This repo contains code to publish a Bicep module to a Private Module Registry.

This demo will publish modules under the modules path to a Bicep registry as defined in bicepconfig.json. This is done using a GitHub Actions workflow and a wrapper script. The latest git tag will be used as the module version.

You will then be able to deploy a template that refers to this module from the registry 💪

• Azure CLI
• Bicep (install with az bicep install - you will need v0.4.1008 or newer)
• An Azure subscription with Owner permissions
• Permission to create a service principal in Azure AD

1. Fork this repo by clicking Fork in the top-right corner

1. Create a resource group

az group create -n bicep-registry-demo -l westeurope

2. Create an Azure Container Registry

az acr create -g bicep-registry-demo -l westeurope -n <registry name> --sku basic

❗ Make note of the registry name you choose. This name must be globally unique.

1. Set your registry in bicepconfig.json

   • Change the registryName for the alias demoRegistry to the unique name from the step above. The value should be <registry name>.azurecr.io.
   • Learn more about the Bicep configuration file here.

2. Create service principal with AcrPush permissions to the container registry, and add a secret to your GitHub repository

# Get the id of your ACR
SCOPE=$(az acr show -n <registry name> -g <resource group> --query id -o tsv)
#! Replace the values for registry name and resource group

az ad sp create-for-rbac --name "bicep-registry-demo-ci" --role AcrPush \
                         --scopes $SCOPE --sdk-auth

# The command should output a JSON object similar to this:
{
  "clientId": "<GUID>",
  "clientSecret": "<GUID>",
  "subscriptionId": "<GUID>",
  "tenantId": "<GUID>",
  (...)
}

# Copy this and add as a repository secret named AZURE_CREDENTIALS

1. Modify the template in modules/storage/main.bicep.
   • Example: Update the location parameter to restrict allowed values

@allowed([
  'northeurope'
  'westeurope'
])
param location string = 'westeurope'

2. Commit, tag and push changes

git add modules/storage/main.bicep
git commit -m "set allowed locations"
git tag v1.1.0
git push # push the commit
git push --tags # push the commit with tags

This will trigger the bicep-publish workflow and publish the module to the registry.

❗ Note that each new tag pushed will trigger a new published version.

To see the published modules in the registry see this.

There is a demo template in demo/main.bicep which uses the module from the registry:

module storage 'br/demoRegistry:storage:v1.1.0' = {
    ...
}

Note that this module refers to version v1.1.0. If you have published another version than this, please update the value in the template.

1. Deploy the template by running the following command:

az deployment group create -n registry-demo -g bicep-registry-demo -f ./demo/main.bicep

✔️ Congratulations! - you've successfully deployed a Bicep template that refers to a remote module in a private module registry!

To build upon this you can try:

• Adding another module in the modules directory. The name of the directory will be the module name and it must have a main.bicep file within it. The workflow will parse all modules in the odules directory. Note that currently all modules will be deployed with the same version (git tag).
• Consuming the module from the registry in a another workflow to deploy resources
  • You will need to set up a service principal that have AcrPull permissions and permissions to deploy resources (Contributor or equivalent)
• Add more robust versioning automation (e.g. always publish a latest version on push to main) and use GitHub Releases to publish specific versions, or add individual versioning of modules.

Delete the resource group and the resources in in by running:

az group delete -n bicep-registry-demo

• Bicep on Microsoft Learn
• Bicep overview
• Bicep modules
• Bicep module registry