jaycalderwood/BICEP


BICEP – Azure Bicep Template Library

Bicep CI License: MIT

A comprehensive, menu-driven library of Azure Bicep templates with parameter packs, deep variants, and an optional Registry (AVM) mode. This repository is structured to be used as-is at the repo root (no subfolder required).

Screenshots are under docs/images/ and render on GitHub.


Quick start

# 1) Clone
git clone https://github.com/jaycalderwood/BICEP
cd BICEP

# 2) (Optional) Install prerequisites
./scripts/Install-Prereqs.ps1 -Verbose

# 3) Launch the interactive menu
./scripts/Invoke-BicepLibrary.ps1

What you can do from the menu

  • Browse/search templates
  • What-If preview or Deploy at RG/Subscription/MG/Tenant scope
  • Change defaults: location/scope
  • Toggle Local/Registry mode
  • Create an AVM registry wrapper on the fly

Repository structure

BICEP/
├─ scripts/                             # PS helper scripts: invoke, what-if, deploy, registry wrapper tools
│  ├─ Install-Prereqs.ps1
│  ├─ Invoke-BicepLibrary.ps1
│  ├─ New-BicepDeployment.ps1
│  ├─ Test-BicepDeployment.ps1
│  ├─ New-RegistryModuleWrapper.ps1
│  └─ Set-AvmWrapperVersion.ps1
├─ templates/                           # Organized by domain
│  ├─ core/                             # RG, Storage, Key Vault (base) ...
│  ├─ networking/                       # VNet, AppGW (WAF/mTLS/SNI/blue-green), Azure Firewall/Policy, vWAN, ER, ILB, PE, DNS, Private Link suite
│  ├─ compute/                          # VMs, VMSS, availability sets, disks
│  ├─ identity/                         # UAMI, AKS Workload Identity
│  ├─ security/                         # KV advanced/RBAC/HSM, Defender bits, policies
│  ├─ data/                             # Cosmos variants, SQL DB/MI, FOG + Private Endpoints
│  ├─ platform/                         # AKS variants (private, UDR+FW, uptime+NATGW, AGIC), Front Door Std/Premium (+ WAF rules), Event Hubs (Kafka + PE), ACR, Container Apps
│  ├─ monitoring/                       # LA workspace, App Insights, Sentinel enablement + data connectors, diagnostic settings
│  ├─ avd/                              # Host pool + app group + workspace
│  └─ wrappers/
│     └─ avm/                           # Seed wrappers for Azure Verified Modules (AVM)
├─ params/                              # Matching parameter packs for most templates
├─ docs/
│  └─ images/
│     ├─ menu.png
│     ├─ whatif.png
│     └─ structure.png
├─ .github/workflows/ci.yml             # CI builds all *.bicep on push/PR
├─ LICENSE
└─ README.md

Screenshots

  • Menu (docs/images/menu.png)
  • What-If (docs/images/whatif.png)
  • Structure (docs/images/structure.png)


Using Registry (AVM) mode

  1. Start the menu: ./scripts/Invoke-BicepLibrary.ps1
  2. Choose “Toggle source (Local/Registry)” to switch to registry mode.
  3. Pick “Create registry module wrapper” and enter the module reference, e.g.:
    • br/public:avm/res/network/virtual-network:0.18.0
  4. The wrapper is saved to templates/wrappers/avm/*.bicep and becomes the current selection for What-If/Deploy.

Update all seed wrapper versions at once:

./scripts/Set-AvmWrapperVersion.ps1 -Version 0.18.0

AVM module names/versions are listed in the public module index. Supply parameters per the module’s README.
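
Before running What-If/Deploy in registry mode, it helps to confirm which module tags the wrappers actually reference. The script below is an added example, not one of this repository's scripts: `Get-BicepModuleReference`, the sample wrapper text, and the two `constructed/example-*` module paths are hypothetical.

```powershell
# Added example (not part of this repository): list the registry module
# references in Bicep wrapper text and flag tags that drift from the expected one.
function Get-BicepModuleReference {
    param(
        [Parameter(Mandatory)][string]$Text,
        [Parameter(Mandatory)][string]$ExpectedVersion,
        [string]$Source = '(inline)'
    )
    # Handles 'br/<alias>:<path>:<tag>' and 'br:<registry>/<path>:<tag>'.
    # Registries with an explicit port and digest (@sha256) references are out of scope.
    $pattern = "(?m)^\s*module\s+(?<symbol>\w+)\s+'br(?:/(?<alias>[\w-]+))?:(?<path>[^':]+):(?<tag>[^']+)'"
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $tag = $m.Groups['tag'].Value
        [pscustomobject]@{
            Source          = $Source
            Symbol          = $m.Groups['symbol'].Value
            Alias           = $m.Groups['alias'].Value
            Module          = $m.Groups['path'].Value
            Tag             = $tag
            ExactVersion    = $tag -match '^\d+\.\d+\.\d+$'   # x.y.z, not a floating tag
            MatchesExpected = $tag -eq $ExpectedVersion
        }
    }
}

# Constructed sample wrapper text; only the first module reference appears in this README.
$sample = @'
module vnet 'br/public:avm/res/network/virtual-network:0.18.0' = {
  name: 'vnet-wrapper'
}
module older 'br/public:avm/res/constructed/example-a:0.17.0' = {
  name: 'older-wrapper'
}
module floating 'br/public:avm/res/constructed/example-b:latest' = {
  name: 'floating-wrapper'
}
'@

# Show only the references that are not pinned to the expected exact version.
Get-BicepModuleReference -Text $sample -ExpectedVersion '0.18.0' |
    Where-Object { -not ($_.ExactVersion -and $_.MatchesExpected) } |
    Format-Table Symbol, Module, Tag, ExactVersion, MatchesExpected

# Against a checkout, feed each wrapper file through the same function:
# Get-ChildItem templates/wrappers/avm -Filter *.bicep | ForEach-Object {
#     Get-BicepModuleReference -Text (Get-Content $_.FullName -Raw) -ExpectedVersion '0.18.0' -Source $_.Name }
```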


Notable deep variants included

  • App Gateway: WAF v2 with mTLS (single/multi-root), SNI multi-site, blue/green with path-based routing, per-host WAF policies.
  • AKS: private clusters with UDR via Azure Firewall, Uptime SLA + managed NAT Gateway, AGIC addon, Ingress NGINX via Flux (private ILB), Workload Identity wiring.
  • Networking: vWAN secure hub, spoke onboarding, full spoke buildout (VNet, RTs, PE), ExpressRoute circuit + gateway.
  • Security: Azure Firewall Policy with App/Network/DNAT; Key Vault advanced + RBAC-only + BYOK (HSM).
  • Data: Cosmos secure with PE, multi-region multi-write + zone redundant, autoscale DB/containers + RBAC role/assignment; SQL DB FOG + Private Endpoints; SQL MI (AD-only) + MI Failover Group.
  • Edge: Front Door Std/Premium with origins, per-route WAF policies, advanced WAF rules (rate-limit/IP/header) + exclusions.
  • Monitoring/SIEM: Sentinel enablement, data connectors (ASC/Defender & TI), diagnostic settings to LA + Storage + Event Hub.

Each template typically has a matching file under params/*.parameters.json you can copy and adjust.


CI (GitHub Actions)

  • The workflow at .github/workflows/ci.yml runs on push/PR and builds every Bicep file to validate syntax.
  • Badge at top shows the status for the main branch.

Contributing

  1. Add a new template under templates/<domain>/... with a descriptive name.
  2. Add a matching params/<name>.parameters.json (if applicable).
  3. Run the menu locally and What-If the new template.
  4. Commit with a clear message and open a PR (or push if you’re working on main).

License

MIT — see LICENSE.


Last updated: 2025-08-29 13:19 UTC


Fetch EVERYTHING (AVM + Quickstarts)

AVM wrappers (all modules)

Generate wrappers for all AVM Bicep modules (resource + pattern + utility) straight into templates/wrappers/avm:

# All resource modules only (fast)
./scripts/Sync-AVMModules.ps1 -Version 0.18.0

# Everything (resource + pattern + utility)
./scripts/Sync-AVMModules.ps1 -Version 0.18.0 -IncludePatterns -IncludeUtilities

Source: AVM Bicep Module Index (azure.github.io).

Quickstarts breadth (optional)

Bring in community quickstarts and auto-convert ARM JSON to Bicep:

# Full import
./scripts/Import-QuickstartsToBicep.ps1

# Filter to networking and SQL only
./scripts/Import-QuickstartsToBicep.ps1 -Filter "microsoft.network|microsoft.sql"

Keep wrappers fresh (CI)

A scheduled workflow .github/workflows/sync-avm.yml runs weekly to sync any new modules/tags.
