Bicep AVM 精通：Azure 验证模块与基础设施即代码最佳实践

Bicep AVM Mastery by fabioc-aloha/lithium

GitHub

安装命令

npx skills add https://github.com/fabioc-aloha/lithium --skill 'Bicep AVM Mastery'

云服务开发运维

🇨🇳中文介绍

技能：Bicep AVM 精通

Azure 验证模块 (AVM)、Bicep 最佳实践，以及基于 MCP 的 Azure 基础设施即代码。

元数据

字段	值
技能 ID	bicep-avm-mastery
版本	1.1.0
类别	云/基础设施
难度	高级
先决条件	基础 Azure 知识、基础设施即代码
相关技能	azure-architecture-patterns, infrastructure-as-code
最后验证日期	2026年2月

⚠️ 陈旧性提示：AVM 注册表每月都在增长——模块数量和版本号频繁变化。请始终使用 mcp_bicep_list_avm_metadata 来枚举当前模块，而不是依赖硬编码的计数。注意新的模块类别以及 avm/res 与 avm/ptn 的命名变化。

概述

Bicep 是 Azure 用于基础设施即代码的领域特定语言。本技能涵盖 Bicep 最佳实践、Azure 验证模块 (AVM) 以及 MCP 工具集成，以实现高质量、生产就绪的部署。

为什么选择 Bicep？

特性	Bicep	ARM JSON	Terraform
语法	简洁、可读性强	冗长	HCL
Azure 集成	原生支持	原生支持	通过 Provider
状态管理	Azure 托管	Azure 托管	外部管理
学习曲线	低	高	中等
工具支持	VS Code, MCP	有限	广泛

模块 1：Bicep 最佳实践

通用规则

避免为模块语句设置 name —— 不再需要
使用用户定义类型 来分组参数/输出值，而不是使用多个参数
优先使用 .bicepparam 文件 而非 JSON 参数文件

资源模式

// ✅ 正确：使用 parent 属性
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: vnet  // 通过符号引用父资源
  name: 'default'
  properties: {
    addressPrefix: '10.0.0.0/24'
  }
}

// ❌ 避免：在 name 属性中使用斜杠
resource subnetBad 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  name: '${vnetName}/default'  // 不要这样做
}

类型安全

// ✅ 正确：类型化的用户定义类型
@export()
type storageAccountConfig = {
  @description('存储账户名称')
  name: string
  @description('存储账户的 SKU')
  sku: 'Standard_LRS' | 'Standard_GRS' | 'Premium_LRS'
  @description('启用公共访问')
  allowPublicAccess: bool
}

// ❌ 避免：开放类型
param config object  // 过于宽泛

符号引用

// ✅ 正确：使用符号引用
output storageId string = storageAccount.id
output storageName string = storageAccount.name

// ❌ 避免：使用 resourceId() 和 reference()
output storageIdBad string = resourceId('Microsoft.Storage/storageAccounts', storageAccountName)

安全性

// ✅ 始终对敏感数据使用 @secure()
@secure()
param adminPassword string

@secure()
param connectionString string

Null 处理

// ✅ 正确：使用合并运算符进行安全解引用
var subnetId = vnet.properties.subnets[?0].?id ?? 'default'

// ❌ 避免：非空断言或冗长的三元运算符
var subnetIdBad = vnet!.properties.subnets[0].id

模块 2：Azure 验证模块 (AVM)

什么是 AVM？

Azure 验证模块是 微软支持、生产就绪的 Bicep 模块，涵盖 328+ 种 Azure 资源。它们遵循最佳实践，经过测试，并会接收更新。

AVM 类别

类别	数量	示例
计算	50+	虚拟机、AKS、应用服务、函数
网络	40+	虚拟网络、网络安全组、负载均衡器、Front Door
存储	30+	存储账户、Cosmos DB、SQL
安全	25+	Key Vault、托管标识、WAF
集成	20+	服务总线、事件网格、逻辑应用
AI/ML	15+	认知服务、OpenAI、机器学习工作区

在 Bicep 中使用 AVM

// 来自 Bicep 注册表的模块 (AVM)
module storageAccount 'br/public:avm/res/storage/storage-account:0.14.3' = {
  name: 'storageAccountDeployment'
  params: {
    name: 'st${uniqueString(resourceGroup().id)}'
    location: location
    skuName: 'Standard_LRS'
    kind: 'StorageV2'
    managedIdentities: {
      systemAssigned: true
    }
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}

查找 AVM 模块

使用 MCP 工具来发现可用模块：

mcp_bicep_list_avm_metadata → 328 个模块，包含：
  - 模块名称和描述
  - 最新版本
  - 必需/可选参数
  - 使用示例

模块 3：MCP 工具集成

必需的扩展和 MCP 服务器

组件	ID / 名称	用途
VS Code 扩展	`ms-azuretools.vscode-bicep`	Bicep 语言支持，IntelliSense
VS Code 扩展	`ms-azuretools.vscode-azure-github-copilot`	Azure Copilot 集成
VS Code 扩展	`ms-vscode.azure-account`	Azure 身份验证
MCP 服务器	`bicep-mcp`	AVM 查找、架构、验证、最佳实践

安装：

# VS Code 扩展 (Bicep 编写必需)
code --install-extension ms-azuretools.vscode-bicep
code --install-extension ms-azuretools.vscode-azure-github-copilot
code --install-extension ms-vscode.azure-account

# MCP 服务器通过 VS Code MCP 画廊启用
# 设置：chat.mcp.gallery.enabled = true

备用模式 (当 MCP 不可用时)

如果 Bicep MCP 工具不可用，请使用以下替代方案：

MCP 工具	备用方案
`list_avm_metadata`	浏览 https://aka.ms/avm/modules
`get_az_resource_type_schema`	使用 `bicep list-api-types` CLI 或 ARM 参考文档
`get_bicep_best_practices`	参考 https://learn.microsoft.com/azure/azure-resource-manager/bicep/best-practices
`get_bicep_file_diagnostics`	VS Code Bicep 扩展会自动显示诊断信息
`format_bicep_file`

手动 AVM 模块发现：

# 在 Bicep 注册表中搜索模块
az bicep registry list --resource-group bicep-registry

# 或直接浏览 AVM
# https://github.com/Azure/bicep-registry-modules

可用的 Bicep MCP 工具

工具	用途
`mcp_bicep_list_avm_metadata`	浏览 328 个 Azure 验证模块
`mcp_bicep_get_az_resource_type_schema`	获取资源类型属性
`mcp_bicep_get_bicep_best_practices`	当前最佳实践
`mcp_bicep_get_bicep_file_diagnostics`	验证 Bicep 文件
`mcp_bicep_format_bicep_file`	自动格式化代码
`mcp_bicep_decompile_arm_template_file`

常见工作流

查找正确的 AVM 模块

用户："我需要部署一个带有私有端点的存储账户"

Alex → mcp_bicep_list_avm_metadata
  筛选：storage
  返回：avm/res/storage/storage-account (v0.14.3)
    - 支持 privateEndpoints 参数
    - 支持 networkAcls
    - 包含 diagnosticSettings

获取资源架构

用户："App Service 支持哪些属性？"

Alex → mcp_bicep_get_az_resource_type_schema
  provider: Microsoft.Web
  resourceType: sites
  返回：包含描述的完整属性架构

部署前验证

用户："检查我的 Bicep 文件是否有错误"

Alex → mcp_bicep_get_bicep_file_diagnostics
  filePath: main.bicep
  返回：BCP036 错误、警告、建议

转换旧版 ARM

用户："将这个 ARM 模板转换为 Bicep"

Alex → mcp_bicep_decompile_arm_template_file
  filePath: azuredeploy.json
  返回：干净的 Bicep 代码

模块 4：项目模式

bicepconfig.json

{
  "analyzers": {
    "core": {
      "rules": {
        "no-hardcoded-location": {
          "level": "error"
        },
        "secure-parameter-default": {
          "level": "error"
        },
        "prefer-interpolation": {
          "level": "warning"
        }
      }
    }
  },
  "moduleAliases": {
    "br": {
      "public": {
        "registry": "mcr.microsoft.com/bicep"
      }
    }
  }
}

环境特定参数

// main.bicepparam (用于开发环境)
using './main.bicep'

param environment = 'dev'
param skuName = 'Standard_LRS'
param instanceCount = 1

// main.bicepparam (用于生产环境)
using './main.bicep'

param environment = 'prod'
param skuName = 'Standard_GRS'
param instanceCount = 3

模块 5：部署模式

Azure CLI

# What-if 预览
az deployment group what-if \
  --resource-group myRG \
  --template-file main.bicep \
  --parameters main.bicepparam

# 部署
az deployment group create \
  --resource-group myRG \
  --template-file main.bicep \
  --parameters main.bicepparam

GitHub Actions

- name: Deploy Bicep
  uses: azure/arm-deploy@v2
  with:
    resourceGroupName: ${{ env.RESOURCE_GROUP }}
    template: ./infrastructure/main.bicep
    parameters: ./infrastructure/main.bicepparam
    deploymentMode: Incremental

Azure DevOps

- task: AzureCLI@2
  inputs:
    azureSubscription: 'AzureConnection'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az deployment group create \
        --resource-group $(resourceGroup) \
        --template-file infrastructure/main.bicep \
        --parameters infrastructure/main.bicepparam

常见诊断代码

代码	含义	修复方法
BCP036	无效属性	检查资源架构
BCP037	无效属性值	验证允许的值
BCP081	虚构的资源/属性	使用架构查找
BCP035	缺少必需属性	添加必需参数
BCP334	期望字面值	直接使用字符串/数字

激活模式

触发词	响应
"Bicep", "infrastructure as code Azure"	完整技能激活
"AVM", "Azure Verified Modules"	模块 2
"Bicep MCP", "validate Bicep"	模块 3
"Bicep project structure"	模块 4
"deploy Bicep", "CI/CD Bicep"	模块 5
"BCP error", "Bicep diagnostic"	常见诊断代码

技能创建日期：2026-02-14 | 类别：云/基础设施 | 状态：活跃 | MCP 增强：是

关联技能

[.github/skills/infrastructure-as-code/SKILL.md] (高, 扩展, 双向) - "Bicep 是这里深入介绍的 IaC 工具"
[.github/skills/azure-architecture-patterns/SKILL.md] (高, 实现, 双向) - "Bicep 部署了使用 WAF 设计的架构"
[.github/skills/azure-devops-automation/SKILL.md] (中, 使用, 向前) - "CI/CD 管道部署 Bicep 代码"

每周安装次数

–

代码仓库

fabioc-aloha/lithium

首次出现

–

安全审计

Gen Agent Trust HubPass SocketPass SnykPass

🇺🇸English

Skill: Bicep AVM Mastery

Azure Verified Modules (AVM), Bicep best practices, and MCP-powered infrastructure as code for Azure.

Metadata

Field	Value
Skill ID	bicep-avm-mastery
Version	1.1.0
Category	Cloud/Infrastructure
Difficulty	Advanced
Prerequisites	Basic Azure, infrastructure-as-code
Related Skills	azure-architecture-patterns, infrastructure-as-code
Last Validated	Feb 2026

⚠️ Staleness Watch : The AVM registry grows monthly — module counts and version numbers change frequently. Always use to enumerate current modules rather than relying on hardcoded counts. Watch for new module categories and vs naming changes.

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

Feature	Bicep	ARM JSON	Terraform
Syntax	Clean, readable	Verbose	HCL
Azure Integration	Native	Native	Provider
State Management	Azure-managed	Azure-managed	External
Learning Curve	Low	High	Medium
Tooling	VS Code, MCP	Limited	Extensive

Module 1: Bicep Best Practices

Avoid settingname for module statements — no longer required
Use user-defined types for grouped param/output values instead of multiple params
Prefer.bicepparam files over JSON parameters files

// ✅ CORRECT: Use parent property
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: vnet  // Reference parent symbolically
  name: 'default'
  properties: {
    addressPrefix: '10.0.0.0/24'
  }
}

// ❌ AVOID: Slash in name property
resource subnetBad 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  name: '${vnetName}/default'  // Don't do this
}

// ✅ CORRECT: Typed user-defined type
@export()
type storageAccountConfig = {
  @description('Storage account name')
  name: string
  @description('SKU for the storage account')
  sku: 'Standard_LRS' | 'Standard_GRS' | 'Premium_LRS'
  @description('Enable public access')
  allowPublicAccess: bool
}

// ❌ AVOID: Open types
param config object  // Too broad

// ✅ CORRECT: Use symbolic references
output storageId string = storageAccount.id
output storageName string = storageAccount.name

// ❌ AVOID: resourceId() and reference()
output storageIdBad string = resourceId('Microsoft.Storage/storageAccounts', storageAccountName)

// ✅ ALWAYS use @secure() for sensitive data
@secure()
param adminPassword string

@secure()
param connectionString string

// ✅ CORRECT: Safe dereference with coalesce
var subnetId = vnet.properties.subnets[?0].?id ?? 'default'

// ❌ AVOID: Non-null assertion or verbose ternary
var subnetIdBad = vnet!.properties.subnets[0].id

Module 2: Azure Verified Modules (AVM)

Azure Verified Modules are Microsoft-supported, production-ready Bicep modules covering 328+ Azure resources. They follow best practices, are tested, and receive updates.

Category	Count	Examples
Compute	50+	VMs, AKS, App Service, Functions
Networking	40+	VNets, NSGs, Load Balancers, Front Door
Storage	30+	Storage Accounts, Cosmos DB, SQL
Security	25+	Key Vault, Managed Identities, WAF
Integration	20+	Service Bus, Event Grid, Logic Apps
AI/ML	15+	Cognitive Services, OpenAI, ML Workspaces

// Module from Bicep Registry (AVM)
module storageAccount 'br/public:avm/res/storage/storage-account:0.14.3' = {
  name: 'storageAccountDeployment'
  params: {
    name: 'st${uniqueString(resourceGroup().id)}'
    location: location
    skuName: 'Standard_LRS'
    kind: 'StorageV2'
    managedIdentities: {
      systemAssigned: true
    }
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}

Use the MCP tool to discover available modules:

mcp_bicep_list_avm_metadata → 328 modules with:
  - Module name and description
  - Latest version
  - Required/optional parameters
  - Usage examples

Module 3: MCP Tool Integration

Required Extensions & MCP Servers

Component	ID / Name	Purpose
VS Code Extension	`ms-azuretools.vscode-bicep`	Bicep language support, IntelliSense
VS Code Extension	`ms-azuretools.vscode-azure-github-copilot`	Azure Copilot integration
VS Code Extension	`ms-vscode.azure-account`	Azure authentication
MCP Server	`bicep-mcp`	AVM lookup, schema, validation, best practices

# VS Code Extensions (required for Bicep authoring)
code --install-extension ms-azuretools.vscode-bicep
code --install-extension ms-azuretools.vscode-azure-github-copilot
code --install-extension ms-vscode.azure-account

# MCP Server enabled via VS Code MCP gallery
# Settings: chat.mcp.gallery.enabled = true

Fallback Patterns (When MCP Unavailable)

If Bicep MCP tools are not available, use these alternatives:

MCP Tool	Fallback Approach
`list_avm_metadata`	Browse https://aka.ms/avm/modules
`get_az_resource_type_schema`	Use `bicep list-api-types` CLI or ARM reference docs
`get_bicep_best_practices`	Reference https://learn.microsoft.com/azure/azure-resource-manager/bicep/best-practices
`get_bicep_file_diagnostics`	VS Code Bicep extension shows diagnostics automatically
`format_bicep_file`	Run `bicep format <file>` CLI
`decompile_arm_template_file`	Run `az bicep decompile --file <file>` CLI

Manual AVM Module Discovery :

# Search Bicep Registry for modules
az bicep registry list --resource-group bicep-registry

# Or browse AVM directly
# https://github.com/Azure/bicep-registry-modules

Available Bicep MCP Tools

Tool	Purpose
`mcp_bicep_list_avm_metadata`	Browse 328 Azure Verified Modules
`mcp_bicep_get_az_resource_type_schema`	Get resource type properties
`mcp_bicep_get_bicep_best_practices`	Current best practices
`mcp_bicep_get_bicep_file_diagnostics`	Validate Bicep files
`mcp_bicep_format_bicep_file`	Auto-format code
`mcp_bicep_decompile_arm_template_file`	Convert ARM JSON → Bicep
`mcp_bicep_get_file_references`	Find file dependencies
`mcp_bicep_get_deployment_snapshot`	Preview deployment changes

Find the Right AVM Module

User: "I need to deploy a storage account with private endpoints"

Alex → mcp_bicep_list_avm_metadata 
  Filter: storage
  Returns: avm/res/storage/storage-account (v0.14.3)
    - Supports privateEndpoints parameter
    - Supports networkAcls
    - Includes diagnosticSettings

User: "What properties does App Service support?"

Alex → mcp_bicep_get_az_resource_type_schema
  provider: Microsoft.Web
  resourceType: sites
  Returns: Full property schema with descriptions

Validate Before Deploy

User: "Check my Bicep file for errors"

Alex → mcp_bicep_get_bicep_file_diagnostics
  filePath: main.bicep
  Returns: BCP036 errors, warnings, suggestions

User: "Convert this ARM template to Bicep"

Alex → mcp_bicep_decompile_arm_template_file
  filePath: azuredeploy.json
  Returns: Clean Bicep code

Module 4: Project Patterns

Recommended Structure

infrastructure/
├── main.bicep              # Entry point
├── main.bicepparam         # Parameters (env-specific)
├── modules/
│   ├── networking.bicep    # Custom modules
│   ├── compute.bicep
│   └── data.bicep
├── types/
│   └── shared.bicep        # Shared user-defined types
└── bicepconfig.json        # Bicep configuration

{
  "analyzers": {
    "core": {
      "rules": {
        "no-hardcoded-location": {
          "level": "error"
        },
        "secure-parameter-default": {
          "level": "error"
        },
        "prefer-interpolation": {
          "level": "warning"
        }
      }
    }
  },
  "moduleAliases": {
    "br": {
      "public": {
        "registry": "mcr.microsoft.com/bicep"
      }
    }
  }
}

Environment-Specific Parameters

// main.bicepparam (for dev)
using './main.bicep'

param environment = 'dev'
param skuName = 'Standard_LRS'
param instanceCount = 1



// main.bicepparam (for prod)  
using './main.bicep'

param environment = 'prod'
param skuName = 'Standard_GRS'
param instanceCount = 3

Module 5: Deployment Patterns

# What-if preview
az deployment group what-if \
  --resource-group myRG \
  --template-file main.bicep \
  --parameters main.bicepparam

# Deploy
az deployment group create \
  --resource-group myRG \
  --template-file main.bicep \
  --parameters main.bicepparam

- name: Deploy Bicep
  uses: azure/arm-deploy@v2
  with:
    resourceGroupName: ${{ env.RESOURCE_GROUP }}
    template: ./infrastructure/main.bicep
    parameters: ./infrastructure/main.bicepparam
    deploymentMode: Incremental

- task: AzureCLI@2
  inputs:
    azureSubscription: 'AzureConnection'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az deployment group create \
        --resource-group $(resourceGroup) \
        --template-file infrastructure/main.bicep \
        --parameters infrastructure/main.bicepparam

Common Diagnostic Codes

Code	Meaning	Fix
BCP036	Invalid property	Check resource schema
BCP037	Invalid property value	Verify allowed values
BCP081	Hallucinated resource/property	Use schema lookup
BCP035	Missing required property	Add required params
BCP334	Expected literal value	Use string/number directly

Trigger	Response
"Bicep", "infrastructure as code Azure"	Full skill activation
"AVM", "Azure Verified Modules"	Module 2
"Bicep MCP", "validate Bicep"	Module 3
"Bicep project structure"	Module 4
"deploy Bicep", "CI/CD Bicep"	Module 5
"BCP error", "Bicep diagnostic"	Common Diagnostic Codes

Skill created: 2026-02-14 | Category: Cloud/Infrastructure | Status: Active | MCP-Enhanced: Yes

[.github/skills/infrastructure-as-code/SKILL.md] (High, Extends, Bidirectional) - "Bicep is an IaC tool covered in depth here"
[.github/skills/azure-architecture-patterns/SKILL.md] (High, Implements, Bidirectional) - "Bicep deploys architectures designed with WAF"
[.github/skills/azure-devops-automation/SKILL.md] (Medium, Uses, Forward) - "CI/CD pipelines deploy Bicep code"

Bicep AVM 精通：Azure 验证模块与基础设施即代码最佳实践

🇨🇳中文介绍

技能：Bicep AVM 精通

元数据

概述

为什么选择 Bicep？

模块 1：Bicep 最佳实践

通用规则

资源模式

类型安全

符号引用

安全性

Null 处理

模块 2：Azure 验证模块 (AVM)

什么是 AVM？

AVM 类别

在 Bicep 中使用 AVM

查找 AVM 模块

模块 3：MCP 工具集成

必需的扩展和 MCP 服务器

备用模式 (当 MCP 不可用时)

可用的 Bicep MCP 工具

常见工作流

查找正确的 AVM 模块

获取资源架构

部署前验证

转换旧版 ARM

模块 4：项目模式

推荐结构

bicepconfig.json

环境特定参数

模块 5：部署模式

Azure CLI

GitHub Actions

Azure DevOps

常见诊断代码

激活模式

关联技能

🇺🇸English

Skill: Bicep AVM Mastery

Metadata

相关 Skills

Overview

Why Bicep?

Module 1: Bicep Best Practices

General Rules

Resource Patterns

Type Safety

Symbolic References

Security

Null Handling

Module 2: Azure Verified Modules (AVM)

What is AVM?

AVM Categories

Using AVM in Bicep

Finding AVM Modules

Module 3: MCP Tool Integration

Required Extensions & MCP Servers

Fallback Patterns (When MCP Unavailable)

Available Bicep MCP Tools

Common Workflows

Find the Right AVM Module

Get Resource Schema

Validate Before Deploy

Convert Legacy ARM

Module 4: Project Patterns

Recommended Structure

bicepconfig.json

Environment-Specific Parameters

Module 5: Deployment Patterns

Azure CLI

GitHub Actions

Azure DevOps

Common Diagnostic Codes

Activation Patterns

Synapses

最新 Skills