
When you create an Azure resource, you must specify the properties the newly created resource must have. Once created, many of those properties can be changed; the tags of a resource, for example.

I'd like to be able to programmatically (i.e. not via the Portal) retrieve the properties of a resource as they were at initial deployment time of that resource, even in case the resource no longer exists. I don't have a need for a long history, a day or two retention for the creation record is more than sufficient.

How can I achieve this?

Things I've tried:

  • Querying the resourcechanges table in the Resource Graph. I do get the creation record, but the record does not contain the properties of the resource. This is documented behavior: The changes property dictionary is only included when changeType is Update.
  • Looking in Change Analysis. That does give me the deletion event (and properties as they were at deletion time), but it does not give me the creation event.
  • Resource Creation events in Event Grid. Unfortunately, those also don't contain the properties. (If all else fails I could set something up that would, upon reception of the creation event, immediately query the resource, but if at all possible I'd like to avoid this.)

When looking at the Event Log of the resource group, the creation record looks like this (I have randomized the GUIDs):

{
    "targetResourceType": "microsoft.managedidentity/userassignedidentities",
    "changeAttributes": {
        "previousResourceSnapshotId": null,
        "newResourceSnapshotId": "08585057886968675807_6dad72a1-ddf9-4bf8-95b6-9e20644861f1_1719005433_1695818188",
        "correlationId": "c7a2848b-748a-471b-9fac-622028b717b7",
        "changesCount": 0,
        "timestamp": "2023-09-27T12:36:28.6100000Z"
    },
    "targetResourceId": "/subscriptions/e26fef86-e3b2-4558-98b9-8d8553db6ec1/resourceGroups/rg-jo-test/providers/Microsoft.ManagedIdentity/userAssignedIdentities/changetrackingtest",
    "changeType": "Create",
    "changes": {}
}

That newResourceSnapshotId sure looks like it could contain what I need, but I wouldn't know if it's possible to retrieve it, let alone how.

How can I obtain the properties of a resource as they were at deployment time, even when the resource has been deleted at the time of the query?

  • I'd also recommend looking at deploying your infrastructure using Infrastructure as Code (Bicep, Terraform, Pulumi etc.). That way your configuration is defined up front in a file, so you will always know what the deployment configuration was.
    – Sam Cogan
    Oct 3 at 8:27
  • @SamCogan this is for a scenario where the team that does the deploying is not the team that wants to know the properties of the resource at deployment time. I'm primarily interested in the tags and their values as they were at deployment time.
    – Jurjen
    Oct 12 at 12:18

1 Answer


By querying the deployment logs using PowerShell:

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-history

But keep in mind that there is a limit of 600 deployments; if you have more than that, Azure automatically deletes them.

Another option would be: Azure Monitor provides a feature called "Azure Resource Logs" (formerly known as Activity Logs) that captures the deployment history and other activities in your Azure subscription. You can configure these logs to be sent to Log Analytics for analysis and monitoring. You can then query them using KQL; here is an example query:

// Activity Log entries streamed to Log Analytics land in the AzureActivity table.
// Column names as they exist there: ResourceGroup (not ResourceGroupName), OperationNameValue
// (the unlocalized operation name, stored upper-case, hence =~), ActivityStatusValue, TimeGenerated.
AzureActivity
| where ResourceGroup =~ "<YourResourceGroupName>"
| where OperationNameValue =~ "Microsoft.Resources/deployments/write"
| project TimeGenerated, Caller, _ResourceId, ResourceGroup, OperationNameValue, ActivityStatusValue
| order by TimeGenerated desc

Here is another query

// Azure Resource Graph query: pair each Create record with the resource's current state.
// The Create record itself carries no properties (its changes dictionary is empty), so the
// current properties and tags come from the resources table via the join. Resource Graph
// exposes no table keyed by newResourceSnapshotId, so that id is only carried along.
resourcechanges
| extend changeType = tostring(properties.changeType),
         targetResourceId = tostring(properties.targetResourceId),
         changeTime = todatetime(properties.changeAttributes.timestamp),
         newResourceSnapshotId = tostring(properties.changeAttributes.newResourceSnapshotId)
| where changeType == "Create"
// leftouter keeps Create records whose resource has since been deleted; their current* columns are null
| join kind=leftouter (
    resources
    | project targetResourceId = id, currentProperties = properties, currentTags = tags
  ) on targetResourceId
| project changeTime, targetResourceId, changeType, newResourceSnapshotId, currentProperties, currentTags
| order by changeTime desc
  • I'm afraid this is not correct, as not all resources are created via a deployment so those won't end up in the deployment logs. For the resources that are created via a deployment, I wasn't able to find the properties of the resource in the deployment log. Your query did not work; the AzureActivity table has a "ResourceGroup" column (not ResourceGroupName), an "OperationNameValue" column (not "OperationName"), and no "ActivityName" column. Am I using it incorrectly?
    – Jurjen
    Oct 12 at 12:41
  • What I suggest going forward is to create your resources using a Git repo and a pipeline where you have the initial configuration, for example Azure DevOps with Bicep and a YAML pipeline. With Git you can also easily revert to an earlier change (commit) and redeploy.
    – Ace
    Oct 17 at 13:15
  • I edited my post with another query for you to try
    – Ace
    Oct 17 at 13:19
  • Every resource that gets created in Azure, whether through the portal, PowerShell or a template, invokes Azure Resource Manager, and that logs it all the same way. But when you don't stream those events to Log Analytics or somewhere else, the events are not kept long term and will be overwritten quite quickly. So I forgot to mention that a prerequisite is that you, for example, create an Azure Policy to send those logs for the subscription you want to Log Analytics. @Jurjen
    – Ace
    Oct 18 at 3:47
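
The question notes that the resourcechanges Create record carries no properties while Update records do carry a per-property changes dictionary, and that Change Analysis reports the properties as they were at deletion time. The following is an added example (not code from the question, the answer, or Azure's own tooling) that combines those two observations: starting from a later known state and undoing the Update records newest-first, it reconstructs the state as it was right after creation and refuses to proceed when the history has a gap. The record shape follows the sample in the question; the per-path fields previousValue, newValue and propertyChangeType, and the "tags.<key>" / "properties.<name>" path keys, are assumptions modelled on the resourcechanges format, and all sample records are constructed.

```python
"""Recover a resource's creation-time state from its resourcechanges history.

The Create record has an empty ``changes`` dictionary, but every later Update
record lists previousValue/newValue per property path, so undoing the Updates
newest-first from a later known state (the live resource, or the deletion-time
properties Change Analysis shows) yields the state right after creation.
Record shape mirrors the question's sample; the per-path fields and the
"tags.<key>" / "properties.<name>" path keys are assumptions modelled on the
resourcechanges format. All sample data is constructed for this example.
"""
from copy import deepcopy
from typing import Any, Optional

# Constructed: state observed at deletion time (what Change Analysis would show).
FINAL_STATE: dict[str, Any] = {
    "tags": {"environment": "prod", "owner": "team-b", "costcenter": "4711"},
    "properties": {"publicNetworkAccess": "Disabled"},
}

# Constructed change records for one resource, deliberately out of order.
CHANGE_RECORDS: list[dict[str, Any]] = [
    {"changeType": "Update",
     "changeAttributes": {"timestamp": "2023-09-28T09:15:00.0000000Z"},
     "changes": {
         # Added after creation: undoing an Insert removes the key.
         "tags.costcenter": {"previousValue": None, "newValue": "4711", "propertyChangeType": "Insert"},
         "properties.publicNetworkAccess": {"previousValue": "Enabled", "newValue": "Disabled",
                                            "propertyChangeType": "Update"},
     }},
    {"changeType": "Create",
     "changeAttributes": {"timestamp": "2023-09-27T12:36:28.6100000Z"},
     "changes": {}},  # documented behaviour: no properties on a Create record
    {"changeType": "Update",
     "changeAttributes": {"timestamp": "2023-09-27T15:02:10.0000000Z"},
     "changes": {
         "tags.environment": {"previousValue": "dev", "newValue": "prod", "propertyChangeType": "Update"},
         "tags.owner": {"previousValue": "team-a", "newValue": "team-b", "propertyChangeType": "Update"},
         # Present at creation, removed here: undoing a Remove restores it.
         "tags.ticket": {"previousValue": "CHG-0001", "newValue": None, "propertyChangeType": "Remove"},
     }},
]

_MISSING = object()


def _parent(state: dict, parts: list[str], create: bool) -> Optional[dict]:
    """Return the dict that holds the last path element, creating it on request."""
    node = state
    for part in parts[:-1]:
        child = node.get(part)
        if not isinstance(child, dict):
            if not create:
                return None
            child = node[part] = {}
        node = child
    return node


def undo_change(state: dict, path: str, change: dict) -> None:
    """Revert one per-path change in place, refusing to proceed over a history gap."""
    # Dotted paths as in the resourcechanges table; a tag name containing "."
    # would need a smarter splitter than this.
    parts = path.split(".")
    kind = change.get("propertyChangeType", "Update")
    parent = _parent(state, parts, create=False)
    observed = _MISSING if parent is None else parent.get(parts[-1], _MISSING)
    # Before undoing, the state must show this change's newValue (or lack the
    # key for a Remove); otherwise an intermediate record is missing, e.g. one
    # that fell outside the change-history retention window.
    if kind == "Remove":
        if observed is not _MISSING:
            raise ValueError(f"history gap at {path!r}: key should be absent")
    elif observed != change.get("newValue"):
        raise ValueError(f"history gap at {path!r}: found {observed!r}, "
                         f"expected {change.get('newValue')!r}")
    if kind == "Insert":
        if parent is not None:
            parent.pop(parts[-1], None)  # did not exist before this update
    else:  # Update or Remove: the path held previousValue before this update
        _parent(state, parts, create=True)[parts[-1]] = change["previousValue"]


def reconstruct_creation_state(final_state: dict, records: list[dict]) -> dict:
    """Undo every Update record newest-first and return the creation-time state."""
    state = deepcopy(final_state)
    updates = [r for r in records if r.get("changeType") == "Update"]
    # Fixed-width ISO 8601 UTC timestamps sort chronologically as strings.
    updates.sort(key=lambda r: r["changeAttributes"]["timestamp"], reverse=True)
    for record in updates:
        for path, change in record["changes"].items():
            undo_change(state, path, change)
    return state


def creation_timestamp(records: list[dict]) -> Optional[str]:
    """The Create record's timestamp: the one thing that record does tell you."""
    for r in records:
        if r.get("changeType") == "Create":
            return r["changeAttributes"]["timestamp"]
    return None
```

Calling `reconstruct_creation_state(FINAL_STATE, CHANGE_RECORDS)` on the constructed data yields tags environment=dev, owner=team-a, ticket=CHG-0001 (costcenter absent) and publicNetworkAccess=Enabled. The consistency check matters because change history is only retained for a limited time: if an intermediate Update is missing, the value found in the state will not match that record's newValue and the function raises rather than silently producing a wrong creation-time picture. In practice the records would come from a resourcechanges query filtered on targetResourceId and the final state from the resources table or the Change Analysis deletion event.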
