Bicep Modules
File Structure

```text
infra/bicep/smb-ready-foundation/
├── main.bicep                        # Orchestration (subscription scope)
├── main.bicepparam                   # Parameter file with defaults
├── azure.yaml                        # azd project manifest
├── deploy-mg.bicep                   # Management group deployment (Phase 1)
├── hooks/
│   ├── pre-provision.ps1             # MG policies, cleanup, validation
│   └── post-provision.ps1            # Verification, retry, outputs
├── scripts/
│   └── Remove-SmbReadyFoundation.ps1
└── modules/
    ├── policy-assignments-mg.bicep   # 30 MG-scoped policies
    ├── policy-assignments.bicep      # 3 subscription-scoped policies
    ├── policy-backup-auto.bicep      # VM backup auto-enrollment (DINE)
    ├── resource-groups.bicep         # 6 resource groups
    ├── networking-hub.bicep          # Hub VNet, Bastion, NSG, DNS
    ├── networking-spoke.bicep        # Spoke VNet, NAT Gateway, NSG
    ├── networking-peering.bicep      # VNet peering orchestration
    ├── networking-peering-spoke.bicep
    ├── route-tables.bicep            # UDR for firewall routing
    ├── monitoring.bicep              # Log Analytics Workspace
    ├── backup.bicep                  # Recovery Services Vault
    ├── migrate.bicep                 # Azure Migrate Project
    ├── budget.bicep                  # Cost Management Budget
    ├── firewall.bicep                # Azure Firewall Basic
    ├── vpn-gateway.bicep             # VPN Gateway VpnGw1AZ
    ├── keyvault.bicep                # Key Vault + private endpoint
    ├── defender.bicep                # Defender for Cloud
    └── automation.bicep              # Automation Account
```

AVM Module Inventory

All applicable modules use Azure Verified Modules (AVM) for reliability, security, and maintainability.
| Module | AVM Reference | Version | Used In |
|---|---|---|---|
| Virtual Network | avm/res/network/virtual-network | 0.8.0 | networking-hub, networking-spoke |
| Network Security Group | avm/res/network/network-security-group | 0.5.3 | networking-hub, networking-spoke |
| NAT Gateway | avm/res/network/nat-gateway | 2.1.0 | networking-spoke |
| Public IP Address | avm/res/network/public-ip-address | 0.12.0 | firewall |
| Azure Firewall | avm/res/network/azure-firewall | 0.10.1 | firewall |
| Firewall Policy | avm/res/network/firewall-policy | 0.3.4 | firewall |
| Route Table | avm/res/network/route-table | 0.5.0 | route-tables |
| VPN Gateway | avm/res/network/virtual-network-gateway | 0.10.1 | vpn-gateway |
| Private DNS Zone | avm/res/network/private-dns-zone | 0.8.1 | networking-hub, keyvault |
| Key Vault | avm/res/key-vault/vault | 0.13.3 | keyvault |
| Log Analytics | avm/res/operational-insights/workspace | 0.15.0 | monitoring |
| Automation Account | avm/res/automation/automation-account | 0.19.0 | automation |
| Recovery Services Vault | avm/res/recovery-services/vault | 0.11.1 | backup |
Justified Exceptions (No AVM Available)

| Resource | ARM Type | Rationale |
|---|---|---|
| Azure Migrate Project | Microsoft.Migrate/migrateProjects | No AVM module exists |
| Policy Assignments | Microsoft.Authorization/policyAssignments | Raw ARM simplest for subscription scope |
| VNet Peering | virtualNetworks/virtualNetworkPeerings | Inline in VNet module |
| Backup Policy | vaults/backupPolicies | Nested in vault module |
Deployment Phases
```text
Phase 0: Setup-ManagementGroupPermissions.ps1 (one-time, Global Admin)
   ↓
Phase 1: pre-provision hook → deploy-mg.bicep (MG + 30 policies)
   ↓
Phase 2: azd provision → main.bicep (subscription infra + 3+1 policies)
```

Validation Status

| Check | Status | Notes |
|---|---|---|
| `bicep build` | ✅ Pass | Template compiles successfully |
| `bicep lint` | ⚠️ Pass | Minor BCP318 warnings on conditional module outputs |
| `bicep format` | ✅ Pass | All files formatted |
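The BCP318 warnings noted above come from reading the outputs of a module that is deployed behind an `if (...)` condition, which gives the module symbol a nullable type. The following is an added illustration of that pattern and of the two ways the compiler's own guidance offers to resolve it; it is not code from the project, and the `deployFirewall` parameter, the `privateIp` output of `firewall.bicep` and the `firewallPrivateIp` parameter of `route-tables.bicep` are assumed names.

```bicep
// Added illustration of the BCP318 pattern; parameter and output names are assumed,
// not taken from the project's modules.
@description('Assumed parameter: when false, neither the firewall nor its route table is deployed.')
param deployFirewall bool = false
param location string = resourceGroup().location

// Conditional module: the symbol `firewall` now has type `module | null`.
module firewall './modules/firewall.bicep' = if (deployFirewall) {
  name: 'firewall'
  params: {
    location: location
  }
}

// Warning form: `firewall.outputs.privateIp` dereferences a possibly-null symbol, so
// `bicep lint` reports BCP318 even though the consumer is guarded by the same condition.
// module routeTablesWarn './modules/route-tables.bicep' = if (deployFirewall) {
//   name: 'route-tables'
//   params: { firewallPrivateIp: firewall.outputs.privateIp }
// }

// Fix 1: the consumer shares the producer's condition, so the value cannot be null when
// this module actually deploys. The null-forgiving operator `!` states that intent.
module routeTables './modules/route-tables.bicep' = if (deployFirewall) {
  name: 'route-tables'
  params: {
    location: location
    firewallPrivateIp: firewall!.outputs.privateIp
  }
}

// Fix 2: an unconditional consumer (here a template output) must handle the null case.
// The safe-dereference operator `.?` short-circuits the chain to null when `firewall`
// was not deployed, and `??` supplies an explicit fallback instead of failing at deploy time.
output firewallPrivateIp string = firewall.?outputs.privateIp ?? ''
```

Prefer Fix 1 only where the consumer is guarded by exactly the same condition; otherwise use Fix 2 so the template fails in a controlled way rather than at the start of the deployment.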
- Step-by-Step Walkthrough: deploy using the Bicep track
- ADR-0002: Bicep Implementation: architecture decisions for the Bicep track