
Bicep AVM Mastery

Azure Verified Modules (AVM), Bicep best practices, and MCP-powered infrastructure as code for Azure.

---
name: "Bicep AVM Mastery"
description: "Azure Verified Modules (AVM), Bicep best practices, and MCP-powered infrastructure as code for Azure"
---

Skill: Bicep AVM Mastery

Azure Verified Modules (AVM), Bicep best practices, and MCP-powered infrastructure as code for Azure.

Metadata

| Field | Value |
|---|---|
| Skill ID | bicep-avm-mastery |
| Version | 1.0.0 |
| Category | Cloud/Infrastructure |
| Difficulty | Advanced |
| Prerequisites | Basic Azure, infrastructure-as-code |
| Related Skills | azure-architecture-patterns, infrastructure-as-code |

Overview

Bicep is Azure's domain-specific language for infrastructure as code. This skill covers Bicep best practices, Azure Verified Modules (AVM), and MCP tool integration for high-quality, production-ready deployments.

Why Bicep?

| Feature | Bicep | ARM JSON | Terraform |
|---|---|---|---|
| Syntax | Clean, readable | Verbose | HCL |
| Azure Integration | Native | Native | Provider |
| State Management | Azure-managed | Azure-managed | External |
| Learning Curve | Low | High | Medium |
| Tooling | VS Code, MCP | Limited | Extensive |

Module 1: Bicep Best Practices

General Rules

  1. Avoid setting name for module statements — no longer required
  2. Use user-defined types for grouped param/output values instead of multiple params
  3. Prefer .bicepparam files over JSON parameters files

Resource Patterns

```bicep
// ✅ CORRECT: Use parent property
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: vnet  // Reference parent symbolically
  name: 'default'
  properties: {
    addressPrefix: '10.0.0.0/24'
  }
}

// ❌ AVOID: Slash in name property
resource subnetBad 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  name: '${vnetName}/default'  // Don't do this
}
```

Type Safety

```bicep
// ✅ CORRECT: Typed user-defined type
@export()
type storageAccountConfig = {
  @description('Storage account name')
  name: string
  @description('SKU for the storage account')
  sku: 'Standard_LRS' | 'Standard_GRS' | 'Premium_LRS'
  @description('Enable public access')
  allowPublicAccess: bool
}

// ❌ AVOID: Open types
param config object  // Too broad
```

Symbolic References

```bicep
// ✅ CORRECT: Use symbolic references
output storageId string = storageAccount.id
output storageName string = storageAccount.name

// ❌ AVOID: resourceId() and reference()
output storageIdBad string = resourceId('Microsoft.Storage/storageAccounts', storageAccountName)
```

Security

```bicep
// ✅ ALWAYS use @secure() for sensitive data
@secure()
param adminPassword string

@secure()
param connectionString string
```

Null Handling

```bicep
// ✅ CORRECT: Safe dereference with coalesce
var subnetId = vnet.properties.subnets[?0].?id ?? 'default'

// ❌ AVOID: Non-null assertion or verbose ternary
var subnetIdBad = vnet!.properties.subnets[0].id
```

Module 2: Azure Verified Modules (AVM)

What is AVM?

Azure Verified Modules are Microsoft-supported, production-ready Bicep modules covering 328+ Azure resources. They follow best practices, are tested, and receive updates.

AVM Categories

| Category | Count | Examples |
|---|---|---|
| Compute | 50+ | VMs, AKS, App Service, Functions |
| Networking | 40+ | VNets, NSGs, Load Balancers, Front Door |
| Storage | 30+ | Storage Accounts, Cosmos DB, SQL |
| Security | 25+ | Key Vault, Managed Identities, WAF |
| Integration | 20+ | Service Bus, Event Grid, Logic Apps |
| AI/ML | 15+ | Cognitive Services, OpenAI, ML Workspaces |

Using AVM in Bicep

```bicep
// Module from Bicep Registry (AVM)
module storageAccount 'br/public:avm/res/storage/storage-account:0.14.3' = {
  name: 'storageAccountDeployment'
  params: {
    name: 'st${uniqueString(resourceGroup().id)}'
    location: location
    skuName: 'Standard_LRS'
    kind: 'StorageV2'
    managedIdentities: {
      systemAssigned: true
    }
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}
```
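Putting Module 1's rules and the AVM call together: an added example `main.bicep` that is not code from the original skill page. It assumes `types/shared.bicep` exports the `storageAccountConfig` type shown under Type Safety; the `publicNetworkAccess` parameter and the two output names are taken from the AVM storage module as documented, so confirm them with `mcp_bicep_list_avm_metadata` before relying on them.

```bicep
// main.bicep (added example, not from the original skill page)
import { storageAccountConfig } from './types/shared.bicep'  // @export() type from Type Safety

@description('Region for all resources; a literal here would trip the no-hardcoded-location rule')
param location string = resourceGroup().location

@description('Typed storage settings instead of a loose "param config object"')
param storage storageAccountConfig

// AVM module from the public registry, version pinned; no name: on the module statement (rule 1)
module storageAccount 'br/public:avm/res/storage/storage-account:0.14.3' = {
  params: {
    name: storage.name
    location: location
    skuName: storage.sku           // the union type limits this to the three allowed SKUs
    kind: 'StorageV2'
    managedIdentities: {
      systemAssigned: true         // identity-based access instead of shared account keys
    }
    // Deny by default and let only trusted Azure services bypass; opening up is an explicit opt-in
    networkAcls: {
      defaultAction: storage.allowPublicAccess ? 'Allow' : 'Deny'
      bypass: 'AzureServices'
    }
    // Assumed AVM parameter name; verify against the module metadata
    publicNetworkAccess: storage.allowPublicAccess ? 'Enabled' : 'Disabled'
  }
}

// Symbolic references to module outputs; no resourceId() or reference() calls.
// Output names assumed from the AVM module's documented outputs.
output storageResourceId string = storageAccount.outputs.resourceId
output storageName string = storageAccount.outputs.name
```

Running `mcp_bicep_get_bicep_file_diagnostics` on this file (or the VS Code extension) is the quickest way to catch a mistyped AVM parameter name before `what-if`.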

Finding AVM Modules

Use the MCP tool to discover available modules:

```text
mcp_bicep_list_avm_metadata → 328 modules with:
  - Module name and description
  - Latest version
  - Required/optional parameters
  - Usage examples
```

Module 3: MCP Tool Integration

Required Extensions & MCP Servers

| Component | ID / Name | Purpose |
|---|---|---|
| VS Code Extension | ms-azuretools.vscode-bicep | Bicep language support, IntelliSense |
| VS Code Extension | ms-azuretools.vscode-azure-github-copilot | Azure Copilot integration |
| VS Code Extension | ms-vscode.azure-account | Azure authentication |
| MCP Server | bicep-mcp | AVM lookup, schema, validation, best practices |

Installation:

```bash
# VS Code Extensions (required for Bicep authoring)
code --install-extension ms-azuretools.vscode-bicep
code --install-extension ms-azuretools.vscode-azure-github-copilot
code --install-extension ms-vscode.azure-account

# MCP Server enabled via VS Code MCP gallery
# Settings: chat.mcp.gallery.enabled = true
```

Fallback Patterns (When MCP Unavailable)

If Bicep MCP tools are not available, use these alternatives:

| MCP Tool | Fallback Approach |
|---|---|
| list_avm_metadata | Browse https://aka.ms/avm/modules |
| get_az_resource_type_schema | Use `bicep list-api-types` CLI or ARM reference docs |
| get_bicep_best_practices | Reference https://learn.microsoft.com/azure/azure-resource-manager/bicep/best-practices |
| get_bicep_file_diagnostics | VS Code Bicep extension shows diagnostics automatically |
| format_bicep_file | Run `bicep format <file>` CLI |
| decompile_arm_template_file | Run `az bicep decompile --file <file>` CLI |

Manual AVM Module Discovery:

```bash
# Search Bicep Registry for modules
az bicep registry list --resource-group bicep-registry

# Or browse AVM directly
# https://github.com/Azure/bicep-registry-modules
```

Available Bicep MCP Tools

| Tool | Purpose |
|---|---|
| mcp_bicep_list_avm_metadata | Browse 328 Azure Verified Modules |
| mcp_bicep_get_az_resource_type_schema | Get resource type properties |
| mcp_bicep_get_bicep_best_practices | Current best practices |
| mcp_bicep_get_bicep_file_diagnostics | Validate Bicep files |
| mcp_bicep_format_bicep_file | Auto-format code |
| mcp_bicep_decompile_arm_template_file | Convert ARM JSON → Bicep |
| mcp_bicep_get_file_references | Find file dependencies |
| mcp_bicep_get_deployment_snapshot | Preview deployment changes |

Common Workflows

Find the Right AVM Module

```text
User: "I need to deploy a storage account with private endpoints"

Alex → mcp_bicep_list_avm_metadata
  Filter: storage
  Returns: avm/res/storage/storage-account (v0.14.3)
    - Supports privateEndpoints parameter
    - Supports networkAcls
    - Includes diagnosticSettings
```

Get Resource Schema

```text
User: "What properties does App Service support?"

Alex → mcp_bicep_get_az_resource_type_schema
  provider: Microsoft.Web
  resourceType: sites
  Returns: Full property schema with descriptions
```

Validate Before Deploy

```text
User: "Check my Bicep file for errors"

Alex → mcp_bicep_get_bicep_file_diagnostics
  filePath: main.bicep
  Returns: BCP036 errors, warnings, suggestions
```

Convert Legacy ARM

```text
User: "Convert this ARM template to Bicep"

Alex → mcp_bicep_decompile_arm_template_file
  filePath: azuredeploy.json
  Returns: Clean Bicep code
```

Module 4: Project Patterns

Recommended Structure

```text
infrastructure/
├── main.bicep              # Entry point
├── main.bicepparam         # Parameters (env-specific)
├── modules/
│   ├── networking.bicep    # Custom modules
│   ├── compute.bicep
│   └── data.bicep
├── types/
│   └── shared.bicep        # Shared user-defined types
└── bicepconfig.json        # Bicep configuration
```

bicepconfig.json

```json
{
  "analyzers": {
    "core": {
      "rules": {
        "no-hardcoded-location": {
          "level": "error"
        },
        "secure-parameter-default": {
          "level": "error"
        },
        "prefer-interpolation": {
          "level": "warning"
        }
      }
    }
  },
  "moduleAliases": {
    "br": {
      "public": {
        "registry": "mcr.microsoft.com/bicep"
      }
    }
  }
}
```

Environment-Specific Parameters

```bicep
// main.bicepparam (for dev)
using './main.bicep'

param environment = 'dev'
param skuName = 'Standard_LRS'
param instanceCount = 1
```

```bicep
// main.bicepparam (for prod)
using './main.bicep'

param environment = 'prod'
param skuName = 'Standard_GRS'
param instanceCount = 3
```
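An added example that is not from the original page: a prod `.bicepparam` that supplies the `@secure()` value from Security without ever writing the secret into the repo. It assumes `main.bicep` declares `environment`, `skuName`, `instanceCount` and a `@secure()` `adminPassword` param; the subscription ID, resource group and vault names in the Key Vault variant are placeholders.

```bicep
// main.prod.bicepparam (added example, not from the original skill page)
using './main.bicep'

param environment = 'prod'
param skuName = 'Standard_GRS'
param instanceCount = 3

// ❌ AVOID: a literal secret in a .bicepparam committed to source control
// param adminPassword = '<literal secret>'

// ✅ Option A: read from the CI runner's environment (a GitHub Actions or Azure DevOps secret
//    variable). With no default argument, the build fails if ADMIN_PASSWORD is unset, so a
//    missing secret is caught at what-if time rather than at runtime.
param adminPassword = readEnvironmentVariable('ADMIN_PASSWORD')

// ✅ Option B: resolve from Key Vault at deployment time; placeholder values below
// param adminPassword = az.getSecret('<subscription-id>', '<rg-shared>', '<kv-prod>', 'adminPassword')
```

Either way the value stays out of `what-if` output and deployment history because the receiving parameter is declared `@secure()`; the `secure-parameter-default` rule in `bicepconfig.json` additionally rejects a default value on that param.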

Module 5: Deployment Patterns

Azure CLI

```bash
# What-if preview
az deployment group what-if \
  --resource-group myRG \
  --template-file main.bicep \
  --parameters main.bicepparam

# Deploy
az deployment group create \
  --resource-group myRG \
  --template-file main.bicep \
  --parameters main.bicepparam
```

GitHub Actions

```yaml
- name: Deploy Bicep
  uses: azure/arm-deploy@v2
  with:
    resourceGroupName: ${{ env.RESOURCE_GROUP }}
    template: ./infrastructure/main.bicep
    parameters: ./infrastructure/main.bicepparam
    deploymentMode: Incremental
```

Azure DevOps

```yaml
- task: AzureCLI@2
  inputs:
    azureSubscription: 'AzureConnection'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az deployment group create \
        --resource-group $(resourceGroup) \
        --template-file infrastructure/main.bicep \
        --parameters infrastructure/main.bicepparam
```

Common Diagnostic Codes

| Code | Meaning | Fix |
|---|---|---|
| BCP036 | Invalid property | Check resource schema |
| BCP037 | Invalid property value | Verify allowed values |
| BCP081 | Hallucinated resource/property | Use schema lookup |
| BCP035 | Missing required property | Add required params |
| BCP334 | Expected literal value | Use string/number directly |

Activation Patterns

| Trigger | Response |
|---|---|
| "Bicep", "infrastructure as code Azure" | Full skill activation |
| "AVM", "Azure Verified Modules" | Module 2 |
| "Bicep MCP", "validate Bicep" | Module 3 |
| "Bicep project structure" | Module 4 |
| "deploy Bicep", "CI/CD Bicep" | Module 5 |
| "BCP error", "Bicep diagnostic" | Common Diagnostic Codes |

Skill created: 2026-02-14 | Category: Cloud/Infrastructure | Status: Active | MCP-Enhanced: Yes
Synapses

  • [.github/skills/infrastructure-as-code/SKILL.md] (High, Extends, Bidirectional) - "Bicep is an IaC tool covered in depth here"
  • [.github/skills/azure-architecture-patterns/SKILL.md] (High, Implements, Bidirectional) - "Bicep deploys architectures designed with WAF"
  • [.github/skills/azure-devops-automation/SKILL.md] (Medium, Uses, Forward) - "CI/CD pipelines deploy Bicep code"