arm-ttk

ARM TTK (Azure Resource Manager Template Toolkit) is the official Microsoft toolkit for analyzing and testing Azure Resource Manager Templates. It validates ARM templates for coding best practices and ensures they follow recommended guidelines.

Key Features:

Best Practice Validation: Checks templates against Microsoft's recommended ARM template coding standards
Security Analysis: Validates security practices such as preventing secrets from being output in plain text
Intent Validation: Identifies unused parameters, variables, and resources to ensure clean template code
Language Best Practices: Ensures proper use of ARM template language constructs (e.g., using environment functions instead of hard-coded values)
Azure Marketplace Compliance: Same tests used to validate templates for Azure QuickStart Repository and Azure Marketplace
Extensible Framework: Allows for easy expansion and individual selection of tests

Note: Starting with ARM TTK v0.10, investment in new tests is being moved to the Bicep linter. ARM TTK remains available to support JSON ARM templates and createUiDefinition scenarios.

ARM TTK helps ensure your ARM templates are secure, maintainable, and follow Azure best practices for infrastructure as code.

arm-ttk documentation

Visit Official Web Site
See How to configure arm-ttk rules
- If custom .arm-ttk.psd1 config file isn't found, .arm-ttk.psd1 will be used

Configuration in MegaLinter

Enable arm-ttk by adding ARM_ARM_TTK in ENABLE_LINTERS variable
Disable arm-ttk by adding ARM_ARM_TTK in DISABLE_LINTERS variable

Variable	Description	Default value
ARM_ARM_TTK_ARGUMENTS	User custom arguments to add in linter CLI call Ex: `-s --foo "bar"`
ARM_ARM_TTK_COMMAND_REMOVE_ARGUMENTS	User custom arguments to remove from command line before calling the linter Ex: `-s --foo "bar"`
ARM_ARM_TTK_FILTER_REGEX_INCLUDE	Custom regex including filter Ex: `(src\\|lib)`	Include every file
ARM_ARM_TTK_FILTER_REGEX_EXCLUDE	Custom regex excluding filter Ex: `(test\\|examples)`	Exclude no file
ARM_ARM_TTK_CLI_LINT_MODE	Override default CLI lint mode - `file`: Calls the linter for each file - `project`: Call the linter from the root of the project	`file`
ARM_ARM_TTK_FILE_EXTENSIONS	Allowed file extensions. `"*"` matches any extension, `""` matches empty extension. Empty list excludes all files Ex: `[".py", ""]`	`[".json"]`
ARM_ARM_TTK_FILE_NAMES_REGEX	File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files Ex: `["Dockerfile(-.+)?", "Jenkinsfile"]`	Include every file
ARM_ARM_TTK_PRE_COMMANDS	List of bash commands to run before the linter	None
ARM_ARM_TTK_POST_COMMANDS	List of bash commands to run after the linter	None
ARM_ARM_TTK_UNSECURED_ENV_VARIABLES	List of env variables explicitly not filtered before calling ARM_ARM_TTK and its pre/post commands	None
ARM_ARM_TTK_CONFIG_FILE	arm-ttk configuration file nameUse `LINTER_DEFAULT` to let the linter find it	`.arm-ttk.psd1`
ARM_ARM_TTK_RULES_PATH	Path where to find linter configuration file	Workspace folder, then MegaLinter default rules
ARM_ARM_TTK_DISABLE_ERRORS	Run linter but consider errors as warnings	`false`
ARM_ARM_TTK_DISABLE_ERRORS_IF_LESS_THAN	Maximum number of errors allowed	`0`
ARM_ARM_TTK_CLI_EXECUTABLE	Override CLI executable	`['arm-ttk']`

IDE Integration

Use arm-ttk in your favorite IDE to catch errors before MegaLinter !

	IDE	Extension Name	Install
	Visual Studio Code	ARMTTKExtension

MegaLinter Flavors

This linter is available in the following flavors

Flavor	Description	Embedded linters
all	Default MegaLinter Flavor	127
dotnet	Optimized for C, C++, C# or VB based projects	65
dotnetweb	Optimized for C, C++, C# or VB based projects with JS/TS	74

Behind the scenes

How are identified applicable files

File extensions: .json
Detected file content (regex): schema\.management\.azure\.com

How the linting is performed

arm-ttk is called one time by identified file (file CLI lint mode)

Example calls

pwsh -NoProfile -NoLogo -Command "
    Import-Module /usr/bin/arm-ttk;
    Test-AzTemplate -TemplatePath myfile.json;
    if (${Error}.Count) {exit 1}"
    "

"pwsh -NoProfile -NoLogo -Command "
    Import-Module /usr/bin/arm-ttk;
    ${config} = $(Import-PowerShellDataFile -Path ".arm-ttk.psd1");
    Test-AzTemplate @config -TemplatePath myfile.json;
    if (${Error}.Count) {exit 1}
    "

Help content


cmdlet Import-Module at command pipeline position 1
Supply values for the following parameters:
Name[0]:
Import-Module: Cannot process command because of one or more missing mandatory parameters: Name.
Test-AzTemplate: 
Line |
   2 |  $TAZ_V = (Test-AzTemplate -help);
     |            ~~~~~~~~~~~~~~~
     | The term 'Test-AzTemplate' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

Installation on mega-linter Docker image

Dockerfile commands :

# Parent descriptor install
# renovate: datasource=github-tags depName=PowerShell/PowerShell
ARG POWERSHELL_VERSION=7.5.2
RUN curl -L https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-musl-x64.tar.gz -o /tmp/powershell.tar.gz \
    && mkdir -p /opt/microsoft/powershell/7 \
    && tar zxf /tmp/powershell.tar.gz -C /opt/microsoft/powershell/7 \
    && chmod +x /opt/microsoft/powershell/7/pwsh \
    && ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh

# Linter install
# renovate: datasource=github-tags depName=Azure/arm-ttk
ARG ARM_TTK_VERSION=20250401
ARG ARM_TTK_NAME='arm-ttk.zip'
ARG ARM_TTK_DIRECTORY='/opt/microsoft'
ENV ARM_TTK_PSD1="${ARM_TTK_DIRECTORY}/arm-ttk/arm-ttk/arm-ttk.psd1"
RUN curl --retry 5 --retry-delay 5 -sLO "https://github.com/Azure/arm-ttk/releases/download/${ARM_TTK_VERSION}/${ARM_TTK_NAME}" \
    && unzip "${ARM_TTK_NAME}" -d "${ARM_TTK_DIRECTORY}" \
    && rm "${ARM_TTK_NAME}" \
    && ln -sTf "${ARM_TTK_PSD1}" /usr/bin/arm-ttk \
    && chmod a+x /usr/bin/arm-ttk