ADR-0002: Bicep Implementation

Status: Implemented | Date: 2026-01-28

Following ADR-0001 approval, the implementation phase required decisions about Bicep template structure, organization, and deployment patterns. Key forces:

  • Subscription-scope deployment for policies and budgets
  • Cross-resource group dependencies (hub and spoke span multiple RGs)
  • Conditional resources (Firewall and VPN Gateway are optional per scenario)
  • Azure Policies must deploy before any resources
  • Globally unique resources need deterministic suffixes

Decisions:

  • Two-template approach: deploy-mg.bicep for management group scope (30 MG policies), main.bicep for subscription scope (everything else)
  • AVM-first mandate: All modules must use Azure Verified Modules where available (13 of 18 modules)
  • Unique suffix: uniqueString(subscription().subscriptionId) — generated once in main.bicep, passed to all modules
  • azd orchestration: azd up with pre-provision hook for MG deployment, post-provision for verification
  • Conditional modules: deployFirewall and deployVpnGateway boolean parameters control optional resources

Positive: Clean separation of MG and subscription scopes, AVM modules provide tested + maintained building blocks, azd simplifies partner deployment.

Negative: Two-template approach requires a pre-provision hook (added complexity), BCP318 warnings on conditional module outputs, some resources lack AVM modules (justified exceptions documented).
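The following main.bicep skeleton is an added example for this ADR that ties the decisions above (subscription scope, policies-first ordering, deterministic suffix, cross-RG hub/spoke, conditional modules) to the BCP318 point in the Negative consequences. It is not the project's own main.bicep: the local module paths, parameter and output names, the AVM virtual-network module version, and the resource group names are assumptions. The management-group counterpart (deploy-mg.bicep with targetScope = 'managementGroup') runs from the azd pre-provision hook and is not shown.

```bicep
// main.bicep (illustrative, not the project's file): subscription-scope entry point.
targetScope = 'subscription'

@description('Azure region for all resources.')
param location string = 'eastus2'

@description('Deploy the optional Azure Firewall in the hub (per-scenario switch).')
param deployFirewall bool = false

@description('Deploy the optional VPN Gateway in the hub (per-scenario switch).')
param deployVpnGateway bool = false

// Deterministic suffix: the same subscription always hashes to the same 13-character
// string, so globally unique names stay stable across redeploys. Generated once here
// and passed down to every module rather than recomputed inside each one.
var suffix = uniqueString(subscription().subscriptionId)

// Policies first: every later resource group depends on this module, so no resource
// can be created before the guardrails exist. (Module path is an assumption.)
module policies './modules/policies.bicep' = {
  name: 'policies-${suffix}'
  params: {
    location: location
  }
}

// Resource groups are subscription-scope resources and live in main.bicep itself.
resource hubRg 'Microsoft.Resources/resourceGroups@2022-09-01' = {
  name: 'rg-hub-${suffix}'
  location: location
  dependsOn: [policies]
}

resource spokeRg 'Microsoft.Resources/resourceGroups@2022-09-01' = {
  name: 'rg-spoke-${suffix}'
  location: location
  dependsOn: [policies]
}

// AVM-first: the hub VNet comes from the public registry, deployed into the hub RG
// via the scope property. (Module version is an assumption.)
module hubVnet 'br/public:avm/res/network/virtual-network:0.5.0' = {
  name: 'hub-vnet-${suffix}'
  scope: hubRg
  params: {
    name: 'vnet-hub-${suffix}'
    location: location
    addressPrefixes: ['10.0.0.0/16']
  }
}

// Conditional module: the body is skipped entirely when deployFirewall is false.
// (Local module used here as one of the documented non-AVM exceptions; path assumed.)
module firewall './modules/firewall.bicep' = if (deployFirewall) {
  name: 'firewall-${suffix}'
  scope: hubRg
  params: {
    location: location
    hubVnetId: hubVnet.outputs.resourceId
  }
}

// Spoke sits in a different resource group but peers to the hub: the cross-RG
// dependency is expressed by passing the hub output as a parameter.
module spoke './modules/spoke.bicep' = {
  name: 'spoke-${suffix}'
  scope: spokeRg
  params: {
    location: location
    hubVnetId: hubVnet.outputs.resourceId
    // `deployFirewall ? firewall.outputs.privateIp : ''` compiles but raises BCP318
    // because the compiler cannot prove `firewall` is non-null. The safe-dereference
    // operator `.?` plus `??` yields an empty string when the module was skipped.
    firewallPrivateIp: firewall.?outputs.privateIp ?? ''
  }
}

// Nullable output for the optional resource; null when deployFirewall is false.
output firewallPrivateIp string? = firewall.?outputs.privateIp
output hubVnetId string = hubVnet.outputs.resourceId
```

The `deployVpnGateway` switch follows the same `= if (...)` pattern as the firewall and is omitted for brevity. Check the template with `bicep build main.bicep` before wiring it into `azd up`: the `.?` form should compile without BCP318, while switching either conditional access back to a plain `.outputs` access reproduces the warning described under Negative.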