
Bicep: Azure infrastructure as code — from zero to production

João Barros, 13 November 2024, 1 min read

Bicep is Microsoft's IaC (Infrastructure as Code) language for Azure, with cleaner syntax than pure ARM templates, automatic compilation to JSON and native integration with the Azure CLI and DevOps.

Basic structure of a Bicep file

// main.bicep
@description('Deployment environment')
@allowed(['dev', 'test', 'prod'])
param environment string

@description('Location of the resources')
param location string = resourceGroup().location

var prefix = 'bconcepts-${environment}'

// Resource: Storage Account
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
    name: 'sta${replace(prefix, '-', '')}'
    location: location
    sku: { name: 'Standard_LRS' }
    kind: 'StorageV2'
    properties: {
        isHnsEnabled: true    // ADLS Gen2
        minimumTlsVersion: 'TLS1_2'
    }
}

// Output to reference in other modules
output storageAccountId string = storageAccount.id

Modules — component reuse

// modules/keyvault.bicep
param name string
param location string
param principalId string

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
    name: name
    location: location
    properties: {
        tenantId: subscription().tenantId
        sku: { name: 'standard', family: 'A' }
        enableRbacAuthorization: true
        enableSoftDelete: true
        softDeleteRetentionInDays: 90
    }
}

// main.bicep — use the module
module keyVault 'modules/keyvault.bicep' = {
    name: 'deploy-keyvault'
    params: {
        name: 'kv-${prefix}'
        location: location
        principalId: adf.identity.principalId  // identity of ADF, which needs access to the vault (adf is declared elsewhere in main.bicep)
    }
}
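
The module listing above accepts principalId but does not show it being used, and with enableRbacAuthorization: true only a role assignment gives an identity access to the vault's data. The following is an added example, not the author's code, of the module with that assignment in place. The choice of the built-in Key Vault Secrets User role (read-only access to secrets), the resource name secretsReader and the vaultUri output are assumptions.

```bicep
// modules/keyvault.bicep (added example, not the article's own listing)
@description('Key Vault name')
param name string
param location string

@description('Object ID of the identity that reads secrets, e.g. the ADF managed identity')
param principalId string

// Assumption: the caller only needs to read secrets.
// Built-in role "Key Vault Secrets User".
var secretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
    name: name
    location: location
    properties: {
        tenantId: subscription().tenantId
        sku: { name: 'standard', family: 'A' }
        enableRbacAuthorization: true   // data access comes from role assignments only
        enableSoftDelete: true
        softDeleteRetentionInDays: 90
    }
}

resource secretsReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
    // Deterministic name, so a redeploy updates the same assignment
    name: guid(kv.id, principalId, secretsUserRoleId)
    scope: kv   // this vault only, not the whole resource group
    properties: {
        roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', secretsUserRoleId)
        principalId: principalId
        principalType: 'ServicePrincipal'   // managed identities are service principals
    }
}

output vaultUri string = kv.properties.vaultUri
```

The identity that runs the deployment needs permission to write role assignments on the vault (for example User Access Administrator), otherwise this resource fails while the vault itself deploys.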

Deploy with the Azure CLI

az group create --name rg-analytics-prod --location westeurope

az deployment group create \
  --resource-group rg-analytics-prod \
  --template-file main.bicep \
  --parameters environment=prod \
  --what-if  # preview changes before applying

CI/CD pipeline (GitHub Actions)

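name: Deploy Infrastructure
on: [push]   # runs on every push, on any branch
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Sign in to Azure with the credentials stored as a repository secret
      - uses: azure/login@v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      # Deploy the Bicep template to the production resource group
      - uses: azure/arm-deploy@v2
        with:
          resourceGroupName: rg-analytics-prod
          template: ./infra/main.bicep
          parameters: environment=prod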

Conclusion

Bicep is the natural choice for IaC on Azure — less verbose than ARM, more native than Terraform for pure Azure resources. With modules, infrastructure is reusable and testable. Always add --what-if before a production deploy.
