drift detection, you can use Azure Policy alongside tight role-based access control (RBAC) for change governance. Also, running validation pipelines against your templates helps spot differences, though it's not foolproof for every resource type.
Related Questions
How To Get Your Domain Unblocked From Facebook
How To Find A String In a Directory of Files Using Linux