Azure Resource Manager & Bicep · 6-Phase Deep Dive · Templates, Modules, Stacks, What-If & CI/CD
Deployment commands, Bicep syntax, functions & patterns — quick reference

| Command | Description |
|---|---|
| `az deployment group create --template-file main.bicep` | Deploy Bicep/ARM to resource group |
| `az deployment group what-if --template-file main.bicep` | Preview changes (like terraform plan) |
| `--parameters @params.json` | Load parameters from file |
| `--parameters key=value` | Inline parameter override |
| `--mode Complete` | Complete mode: removes unlisted resources (**Danger**) |
| `az deployment sub create --location eastus` | Subscription-scope deployment |
| `az deployment mg create --management-group-id myMG` | Management group-scope deployment |
| `az deployment group list -g myRG` | List deployment history |
| `az bicep install` | Install Bicep CLI |
| `az bicep build --file main.bicep` | Compile Bicep → ARM JSON |
| `az bicep decompile --file main.json` | ARM JSON → Bicep (best-effort) |
| `az bicep publish --file mod.bicep --target br:acr.azurecr.io/bicep/mod:v1` | Publish module to Bicep Registry |
| `bicep format main.bicep` | Auto-format Bicep file |
| `az ts create --name mySpec -g myRG --version 1.0 --template-file main.bicep` | Create Template Spec |
| `az stack group create --name myStack -g myRG --template-file main.bicep --deny-settings-mode none` | Create Deployment Stack |


```bicep
// targetScope (default: 'resourceGroup'; use 'subscription' for subscription-scope templates)
targetScope = 'resourceGroup'

// Parameters with decorators
@description('Storage account name')
@minLength(3)
@maxLength(24)
param storageAccountName string

// @allowed restricts a parameter to the listed values
@allowed(['Standard_LRS', 'Premium_LRS'])
param skuName string = 'Standard_LRS'

param location string = resourceGroup().location

// @secure() keeps the value out of deployment history and logs
@secure()
param adminPassword string

// Variable
var uniqueName = '${storageAccountName}${uniqueString(resourceGroup().id)}'

// Resource
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: toLower(uniqueName)
  location: location
  sku: {
    name: skuName
  }
  kind: 'StorageV2'
}

// Output
output blobEndpoint string = sa.properties.primaryEndpoints.blob
```


```bicep
// Resource loop
param storageNames array = ['sa1', 'sa2']

resource saLoop 'Microsoft.Storage/storageAccounts@2023-01-01' = [for name in storageNames: {
  name: name
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
}]

// deploy 2 at a time (serial)
@batchSize(2)
resource saSerial ... = [for name in storageNames: { ... }]

// Conditional resource
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = if (deployStorage) {
  name: storageAccountName
  ...
}

// Existing resource (read-only reference)
resource existingSa 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: existingStorageName
}
```


```bicep
// Local module
module sa './modules/storage.bicep' = {
  name: 'storageDeploy'
  params: {
    name: storageAccountName
    location: location
  }
}

// Access module output
output endpoint string = sa.outputs.blobEndpoint

// Registry module (ACR)
module sa 'br:myacr.azurecr.io/bicep/storage:v1.0' = { ... }

// Public registry module
module sa 'br/public:storage/storage-account:0.4' = { ... }

// Template Spec as module
module app 'ts:<sub-id>/myRG/mySpec:1.0' = { ... }
```


| Function | Description |
|---|---|
| `uniqueString(resourceGroup().id)` | Deterministic 13-char hash for unique names |
| `concat(a, b, c)` | Concatenate strings/arrays |
| `format('{0}-{1}', a, b)` | String formatting |
| `toLower(str)` | Lowercase string |
| `resourceId('type', 'name')` | Construct resource ID |
| `reference(res).property` | Get runtime resource property |
| `resourceGroup().location` | Current resource group location |
| `subscription().subscriptionId` | Current subscription ID |
| `copyIndex()` | Current loop index (ARM JSON) |
| `if(cond, trueVal, falseVal)` | ARM conditional expression |


| Command / setting | Description |
|---|---|
| `Assert-PSRule -InputPath . -Module PSRule.Rules.Azure` | Validate templates (PowerShell) |
| `Install-Module PSRule.Rules.Azure` | Install PSRule Azure module |
| `az deployment group what-if --result-format FullResourcePayloads` | Full before/after diff output |
| `az stack group delete --delete-all` | Delete stack + all managed resources |
| `--deny-settings-mode denyDelete` | Prevent manual resource deletion |
| `az policy state trigger-scan` | Trigger policy compliance scan |
| `bicepconfig.json` linter rules | Configure Bicep linter severity per rule |


`params.json`: reference a Key Vault secret at deploy time

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<kv>"
        },
        "secretName": "adminPassword"
      }
    }
  }
}
```
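
Added example (not part of the original reference): a pre-deployment check that every `@secure()` parameter in a Bicep file is supplied through a Key Vault reference, as in the parameter file above, and that secret-looking parameters carry `@secure()` at all. The function names, the name heuristic and the sample inputs are constructed for illustration; the regexes assume simple `param <name> <type>` declarations without nested parentheses in decorators.

```python
import json
import re

# Simplified matching: "@secure()", optional further decorators, then "param <name> <type>".
SECURE_PARAM = re.compile(r"@secure\(\)\s*(?:@\w+\([^)]*\)\s*)*param\s+(\w+)\s+\w+")
ANY_PARAM = re.compile(r"^\s*param\s+(\w+)\s+\w+", re.MULTILINE)
SECRET_LIKE = re.compile(r"password|secret|token", re.IGNORECASE)  # heuristic (assumption)

def secure_params(bicep_text):
    """Names of parameters decorated with @secure()."""
    return SECURE_PARAM.findall(bicep_text)

def missing_secure(bicep_text):
    """Secret-looking parameter names that lack the @secure() decorator."""
    secured = set(secure_params(bicep_text))
    return [n for n in ANY_PARAM.findall(bicep_text)
            if SECRET_LIKE.search(n) and n not in secured]

def plaintext_secrets(bicep_text, params_doc):
    """Map each @secure() parameter not sourced from Key Vault to a finding."""
    supplied = params_doc.get("parameters", {})
    findings = {}
    for name in secure_params(bicep_text):
        entry = supplied.get(name)
        if entry is None:
            continue  # not set in this file (passed inline or prompted for)
        if "value" in entry:
            findings[name] = "plaintext value in parameter file"
        elif "keyVault" not in entry.get("reference", {}):
            findings[name] = "no Key Vault reference"
    return findings

# Constructed sample inputs, not taken from a real deployment.
SAMPLE_BICEP = """
param location string = resourceGroup().location
@secure()
param adminPassword string
@description('SQL login password')
@secure()
param sqlPassword string
param apiToken string
"""
SAMPLE_PARAMS = json.loads("""{"parameters": {
  "adminPassword": {"reference": {"keyVault": {"id": "<key-vault-resource-id>"},
                                  "secretName": "adminPassword"}},
  "sqlPassword": {"value": "constructed-sample-not-a-real-secret"}}}""")

if __name__ == "__main__":
    print("missing @secure():", missing_secure(SAMPLE_BICEP))
    print("plaintext secrets:", plaintext_secrets(SAMPLE_BICEP, SAMPLE_PARAMS))
```

Run it in CI before `az deployment group create` and fail the job when either result is non-empty.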