Keep your Azure Verified Modules
up to date, safely.

AvmUpdater scans your Bicep and Terraform code for outdated AVM modules, generates a ranked report, waits for your approval, then safely applies each update, rolling back anything that fails validation.

  • v1.0.0
  • Free
  • Open source
  • Bicep & Terraform
  • PowerShell 7+
  • No sign-up

The problem

Keeping AVM modules current is risky by hand

Azure Verified Modules are pre-1.0 and evolve quickly. Manually tracking versions across dozens of files is tedious, and because AVM uses 0.x versioning, a minor bump can quietly introduce breaking changes.

Tedious manual tracking

Checking every module reference in your repo for newer versions takes time you could spend building instead.

0.x means breaking changes happen

A minor-version bump can remove a parameter, change a type, or rename an output, silently breaking your IaC if you're not careful.

AvmUpdater makes updates safe

It detects interface changes before you apply them, validates with the actual IaC toolchain, and rolls back anything that breaks.

The process

How AvmUpdater works

Four clear steps from discovery to safe deployment, with a human approval gate in the middle.

  1. Scan

    Walks your Bicep and Terraform files, finds every AVM module reference, and checks the current version against the latest available.

  2. Report

    Generates a clear Markdown and JSON overview of every available update, ranked by risk, flagging potential breaking changes to interface, parameters, and outputs.

  3. Approve

    You decide what to apply, interactively in the local CLI or via a GitHub or Azure DevOps Pull Request where merge equals approval.

  4. Safe update

    Bumps version references, then runs bicep build/lint or terraform init/validate/plan, detecting destroy/replace operations and rolling back any file that fails.
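The four steps above, as an added PowerShell example that is not AvmUpdater's own code: a minimal scan, bump, validate and roll back loop run over two constructed files in a temp directory. The reference regexes, the "latest version" table and the validator script block are assumptions standing in for the registry lookup and for bicep build / terraform validate; Get-AvmReference and Update-AvmReference are hypothetical names.

```powershell
# Added example (not AvmUpdater's own code): scan for AVM references, bump them,
# validate each file, and restore the original content of any file that fails.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Bicep public-registry references, either alias form:
#   br/public:avm/res/<group>/<name>:<ver>
#   br:mcr.microsoft.com/bicep/avm/res/<group>/<name>:<ver>
$script:BicepRef = [regex]'(?<module>br(?:/public:|:mcr\.microsoft\.com/bicep/)avm/(?:res|ptn|utl)/[a-z0-9-]+/[a-z0-9-]+):(?<version>\d+\.\d+\.\d+)'
# Terraform registry modules; simplification (assumption): version follows source directly
$script:TerraformRef = [regex]'source\s*=\s*"(?<module>Azure/avm-[a-z0-9-]+/azurerm)"\s*version\s*=\s*"(?<version>\d+\.\d+\.\d+)"'

function Get-AvmReference {
    # Step 1 (Scan): every AVM module reference in the tree, with its pinned version
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.bicep, *.tf | ForEach-Object {
        $file = $_
        $pattern = if ($file.Extension -eq '.bicep') { $script:BicepRef } else { $script:TerraformRef }
        $text = Get-Content -Path $file.FullName -Raw
        if (-not $text) { return }                       # empty file: nothing to match
        foreach ($m in $pattern.Matches($text)) {
            [pscustomobject]@{
                File    = $file.FullName
                Module  = $m.Groups['module'].Value
                Version = [version]$m.Groups['version'].Value
                Match   = $m
            }
        }
    }
}

function Update-AvmReference {
    # Step 4 (Safe update): rewrite one reference, validate the file, roll back on failure
    param(
        [Parameter(Mandatory)]$Reference,
        [Parameter(Mandatory)][version]$NewVersion,
        [Parameter(Mandatory)][scriptblock]$Validate    # receives the file path, returns $true/$false
    )
    $original = Get-Content -Path $Reference.File -Raw
    $m = $Reference.Match
    $g = $m.Groups['version']
    # Replace only the version group inside the matched reference, not every digit run in the file
    $newRef = $m.Value.Substring(0, $g.Index - $m.Index) + $NewVersion.ToString() +
              $m.Value.Substring($g.Index - $m.Index + $g.Length)
    $updated = $original.Replace($m.Value, $newRef)
    if ($updated -eq $original) {
        Write-Warning "Reference no longer present in $($Reference.File); skipping"
        return $false
    }
    Set-Content -Path $Reference.File -Value $updated -NoNewline
    if (& $Validate $Reference.File) { return $true }
    # Validation failed: per-file rollback, other files are left as they are
    Set-Content -Path $Reference.File -Value $original -NoNewline
    return $false
}

# --- Demo on constructed files ---
$repo = Join-Path ([System.IO.Path]::GetTempPath()) ("avm-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $repo | Out-Null
Set-Content -Path (Join-Path $repo 'kv.bicep') -Value @'
module kv 'br/public:avm/res/key-vault/vault:0.6.1' = {
  name: 'kv'
  params: { name: 'kv-demo' }
}
'@
Set-Content -Path (Join-Path $repo 'vnet.tf') -Value @'
module "vnet" {
  source  = "Azure/avm-res-network-virtualnetwork/azurerm"
  version = "0.4.0"
}
'@

# Constructed "latest version" table standing in for the registry query
$latest = @{
    'br/public:avm/res/key-vault/vault'            = [version]'0.7.0'
    'Azure/avm-res-network-virtualnetwork/azurerm' = [version]'0.5.0'
}

# Constructed validator standing in for bicep build / terraform validate: it rejects the
# Terraform bump to 0.5.0 so that file takes the rollback path
$validate = { param($file) -not ($file.EndsWith('.tf') -and (Get-Content $file -Raw) -match '0\.5\.0') }

foreach ($ref in Get-AvmReference -Path $repo) {
    $target = $latest[$ref.Module]
    if (-not $target -or $target -le $ref.Version) { continue }   # already current
    $ok = Update-AvmReference -Reference $ref -NewVersion $target -Validate $validate
    $state = if ($ok) { 'updated' } else { 'rolled back' }
    "{0}: {1} {2} -> {3} ({4})" -f (Split-Path $ref.File -Leaf), $ref.Module, $ref.Version, $target, $state
}
Remove-Item -Path $repo -Recurse -Force
```

The point of the per-file rollback is in Update-AvmReference: the original text is captured before the rewrite, and the file is only left modified when the validator returns true. Swap the constructed script block for one that shells out to bicep build or terraform validate to use it against a real tree.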

What you get

Everything you need for safe AVM updates

  • 3-layer breaking-change protection

    Checks version semantics, detects interface diffs, and validates with the IaC toolchain before committing any change.

  • Three approval modes

    Approve locally in the interactive CLI, or let AvmUpdater open a GitHub or Azure DevOps Pull Request, where merging the PR is the approval.

  • Markdown & JSON reports

    Every scan produces a human-readable Markdown overview and a machine-parseable JSON file for CI pipelines and auditing.

  • Bicep & Terraform

    First-class support for both IaC languages, using each one's native toolchain for validation.

  • CI-ready scheduled PRs

    Schedule AvmUpdater in your pipeline to open automatic Pull Requests whenever new module versions are available.

  • Idempotent & safe-by-default

    Running AvmUpdater multiple times produces the same result. No change is written unless it passes all validation checks.

  • Per-file rollback

    If a module update fails validation, only that file is rolled back; other successful updates are preserved.

  • Free & open source

    No sign-up, no paywall, no licence fees. Source and releases are on GitHub for you to inspect, fork, and contribute to.

Get started in minutes

Quick start

Requires PowerShell 7+. Clone the repo, import the module, and run your first scan.

PowerShell
# Requires PowerShell 7+
git clone https://github.com/gettothe-cloud/avm-updater.git
# The module lives in the AvmUpdater/ folder of the cloned repo
Import-Module ./avm-updater/AvmUpdater
# -Path is the directory holding your Bicep/Terraform code; local mode lets you approve each update interactively
Invoke-AvmUpdate -Path . -ApprovalMode local

Prefer a release build? Download it from the GitHub Releases page

View the project on GitHub

Automate it

CI/CD setup

Run AvmUpdater on a schedule in GitHub Actions or Azure DevOps. It opens a Pull Request when updates are available — you merge to approve, never auto-merged.

GitHub Actions setup

  1. Add AvmUpdater to your infrastructure repo

    Copy the AvmUpdater/ folder into your repo, or add it as a Git submodule so it can be updated independently:

    git submodule add https://github.com/gettothe-cloud/avm-updater AvmUpdater
  2. Copy the workflow file

    Copy .github/workflows/avm-update.yml from the AvmUpdater repo into your infrastructure repo. The workflow runs on a weekly schedule (Mondays 08:00 UTC) and supports manual triggering.

  3. Enable workflow permissions

    Go to Settings → Actions → General, set Workflow permissions to Read and write, and enable Allow GitHub Actions to create and approve pull requests. The built-in GITHUB_TOKEN handles everything; no PAT is needed for most repos. One caveat: pull requests opened with GITHUB_TOKEN do not trigger other workflows, so if you want your own CI checks to run on the AvmUpdater PR, use a PAT instead (see Secrets / tokens below).

  4. Push to main — the schedule activates automatically

    GitHub activates scheduled workflows on the default branch. If your default branch is not main, update the branches filter in the workflow file.

  5. Manual trigger (optional)

    Go to Actions → AVM Module Version Check → Run workflow. Available inputs:
    target_repository — owner/repo to scan a different repository (leave empty to scan this repo).
    target_ref — branch or tag in the target repo (leave empty for default branch).
    include_risk — comma-separated risk tiers to include.
    dry_run — generate a report without opening a PR.

🔑 Secrets / tokens

The built-in GITHUB_TOKEN is all you need for same-repo scanning. The workflow already declares contents: write and pull-requests: write permissions.

To scan a different repository, store a fine-grained PAT as GH_PAT (Contents: Read & Write, Pull requests: Read & Write on the target repo). The workflow automatically prefers GH_PAT over GITHUB_TOKEN when set.
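The permissions and token handling described above, as an added config illustration written for this page (it is not the project's avm-update.yml): the schedule and inputs mirror the ones listed in the setup steps, the permissions block is the least-privilege pair named under Secrets / tokens, and the token expression falls back from GH_PAT to GITHUB_TOKEN. The GH_TOKEN variable name, the pwsh step and anything about Invoke-AvmUpdate beyond -Path are assumptions; the project's own workflow file defines the real invocation.

```yaml
name: AVM Module Version Check

on:
  schedule:
    - cron: '0 8 * * 1'            # Mondays 08:00 UTC
  workflow_dispatch:
    inputs:
      target_repository:
        description: 'owner/repo to scan (empty = this repo)'
        required: false
      target_ref:
        description: 'branch or tag in the target repo (empty = default branch)'
        required: false
      include_risk:
        description: 'comma-separated risk tiers to include'
        required: false
        default: 'LOW,MEDIUM,HIGH,UNKNOWN'
      dry_run:
        description: 'generate a report without opening a PR'
        type: boolean
        default: false

# Least privilege: only what pushing a branch and opening a PR need
permissions:
  contents: write
  pull-requests: write

jobs:
  avm-update:
    runs-on: ubuntu-latest
    env:
      # Prefer the fine-grained PAT when one is configured (needed for cross-repo scans),
      # otherwise fall back to the job's GITHUB_TOKEN. Variable name is an assumption.
      GH_TOKEN: ${{ secrets.GH_PAT || secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true         # picks up AvmUpdater when added as a submodule
      - name: Run AvmUpdater
        shell: pwsh
        run: |
          Import-Module ./AvmUpdater
          # The GitHub approval mode and the input-to-parameter mapping are defined in
          # the project's own workflow file; -Path is the only parameter shown on this page
          Invoke-AvmUpdate -Path .
```

Keep the permissions block as narrow as shown: contents: write is what the branch push needs and pull-requests: write is what PR creation needs, and nothing else in the job should require more. If you add GH_PAT, scope it to the target repository only, as the section above specifies.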

📁 Optional config file

Place config/avmupdater.config.json in your repo root to control which risk tiers trigger a PR, exclude paths, and customise branch prefix and report output directory.

Azure DevOps setup

  1. Add AvmUpdater and the pipeline YAML to your repo

    Copy the AvmUpdater/ module folder and azure-pipelines.avm-update.yml into your infrastructure repo.

  2. Enable System.AccessToken

    In your pipeline, go to Edit → ⋮ → Triggers, or set it in Project Settings → Pipelines → Settings → Allow scripts to access the OAuth token. The YAML already includes the required variable declaration.

  3. Grant Build Service permissions on the repository

    Go to Project Settings → Repositories → your-repo → Security, find [ProjectName] Build Service, and set Contribute and Create branch to Allow. If the pipeline can push its branch but fails to open the PR, also set Contribute to pull requests to Allow.

  4. Create the pipeline

    Go to Pipelines → New pipeline, select your repo, choose Existing Azure Pipelines YAML file, and set the path to /azure-pipelines.avm-update.yml. Click Save — the weekly cron activates automatically.

  5. Manual trigger (optional)

    Click Run pipeline and set the parameters you need:
    targetRepository — full clone URL to scan a different repository, e.g. https://dev.azure.com/org/project/_git/repo (leave empty to scan this repo).
    includeRisk — comma-separated risk tiers.
    dryRun — generate a report without opening a PR.

🔑 Secrets / tokens

The pipeline uses the built-in System.AccessToken for git push and PR creation in the same organisation.

To scan a repository in a different organisation, add a pipeline secret variable TARGET_REPO_TOKEN (PAT with Code: Read & Write and Pull Request: Read & Write).

Interface diffs are fetched through the GitHub API, whose unauthenticated rate limit is low. To raise the limit, also add a GITHUB_TOKEN pipeline secret variable.

📁 Optional config file

Same config/avmupdater.config.json works for both GitHub Actions and Azure DevOps. Control risk tiers, exclude paths, and set the branch prefix (azuredevops.branchPrefix).

Risk tier behaviour

Tier      Meaning                                             Default
LOW       Patch bump, no detected interface changes           Auto-included in PR
MEDIUM    Minor bump on 0.x or no breaking signals detected   Auto-included in PR
HIGH      Major bump or detected breaking interface changes   Auto-included in PR
UNKNOWN   Diff and changelog both unavailable                 Auto-included in PR

All tiers are included in the PR by default. Review the PR diff and the attached report artifact before merging. Configure which tiers trigger a PR via autoApproveRiskTiers in avmupdater.config.json.
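The tier table and the include_risk / autoApproveRiskTiers filter above, as an added PowerShell example that is not AvmUpdater's own code. The rules follow the table; the precedence between them (a detected breaking change or a major bump wins over "signals unavailable") is an assumption, as are the function names and the constructed candidate list.

```powershell
# Added example (not AvmUpdater's own code): assign a risk tier from the version bump
# and the breaking-change evidence, then keep only the tiers a PR should include.
Set-StrictMode -Version Latest

function Get-AvmRiskTier {
    param(
        [Parameter(Mandatory)][version]$Current,
        [Parameter(Mandatory)][version]$Latest,
        # $true: diff/changelog show a breaking interface change; $false: checked, none found;
        # $null: neither a diff nor a changelog could be obtained
        [AllowNull()][nullable[bool]]$BreakingSignal
    )
    if ($Latest -le $Current) { return $null }                  # nothing to update
    if ($BreakingSignal -eq $true) { return 'HIGH' }            # detected breaking interface change
    if ($Latest.Major -gt $Current.Major) { return 'HIGH' }     # major bump: breaking by semver contract
    if ($null -eq $BreakingSignal) { return 'UNKNOWN' }         # no evidence either way
    if ($Latest.Minor -gt $Current.Minor) { return 'MEDIUM' }   # 0.x minor bump may still break
    return 'LOW'                                                # patch bump, nothing detected
}

function Select-AvmUpdate {
    # Keep only updates whose tier is listed in $IncludeRisk (comma-separated, e.g. 'LOW,MEDIUM'),
    # mirroring the include_risk input and the autoApproveRiskTiers setting
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Update,
        [string]$IncludeRisk = 'LOW,MEDIUM,HIGH,UNKNOWN'        # page default: every tier goes in the PR
    )
    begin { $allowed = $IncludeRisk.Split(',') | ForEach-Object { $_.Trim().ToUpperInvariant() } }
    process { if ($Update.Tier -in $allowed) { $Update } }
}

# Constructed candidates: module, pinned version, latest version, breaking-change evidence
$candidates = @(
    @{ Module = 'avm/res/key-vault/vault';         Current = '0.6.1'; Latest = '0.6.2'; Signal = $false }
    @{ Module = 'avm/res/network/virtual-network'; Current = '0.4.0'; Latest = '0.5.0'; Signal = $false }
    @{ Module = 'avm/res/storage/storage-account'; Current = '0.9.0'; Latest = '0.9.1'; Signal = $true }   # patch that still removed a parameter
    @{ Module = 'avm/res/compute/virtual-machine'; Current = '0.3.0'; Latest = '0.4.0'; Signal = $null }   # no diff, no changelog
    @{ Module = 'avm/res/web/site';                Current = '0.8.0'; Latest = '1.0.0'; Signal = $null }   # major bump, evidence unavailable
)

$updates = foreach ($c in $candidates) {
    [pscustomobject]@{
        Module  = $c.Module
        Current = $c.Current
        Latest  = $c.Latest
        Tier    = Get-AvmRiskTier -Current $c.Current -Latest $c.Latest -BreakingSignal $c.Signal
    }
}

"All candidates with their tier:"
$updates | Format-Table Module, Current, Latest, Tier

"Restricted to LOW and MEDIUM, as include_risk='LOW,MEDIUM' would do:"
$updates | Select-AvmUpdate -IncludeRisk 'LOW,MEDIUM' | Format-Table Module, Tier
```

Two rows are the ones worth studying: the storage-account patch bump lands in HIGH because a detected interface change outranks the version semantics, and the web/site bump lands in HIGH rather than UNKNOWN because a major bump is breaking by contract even when no diff could be fetched. Narrowing include_risk to LOW,MEDIUM drops both, plus the UNKNOWN row, from the PR.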

Full CI/CD setup guide on GitHub →

Questions

Frequently asked questions

Is AvmUpdater free?
Yes. AvmUpdater is completely free and open source. There is no sign-up, no paywall, and no licence fees. The source code and releases are on GitHub.
Which IaC languages does it support?
AvmUpdater supports both Bicep and Terraform. It uses each language's native toolchain for validation: bicep build/lint for Bicep, and terraform init/validate/plan for Terraform.
Will it change my live infrastructure?
No. AvmUpdater only updates module version references in your IaC source files and validates them locally. For Terraform it inspects the plan for potentially destructive operations (destroy/replace) and flags them in the report, so you see them before anything is deployed. Deploying to your infrastructure is always your decision; AvmUpdater never triggers a deployment.
What platforms and prerequisites does it need?
AvmUpdater requires PowerShell 7+ and runs on Windows, macOS, and Linux. You also need the relevant IaC toolchain installed: the Bicep CLI for Bicep projects, and Terraform for Terraform projects.
How do I report issues or contribute?
Open an issue on GitHub Issues, or submit a pull request on GitHub. Contributions are welcome; see the repo README for guidelines.

Ready to keep your AVM modules current?

Get AvmUpdater for free, start scanning your Bicep and Terraform repos today, and stop worrying about breaking changes.

Get it on GitHub