Governance Anti Patterns Bicep Structure - Azure/az-prototype GitHub Wiki

Bicep Structure

Bicep file structure, module conventions, and deployment script patterns

Domain: bicep_structure

Checks (7)

Check Description
ANTI-BCS-001 Inline resource detected — use module references (module './modules/.bicep') for all resources.
ANTI-BCS-002 listKeys()/listSas() detected — use managed identity with RBAC role assignments instead.
ANTI-BCS-003 Hardcoded resource name detected — use variables or parameters for resource naming.
ANTI-BCS-004 Bicep parameter missing @description decorator — add @description() to all parameters.
ANTI-BCS-005 Bicep module missing output declarations — add outputs for resources consumed by downstream modules.
ANTI-BCS-006 Deployment script missing error handling — add set -euo pipefail.
ANTI-BCS-007 Outdated API version detected — use 2023 or 2024 API versions.

ANTI-BCS-001

Inline resource detected — use module references (module './modules/.bicep') for all resources.

Rationale: Inline resources in main.bicep create monolithic templates that are hard to test, reuse, and review.
Agents: bicep-agent

Targets

Services Triggers On Correct Patterns
*All*
  • 'resource '
  • 'module identity './modules/identity.bicep''
  • 'module monitoring './modules/monitoring.bicep''

ANTI-BCS-002

listKeys()/listSas() detected — use managed identity with RBAC role assignments instead.

Rationale: listKeys() exposes secrets in ARM deployment outputs and template history; managed identity with RBAC avoids secret exposure entirely.
Agents: bicep-agent

Targets

Services Triggers On Correct Patterns
*All*
  • 'listKeys('
  • 'listAccountSas('
  • 'listServiceSas('
  • 'Microsoft.ManagedIdentity/userAssignedIdentities'
  • 'identity: { type: 'UserAssigned' }'

ANTI-BCS-003

Hardcoded resource name detected — use variables or parameters for resource naming.

Rationale: Hardcoded resource names prevent reuse across environments and violate naming convention standards.
Agents: bicep-agent

Targets

Services Triggers On Correct Patterns
*All*
  • 'name: ''
  • 'var storageAccountName = '${prefix}-st-${suffix}''
  • 'name: storageAccountName'

ANTI-BCS-004

Bicep parameter missing @description decorator — add @description() to all parameters.

Rationale: Missing parameter descriptions make templates harder to use and prevent proper validation during deployment review.
Agents: bicep-agent

Targets

Services Triggers On Correct Patterns
*All*
  • 'param '
  • '@description('The Azure region for all resources')'
  • 'param location string'

ANTI-BCS-005

Bicep module missing output declarations — add outputs for resources consumed by downstream modules.

Rationale: Missing outputs prevent downstream modules from referencing this module's resources, breaking the deployment chain.
Agents: bicep-agent

Targets

Services Triggers On Correct Patterns
*All*
  • 'module '
  • 'output storageAccountId string = storage.outputs.id'
  • 'output identityPrincipalId string = identity.outputs.principalId'

ANTI-BCS-006

Deployment script missing error handling — add set -euo pipefail.

Rationale: Deployment scripts without error handling silently continue after failures, leading to partial and inconsistent deployments.
Agents: bicep-agent

Targets

Services Triggers On Correct Patterns
*All*
  • 'az deployment group create'
  • 'set -euo pipefail'
  • '#!/bin/bash'

ANTI-BCS-007

Outdated API version detected — use 2023 or 2024 API versions.

Rationale: Old API versions miss security features, property changes, and may be deprecated by Azure.
Agents: bicep-agent

Targets

Services Triggers On Correct Patterns
*All*
  • '@2021-'
  • '@2020-'
  • '@2019-'
  • '@2023-'
  • '@2024-'
⚠️ **GitHub.com Fallback** ⚠️