Azure · glennmusa · Nov 3, 2021 · Oct 26, 2021 · Oct 26, 2021 · Oct 26, 2021
@@ -27,6 +27,10 @@ By default, this template deploys **[Azure Firewall Premium](https://docs.micros
 - See [Setting the Firewall SKU](#Setting-the-Firewall-SKU) for steps on how to use the Standard SKU instead.
 - See [Setting the Firewall Location](#Setting-the-Firewall-Location) for steps on how to deploy into a different region.
 
+After a deployment is complete, you can refer to the provisioned resources programmaticaly with the Azure CLI.
+
+- See [Reference Deployment Output](#Reference-Deployment-Output) for steps on how to use `az deployment` subcommands and JMESPath to query for specific properties.
+
 ### Azure CLI
 
 Use `az deployment sub` to deploy MLZ across 1:M subscriptions (and `az deployment sub create --help` for more information).
@@ -246,6 +250,88 @@ az deployment sub create \
  --template-file "src/bicep/mlz.bicep"
 ```
 
+### Reference Deployment Output
+
+After you've deployed Mission Landing Zone you'll probably want to integrate additional services or infrastructure.
+
+You can use the `az deployment sub show` command with a `--query` argument to retrieve information about the resources you deployed.
+
+Before giving the next steps a try, it's probably a good idea to [review the Azure CLI's documentation on querying with JMESPath](https://docs.microsoft.com/en-us/cli/azure/query-azure-cli).
+
+First off, let's say you deployed Mission Landing Zone with a deployment name of `myMissionLandingZone`:
+
+```plaintext
+az deployment sub create \
+ --name "myMissionLandingZone" \
+ --location "East US" \
+ --template-file "src/bicep/mlz.bicep"
+```
+
+Once it's complete, you could see all the resources provisioned in that deployment by querying the `properties.outputResources` property:
+
+```plaintext
+az deployment sub show \
+ --name "myMissionLandingZone" \
+ --query "properties.outputResources"
+```
+
+That's a lot of resources. Thankfully, the template produces outputs for just the things you _probably_ need at `properties.outputs`:
+
+```plaintext
+az deployment sub show \
+ --name "myMissionLandingZone" \
+ --query "properties.outputs"
+```
+
+For example, if you need just the Firewall Private IP address you could retrieve it like this:
+
+```plaintext
+az deployment sub show \
+ --name "myMissionLandingZone" \
+ --query "properties.outputs.firewallPrivateIPAddress.value"
+```
+
+Or, if you need just the Log Analytics Workspace that performs central logging you could retrieve it like this:
+
+```plaintext
+az deployment sub show \
+ --name "myMissionLandingZone" \
+ --query "properties.outputs.logAnalyticsWorkspaceResourceId.value"
+```
+
+Or, say you wanted to deploy resources into the Identity spoke. You could retrieve information about the Identity spoke by querying it from the `properties.outputs.spokes` array like this:
+
+```plaintext
+az deployment sub show \
+ --name "myMissionLandingZone" \
+ --query "properties.outputs.spokes.value[?name=='identity']"
+```
+
+Which would return an output similar to:
+
+```json
+[
+ {
+ "name": "identity",
+ "networkSecurityGroupName": "identity-nsg",
+ "networkSecurityGroupResourceId": ".../providers/Microsoft.Network/networkSecurityGroups/identity-nsg",
+ "resourceGroupId": ".../resourceGroups/mlz-identity",
+ "resourceGroupName": "mlz-identity",
+ "subnetAddressPrefix": "10.0.110.0/27",
+ "subnetName": "identity-subnet",
+ "subscriptionId": "<A GUID>",
+ "virtualNetworkName": "identity-vnet",
+ "virtualNetworkResourceId": ".../providers/Microsoft.Network/virtualNetworks/identity-vnet"
+ }
+]
+```
+
+Bicep templates, the Azure CLI, and JMESpath queries allows you to manually, or in an automated fashion, compose infrastructure incrementally and pass output from one template as input to another.
+
+Read more about `az deployment` at: [https://docs.microsoft.com](https://docs.microsoft.com/en-us/cli/azure/deployment?view=azure-cli-latest)
+
+Read more about JMESPath queries at: <https://jmespath.org/>
+
 ## Development Pre-requisites
 
 If you want to develop with Bicep you'll need these:

@@ -48,46 +48,29 @@ az deployment sub show \
 
 ```plaintext
 {
- "hubSubscriptionId": {
- "type": "String",
- "value": "0987654-3210..."
- },
- ...
- "hubResourceGroupName": {
- "type": "String",
- "value": "mlz-dev-hub"
- },
- ...
- "hubVirtualNetworkName": {
+ "firewallPrivateIPAddress": {
  "type": "String",
- "value": "hub-vnet"
+ "value": "10.0.100.4"
  },
- ...
- "hubVirtualNetworkId": {
- "type": "String",
- "value": "/subscriptions/.../providers/Microsoft.Network/virtualNetworks/hub-vnet"
+ "hub": {
+ "type": "Object",
+ "value": {
+ ...
+ "resourceGroupName": "mlz-dev-hub",
+ ...
+ "subscriptionId": "...",
+ "virtualNetworkName": "hub-vnet",
+ "virtualNetworkResourceId": "/subscriptions/.../providers/Microsoft.Network/virtualNetworks/hub-vnet"
+ }
  },
- ...
  "logAnalyticsWorkspaceResourceId": {
  "type": "String",
  "value": "/subscriptions/.../providers/Microsoft.OperationalInsights/workspaces/mlz-dev-laws"
  },
  ...
- "firewallPrivateIPAddress": {
- "type": "String",
- "value": "10.0.100.4"
- },
 }
 ```
 
-...and if you're on a BASH terminal, this command (take note to replace "myMlzDeployment" with your deployment name) will export the values as environment variables:
-
-<!-- markdownlint-disable MD013 -->
-```bash
-export $(az deployment sub show --name "myMlzDeployment" --query "properties.outputs.{ args: [ join('', ['hubSubscriptionId=', hubSubscriptionId.value]), join('', ['hubResourceGroupName=', hubResourceGroupName.value]), join('', ['hubVirtualNetworkName=', hubVirtualNetworkName.value]), join('', ['hubVirtualNetworkResourceId=', hubVirtualNetworkResourceId.value]), join('', ['logAnalyticsWorkspaceResourceId=', logAnalyticsWorkspaceResourceId.value]), join('', ['firewallPrivateIPAddress=', firewallPrivateIPAddress.value]) ] }.args" --output tsv | xargs)
-```
-<!-- markdownlint-enable MD013 -->
-
 ## Deploy the example
 
 Once you have the Mission LZ output values, you can pass those in as parameters to this deployment.

@@ -55,41 +55,27 @@ az deployment sub show \
 ```plaintext
 {
  ...
- "hubResourceGroupName": {
- "type": "String",
- "value": "mlz-dev-hub"
- },
- ...
- "hubVirtualNetworkName": {
- "type": "String",
- "value": "hub-vnet"
- },
- ...
- "hubSubnetResourceId": {
- "type": "String",
- "value": "/subscriptions/.../providers/Microsoft.Network/virtualNetworks/hub-vnet/subnets/hub-subnet"
- },
- ...
- "hubNetworkSecurityGroupResourceId": {
- "type": "String",
- "value": "/subscriptions/.../providers/Microsoft.Network/networkSecurityGroups/hub-nsg"
+ "hub": {
+ "type": "Object",
+ "value": {
+ ...
+ "resourceGroupName": "mlz-dev-hub",
+ ...
+ "networkSecurityGroupResourceId": "/subscriptions/.../providers/Microsoft.Network/networkSecurityGroups/hub-nsg
+ ...
+ "subnetResourceId": "/subscriptions/.../providers/Microsoft.Network/virtualNetworks/hub-vnet/subnets/hub-subnet",
+ ...
+ "virtualNetworkName": "hub-vnet"
+ }
  },
- ...
  "logAnalyticsWorkspaceResourceId": {
  "type": "String",
  "value": "/subscriptions/.../providers/Microsoft.OperationalInsights/workspaces/mlz-dev-laws"
  },
+ ...
 }
 ```
 
-...and if you're on a BASH terminal, this command (take note to replace "myMlzDeployment" with your deployment name) will export the values as environment variables:
-
-<!-- markdownlint-disable MD013 -->
-```bash
-export $(az deployment sub show --name "myMlzDeployment" --query "properties.outputs.{ args: [ join('', ['hubResourceGroupName=', hubResourceGroupName.value]), join('', ['hubVirtualNetworkName=', hubVirtualNetworkName.value]), join('', ['hubSubnetResourceId=', hubSubnetResourceId.value]), join('', ['hubNetworkSecurityGroupResourceId=', hubNetworkSecurityGroupResourceId.value]), join('', ['logAnalyticsWorkspaceResourceId=', logAnalyticsWorkspaceResourceId.value]) ] }.args" --output tsv | xargs)
-```
-<!-- markdownlint-enable MD013 -->
-
 ## Deploy the example
 
 Once you have the Mission LZ output values, you can pass those in as parameters to this deployment.