Governance Anti Patterns Bicep Structure
Bicep file structure, module conventions, and deployment script patterns
Domain: bicep_structure
| Check | Description |
|---|---|
| ANTI-BCS-001 | Inline resource detected — use module references (module './modules/.bicep') for all resources. |
| ANTI-BCS-002 | listKeys()/listSas() detected — use managed identity with RBAC role assignments instead. |
| ANTI-BCS-003 | Hardcoded resource name detected — use variables or parameters for resource naming. |
| ANTI-BCS-004 | Bicep parameter missing @description decorator — add @description() to all parameters. |
| ANTI-BCS-005 | Bicep module missing output declarations — add outputs for resources consumed by downstream modules. |
| ANTI-BCS-006 | Deployment script missing error handling — add set -euo pipefail. |
| ANTI-BCS-007 | Outdated API version detected — use 2023 or 2024 API versions. |
ANTI-BCS-001: Inline resource detected — use module references (module './modules/.bicep') for all resources.
Rationale: Inline resources in main.bicep produce a monolithic template that cannot be unit-tested, reused across workloads, or reviewed in isolation; a change to one resource forces a re-review of the whole file.
Agents: bicep-agent
| Services | Triggers On | Correct Patterns |
|---|---|---|
| *All* | | |
ANTI-BCS-002: listKeys()/listSas() detected — use managed identity with RBAC role assignments instead.
Rationale: listKeys() and listSas() run at deployment time, and anything they return that is written to an output lands in the deployment outputs and the resource group's deployment history, where anyone who can read the deployment can read the key or token; values pushed into resource properties (connection strings in app settings, for example) persist in plain text as well. Managed identity with a scoped RBAC role assignment means no key or SAS token is ever materialised in the template, its outputs, or its history, and the Bicep linter rule outputs-should-not-contain-secrets is never tripped.
Agents: bicep-agent
| Services | Triggers On | Correct Patterns |
|---|---|---|
| *All* | | |
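The anti-pattern and its replacement side by side, as an added example that is not part of this project's checks or code. The names (baseName, the app identity) and parameter values are assumptions; the role GUID is the built-in Storage Blob Data Contributor definition. The bad output is left in as a comment so the file deploys cleanly.

```bicep
// Added example, not the project's own code. Names and values are illustrative.

@description('Azure region for all resources.')
param location string = resourceGroup().location

@description('Base name used to derive resource names; lowercase letters and digits only.')
@minLength(3)
@maxLength(11)
param baseName string

// 11 + 13 characters keeps the storage account name inside its 24-character limit.
var storageAccountName = '${baseName}${uniqueString(resourceGroup().id)}'

resource storage 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    allowSharedKeyAccess: false      // keys are unusable even if someone lists them
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
  }
}

// ANTI-BCS-002 (do not do this): the key is captured in the deployment output and
// is readable by anyone who can read the deployment history.
// output storageKey string = storage.listKeys().keys[0].value

// Correct pattern: a user-assigned identity that the workload runs as ...
resource appIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: '${baseName}-app-identity'
  location: location
}

// ... and a data-plane role assignment scoped to this storage account only.
// ba92f5b4-2d11-453d-bc72-1be1ab83e0e1 is the built-in 'Storage Blob Data Contributor' role.
var storageBlobDataContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-bc72-1be1ab83e0e1')

resource blobContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, appIdentity.id, storageBlobDataContributor)   // deterministic, idempotent name
  scope: storage
  properties: {
    roleDefinitionId: storageBlobDataContributor
    principalId: appIdentity.properties.principalId
    principalType: 'ServicePrincipal'   // avoids replication races on freshly created identities
  }
}

// Only non-secret values are emitted; the workload authenticates with the identity.
output blobEndpoint string = storage.properties.primaryEndpoints.blob
output appIdentityClientId string = appIdentity.properties.clientId
output appIdentityResourceId string = appIdentity.id
```

Setting allowSharedKeyAccess to false is the check that makes the pattern hold: it turns any remaining listKeys() consumer into a hard failure at runtime rather than a silent fallback, so audit anything still using AzureWebJobsStorage-style key connection strings before enabling it.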
ANTI-BCS-003: Hardcoded resource name detected — use variables or parameters for resource naming.
Rationale: Hardcoded resource names cannot be reused across environments or subscriptions, collide when the template is deployed a second time (globally unique names such as storage accounts and Key Vaults in particular), and bypass the organisation's naming convention.
Agents: bicep-agent
| Services | Triggers On | Correct Patterns |
|---|---|---|
| *All* | | |
ANTI-BCS-004: Bicep parameter missing @description decorator — add @description() to all parameters.
Rationale: Parameters without descriptions give deployers no guidance on expected values, leave the generated parameter file and portal form unlabelled, and make deployment review harder because the intent of each input has to be reverse-engineered from where it is used.
Agents: bicep-agent
| Services | Triggers On | Correct Patterns |
|---|---|---|
| *All* | | |
ANTI-BCS-005: Bicep module missing output declarations — add outputs for resources consumed by downstream modules.
Rationale: Without outputs, downstream modules have to rebuild resource IDs and names by hand, which duplicates naming logic and breaks the deployment chain as soon as the module's implementation changes.
Agents: bicep-agent
| Services | Triggers On | Correct Patterns |
|---|---|---|
| *All* | | |
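The structural checks ANTI-BCS-001, 003, 004 and 005 together, as one added example that is not this project's code: a main.bicep that holds no inline resources and derives every name, and a module that documents its parameters and exports what callers need. Two files are shown in one listing, split at the marker comments; the workload and environment names and the Key Vault settings are assumptions.

```bicep
// ---- main.bicep (added example, not the project's code; names are illustrative) ----

targetScope = 'resourceGroup'

@description('Short environment tag used in resource names.')
@allowed(['dev', 'test', 'prod'])
param environment string

@description('Workload name used as the prefix for every resource.')
@minLength(2)
@maxLength(10)
param workload string

@description('Azure region; defaults to the resource group location.')
param location string = resourceGroup().location

// ANTI-BCS-003: names are derived, never literal. uniqueString() keeps them globally
// unique without a hardcoded suffix; take() enforces the 24-character Key Vault limit.
var suffix = uniqueString(resourceGroup().id)
var keyVaultName = take('kv-${workload}-${environment}-${suffix}', 24)

// ANTI-BCS-001: no inline resources here; every resource lives in a module.
module keyVault './modules/keyvault.bicep' = {
  name: 'keyvault-${environment}'
  params: {
    name: keyVaultName
    location: location
  }
}

// Consumers take the module outputs instead of rebuilding the name or ID.
output keyVaultId string = keyVault.outputs.keyVaultId
output keyVaultUri string = keyVault.outputs.keyVaultUri

// ---- modules/keyvault.bicep ----

// ANTI-BCS-004: every parameter carries a description and, where possible, a constraint.
@description('Globally unique Key Vault name (3-24 characters), computed by the caller.')
@minLength(3)
@maxLength(24)
param name string

@description('Azure region for the vault.')
param location string

resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: name
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true   // RBAC role assignments instead of access policies
    enableSoftDelete: true
    enablePurgeProtection: true     // cannot be switched off once set
    publicNetworkAccess: 'Disabled'
  }
}

// ANTI-BCS-005: outputs for everything a downstream module needs to reference.
output keyVaultId string = vault.id
output keyVaultUri string = vault.properties.vaultUri
```

The module deliberately exports the resource ID and the data-plane URI rather than the name: a downstream role assignment needs the ID for its scope, and an application needs the URI, and neither should have to know how the name was constructed.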
ANTI-BCS-006: Deployment script missing error handling — add set -euo pipefail.
Rationale: A deployment script that does not fail fast continues past a failed command, so the deployment reports success while the environment is only partly configured. `set -euo pipefail` applies to AzureCLI (bash) scripts; an AzurePowerShell script needs `$ErrorActionPreference = 'Stop'` for the same effect.
Agents: bicep-agent
| Services | Triggers On | Correct Patterns |
|---|---|---|
| *All* | | |
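An AzureCLI deployment script whose inline bash fails fast, as an added example that is not this project's code. The user-assigned identity and the target storage account are assumptions passed in as parameters; AZ_SCRIPTS_OUTPUT_PATH is the file the deployment script service reads back as the resource's outputs.

```bicep
// Added example, not the project's own code. Identity and storage account are assumptions.

@description('Azure region for the script resource.')
param location string = resourceGroup().location

@description('Resource ID of a user-assigned identity holding Storage Blob Data Contributor on the target account.')
param scriptIdentityId string

@description('Storage account that the script seeds with a container.')
param storageAccountName string

resource seedContainer 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
  name: 'seed-container'
  location: location
  kind: 'AzureCLI'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${scriptIdentityId}': {}
    }
  }
  properties: {
    azCliVersion: '2.61.0'          // pin to a version the service supports
    retentionInterval: 'PT1H'
    cleanupPreference: 'OnSuccess'  // keep the container around on failure for log inspection
    timeout: 'PT10M'
    environmentVariables: [
      { name: 'ACCOUNT', value: storageAccountName }
    ]
    scriptContent: '''
      set -euo pipefail   # ANTI-BCS-006: stop on error, unset variable, or failed pipe

      # The CLI is already signed in as the script's managed identity; no key or SAS is used.
      az storage container create \
        --account-name "$ACCOUNT" \
        --name bootstrap \
        --auth-mode login \
        --only-show-errors

      # Structured output that downstream modules can reference.
      printf '{"container":"%s"}' bootstrap > "$AZ_SCRIPTS_OUTPUT_PATH"
    '''
  }
}

output seededContainer string = seedContainer.properties.outputs.container
```

With `set -e` in place a failed `az storage container create` (a missing role assignment, say) fails the deployment instead of letting the script write an output that claims the container exists; `-u` catches a mis-spelled environment variable name before the CLI ever runs.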
ANTI-BCS-007: Outdated API version detected — use 2023 or 2024 API versions.
Rationale: Old API versions lack newer security properties (settings that disable shared-key or public network access, for example), may differ in property defaults and validation, and can be deprecated by Azure, at which point the template stops deploying.
Agents: bicep-agent
| Services | Triggers On | Correct Patterns |
|---|---|---|
| *All* | | |