playbooks

home / skills / yldgio / codereview-skills / bicep

bicep skill

/skills/bicep

This skill helps you design secure, modular Azure Bicep templates with parameterization, naming, tagging, and module patterns for scalable IaC.

npx playbooks add skill yldgio/codereview-skills --skill bicep

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
3.4 KB
---
name: bicep
description: Azure Bicep IaC patterns, parameterization, security, and modular design
---

## Bicep Code Review Rules

### Security (Critical)
- Never hardcode secrets, connection strings, or keys
- Use Key Vault references for secrets
- Apply least privilege to managed identities
- Enable diagnostic settings for auditing
- Use private endpoints where available
- Enforce encryption at rest for all supported resources
- Validate Azure Policy compliance for resources
- Check regulatory standards compliance (HIPAA, PCI-DSS, etc.)
- Always escape or validate user-provided strings before using them in resource names, tags, and outputs to prevent injection risks
- Never use HTML comments (`<!-- -->`) or expose template syntax in outputs

### Parameters
- Use parameters for values that vary between deployments
- Mark sensitive parameters with `@secure()` decorator
- Provide `@description()` for all parameters
- Use `@allowed()` for constrained values
- Set sensible `@minLength()`, `@maxLength()`, `@minValue()`, `@maxValue()`
- Provide default values where appropriate to reduce required inputs
- Validate complex parameter types with parameter constraints, assertions, or custom validation logic
- Document parameter purpose and expected values

### Resource Naming (Essential)
- Use consistent naming convention
- Include environment, region, workload in names
- Use `uniqueString()` for globally unique names
- Follow Azure naming rules and restrictions

### Resource Tagging
- Tag all resources with standard tags (owner, environment, cost center)
- Use consistent tag naming conventions
- Include tags for governance (compliance, data classification)
- Define required tags in policy and enforce them

### Modules
- Break down large templates into modules
- One module per logical resource group
- Use outputs to pass values between modules
- Store shared modules in a registry

### Best Practices
- Use `existing` keyword to reference existing resources
- Use `dependsOn` only when implicit dependencies aren't enough
- Prefer symbolic names over `resourceId()` functions
- Use loops (`for`) instead of copy-paste for similar resources
- Include template metadata block with author, version, and docs
- Use meaningful error messages with `assert()` for validation

### API Version Management
- Avoid deprecated or preview resource API versions unless justified
- Document reasons for using preview features

### Outputs
- Output only values needed by other templates/scripts
- Mark sensitive outputs with `@secure()` (Bicep handles this)
- Include resource IDs for downstream references

### Example Patterns
```bicep
@description('Environment name')
@allowed(['dev', 'staging', 'prod'])
param environment string

@description('SQL admin password')
@secure()
param sqlAdminPassword string

metadata description = 'Azure Storage Account with Key Vault integration'
metadata author = 'Infrastructure Team'
metadata version = '1.0.0'

var baseName = 'myapp-${environment}-${uniqueString(resourceGroup().id)}'
var commonTags = {
  environment: environment
  owner: 'infrastructure-team'
  costCenter: 'IT-001'
}

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: '${baseName}sa'
  location: resourceGroup().location
  tags: commonTags
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
  }
}
```

Overview

This skill encapsulates Azure Bicep Infrastructure-as-Code patterns focused on secure parameterization, modular design, naming and tagging conventions, and auditing best practices. It helps reviewers and authors apply consistent, policy-aligned templates and avoid common security and deployment pitfalls. The guidance is practical and ready to apply in CI/CD pipelines and code reviews.

How this skill works

The skill inspects Bicep templates for security issues (secrets, network exposure, diagnostic settings), parameter design (descriptions, constraints, secure markers), naming and tagging consistency, module boundaries, and API version usage. It reports deviations from recommended patterns and offers concrete fixes: parameter annotations, Key Vault references, proper use of existing resources, and modular refactors. It also suggests policy and auditing controls to enforce governance.

When to use it

  • During Bicep template code reviews to catch security and governance issues early
  • When authoring new IaC modules to apply consistent naming, tagging, and parameter patterns
  • Before merging changes to infrastructure repositories or generating ARM outputs
  • While integrating templates into CI/CD to enforce policy and validation gates
  • When migrating ARM templates to Bicep or modularizing large templates

Best practices

  • Never hardcode secrets; use Key Vault references and mark sensitive params with @secure()
  • Provide @description() and @allowed() for parameters and apply sensible min/max constraints
  • Use consistent naming conventions with environment, region, workload and uniqueString() for global names
  • Tag all resources with standard governance tags (owner, environment, cost center, compliance)
  • Break templates into single-responsibility modules and pass values via outputs
  • Enable diagnostic settings, prefer private endpoints, and enforce encryption at rest

Example use cases

  • Validate a storage account template: ensure TLS1_2, supportsHttpsTrafficOnly, and Key Vault integration
  • Refactor a monolithic template into modules: network, compute, and storage with clear outputs
  • Harden deployment parameters by adding @secure(), descriptions, allowed values and lengths
  • Audit templates for deprecated API versions and justify any preview usage
  • Ensure resource tags and naming meet organizational policy for cost allocation and compliance

FAQ

How should secrets be handled in Bicep?

Never hardcode secrets; declare parameters with @secure() and reference secrets from Azure Key Vault.

When should I use modules?

Use modules to encapsulate logical resource groups, make templates reusable, and simplify testing and maintenance.