azure-bicep-patterns
Reusable Azure Bicep patterns: hub-spoke, private endpoints, diagnostics, AVM composition. USE FOR: Bicep template design, hub-spoke networking, private endpoint patterns, AVM modules. DO NOT USE FOR: Terraform code, architecture decisions, troubleshooting, diagram generation.
89
86%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Azure Bicep Patterns Skill
Reusable infrastructure patterns for Azure Bicep templates. Complements
iac-bicep-best-practices.instructions.md (style) and azure-defaults skill (naming, tags, regions).
Quick Reference
| Pattern | When to Use | Reference |
|---|---|---|
| Hub-Spoke Networking | Multi-workload environments with shared services | hub-spoke-pattern |
| Private Endpoint Wiring | Any PaaS service requiring private connectivity | private-endpoint-pattern |
| Diagnostic Settings | Every deployed resource (mandatory) | common-patterns |
| Conditional Deployment | Optional resources controlled by parameters | common-patterns |
| Module Composition | Breaking main.bicep into reusable modules | common-patterns |
| Managed Identity Binding | Any service-to-service authentication | common-patterns |
| Budget & Cost Monitoring | Every deployment (mandatory) | budget-pattern |
| What-If / AVM Pitfalls | Pre-deployment validation & AVM gotchas | avm-pitfalls |
Canonical Example — Module Interface
// modules/storage.bicep — every module follows this contract
@description('Storage account name')
param name string
param location string
param tags object
param logAnalyticsWorkspaceName string
output resourceId string = storageAccount.id
output resourceName string = storageAccount.name
output principalId string = storageAccount.identity.?principalId ?? ''Accept name, location, tags, logAnalyticsWorkspaceName; output resourceId, resourceName, principalId.
Key Rules Summary
- Hub-Spoke: Hub holds shared infra; spokes peer to hub only; NSGs per subnet
- Private Endpoints: Always wire PE + DNS Zone Group + DNS Zone; see group ID table in reference
- Diagnostics:
categoryGroup: 'allLogs'+AllMetrics; pass workspace name not ID - Conditional:
boolparams with defaults; guard outputs with ternary - Identity:
guid()for idempotent role names;principalType: 'ServicePrincipal'; scope narrowly - Budget: 3 forecast thresholds (80%/100%/120%); amount and emails MUST be parameters
- What-If: Run before every deploy; watch for unexpected deletes and SKU downgrades
- AVM: Always pin versions; wrap modules to override defaults; verify outputs in README
- AVM Version Fallback: When AVM version helpers are incomplete, query public MCR tag listings
(
mcr.microsoft.com/v2/bicep/{module}/tags/list) to discover authoritative published versions
Gotchas
- AVM output shapes vary across modules — Different AVM modules expose different outputs. Always check the module README before referencing outputs.
- Tag merging in AVM modules — Some AVM modules merge tags internally. Verify deployed tags include all required policy tags after deployment.
- What-If red flags — Watch for unexpected deletes, SKU downgrades, public access changes, authentication mode changes, or identity removal. Always run what-if before deploy.
- MCR version discovery — When AVM version helpers are incomplete,
query
mcr.microsoft.com/v2/bicep/{module}/tags/listfor authoritative published versions.
Reference Index
| File | Content |
|---|---|
| hub-spoke-pattern.md | Hub-spoke VNet orchestration with peering |
| private-endpoint-pattern.md | PE wiring + DNS zone groups + group ID table |
| common-patterns.md | Diagnostics, conditional deploy, module composition, managed identity |
| budget-pattern.md | Consumption budget, forecast alerts, anomaly detection |
| avm-pitfalls.md | What-if interpretation, AVM gotchas, learn more links |
Learn More
| Topic | How to Find |
|---|---|
| AVM module catalog | microsoft_docs_search(query="Azure Verified Modules registry Bicep") |
| Resource type schema | microsoft_docs_search(query="{resource-type} Bicep template reference") |
- Repository
- jonathan-vella/azure-agentic-infraops
- Commit
ec7b8ff
- Last updated
- Created
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.