Azure Resource Change History is here
I wrote not long ago about Azure Resource Graph and how it would change the way you script. It now enables us to track changes over time. Ever wanted to know what was the state of a resource 1 week before the laschange. It is now possible.
Before the Change History era
It was possible to keep track of resource changes in Azure, but you had to do it yourself. It was possible also to get notified via Azure Log Activity when an operation other than */read happens on a resource, but you don't really get the details of what is changing exactly, i.e. which properties.
Why Is It Important
Configuration drift (change) detection is important in several situations, let's imagine you are in a middle of an incident and need to understand quickly if something has changed or not since last deployment to help you troubleshoot. Using Change History in the portal or the Rest API, you can dig into these configuration drift to help you compare what has changed.
How can I use Change History?
In the portal, you can access Change History in Azure Policy's Change history or Azure Activity Logs Change history.
Using the Rest API, with the public preview (at the time of writing), Resource Change History API gives you access to the last 14 days of ARM resource's property changes. Very neat!
For a start, two (2) APIs are available:
resourceChanges: returns a list of change events for a resource and time interval.
resourceChangeDetails: returns the before and after resource content for a given resource and change event
There is a great article around the Change History API Microsoft documentation. I won't repeat the code samples here but in a nutshell: You make an API call to resourceChanges to get the list of changes available to consult, then call the resourceChangeDetails to get a beforeSnapshot and afterSnapshot to help you compare.
Here is an example of the return of a resourceChangeDetails call:
{
"changeId": "{\"beforeId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"beforeTime\":'2019-05-09T00:00:00.000Z\",\"afterId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"beforeTime\":'2019-05-10T00:00:00.000Z\"}",
"beforeSnapshot": {
"timestamp": "2019-03-29T01:32:05.993Z",
"content": {
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "Storage",
"id": "/subscriptions/{subscriptionId}/resourceGroups/MyResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount",
"name": "mystorageaccount",
"type": "Microsoft.Storage/storageAccounts",
"location": "westus",
"tags": {},
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [],
"ipRules": [],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": false,
"encryption": {
"services": {
"file": {
"enabled": true,
"lastEnabledTime": "2018-07-27T18:37:21.8333895Z"
},
"blob": {
"enabled": true,
"lastEnabledTime": "2018-07-27T18:37:21.8333895Z"
}
},
"keySource": "Microsoft.Storage"
},
"provisioningState": "Succeeded",
"creationTime": "2018-07-27T18:37:21.7708872Z",
"primaryEndpoints": {
"blob": "https://mystorageaccount.blob.core.windows.net/",
"queue": "https://mystorageaccount.queue.core.windows.net/",
"table": "https://mystorageaccount.table.core.windows.net/",
"file": "https://mystorageaccount.file.core.windows.net/"
},
"primaryLocation": "westus",
"statusOfPrimary": "available"
}
}
},
"afterSnapshot": {
"timestamp": "2019-03-29T01:54:24.42Z",
"content": {
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "Storage",
"id": "/subscriptions/{subscriptionId}/resourceGroups/MyResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount",
"name": "mystorageaccount",
"type": "Microsoft.Storage/storageAccounts",
"location": "westus",
"tags": {},
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [],
"ipRules": [],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"enabled": true,
"lastEnabledTime": "2018-07-27T18:37:21.8333895Z"
},
"blob": {
"enabled": true,
"lastEnabledTime": "2018-07-27T18:37:21.8333895Z"
}
},
"keySource": "Microsoft.Storage"
},
"provisioningState": "Succeeded",
"creationTime": "2018-07-27T18:37:21.7708872Z",
"primaryEndpoints": {
"blob": "https://mystorageaccount.blob.core.windows.net/",
"queue": "https://mystorageaccount.queue.core.windows.net/",
"table": "https://mystorageaccount.table.core.windows.net/",
"file": "https://mystorageaccount.file.core.windows.net/"
},
"primaryLocation": "westus",
"statusOfPrimary": "available"
}
}
}
}
Conclusion
There is great potential in being able to extract and consult configuration drift for troubleshooting or compliance need, give it a try and let me know what you think of it!