Vetting Azure Managed Applications through CI/CD

The Azure Marketplace can be used to publish so-called Managed Applications and offer them to customers. Like with Google Play or the Apple App-Store, these Managed Application undergo a review process before they are made available. When we went through this process with ux4iot, we picked up some best practices, one of which we want to share in this blog post.

There are two destinations for publishing Azure Managed Applications. The first option is to make them available in the so-called Service Catalog. This means that they will only be available inside of your organization. This is useful for bundling functionality for internal purposes.

If you want to commercialize your application, however, you have to publish it to the Azure Marketplace, where it can be found and used by people outside of your own org. You submit the application via the Microsoft Partner Center and thereby kick off a validation process, where Microsoft staff is checking formal aspects of your submission (e.g. if your privacy policy is acceptable) as well as technical criteria. For the latter, the ARM template (mainTemplate.json) that is at the heart of the Managed Application is evaluated, as well as other relevant files (e.g. createUiDefinition.json which defines the workflow for creating new instances of your app).

Since the validation process is partly manual, it can take a couple of days. When technical issues are found, you are given feedback and potentially asked to correct any shortcomings. In order to speed things up and prevent time-consuming back and forth between yourself and the reviewers, you should perform the validity checks yourself before submitting your app. Luckily, the tools that are used by the Microsoft staff for vetting the applications are available, in the form of the Azure Resource Manager Template Toolkit (arm-ttk).

It makes sense to integrate arm-ttk in the CI/CD process of your Managed App, so that the checks are automatically performed for every new version of your app.

In order to facilitate this process, we at Device Insight have created a Docker image that holds arm-ttk. You can find the repo containing the build on GitHub. The resulting Docker image can be retrieved from the GitHub container registry.

Usage is quite simple:

     TEMPLATE_DIR=$(mktemp -d)
cp mainTemplate.json createUiDefinition.json $TEMPLATE_DIR
docker run \
    --rm -ti \
    -v $TEMPLATE_DIR:/template \    

This checks your mainTemplate.json and createUiDefinition.json and outputs its findings. If there are problems the execution of the Docker container will fail with a non-zero exit code, conveniently also failing your CI/CD job. If no problems are found, the exit code will be zero and the CI/CD job will be successful.

The reason why a temporary directory is used in the example instead of mounting the directory holding the mainTemplate.json and other files directly is that arm-ttk will check all files with a json extension. There might be other json files alongside mainTemplate.json which contain content unknown to arm-ttk, causing it to fail.

Here is some example output:

If you fix all findings that arm-ttk reports, it should be smooth sailing getting your Managed Application approved for publication in the Azure Marketplace.

Recommended posts

Stefan Hudelmaier

Managed Applications and tags

How to set tags of a managed resource group when deploying Azure Managed Applications.
Robert Lohr

Use Azure AD Workload Identity for Pod-Assigned Managed Identity in AKS

How to make your life easier using Azure AD Workload Identity for authentication within AKS.