Azure Verified Modules

Important

The AVM team hosted our last external community call on December 3rd, 2025! 🥳

To watch the recording and download the slides, see the Community Calls page!

Introduction

Value Proposition

Azure Verified Modules (AVM) is an initiative to consolidate and set the standards for what a good Infrastructure-as-Code module looks like.

Modules will then align to these standards, across languages (Bicep, Terraform etc.) and will then be classified as AVMs and available from their respective language specific registries.

AVM is a common code base, a toolkit for our Customers, our Partners, and Microsoft. It’s an official, Microsoft driven initiative, with a devolved ownership approach to develop modules, leveraging internal & external communities.

Azure Verified Modules enable and accelerate consistent solution development and delivery of cloud-native or migrated applications and their supporting infrastructure by codifying Microsoft guidance (WAF), with best practice configurations.

Modules

Azure Verified Modules provides two types of modules: Resource and Pattern modules.

AVM modules are used to deploy Azure resources and their extensions, as well as reusable architectural patterns consistently.

Modules are composable building blocks that encapsulate groups of resources dedicated to one task.

Flexible, generalized, multi-purpose
Integrates child resources
Integrates extension resources

AVM improves code quality and provides a unified customer experience.

Important

AVM is owned, developed & supported by Microsoft, you may raise a GitHub issue on this repository or the module’s repository directly to get support or log feature requests.

You can also log a support ticket and if the issue is not related to the Azure platform, you will be redirected to submit a GitHub issue for the module owner(s) or the AVM team.

See Module Support for more information.

Next Steps

Review Overview
Review the Module Classification Definitions
Review the Specifications
Review the FAQ
Learn how to contribute to AVM

Overview

Summary

This section provides an overview of the Azure Verified Modules (AVM) program.

Introduction

Introduction

What is Azure Verified Modules?

Azure Verified Modules (AVM), as “One Microsoft”, we want to provide and define the single definition of what a good IaC module is;

How they should be constructed and built
- Enforcing consistency and testing where possible
How they are to be consumed
What they deliver for consumers in terms of resources deployed and configured
And where appropriate aligned across IaC languages (e.g. Bicep, Terraform, etc.).

Mission Statement

Our mission is to deliver a comprehensive Azure Verified Modules library in multiple IaC languages, following the principles of the well-architected framework, serving as the trusted Microsoft source of truth. Supported by Microsoft, AVM will accelerate deployment time for Azure resources and architectural patterns, empowering every person and organization on the planet on their IaC journey.

Definition of “Verified” Summary

The modules are supported by Microsoft, across it’s many internal organizations, as described in Module Support
Modules are aligned to clear specifications that enforces consistency between all AVM modules. See the ‘Specifications & Definitions’ section in the menu
Modules will continue to stay up-to-date with product/service roadmaps owned by the module owners and contributors
Modules will align to WAF high priority recommendations. See ‘What does AVM mean by “WAF Aligned”?’
Modules will provide clear documentation alongside examples to promote self-service consumption
Modules will be tested to ensure they comply with the specifications for AVM and their examples deploy as intended

Why Azure Verified Modules?

This effort to create Azure Verified Modules, with a strategy and definition, is required based on the sheer number of existing attempts from all areas across Microsoft to try and address this same area for our customers and partners. Across Microsoft there are many initiatives, projects and repositories that host and provide IaC modules in several languages, for example Bicep and Terraform. Each of these come with differing code styling and standards, consumption methods and approaches, testing frameworks, target personas, contribution guidelines, module definitions and most importantly support statements from their owners and maintainers.

However, none of these existing attempts have ever made it all the way through to becoming a brand and the go to place for IaC modules from Microsoft that consumers can trust (mainly around longevity and support), build upon and contribute back to.

Performing this effort now to create a shared single aligned strategy and definition for IaC modules from Microsoft, as One Microsoft, will allow us to accelerate existing and future projects, such as Application Landing Zone Accelerators (LZAs), as well as providing the building blocks via a library of modules, in the language of the consumers choice, that is consistent, trusted and supported by Microsoft. This all leads to consumers being able to accelerate faster, no matter what stage of their IaC journey they are on.

We also know, from our customers, that well defined support statements from Microsoft are required for initiatives like this to succeed at scale, especially in larger enterprise customers. We have seen over the past FY that this topic alone is important and is one that has led to confusion and frustration to customers who are consuming modules developed by individuals that in the end are not “officially” Microsoft supported and this unfortunately normally occurs at a critical point in time for the project being worked on, which amplifies frustrations.

How will we create, support and enforce Azure Verified Modules?

Azure Verified Modules will achieve this, and its mission statement, by implementing and enforcing the following; driven by the AVM Core Team:

Publishing AVM modules to their respective public registries for consumption
- For Bicep this will be the Bicep Public Module Registry
- For Terraform this will be the HashiCorp Terraform Registry
Creating, publishing and maintaining the Azure Verified Modules specifications (this site)
- Including IaC language specific specifications (today Bicep and Terraform)
Creating easy to follow AVM module contribution and publishing guidance for each IaC language (today Bicep and Terraform)
Enforcing tests for each AVM module is compliant with the AVM specifications, where possible, via Unit and Integration tests
Enforcing End-to-End Deployment tests of each AVM module
Providing, and backing, a long-term support statement, regardless of the AVM module’s ownership status
- Backed by the AVM Core Team, Microsoft CSS and Azure PGs

Module Indexes

Summary

The following table shows the number of all available, orphaned and planned AVM Bicep and Terraform Modules.

Language	Classification	Published 🟢 & 🟡	Proposed ⚪	SUM
Bicep	Resource	168	22	190
	Pattern	40	21	61
	Utility	1	1	2
Terraform	Resource	105	47	152
	Pattern	24	23	47
	Utility	5	8	13

➕ Additional information

Legend

Summary of status icons used on this page

Icon	Status	Description
⚪	Proposed modules	Modules that are proposed and/or being worked on but not published yet.
🟢 & 🟡	Published modules	Available (🟢) and Orphaned (🟡) modules that are active and usable.
🔴	Deprecated modules	Modules that reached the end of their lifecycle.
📇	All modules	Including Published, Proposed and Deprecated ones.

See the Module Lifecycle page for more details.

Want to contribute to AVM modules?

#	Labels	Link and description
1.	Type: New Module Proposal 💡 Needs: Module Owner 📣	To become the owner of a new module, see all new modules looking for owners or check out the “Looking for owners” swimlane here.
2.	Status: Module Orphaned 🟡	To become the owner of an orphaned module, see all orphaned modules or check out the “Orphaned” swimlane here.
3.	Needs: Module Contributor 📣	To become a co-owner or contribute to a module, see all modules looking for contributors.

For more details on “What are the different ways to contribute to AVM?”, see here.

Bicep Modules

Summary

The following table shows the number of all available, orphaned and planned Bicep Modules.

Language	Classification	Published 🟢 & 🟡	Proposed ⚪	SUM
Bicep	Resource	168	22	190
	Pattern	40	21	61
	Utility	1	1	2

➕ Additional information

Legend

Summary of status icons used on this page

Icon	Status	Description
⚪	Proposed modules	Modules that are proposed and/or being worked on but not published yet.
🟢 & 🟡	Published modules	Available (🟢) and Orphaned (🟡) modules that are active and usable.
🔴	Deprecated modules	Modules that reached the end of their lifecycle.
📇	All modules	Including Published, Proposed and Deprecated ones.

See the Module Lifecycle page for more details.

Want to contribute to AVM Bicep modules?

#	Labels	Link and description
1.	Type: New Module Proposal 💡 Needs: Module Owner 📣 Language: Bicep 💪	To become the owner of a new Bicep module, see all new Bicep modules looking for owners or check out the “Looking for owners” swimlane here.
2.	Status: Module Orphaned 🟡 Language: Bicep 💪	To become the owner of an orphaned Bicep module, see all orphaned Bicep modules or check out the “Orphaned” swimlane here.
3.	Needs: Module Contributor 📣 Language: Bicep 💪	To become a co-owner or contribute to a Bicep module, see all Bicep modules looking for contributors.

For more details on “What are the different ways to contribute to AVM?”, see here.

Status Badges

This section gives you an overview of the latest workflow status of each AVM module in the Public Bicep Registry repository.

Note

While some pipelines can momentarily show as red, a new module version cannot be published without a successful test run. A failing test may indicate a recent change to the platform that is causing a break in the module or any intermittent errors, such as a periodic test deployment attempting to create a resource with a name already taken in another Azure region.

#	Module	Status
1	ptn/aca-lza hosting-environment
2	ptn/ai-ml ai-foundry
3	ptn/ai-platform baseline
4	ptn/alz ama
5	ptn/alz empty
6	ptn/app-service-lza hosting-environment
7	ptn/app container-job-toolkit
8	ptn/app iaas-vm-cosmosdb-tier4
9	ptn/app paas-ase-cosmosdb-tier4
10	ptn/authorization pim-role-assignment
11	ptn/authorization policy-assignment
12	ptn/authorization policy-exemption
13	ptn/authorization resource-role-assignment
14	ptn/authorization role-assignment
15	ptn/authorization role-definition
16	ptn/azd acr-container-app
17	ptn/azd aks
18	ptn/azd aks-automatic-cluster
19	ptn/azd apim-api
20	ptn/azd container-app-upsert
21	ptn/azd container-apps-stack
22	ptn/azd insights-dashboard
23	ptn/azd ml-ai-environment	Deprecated
24	ptn/azd ml-hub-dependencies	Deprecated
25	ptn/azd ml-project	Deprecated
26	ptn/azd monitoring
27	ptn/data private-analytical-workspace
28	ptn/deployment-script import-image-to-acr
29	ptn/dev-ops cicd-agents-and-runners
30	ptn/finops-toolkit finops-hub
31	ptn/lz sub-vending
32	ptn/mgmt-groups subscription-placement
33	ptn/network hub-networking
34	ptn/network private-link-private-dns-zones
35	ptn/policy-insights remediation
36	ptn/sa build-your-own-copilot	Deprecated
37	ptn/sa chat-with-your-data
38	ptn/sa content-processing
39	ptn/sa conversation-knowledge-mining
40	ptn/sa document-knowledge-mining
41	ptn/sa modernize-your-code
42	ptn/sa multi-agent-custom-automation-engine
43	ptn/security security-center
44	ptn/subscription service-health-alerts
45	ptn/virtual-machine-images azure-image-builder
46	res/aad domain-service
47	res/alerts-management action-rule
48	res/analysis-services server
49	res/api-management service
50	res/app-configuration configuration-store
51	res/app container-app
52	res/app job
53	res/app managed-environment
54	res/app session-pool
55	res/authorization policy-assignment
56	res/authorization role-assignment
57	res/automation automation-account
58	res/azure-stack-hci cluster
59	res/azure-stack-hci logical-network
60	res/azure-stack-hci marketplace-gallery-image
61	res/azure-stack-hci network-interface
62	res/azure-stack-hci virtual-hard-disk
63	res/azure-stack-hci virtual-machine-instance
64	res/batch batch-account
65	res/cache redis
66	res/cache redis-enterprise
67	res/cdn profile
68	res/cognitive-services account
69	res/communication communication-service
70	res/communication email-service
71	res/compute availability-set
72	res/compute disk
73	res/compute disk-encryption-set
74	res/compute gallery
75	res/compute image
76	res/compute proximity-placement-group
77	res/compute ssh-public-key
78	res/compute virtual-machine
79	res/compute virtual-machine-scale-set
80	res/consumption budget
81	res/container-instance container-group
82	res/container-registry registry
83	res/container-service managed-cluster
84	res/data-factory factory
85	res/data-protection backup-vault
86	res/databricks access-connector
87	res/databricks workspace
88	res/db-for-my-sql flexible-server
89	res/db-for-postgre-sql flexible-server
90	res/desktop-virtualization application-group
91	res/desktop-virtualization host-pool
92	res/desktop-virtualization scaling-plan
93	res/desktop-virtualization workspace
94	res/dev-center devcenter
95	res/dev-center network-connection
96	res/dev-center project
97	res/dev-ops-infrastructure pool
98	res/dev-test-lab lab
99	res/digital-twins digital-twins-instance
100	res/document-db database-account
101	res/document-db mongo-cluster
102	res/elastic-san elastic-san
103	res/event-grid domain
104	res/event-grid namespace
105	res/event-grid system-topic
106	res/event-grid topic
107	res/event-hub namespace
108	res/fabric capacity
109	res/health-bot health-bot
110	res/healthcare-apis workspace
111	res/hybrid-compute gateway
112	res/hybrid-compute license
113	res/hybrid-compute machine
114	res/hybrid-container-service provisioned-cluster-instance
115	res/insights action-group
116	res/insights activity-log-alert
117	res/insights component
118	res/insights data-collection-endpoint
119	res/insights data-collection-rule
120	res/insights diagnostic-setting
121	res/insights metric-alert
122	res/insights private-link-scope
123	res/insights scheduled-query-rule
124	res/insights webtest
125	res/key-vault vault
126	res/kubernetes-configuration extension
127	res/kubernetes-configuration flux-configuration
128	res/kubernetes-runtime load-balancer
129	res/kubernetes connected-cluster
130	res/kusto cluster
131	res/load-test-service load-test
132	res/logic integration-account
133	res/logic workflow
134	res/machine-learning-services registry
135	res/machine-learning-services workspace
136	res/maintenance configuration-assignment
137	res/maintenance maintenance-configuration
138	res/managed-identity user-assigned-identity
139	res/managed-services registration-definition
140	res/management management-group
141	res/management service-group
142	res/maps account
143	res/net-app net-app-account
144	res/network application-gateway
145	res/network application-gateway-web-application-firewall-policy
146	res/network application-security-group
147	res/network azure-firewall
148	res/network bastion-host
149	res/network connection
150	res/network ddos-protection-plan
151	res/network dns-forwarding-ruleset
152	res/network dns-resolver
153	res/network dns-zone
154	res/network express-route-circuit
155	res/network express-route-gateway
156	res/network express-route-port
157	res/network firewall-policy
158	res/network front-door	Deprecated
159	res/network front-door-web-application-firewall-policy
160	res/network ip-group
161	res/network load-balancer
162	res/network local-network-gateway
163	res/network nat-gateway
164	res/network network-interface
165	res/network network-manager
166	res/network network-security-group
167	res/network network-security-perimeter
168	res/network network-watcher
169	res/network p2s-vpn-gateway
170	res/network private-dns-zone
171	res/network private-endpoint
172	res/network private-link-service
173	res/network public-ip-address
174	res/network public-ip-prefix
175	res/network route-table
176	res/network service-endpoint-policy
177	res/network trafficmanagerprofile
178	res/network virtual-hub
179	res/network virtual-network
180	res/network virtual-network-gateway
181	res/network virtual-wan
182	res/network vpn-gateway
183	res/network vpn-server-configuration
184	res/network vpn-site
185	res/operational-insights cluster
186	res/operational-insights workspace
187	res/operations-management solution
188	res/portal dashboard
189	res/power-bi-dedicated capacity
190	res/purview account
191	res/recovery-services vault
192	res/relay namespace
193	res/resource-graph query
194	res/resources deployment-script
195	res/resources resource-group
196	res/search search-service
197	res/security-insights data-connector
198	res/security-insights setting
199	res/service-bus namespace
200	res/service-fabric cluster
201	res/service-networking traffic-controller
202	res/signal-r-service signal-r
203	res/signal-r-service web-pub-sub
204	res/sql instance-pool
205	res/sql managed-instance
206	res/sql server
207	res/storage storage-account
208	res/synapse private-link-hub
209	res/synapse workspace
210	res/virtual-machine-images image-template
211	res/web connection
212	res/web hosting-environment
213	res/web serverfarm
214	res/web site
215	res/web static-site
216	utl/types avm-common-types

Bicep Resource Modules

Module catalog

Language	Classification	Published 🟢 & 🟡	Proposed ⚪	SUM
Bicep	Resource	168	22	190

➕ Additional information

Legend

Summary of status icons used on this page

Icon	Status	Description
⚪	Proposed modules	Modules that are proposed and/or being worked on but not published yet.
🟢 & 🟡	Published modules	Available (🟢) and Orphaned (🟡) modules that are active and usable.
🔴	Deprecated modules	Modules that reached the end of their lifecycle.
📇	All modules	Including Published, Proposed and Deprecated ones.

See the Module Lifecycle page for more details.

Info

This page contains various views of the module index (catalog) for Bicep Resource Modules. To see these views, click on the expandable sections with the “➕” sign below.

To see the full, unfiltered, unformatted module index on GitHub, click here.
To download the source CSV file, click here.

Note

Modules listed below that aren’t shown with the status of Module Available 🟢, are currently in development and are not yet available for use. For proposed modules, see the Proposed modules section below.

Published modules - 🟢 & 🟡

➕ Published Modules - Module names, status and owners

No.	Module Name	Display Name	Owner(s)
01	avm/res/aad/domain-service	Azure Active Directory Domain Service AAD, Entra ID, Microsoft Entra Domain Services, AAD DS, Azure AD DS	ReneHezser Rene Hezser CRYP70N1X Paul Chirila
02	avm/res/alerts-management/action-rule	Action Rules	judyer28 Justin Dyer
03	avm/res/analysis-services/server	Analysis Services Server
04	avm/res/api-management/service api api-version-set api/diagnostics api/policy authorization-server backend cache diagnostics identity-provider logger named-value policy portalsetting private-endpoint-connection product product/api product/group subscription workspace	API Management Service
05	avm/res/app-configuration/configuration-store	App Configuration Store	Jfolberth John Folberth
06	avm/res/app/container-app	Container App	oZakari Zach Trocinski
07	avm/res/app/job	App Job	ReneHezser Rene Hezser
08	avm/res/app/managed-environment	App Managed Environment
09	avm/res/app/session-pool	App Session Pool
10	avm/res/authorization/policy-assignment mg-scope rg-scope sub-scope	Authorization - Policy Assignment	AlexanderSehr Alexander Sehr
11	avm/res/authorization/role-assignment mg-scope rg-scope sub-scope	Authorization - Role Assignment	arnoldna Nate Arnold
12	avm/res/automation/automation-account	Automation Account	gpacetti Giuseppe Pacetti
13	avm/res/azure-stack-hci/cluster arc-setting/extension	Azure Stack HCI Cluster
14	avm/res/azure-stack-hci/logical-network	Azure Stack HCI Logical Network
15	avm/res/azure-stack-hci/marketplace-gallery-image	Azure Stack HCI Marketplace Gallery Image
16	avm/res/azure-stack-hci/network-interface	Azure Stack HCI Network Interface
17	avm/res/azure-stack-hci/virtual-hard-disk	Azure Stack HCI Hard Disk
18	avm/res/azure-stack-hci/virtual-machine-instance	Azure Stack HCI Virtual Machine Instance
19	avm/res/batch/batch-account	Batch Account	didayal-msft Divyadeep Dayal
20	avm/res/cache/redis	Redis Cache
21	avm/res/cache/redis-enterprise	Redis Enterprise Cache	JeffreyCA Jeffrey Chen
22	avm/res/cdn/profile	CDN Profile	gbeaud Guillaume Beaud
23	avm/res/cognitive-services/account	Azure AI Services (Cognitive Services)	jceval Javier Cevallos
24	avm/res/communication/communication-service	Communication Service	donk-msft Don Koning
25	avm/res/communication/email-service	Email Communication Service	donk-msft Don Koning
26	avm/res/compute/availability-set	Availability Set AS	ahmadabdalla Ahmad Abdalla
27	avm/res/compute/disk	Compute Disk	segraef Sebastian Graef
28	avm/res/compute/disk-encryption-set	Disk Encryption Set	segraef Sebastian Graef
29	avm/res/compute/gallery	Azure Compute Gallery	ReneHezser Rene Hezser
30	avm/res/compute/image	Image	tony-box Tony Box
31	avm/res/compute/proximity-placement-group	Proximity Placement Group	jeetgarg Jeet Garg
32	avm/res/compute/ssh-public-key	Public SSH Key	ChrisSidebotham Chris Sidebotham
33	avm/res/compute/virtual-machine	Virtual Machine VM	josunefon Jordi Sune Fontanals
34	avm/res/compute/virtual-machine-scale-set	Virtual Machine Scale Set VMSS	josunefon Jordi Sune Fontanals
35	avm/res/consumption/budget mg-scope rg-scope sub-scope	Consumption Budget	segraef Sebastian Graef
36	avm/res/container-instance/container-group	Container Instance ACI	JPEasier Julian Peißker
37	avm/res/container-registry/registry	Azure Container Registry (ACR)	JPEasier Julian Peißker
38	avm/res/container-service/managed-cluster	Azure Kubernetes Service (AKS) Managed Cluster	JPEasier Julian Peißker
39	avm/res/data-factory/factory	Data Factory
40	avm/res/data-protection/backup-vault	Data Protection Backup Vault
41	avm/res/databricks/access-connector	Azure Databricks Access Connector
42	avm/res/databricks/workspace	Azure Databricks Workspace
43	avm/res/db-for-my-sql/flexible-server	DB for MySQL Flexible Server
44	avm/res/db-for-postgre-sql/flexible-server	DB for Postgre SQL Flexible Server	arnoldna Nate Arnold
45	avm/res/desktop-virtualization/application-group	Azure Virtual Desktop (AVD) Application Group
46	avm/res/desktop-virtualization/host-pool	Azure Virtual Desktop (AVD) Host Pool
47	avm/res/desktop-virtualization/scaling-plan	Azure Virtual Desktop (AVD) Scaling Plan
48	avm/res/desktop-virtualization/workspace	Azure Virtual Desktop (AVD) Workspace
49	avm/res/dev-center/devcenter	Dev Center	ahmadabdalla Ahmad Abdalla
50	avm/res/dev-center/network-connection	Dev Center Network Connection	ahmadabdalla Ahmad Abdalla
51	avm/res/dev-center/project	Dev Center Project	ahmadabdalla Ahmad Abdalla
52	avm/res/dev-ops-infrastructure/pool	DevOps Infrastructure Pool	elizatargithub7 Eliza Tarasila
53	avm/res/dev-test-lab/lab	DevTest Lab	ahmadabdalla Ahmad Abdalla
54	avm/res/digital-twins/digital-twins-instance	Digital Twins Instance	ryanmstephens Ryan Stephens
55	avm/res/document-db/database-account sql-database sql-role-assignment sql-role-definition table	Cosmos DB Database Account	cmaneu Christopher Maneu
56	avm/res/document-db/mongo-cluster	Cosmos DB for MongoDB (vCore)	sinedied Yohan Lasorsa
57	avm/res/elastic-san/elastic-san	Elastic SAN SAN, ESAN, Elastic SAN, Azure Elastic Storage Area Network, iSCSI, internet Small Computer Systems Interface	jbinko Jiri Binko
58	avm/res/event-grid/domain	Event Grid Domain	fabmas Fabio Masciotra
59	avm/res/event-grid/namespace	Event Grid Namespace	fabmas Fabio Masciotra
60	avm/res/event-grid/system-topic	Event Grid System Topic	fabmas Fabio Masciotra
61	avm/res/event-grid/topic	Event Grid Topic	fabmas Fabio Masciotra
62	avm/res/event-hub/namespace eventhub	Event Hub Namespace
63	avm/res/fabric/capacity	Fabric	mswantek68 Mike Swantek cmaneu Christopher Maneu
64	avm/res/health-bot/health-bot	Azure Health Bot
65	avm/res/healthcare-apis/workspace	Healthcare API Workspace
66	avm/res/hybrid-compute/gateway	Hybrid Compute Gateway
67	avm/res/hybrid-compute/license	Hybrid Compute License
68	avm/res/hybrid-compute/machine	Hybrid Compute Machine
69	avm/res/hybrid-container-service/provisioned-cluster-instance	Hybrid Container Service - Provisioned Cluster Instance
70	avm/res/insights/action-group	Action Group	rahalan Rainer Halanek
71	avm/res/insights/activity-log-alert	Activity Log Alert	donk-msft Don Koning
72	avm/res/insights/component	Application Insight	krbar Kris Baranek
73	avm/res/insights/data-collection-endpoint	Data Collection Endpoint	krbar Kris Baranek
74	avm/res/insights/data-collection-rule	Data Collection Rule DCR	krbar Kris Baranek
75	avm/res/insights/diagnostic-setting	Diagnostic Setting	krbar Kris Baranek
76	avm/res/insights/metric-alert	Metric Alert	kijunkang Ki Jun Kang
77	avm/res/insights/private-link-scope	Azure Monitor Private Link Scope	ahmadabdalla Ahmad Abdalla
78	avm/res/insights/scheduled-query-rule	Scheduled Query Rule
79	avm/res/insights/webtest	Web Test	Jfolberth John Folberth
80	avm/res/key-vault/vault access-policy key secret	Key Vault KV	fblix Felix Borst
81	avm/res/kubernetes-configuration/extension	Kubernetes Configuration Extension	JPEasier Julian Peißker
82	avm/res/kubernetes-configuration/flux-configuration	Kubernetes Configuration Flux Configuration	JPEasier Julian Peißker
83	avm/res/kubernetes-runtime/load-balancer	Kubernetes Runtime Load Balancer
84	avm/res/kubernetes/connected-cluster	Kubernetes Connected Cluster
85	avm/res/kusto/cluster	Azure Data Explorer (Kusto) cluster	oZakari Zach Trocinski
86	avm/res/load-test-service/load-test	Load Testing Service	sebassem Seif Bassem
87	avm/res/logic/workflow	Logic Apps Workflow	lsnoddy Luke Snoddy
88	avm/res/machine-learning-services/registry	Machine Learning Services Registry	josunefon Jordi Sune Fontanals
89	avm/res/machine-learning-services/workspace	Machine Learning Services Workspace ML Workspace	cecheta Chinedum Echeta ross-p-smith Ross Smith
90	avm/res/maintenance/configuration-assignment	Maintenance Configuration Assignment	eriqua Erika Gressi
91	avm/res/maintenance/maintenance-configuration	Maintenance Configuration	arievanderwende Arie van der Wende
92	avm/res/managed-identity/user-assigned-identity	User Assigned Identity MSI	gpacetti Giuseppe Pacetti
93	avm/res/managed-services/registration-definition	Registration Definition (Lighthouse)
94	avm/res/management/management-group	Management Group MG	fblix Felix Borst
95	avm/res/management/service-group	Service Group	jtracey93 Jack Tracey
96	avm/res/maps/account	Azure Maps Account	jhueppauff Julian Huppauff
97	avm/res/net-app/net-app-account	Azure NetApp File	fbinotto Felipe Binotto
98	avm/res/network/application-gateway	Application Gateway App GW	toddbeauchemin Todd Beauchemin
99	avm/res/network/application-gateway-web-application-firewall-policy	Application Gateway Web Application Firewall (WAF) Policy	toddbeauchemin Todd Beauchemin
100	avm/res/network/application-security-group	Application Security Group (ASG) ASG	segraef Sebastian Graef
101	avm/res/network/azure-firewall	Azure Firewall Azure FW	jtracey93 Jack Tracey oZakari Zach Trocinski
102	avm/res/network/bastion-host	Bastion Host	krbar Kris Baranek
103	avm/res/network/connection	Virtual Network Gateway Connection	fabmas Fabio Masciotra
104	avm/res/network/ddos-protection-plan	DDoS Protection Plan	segraef Sebastian Graef
105	avm/res/network/dns-forwarding-ruleset	DNS Forwarding Ruleset	ChrisSidebotham Chris Sidebotham
106	avm/res/network/dns-resolver	DNS Resolver	ChrisSidebotham Chris Sidebotham
107	avm/res/network/dns-zone	Public DNS Zone	ChrisSidebotham Chris Sidebotham
108	avm/res/network/express-route-circuit	ExpressRoute Circuit ER Circuit	arnoldna Nate Arnold
109	avm/res/network/express-route-gateway	Express Route Gateway ER GW	arnoldna Nate Arnold
110	avm/res/network/express-route-port	ExpressRoute Port ER Port	arnoldna Nate Arnold
111	avm/res/network/firewall-policy	Firewall Policy	jtracey93 Jack Tracey oZakari Zach Trocinski
112	avm/res/network/front-door-web-application-firewall-policy	Front Door Web Application Firewall (WAF) Policy	PaulJohnston88 Paul Johnston
113	avm/res/network/ip-group	IP Group	ahmadabdalla Ahmad Abdalla
114	avm/res/network/load-balancer	Load Balancer LB, NLB	arnoldna Nate Arnold
115	avm/res/network/local-network-gateway	Local Network Gateway	fabmas Fabio Masciotra
116	avm/res/network/nat-gateway	NAT Gateway NAT GW	fabmas Fabio Masciotra
117	avm/res/network/network-interface	Network Interface NIC	rahalan Rainer Halanek
118	avm/res/network/network-manager	Network Manager	ahmadabdalla Ahmad Abdalla
119	avm/res/network/network-security-group	Network Security Group NSG	ahmadabdalla Ahmad Abdalla
120	avm/res/network/network-security-perimeter	Network Security Perimeter	peterbud Peter Budai
121	avm/res/network/network-watcher	Network Watcher	segraef Sebastian Graef
122	avm/res/network/p2s-vpn-gateway	P2S VPN Gateway	ericscheffler Eric Scheffler
123	avm/res/network/private-dns-zone a aaaa cname mx ptr soa srv txt virtual-network-link	Private DNS Zone	ChrisSidebotham Chris Sidebotham
124	avm/res/network/private-endpoint	Private Endpoint	segraef Sebastian Graef
125	avm/res/network/private-link-service	Private Link Service	ahmadabdalla Ahmad Abdalla
126	avm/res/network/public-ip-address	Public IP Address PIP	ChrisSidebotham Chris Sidebotham krbar Kris Baranek
127	avm/res/network/public-ip-prefix	Public IP Prefix PIP Prefix	krbar Kris Baranek
128	avm/res/network/route-table	Route Table UDR	segraef Sebastian Graef
129	avm/res/network/service-endpoint-policy	Service Endpoint Policy	jeetgarg Jeet Garg
130	avm/res/network/trafficmanagerprofile	Traffic Manager Profile	lsnoddy Luke Snoddy
131	avm/res/network/virtual-hub route-map	Virtual Hub	arnoldna Nate Arnold
132	avm/res/network/virtual-network subnet	Virtual Network VNET	mjrich19 MJ Richardson
133	avm/res/network/virtual-network-gateway	Virtual Network Gateway VNET GW	fabmas Fabio Masciotra
134	avm/res/network/virtual-wan	Virtual WAN vWAN	arnoldna Nate Arnold
135	avm/res/network/vpn-gateway	VPN Gateway VPN GW	fabmas Fabio Masciotra
136	avm/res/network/vpn-server-configuration	VPN Server Configuration	ericscheffler Eric Scheffler
137	avm/res/network/vpn-site	VPN Site	fabmas Fabio Masciotra
138	avm/res/operational-insights/cluster	Log Analytics Dedicated Cluster
139	avm/res/operational-insights/workspace	Log Analytics Workspace	krbar Kris Baranek
140	avm/res/operations-management/solution	Operations Management Solution	krbar Kris Baranek
141	avm/res/portal/dashboard	Portal Dashboard	krbar Kris Baranek
142	avm/res/power-bi-dedicated/capacity	Power BI Dedicated Capacity	ChrisSidebotham Chris Sidebotham
143	avm/res/purview/account	Purview Account
144	avm/res/recovery-services/vault	Recovery Services Vault	alexanderojala Alexander Ojala
145	avm/res/relay/namespace	Relay Namespace
146	avm/res/resource-graph/query	Resource Graph Query	sebassem Seif Bassem
147	avm/res/resources/deployment-script	Deployment Script	sebassem Seif Bassem
148	avm/res/resources/resource-group	Resource Group RG	segraef Sebastian Graef
149	avm/res/search/search-service	Search Service	krbar Kris Baranek
150	avm/res/security-insights/data-connector	Security Insights - Data Connector
151	avm/res/security-insights/setting	Security Insights - Setting
152	avm/res/service-bus/namespace queue topic	Service Bus Namespace	ChrisSidebotham Chris Sidebotham
153	avm/res/service-fabric/cluster	Service Fabric Cluster	lsnoddy Luke Snoddy
154	avm/res/service-networking/traffic-controller	Application Gateway for Containers (Traffic Controller)	krbar Kris Baranek
155	avm/res/signal-r-service/signal-r	SignalR Service SignalR
156	avm/res/signal-r-service/web-pub-sub	SignalR Web PubSub Service
157	avm/res/sql/instance-pool	SQL Instance Pool	gpacetti Giuseppe Pacetti
158	avm/res/sql/managed-instance	SQL Managed Instance SQL MI
159	avm/res/sql/server database	Azure SQL Server	peterbud Peter Budai
160	avm/res/storage/storage-account blob-service/container blob-service/container/immutability-policy file-service/share local-user management-policy queue-service/queue table-service/table	Storage Account	ktremain Karl Tremain fblix Felix Borst
161	avm/res/synapse/private-link-hub	Azure Synapse Analytics Private Link Hub	TomazMlakar Tomaz Mlakar
162	avm/res/synapse/workspace	Azure Synapse Analytics Workspace	TomazMlakar Tomaz Mlakar
163	avm/res/virtual-machine-images/image-template	Virtual Machine Image Template	ahmadabdalla Ahmad Abdalla
164	avm/res/web/connection	API Connection
165	avm/res/web/hosting-environment	App Service Environment ASE	tsc-buddy Buddy Davies pankajagrawal16 Pankaj Agrawal
166	avm/res/web/serverfarm	App Service Plan	tsc-buddy Buddy Davies pankajagrawal16 Pankaj Agrawal
167	avm/res/web/site config slot	Web/Function App App Service, Web Site, Logic App, Function App	tsc-buddy Buddy Davies pankajagrawal16 Pankaj Agrawal
168	avm/res/web/static-site	Static Web App	ChrisSidebotham Chris Sidebotham

Proposed modules - ⚪

➕ Proposed Modules - Module names, status and owners

No.	Module Name	Display Name	Owner(s)
01	avm/res/api-center/service	API Center Service
02	avm/res/avs/private-cloud	AVS Private Cloud
03	avm/res/bot-service/bot-service	Bot Service	AnkitSDesai #REF! asishr Asish R
04	avm/res/chaos/experiment	Chaos Experiment Azure Chaos Studio, Chaos Engineering	jbinko Jiri Binko
05	avm/res/dashboard/grafana	Azure Managed Grafana	vlahane Vishal Lahane
06	avm/res/data-protection/resource-guard	Data Protection Resource Guard
07	avm/res/durable-task/scheduler	Durable Task Scheduler	greenie-msft Nick Greenfield
08	avm/res/edge-order/order-item	Edge Order Item
09	avm/res/edge/configuration	Edge Configuration
10	avm/res/edge/site rg-scope sub-scope	Edge Site
11	avm/res/hybrid-compute/private-link-scope	Hybrid Compute Private Link Scope
12	avm/res/hybrid-compute/setting	Hybrid Compute Setting
13	avm/res/insights/autoscale-setting	Insights - Auto Scale Setting	FallenHoot Zach Olinske
14	avm/res/iot-operations/instance	IoT Operations Instance	agreaves-ms Allen Greaves
15	avm/res/key-vault/managed-hsm	Managed HSM
16	avm/res/kubernetes-runtime/bpg-peer	Kubernetes Runtime BGP Peer
17	avm/res/kubernetes-runtime/service	Kubernetes Runtime Service
18	avm/res/logic/integration-account	Logic Apps Integration Account	lsnoddy Luke Snoddy
19	avm/res/scom/managed-instance	SCOM MI System Center Operations Manager - Managed Instance
20	avm/res/security-insights/onboarding-state	Security Insights - Onboarding State
21	avm/res/sql-virtual-machine/sql-virtual-machine	SQL Virtual Machine SQL VM	peterbud Peter Budai
22	avm/res/stream-analytics/streaming-job	Stream Analytics Job

Deprecated modules - 🔴

➕ Deprecated Modules - Module names, status and owners

No.	Module Name	Display Name	Status & Versions	Owner(s)
01	avm/res/network/front-door	Azure Front Door

All modules - 📇

➕ All Modules - Module names, status and owners

No.	Module Name	Display Name	Owner(s)
01	avm/res/aad/domain-service	Azure Active Directory Domain Service AAD, Entra ID, Microsoft Entra Domain Services, AAD DS, Azure AD DS	ReneHezser Rene Hezser CRYP70N1X Paul Chirila
02	avm/res/alerts-management/action-rule	Action Rules	judyer28 Justin Dyer
03	avm/res/analysis-services/server	Analysis Services Server
04	avm/res/api-center/service	API Center Service
05	avm/res/api-management/service api api-version-set api/diagnostics api/policy authorization-server backend cache diagnostics identity-provider logger named-value policy portalsetting private-endpoint-connection product product/api product/group subscription workspace	API Management Service
06	avm/res/app-configuration/configuration-store	App Configuration Store	Jfolberth John Folberth
07	avm/res/app/container-app	Container App	oZakari Zach Trocinski
08	avm/res/app/job	App Job	ReneHezser Rene Hezser
09	avm/res/app/managed-environment	App Managed Environment
10	avm/res/app/session-pool	App Session Pool
11	avm/res/authorization/policy-assignment mg-scope rg-scope sub-scope	Authorization - Policy Assignment	AlexanderSehr Alexander Sehr
12	avm/res/authorization/role-assignment mg-scope rg-scope sub-scope	Authorization - Role Assignment	arnoldna Nate Arnold
13	avm/res/automation/automation-account	Automation Account	gpacetti Giuseppe Pacetti
14	avm/res/avs/private-cloud	AVS Private Cloud
15	avm/res/azure-stack-hci/cluster arc-setting/extension	Azure Stack HCI Cluster
16	avm/res/azure-stack-hci/logical-network	Azure Stack HCI Logical Network
17	avm/res/azure-stack-hci/marketplace-gallery-image	Azure Stack HCI Marketplace Gallery Image
18	avm/res/azure-stack-hci/network-interface	Azure Stack HCI Network Interface
19	avm/res/azure-stack-hci/virtual-hard-disk	Azure Stack HCI Hard Disk
20	avm/res/azure-stack-hci/virtual-machine-instance	Azure Stack HCI Virtual Machine Instance
21	avm/res/batch/batch-account	Batch Account	didayal-msft Divyadeep Dayal
22	avm/res/bot-service/bot-service	Bot Service	AnkitSDesai #REF! asishr Asish R
23	avm/res/cache/redis	Redis Cache
24	avm/res/cache/redis-enterprise	Redis Enterprise Cache	JeffreyCA Jeffrey Chen
25	avm/res/cdn/profile	CDN Profile	gbeaud Guillaume Beaud
26	avm/res/chaos/experiment	Chaos Experiment Azure Chaos Studio, Chaos Engineering	jbinko Jiri Binko
27	avm/res/cognitive-services/account	Azure AI Services (Cognitive Services)	jceval Javier Cevallos
28	avm/res/communication/communication-service	Communication Service	donk-msft Don Koning
29	avm/res/communication/email-service	Email Communication Service	donk-msft Don Koning
30	avm/res/compute/availability-set	Availability Set AS	ahmadabdalla Ahmad Abdalla
31	avm/res/compute/disk	Compute Disk	segraef Sebastian Graef
32	avm/res/compute/disk-encryption-set	Disk Encryption Set	segraef Sebastian Graef
33	avm/res/compute/gallery	Azure Compute Gallery	ReneHezser Rene Hezser
34	avm/res/compute/image	Image	tony-box Tony Box
35	avm/res/compute/proximity-placement-group	Proximity Placement Group	jeetgarg Jeet Garg
36	avm/res/compute/ssh-public-key	Public SSH Key	ChrisSidebotham Chris Sidebotham
37	avm/res/compute/virtual-machine	Virtual Machine VM	josunefon Jordi Sune Fontanals
38	avm/res/compute/virtual-machine-scale-set	Virtual Machine Scale Set VMSS	josunefon Jordi Sune Fontanals
39	avm/res/consumption/budget mg-scope rg-scope sub-scope	Consumption Budget	segraef Sebastian Graef
40	avm/res/container-instance/container-group	Container Instance ACI	JPEasier Julian Peißker
41	avm/res/container-registry/registry	Azure Container Registry (ACR)	JPEasier Julian Peißker
42	avm/res/container-service/managed-cluster	Azure Kubernetes Service (AKS) Managed Cluster	JPEasier Julian Peißker
43	avm/res/dashboard/grafana	Azure Managed Grafana	vlahane Vishal Lahane
44	avm/res/data-factory/factory	Data Factory
45	avm/res/data-protection/backup-vault	Data Protection Backup Vault
46	avm/res/data-protection/resource-guard	Data Protection Resource Guard
47	avm/res/databricks/access-connector	Azure Databricks Access Connector
48	avm/res/databricks/workspace	Azure Databricks Workspace
49	avm/res/db-for-my-sql/flexible-server	DB for MySQL Flexible Server
50	avm/res/db-for-postgre-sql/flexible-server	DB for Postgre SQL Flexible Server	arnoldna Nate Arnold
51	avm/res/desktop-virtualization/application-group	Azure Virtual Desktop (AVD) Application Group
52	avm/res/desktop-virtualization/host-pool	Azure Virtual Desktop (AVD) Host Pool
53	avm/res/desktop-virtualization/scaling-plan	Azure Virtual Desktop (AVD) Scaling Plan
54	avm/res/desktop-virtualization/workspace	Azure Virtual Desktop (AVD) Workspace
55	avm/res/dev-center/devcenter	Dev Center	ahmadabdalla Ahmad Abdalla
56	avm/res/dev-center/network-connection	Dev Center Network Connection	ahmadabdalla Ahmad Abdalla
57	avm/res/dev-center/project	Dev Center Project	ahmadabdalla Ahmad Abdalla
58	avm/res/dev-ops-infrastructure/pool	DevOps Infrastructure Pool	elizatargithub7 Eliza Tarasila
59	avm/res/dev-test-lab/lab	DevTest Lab	ahmadabdalla Ahmad Abdalla
60	avm/res/digital-twins/digital-twins-instance	Digital Twins Instance	ryanmstephens Ryan Stephens
61	avm/res/document-db/database-account sql-database sql-role-assignment sql-role-definition table	Cosmos DB Database Account	cmaneu Christopher Maneu
62	avm/res/document-db/mongo-cluster	Cosmos DB for MongoDB (vCore)	sinedied Yohan Lasorsa
63	avm/res/durable-task/scheduler	Durable Task Scheduler	greenie-msft Nick Greenfield
64	avm/res/edge-order/order-item	Edge Order Item
65	avm/res/edge/configuration	Edge Configuration
66	avm/res/edge/site rg-scope sub-scope	Edge Site
67	avm/res/elastic-san/elastic-san	Elastic SAN SAN, ESAN, Elastic SAN, Azure Elastic Storage Area Network, iSCSI, internet Small Computer Systems Interface	jbinko Jiri Binko
68	avm/res/event-grid/domain	Event Grid Domain	fabmas Fabio Masciotra
69	avm/res/event-grid/namespace	Event Grid Namespace	fabmas Fabio Masciotra
70	avm/res/event-grid/system-topic	Event Grid System Topic	fabmas Fabio Masciotra
71	avm/res/event-grid/topic	Event Grid Topic	fabmas Fabio Masciotra
72	avm/res/event-hub/namespace eventhub	Event Hub Namespace
73	avm/res/fabric/capacity	Fabric	mswantek68 Mike Swantek cmaneu Christopher Maneu
74	avm/res/health-bot/health-bot	Azure Health Bot
75	avm/res/healthcare-apis/workspace	Healthcare API Workspace
76	avm/res/hybrid-compute/gateway	Hybrid Compute Gateway
77	avm/res/hybrid-compute/license	Hybrid Compute License
78	avm/res/hybrid-compute/machine	Hybrid Compute Machine
79	avm/res/hybrid-compute/private-link-scope	Hybrid Compute Private Link Scope
80	avm/res/hybrid-compute/setting	Hybrid Compute Setting
81	avm/res/hybrid-container-service/provisioned-cluster-instance	Hybrid Container Service - Provisioned Cluster Instance
82	avm/res/insights/action-group	Action Group	rahalan Rainer Halanek
83	avm/res/insights/activity-log-alert	Activity Log Alert	donk-msft Don Koning
84	avm/res/insights/autoscale-setting	Insights - Auto Scale Setting	FallenHoot Zach Olinske
85	avm/res/insights/component	Application Insight	krbar Kris Baranek
86	avm/res/insights/data-collection-endpoint	Data Collection Endpoint	krbar Kris Baranek
87	avm/res/insights/data-collection-rule	Data Collection Rule DCR	krbar Kris Baranek
88	avm/res/insights/diagnostic-setting	Diagnostic Setting	krbar Kris Baranek
89	avm/res/insights/metric-alert	Metric Alert	kijunkang Ki Jun Kang
90	avm/res/insights/private-link-scope	Azure Monitor Private Link Scope	ahmadabdalla Ahmad Abdalla
91	avm/res/insights/scheduled-query-rule	Scheduled Query Rule
92	avm/res/insights/webtest	Web Test	Jfolberth John Folberth
93	avm/res/iot-operations/instance	IoT Operations Instance	agreaves-ms Allen Greaves
94	avm/res/key-vault/managed-hsm	Managed HSM
95	avm/res/key-vault/vault access-policy key secret	Key Vault KV	fblix Felix Borst
96	avm/res/kubernetes-configuration/extension	Kubernetes Configuration Extension	JPEasier Julian Peißker
97	avm/res/kubernetes-configuration/flux-configuration	Kubernetes Configuration Flux Configuration	JPEasier Julian Peißker
98	avm/res/kubernetes-runtime/bpg-peer	Kubernetes Runtime BGP Peer
99	avm/res/kubernetes-runtime/load-balancer	Kubernetes Runtime Load Balancer
100	avm/res/kubernetes-runtime/service	Kubernetes Runtime Service
101	avm/res/kubernetes/connected-cluster	Kubernetes Connected Cluster
102	avm/res/kusto/cluster	Azure Data Explorer (Kusto) cluster	oZakari Zach Trocinski
103	avm/res/load-test-service/load-test	Load Testing Service	sebassem Seif Bassem
104	avm/res/logic/integration-account	Logic Apps Integration Account	lsnoddy Luke Snoddy
105	avm/res/logic/workflow	Logic Apps Workflow	lsnoddy Luke Snoddy
106	avm/res/machine-learning-services/registry	Machine Learning Services Registry	josunefon Jordi Sune Fontanals
107	avm/res/machine-learning-services/workspace	Machine Learning Services Workspace ML Workspace	cecheta Chinedum Echeta ross-p-smith Ross Smith
108	avm/res/maintenance/configuration-assignment	Maintenance Configuration Assignment	eriqua Erika Gressi
109	avm/res/maintenance/maintenance-configuration	Maintenance Configuration	arievanderwende Arie van der Wende
110	avm/res/managed-identity/user-assigned-identity	User Assigned Identity MSI	gpacetti Giuseppe Pacetti
111	avm/res/managed-services/registration-definition	Registration Definition (Lighthouse)
112	avm/res/management/management-group	Management Group MG	fblix Felix Borst
113	avm/res/management/service-group	Service Group	jtracey93 Jack Tracey
114	avm/res/maps/account	Azure Maps Account	jhueppauff Julian Huppauff
115	avm/res/net-app/net-app-account	Azure NetApp File	fbinotto Felipe Binotto
116	avm/res/network/application-gateway	Application Gateway App GW	toddbeauchemin Todd Beauchemin
117	avm/res/network/application-gateway-web-application-firewall-policy	Application Gateway Web Application Firewall (WAF) Policy	toddbeauchemin Todd Beauchemin
118	avm/res/network/application-security-group	Application Security Group (ASG) ASG	segraef Sebastian Graef
119	avm/res/network/azure-firewall	Azure Firewall Azure FW	jtracey93 Jack Tracey oZakari Zach Trocinski
120	avm/res/network/bastion-host	Bastion Host	krbar Kris Baranek
121	avm/res/network/connection	Virtual Network Gateway Connection	fabmas Fabio Masciotra
122	avm/res/network/ddos-protection-plan	DDoS Protection Plan	segraef Sebastian Graef
123	avm/res/network/dns-forwarding-ruleset	DNS Forwarding Ruleset	ChrisSidebotham Chris Sidebotham
124	avm/res/network/dns-resolver	DNS Resolver	ChrisSidebotham Chris Sidebotham
125	avm/res/network/dns-zone	Public DNS Zone	ChrisSidebotham Chris Sidebotham
126	avm/res/network/express-route-circuit	ExpressRoute Circuit ER Circuit	arnoldna Nate Arnold
127	avm/res/network/express-route-gateway	Express Route Gateway ER GW	arnoldna Nate Arnold
128	avm/res/network/express-route-port	ExpressRoute Port ER Port	arnoldna Nate Arnold
129	avm/res/network/firewall-policy	Firewall Policy	jtracey93 Jack Tracey oZakari Zach Trocinski
130	avm/res/network/front-door	Azure Front Door
131	avm/res/network/front-door-web-application-firewall-policy	Front Door Web Application Firewall (WAF) Policy	PaulJohnston88 Paul Johnston
132	avm/res/network/ip-group	IP Group	ahmadabdalla Ahmad Abdalla
133	avm/res/network/load-balancer	Load Balancer LB, NLB	arnoldna Nate Arnold
134	avm/res/network/local-network-gateway	Local Network Gateway	fabmas Fabio Masciotra
135	avm/res/network/nat-gateway	NAT Gateway NAT GW	fabmas Fabio Masciotra
136	avm/res/network/network-interface	Network Interface NIC	rahalan Rainer Halanek
137	avm/res/network/network-manager	Network Manager	ahmadabdalla Ahmad Abdalla
138	avm/res/network/network-security-group	Network Security Group NSG	ahmadabdalla Ahmad Abdalla
139	avm/res/network/network-security-perimeter	Network Security Perimeter	peterbud Peter Budai
140	avm/res/network/network-watcher	Network Watcher	segraef Sebastian Graef
141	avm/res/network/p2s-vpn-gateway	P2S VPN Gateway	ericscheffler Eric Scheffler
142	avm/res/network/private-dns-zone a aaaa cname mx ptr soa srv txt virtual-network-link	Private DNS Zone	ChrisSidebotham Chris Sidebotham
143	avm/res/network/private-endpoint	Private Endpoint	segraef Sebastian Graef
144	avm/res/network/private-link-service	Private Link Service	ahmadabdalla Ahmad Abdalla
145	avm/res/network/public-ip-address	Public IP Address PIP	ChrisSidebotham Chris Sidebotham krbar Kris Baranek
146	avm/res/network/public-ip-prefix	Public IP Prefix PIP Prefix	krbar Kris Baranek
147	avm/res/network/route-table	Route Table UDR	segraef Sebastian Graef
148	avm/res/network/service-endpoint-policy	Service Endpoint Policy	jeetgarg Jeet Garg
149	avm/res/network/trafficmanagerprofile	Traffic Manager Profile	lsnoddy Luke Snoddy
150	avm/res/network/virtual-hub route-map	Virtual Hub	arnoldna Nate Arnold
151	avm/res/network/virtual-network subnet	Virtual Network VNET	mjrich19 MJ Richardson
152	avm/res/network/virtual-network-gateway	Virtual Network Gateway VNET GW	fabmas Fabio Masciotra
153	avm/res/network/virtual-wan	Virtual WAN vWAN	arnoldna Nate Arnold
154	avm/res/network/vpn-gateway	VPN Gateway VPN GW	fabmas Fabio Masciotra
155	avm/res/network/vpn-server-configuration	VPN Server Configuration	ericscheffler Eric Scheffler
156	avm/res/network/vpn-site	VPN Site	fabmas Fabio Masciotra
157	avm/res/operational-insights/cluster	Log Analytics Dedicated Cluster
158	avm/res/operational-insights/workspace	Log Analytics Workspace	krbar Kris Baranek
159	avm/res/operations-management/solution	Operations Management Solution	krbar Kris Baranek
160	avm/res/portal/dashboard	Portal Dashboard	krbar Kris Baranek
161	avm/res/power-bi-dedicated/capacity	Power BI Dedicated Capacity	ChrisSidebotham Chris Sidebotham
162	avm/res/purview/account	Purview Account
163	avm/res/recovery-services/vault	Recovery Services Vault	alexanderojala Alexander Ojala
164	avm/res/relay/namespace	Relay Namespace
165	avm/res/resource-graph/query	Resource Graph Query	sebassem Seif Bassem
166	avm/res/resources/deployment-script	Deployment Script	sebassem Seif Bassem
167	avm/res/resources/resource-group	Resource Group RG	segraef Sebastian Graef
168	avm/res/scom/managed-instance	SCOM MI System Center Operations Manager - Managed Instance
169	avm/res/search/search-service	Search Service	krbar Kris Baranek
170	avm/res/security-insights/data-connector	Security Insights - Data Connector
171	avm/res/security-insights/onboarding-state	Security Insights - Onboarding State
172	avm/res/security-insights/setting	Security Insights - Setting
173	avm/res/service-bus/namespace queue topic	Service Bus Namespace	ChrisSidebotham Chris Sidebotham
174	avm/res/service-fabric/cluster	Service Fabric Cluster	lsnoddy Luke Snoddy
175	avm/res/service-networking/traffic-controller	Application Gateway for Containers (Traffic Controller)	krbar Kris Baranek
176	avm/res/signal-r-service/signal-r	SignalR Service SignalR
177	avm/res/signal-r-service/web-pub-sub	SignalR Web PubSub Service
178	avm/res/sql-virtual-machine/sql-virtual-machine	SQL Virtual Machine SQL VM	peterbud Peter Budai
179	avm/res/sql/instance-pool	SQL Instance Pool	gpacetti Giuseppe Pacetti
180	avm/res/sql/managed-instance	SQL Managed Instance SQL MI
181	avm/res/sql/server database	Azure SQL Server	peterbud Peter Budai
182	avm/res/storage/storage-account blob-service/container blob-service/container/immutability-policy file-service/share local-user management-policy queue-service/queue table-service/table	Storage Account	ktremain Karl Tremain fblix Felix Borst
183	avm/res/stream-analytics/streaming-job	Stream Analytics Job
184	avm/res/synapse/private-link-hub	Azure Synapse Analytics Private Link Hub	TomazMlakar Tomaz Mlakar
185	avm/res/synapse/workspace	Azure Synapse Analytics Workspace	TomazMlakar Tomaz Mlakar
186	avm/res/virtual-machine-images/image-template	Virtual Machine Image Template	ahmadabdalla Ahmad Abdalla
187	avm/res/web/connection	API Connection
188	avm/res/web/hosting-environment	App Service Environment ASE	tsc-buddy Buddy Davies pankajagrawal16 Pankaj Agrawal
189	avm/res/web/serverfarm	App Service Plan	tsc-buddy Buddy Davies pankajagrawal16 Pankaj Agrawal
190	avm/res/web/site config slot	Web/Function App App Service, Web Site, Logic App, Function App	tsc-buddy Buddy Davies pankajagrawal16 Pankaj Agrawal
191	avm/res/web/static-site	Static Web App	ChrisSidebotham Chris Sidebotham

Module Publication History - 📅

➕ Module Publication History - Module names, status and owners

Modules published in November 2025

No.	Module Name	Display Name	Status & Versions	Owner(s)
01	avm/res/operational-insights/cluster	Log Analytics Dedicated Cluster

Modules published in September 2025

No.	Module Name	Display Name	Owner(s)
01	avm/res/api-management/service/api	API Management Service - API (Child of avm/res/api-management/service)	(Inherited):
02	avm/res/api-management/service/api-version-set	API Management Service - API Version Set (Child of avm/res/api-management/service)	(Inherited):
03	avm/res/api-management/service/api/diagnostics	API Management Service - API Diagnostics (Child of avm/res/api-management/service)	(Inherited):
04	avm/res/api-management/service/api/policy	API Management Service - API Policy (Child of avm/res/api-management/service)	(Inherited):
05	avm/res/api-management/service/authorization-server	API Management Service - Authorization Server (Child of avm/res/api-management/service)	(Inherited):
06	avm/res/api-management/service/backend	API Management Service - Backend (Child of avm/res/api-management/service)	(Inherited):
07	avm/res/api-management/service/cache	API Management Service - Cache (Child of avm/res/api-management/service)	(Inherited):
08	avm/res/api-management/service/identity-provider	API Management Service - Identity Provider (Child of avm/res/api-management/service)	(Inherited):
09	avm/res/api-management/service/logger	API Management Service - Logger (Child of avm/res/api-management/service)	(Inherited):
10	avm/res/api-management/service/named-value	API Management Service - Named Value (Child of avm/res/api-management/service)	(Inherited):
11	avm/res/api-management/service/policy	API Management Service - Policy (Child of avm/res/api-management/service)	(Inherited):
12	avm/res/api-management/service/portalsetting	API Management Service - Portal Setting (Child of avm/res/api-management/service)	(Inherited):
13	avm/res/api-management/service/product	API Management Service - Product (Child of avm/res/api-management/service)	(Inherited):
14	avm/res/api-management/service/product/api	API Management Service - Product API (Child of avm/res/api-management/service)	(Inherited):
15	avm/res/api-management/service/product/group	API Management Service - Product Group (Child of avm/res/api-management/service)	(Inherited):
16	avm/res/api-management/service/subscription	API Management Service - Subscription (Child of avm/res/api-management/service)	(Inherited):
17	avm/res/authorization/policy-assignment/mg-scope	Authorization - Policy Assignment - Management Group Scope (Child of avm/res/authorization/policy-assignment)	(Inherited): AlexanderSehr Alexander Sehr
18	avm/res/authorization/policy-assignment/rg-scope	Authorization - Policy Assignment - Resource Group Scope (Child of avm/res/authorization/policy-assignment)	(Inherited): AlexanderSehr Alexander Sehr
19	avm/res/authorization/policy-assignment/sub-scope	Authorization - Policy Assignment - Subscription Scope (Child of avm/res/authorization/policy-assignment)	(Inherited): AlexanderSehr Alexander Sehr
20	avm/res/consumption/budget/mg-scope	Consumption Budget - Management Group Scope (Child of avm/res/consumption/budget)	(Inherited): segraef Sebastian Graef
21	avm/res/consumption/budget/rg-scope	Consumption Budget - Resource Group Scope (Child of avm/res/consumption/budget)	(Inherited): segraef Sebastian Graef
22	avm/res/consumption/budget/sub-scope	Consumption Budget - Subscription Scope (Child of avm/res/consumption/budget)	(Inherited): segraef Sebastian Graef
23	avm/res/document-db/database-account/sql-role-assignment	Cosmos DB - SQL Role Assignment (Child of avm/res/document-db/database-account)	(Inherited): cmaneu Christopher Maneu
24	avm/res/document-db/database-account/sql-role-definition	Cosmos DB - SQL Role Definition (Child of avm/res/document-db/database-account)	(Inherited): cmaneu Christopher Maneu
25	avm/res/event-hub/namespace/eventhub	Event Hub (Child of avm/res/event-hub/namespace)	(Inherited):
26	avm/res/kubernetes-runtime/load-balancer	Kubernetes Runtime Load Balancer
27	avm/res/management/service-group	Service Group	jtracey93 Jack Tracey
28	avm/res/sql/server/database	Azure SQL Database (Child of avm/res/sql/server)	(Inherited): peterbud Peter Budai

Modules published in August 2025

No.	Module Name	Display Name	Owner(s)
01	avm/res/key-vault/vault/access-policy	Key Vault - Access Policy (Child of avm/res/key-vault/vault)	(Inherited): fblix Felix Borst
02	avm/res/key-vault/vault/key	Key Vault - Key (Child of avm/res/key-vault/vault)	(Inherited): fblix Felix Borst
03	avm/res/key-vault/vault/secret	Key Vault - Secret (Child of avm/res/key-vault/vault)	(Inherited): fblix Felix Borst
04	avm/res/network/private-dns-zone/a	Private DNS Zone - A (Child of avm/res/network/private-dns-zone)	(Inherited): ChrisSidebotham Chris Sidebotham
05	avm/res/network/private-dns-zone/aaaa	Private DNS Zone - AAAA (Child of avm/res/network/private-dns-zone)	(Inherited): ChrisSidebotham Chris Sidebotham
06	avm/res/network/private-dns-zone/cname	Private DNS Zone - CNAME (Child of avm/res/network/private-dns-zone)	(Inherited): ChrisSidebotham Chris Sidebotham
07	avm/res/network/private-dns-zone/mx	Private DNS Zone - MX (Child of avm/res/network/private-dns-zone)	(Inherited): ChrisSidebotham Chris Sidebotham
08	avm/res/network/private-dns-zone/ptr	Private DNS Zone - PTR (Child of avm/res/network/private-dns-zone)	(Inherited): ChrisSidebotham Chris Sidebotham
09	avm/res/network/private-dns-zone/soa	Private DNS Zone - SOA (Child of avm/res/network/private-dns-zone)	(Inherited): ChrisSidebotham Chris Sidebotham
10	avm/res/network/private-dns-zone/srv	Private DNS Zone - SRV (Child of avm/res/network/private-dns-zone)	(Inherited): ChrisSidebotham Chris Sidebotham
11	avm/res/network/private-dns-zone/txt	Private DNS Zone - TXT (Child of avm/res/network/private-dns-zone)	(Inherited): ChrisSidebotham Chris Sidebotham
12	avm/res/web/site/config	Web Site Configuration (Child of avm/res/web/site)	(Inherited): tsc-buddy Buddy Davies pankajagrawal16 Pankaj Agrawal
13	avm/res/web/site/slot	Web Site Slot (Child of avm/res/web/site)	(Inherited): tsc-buddy Buddy Davies pankajagrawal16 Pankaj Agrawal

Modules published in July 2025

No.	Module Name	Display Name	Owner(s)
01	avm/res/azure-stack-hci/marketplace-gallery-image	Azure Stack HCI Marketplace Gallery Image
02	avm/res/azure-stack-hci/virtual-machine-instance	Azure Stack HCI Virtual Machine Instance
03	avm/res/storage/storage-account/file-service/share	Storage Account - File Share (Child of avm/res/storage/storage-account)	(Inherited): ktremain Karl Tremain fblix Felix Borst

Modules published in June 2025

No.	Module Name	Display Name	Owner(s)
01	avm/res/authorization/role-assignment/mg-scope	Authorization - Role Assignment - Management Group Scope (Child of avm/res/authorization/role-assignment)	(Inherited): arnoldna Nate Arnold
02	avm/res/authorization/role-assignment/rg-scope	Authorization - Role Assignment - Resource Group Scope (Child of avm/res/authorization/role-assignment)	(Inherited): arnoldna Nate Arnold
03	avm/res/authorization/role-assignment/sub-scope	Authorization - Role Assignment - Subscription Scope (Child of avm/res/authorization/role-assignment)	(Inherited): arnoldna Nate Arnold
04	avm/res/dev-center/devcenter	Dev Center	ahmadabdalla Ahmad Abdalla
05	avm/res/dev-center/project	Dev Center Project	ahmadabdalla Ahmad Abdalla
06	avm/res/machine-learning-services/registry	Machine Learning Services Registry	josunefon Jordi Sune Fontanals
07	avm/res/storage/storage-account/blob-service/container	Storage Account - Blob Container (Child of avm/res/storage/storage-account)	(Inherited): ktremain Karl Tremain fblix Felix Borst

Modules published in May 2025

No.	Module Name	Display Name	Owner(s)
01	avm/res/dev-center/network-connection	Dev Center Network Connection	ahmadabdalla Ahmad Abdalla
02	avm/res/security-insights/data-connector	Security Insights - Data Connector
03	avm/res/security-insights/setting	Security Insights - Setting

Modules published in March 2025

No.	Module Name	Display Name	Owner(s)
01	avm/res/azure-stack-hci/network-interface	Azure Stack HCI Network Interface
02	avm/res/azure-stack-hci/virtual-hard-disk	Azure Stack HCI Hard Disk
03	avm/res/hybrid-container-service/provisioned-cluster-instance	Hybrid Container Service - Provisioned Cluster Instance
04	avm/res/kubernetes/connected-cluster	Kubernetes Connected Cluster
05	avm/res/maintenance/configuration-assignment	Maintenance Configuration Assignment	eriqua Erika Gressi
06	avm/res/maps/account	Azure Maps Account	jhueppauff Julian Huppauff
07	avm/res/network/network-security-perimeter	Network Security Perimeter	peterbud Peter Budai
08	avm/res/network/virtual-network/subnet	Virtual Network - Subnet (Child of avm/res/network/virtual-network)	(Inherited): mjrich19 MJ Richardson

Modules published in February 2025

No.	Module Name	Display Name	Owner(s)
01	avm/res/app/session-pool	App Session Pool
02	avm/res/azure-stack-hci/cluster	Azure Stack HCI Cluster
03	avm/res/azure-stack-hci/logical-network	Azure Stack HCI Logical Network
04	avm/res/cache/redis-enterprise	Redis Enterprise Cache	JeffreyCA Jeffrey Chen
05	avm/res/hybrid-compute/gateway	Hybrid Compute Gateway
06	avm/res/hybrid-compute/license	Hybrid Compute License

Modules published in January 2025

No.	Module Name	Display Name	Status & Versions	Owner(s)
01	avm/res/network/express-route-port	ExpressRoute Port ER Port		arnoldna Nate Arnold

Modules published in December 2024

No.	Module Name	Display Name	Status & Versions	Owner(s)
01	avm/res/elastic-san/elastic-san	Elastic SAN SAN, ESAN, Elastic SAN, Azure Elastic Storage Area Network, iSCSI, internet Small Computer Systems Interface		jbinko Jiri Binko
02	avm/res/network/p2s-vpn-gateway	P2S VPN Gateway		ericscheffler Eric Scheffler

Modules published in October 2024

No.	Module Name	Display Name	Owner(s)
01	avm/res/fabric/capacity	Fabric	mswantek68 Mike Swantek cmaneu Christopher Maneu
02	avm/res/network/vpn-server-configuration	VPN Server Configuration	ericscheffler Eric Scheffler
03	avm/res/service-networking/traffic-controller	Application Gateway for Containers (Traffic Controller)	krbar Kris Baranek

Modules published in September 2024

No.	Module Name	Display Name	Status & Versions	Owner(s)
01	avm/res/dev-ops-infrastructure/pool	DevOps Infrastructure Pool		elizatargithub7 Eliza Tarasila

Modules published in June 2024

No.	Module Name	Display Name	Owner(s)
01	avm/res/alerts-management/action-rule	Action Rules	judyer28 Justin Dyer
02	avm/res/hybrid-compute/machine	Hybrid Compute Machine
03	avm/res/kusto/cluster	Azure Data Explorer (Kusto) cluster	oZakari Zach Trocinski
04	avm/res/portal/dashboard	Portal Dashboard	krbar Kris Baranek

Modules published in May 2024

No.	Module Name	Display Name	Owner(s)
01	avm/res/app/job	App Job	ReneHezser Rene Hezser
02	avm/res/communication/communication-service	Communication Service	donk-msft Don Koning
03	avm/res/communication/email-service	Email Communication Service	donk-msft Don Koning

Modules published in April 2024

No.	Module Name	Display Name	Owner(s)
01	avm/res/aad/domain-service	Azure Active Directory Domain Service AAD, Entra ID, Microsoft Entra Domain Services, AAD DS, Azure AD DS	ReneHezser Rene Hezser CRYP70N1X Paul Chirila
02	avm/res/healthcare-apis/workspace	Healthcare API Workspace
03	avm/res/load-test-service/load-test	Load Testing Service	sebassem Seif Bassem
04	avm/res/managed-services/registration-definition	Registration Definition (Lighthouse)
05	avm/res/network/application-gateway	Application Gateway App GW	toddbeauchemin Todd Beauchemin
06	avm/res/network/application-gateway-web-application-firewall-policy	Application Gateway Web Application Firewall (WAF) Policy	toddbeauchemin Todd Beauchemin
07	avm/res/network/network-watcher	Network Watcher	segraef Sebastian Graef
08	avm/res/service-fabric/cluster	Service Fabric Cluster	lsnoddy Luke Snoddy
09	avm/res/sql/instance-pool	SQL Instance Pool	gpacetti Giuseppe Pacetti
10	avm/res/sql/managed-instance	SQL Managed Instance SQL MI

Modules published in March 2024

No.	Module Name	Display Name	Owner(s)
01	avm/res/app-configuration/configuration-store	App Configuration Store	Jfolberth John Folberth
02	avm/res/cdn/profile	CDN Profile	gbeaud Guillaume Beaud
03	avm/res/compute/virtual-machine-scale-set	Virtual Machine Scale Set VMSS	josunefon Jordi Sune Fontanals
04	avm/res/container-instance/container-group	Container Instance ACI	JPEasier Julian Peißker
05	avm/res/digital-twins/digital-twins-instance	Digital Twins Instance	ryanmstephens Ryan Stephens
06	avm/res/event-grid/namespace	Event Grid Namespace	fabmas Fabio Masciotra
07	avm/res/event-hub/namespace	Event Hub Namespace
08	avm/res/network/azure-firewall	Azure Firewall Azure FW	jtracey93 Jack Tracey oZakari Zach Trocinski
09	avm/res/network/service-endpoint-policy	Service Endpoint Policy	jeetgarg Jeet Garg
10	avm/res/recovery-services/vault	Recovery Services Vault	alexanderojala Alexander Ojala
11	avm/res/relay/namespace	Relay Namespace
12	avm/res/signal-r-service/signal-r	SignalR Service SignalR
13	avm/res/signal-r-service/web-pub-sub	SignalR Web PubSub Service
14	avm/res/web/connection	API Connection
15	avm/res/web/hosting-environment	App Service Environment ASE	tsc-buddy Buddy Davies pankajagrawal16 Pankaj Agrawal

Modules published in February 2024

No.	Module Name	Display Name	Owner(s)
01	avm/res/compute/availability-set	Availability Set AS	ahmadabdalla Ahmad Abdalla
02	avm/res/desktop-virtualization/application-group	Azure Virtual Desktop (AVD) Application Group
03	avm/res/desktop-virtualization/host-pool	Azure Virtual Desktop (AVD) Host Pool
04	avm/res/desktop-virtualization/scaling-plan	Azure Virtual Desktop (AVD) Scaling Plan
05	avm/res/desktop-virtualization/workspace	Azure Virtual Desktop (AVD) Workspace
06	avm/res/dev-test-lab/lab	DevTest Lab	ahmadabdalla Ahmad Abdalla
07	avm/res/insights/private-link-scope	Azure Monitor Private Link Scope	ahmadabdalla Ahmad Abdalla
08	avm/res/machine-learning-services/workspace	Machine Learning Services Workspace ML Workspace	cecheta Chinedum Echeta ross-p-smith Ross Smith
09	avm/res/management/management-group	Management Group MG	fblix Felix Borst
10	avm/res/network/ip-group	IP Group	ahmadabdalla Ahmad Abdalla
11	avm/res/network/network-manager	Network Manager	ahmadabdalla Ahmad Abdalla
12	avm/res/network/private-link-service	Private Link Service	ahmadabdalla Ahmad Abdalla
13	avm/res/network/virtual-hub	Virtual Hub	arnoldna Nate Arnold
14	avm/res/network/virtual-wan	Virtual WAN vWAN	arnoldna Nate Arnold
15	avm/res/purview/account	Purview Account
16	avm/res/synapse/private-link-hub	Azure Synapse Analytics Private Link Hub	TomazMlakar Tomaz Mlakar
17	avm/res/synapse/workspace	Azure Synapse Analytics Workspace	TomazMlakar Tomaz Mlakar
18	avm/res/virtual-machine-images/image-template	Virtual Machine Image Template	ahmadabdalla Ahmad Abdalla

Modules published in January 2024

No.	Module Name	Display Name	Owner(s)
01	avm/res/analysis-services/server	Analysis Services Server
02	avm/res/app/container-app	Container App	oZakari Zach Trocinski
03	avm/res/cache/redis	Redis Cache
04	avm/res/compute/disk	Compute Disk	segraef Sebastian Graef
05	avm/res/compute/disk-encryption-set	Disk Encryption Set	segraef Sebastian Graef
06	avm/res/compute/image	Image	tony-box Tony Box
07	avm/res/compute/proximity-placement-group	Proximity Placement Group	jeetgarg Jeet Garg
08	avm/res/compute/virtual-machine	Virtual Machine VM	josunefon Jordi Sune Fontanals
09	avm/res/consumption/budget	Consumption Budget	segraef Sebastian Graef
10	avm/res/container-registry/registry	Azure Container Registry (ACR)	JPEasier Julian Peißker
11	avm/res/container-service/managed-cluster	Azure Kubernetes Service (AKS) Managed Cluster	JPEasier Julian Peißker
12	avm/res/data-protection/backup-vault	Data Protection Backup Vault
13	avm/res/databricks/access-connector	Azure Databricks Access Connector
14	avm/res/databricks/workspace	Azure Databricks Workspace
15	avm/res/db-for-my-sql/flexible-server	DB for MySQL Flexible Server
16	avm/res/health-bot/health-bot	Azure Health Bot
17	avm/res/net-app/net-app-account	Azure NetApp File	fbinotto Felipe Binotto
18	avm/res/network/ddos-protection-plan	DDoS Protection Plan	segraef Sebastian Graef
19	avm/res/network/firewall-policy	Firewall Policy	jtracey93 Jack Tracey oZakari Zach Trocinski
20	avm/res/network/front-door	Azure Front Door
21	avm/res/network/front-door-web-application-firewall-policy	Front Door Web Application Firewall (WAF) Policy	PaulJohnston88 Paul Johnston
22	avm/res/network/local-network-gateway	Local Network Gateway	fabmas Fabio Masciotra
23	avm/res/network/nat-gateway	NAT Gateway NAT GW	fabmas Fabio Masciotra
24	avm/res/network/virtual-network-gateway	Virtual Network Gateway VNET GW	fabmas Fabio Masciotra
25	avm/res/network/vpn-gateway	VPN Gateway VPN GW	fabmas Fabio Masciotra
26	avm/res/storage/storage-account	Storage Account	ktremain Karl Tremain fblix Felix Borst
27	avm/res/web/site	Web/Function App App Service, Web Site, Logic App, Function App	tsc-buddy Buddy Davies pankajagrawal16 Pankaj Agrawal
28	avm/res/web/static-site	Static Web App	ChrisSidebotham Chris Sidebotham

Modules published in December 2023

No.	Module Name	Display Name	Owner(s)
01	avm/res/api-management/service	API Management Service
02	avm/res/app/managed-environment	App Managed Environment
03	avm/res/automation/automation-account	Automation Account	gpacetti Giuseppe Pacetti
04	avm/res/compute/gallery	Azure Compute Gallery	ReneHezser Rene Hezser
05	avm/res/data-factory/factory	Data Factory
06	avm/res/document-db/database-account	Cosmos DB Database Account	cmaneu Christopher Maneu
07	avm/res/insights/activity-log-alert	Activity Log Alert	donk-msft Don Koning
08	avm/res/insights/data-collection-endpoint	Data Collection Endpoint	krbar Kris Baranek
09	avm/res/insights/data-collection-rule	Data Collection Rule DCR	krbar Kris Baranek
10	avm/res/insights/metric-alert	Metric Alert	kijunkang Ki Jun Kang
11	avm/res/insights/scheduled-query-rule	Scheduled Query Rule
12	avm/res/insights/webtest	Web Test	Jfolberth John Folberth
13	avm/res/maintenance/maintenance-configuration	Maintenance Configuration	arievanderwende Arie van der Wende
14	avm/res/managed-identity/user-assigned-identity	User Assigned Identity MSI	gpacetti Giuseppe Pacetti
15	avm/res/network/application-security-group	Application Security Group (ASG) ASG	segraef Sebastian Graef
16	avm/res/network/bastion-host	Bastion Host	krbar Kris Baranek
17	avm/res/network/connection	Virtual Network Gateway Connection	fabmas Fabio Masciotra
18	avm/res/network/network-security-group	Network Security Group NSG	ahmadabdalla Ahmad Abdalla
19	avm/res/network/public-ip-prefix	Public IP Prefix PIP Prefix	krbar Kris Baranek
20	avm/res/network/trafficmanagerprofile	Traffic Manager Profile	lsnoddy Luke Snoddy
21	avm/res/network/vpn-site	VPN Site	fabmas Fabio Masciotra
22	avm/res/resources/resource-group	Resource Group RG	segraef Sebastian Graef
23	avm/res/service-bus/namespace	Service Bus Namespace	ChrisSidebotham Chris Sidebotham
24	avm/res/web/serverfarm	App Service Plan	tsc-buddy Buddy Davies pankajagrawal16 Pankaj Agrawal

Modules published in November 2023

No.	Module Name	Display Name	Owner(s)
01	avm/res/batch/batch-account	Batch Account	didayal-msft Divyadeep Dayal
02	avm/res/db-for-postgre-sql/flexible-server	DB for Postgre SQL Flexible Server	arnoldna Nate Arnold
03	avm/res/event-grid/domain	Event Grid Domain	fabmas Fabio Masciotra
04	avm/res/event-grid/system-topic	Event Grid System Topic	fabmas Fabio Masciotra
05	avm/res/event-grid/topic	Event Grid Topic	fabmas Fabio Masciotra
06	avm/res/insights/component	Application Insight	krbar Kris Baranek
07	avm/res/insights/diagnostic-setting	Diagnostic Setting	krbar Kris Baranek
08	avm/res/logic/workflow	Logic Apps Workflow	lsnoddy Luke Snoddy
09	avm/res/network/express-route-circuit	ExpressRoute Circuit ER Circuit	arnoldna Nate Arnold
10	avm/res/network/express-route-gateway	Express Route Gateway ER GW	arnoldna Nate Arnold
11	avm/res/network/load-balancer	Load Balancer LB, NLB	arnoldna Nate Arnold
12	avm/res/network/route-table	Route Table UDR	segraef Sebastian Graef
13	avm/res/network/virtual-network	Virtual Network VNET	mjrich19 MJ Richardson
14	avm/res/operational-insights/workspace	Log Analytics Workspace	krbar Kris Baranek
15	avm/res/operations-management/solution	Operations Management Solution	krbar Kris Baranek
16	avm/res/power-bi-dedicated/capacity	Power BI Dedicated Capacity	ChrisSidebotham Chris Sidebotham
17	avm/res/resource-graph/query	Resource Graph Query	sebassem Seif Bassem
18	avm/res/resources/deployment-script	Deployment Script	sebassem Seif Bassem
19	avm/res/search/search-service	Search Service	krbar Kris Baranek
20	avm/res/sql/server	Azure SQL Server	peterbud Peter Budai

Modules published in October 2023

No.	Module Name	Display Name	Owner(s)
01	avm/res/cognitive-services/account	Azure AI Services (Cognitive Services)	jceval Javier Cevallos
02	avm/res/compute/ssh-public-key	Public SSH Key	ChrisSidebotham Chris Sidebotham
03	avm/res/document-db/mongo-cluster	Cosmos DB for MongoDB (vCore)	sinedied Yohan Lasorsa
04	avm/res/insights/action-group	Action Group	rahalan Rainer Halanek
05	avm/res/key-vault/vault	Key Vault KV	fblix Felix Borst
06	avm/res/kubernetes-configuration/extension	Kubernetes Configuration Extension	JPEasier Julian Peißker
07	avm/res/kubernetes-configuration/flux-configuration	Kubernetes Configuration Flux Configuration	JPEasier Julian Peißker
08	avm/res/network/dns-forwarding-ruleset	DNS Forwarding Ruleset	ChrisSidebotham Chris Sidebotham
09	avm/res/network/dns-resolver	DNS Resolver	ChrisSidebotham Chris Sidebotham
10	avm/res/network/dns-zone	Public DNS Zone	ChrisSidebotham Chris Sidebotham
11	avm/res/network/network-interface	Network Interface NIC	rahalan Rainer Halanek
12	avm/res/network/private-dns-zone	Private DNS Zone	ChrisSidebotham Chris Sidebotham
13	avm/res/network/private-endpoint	Private Endpoint	segraef Sebastian Graef
14	avm/res/network/public-ip-address	Public IP Address PIP	ChrisSidebotham Chris Sidebotham krbar Kris Baranek

Consistent Features & Extension Resources (Interfaces)

➕ Consistent Features & Extension Resources (Interfaces)

The following table shows which Bicep resource modules have which consistent features and extension resources (interfaces) implemented as defined in the Bicep Interfaces specification.

#	Module	RBAC	Locks	Tags	Diag	PE	CMK	CMK-mHSM	Identity
1	avm/res/aad/domain-service	✅	✅	✅	✅
2	avm/res/alerts-management/action-rule	✅	✅	✅
3	avm/res/analysis-services/server	✅	✅	✅	✅
4	avm/res/api-management/service	✅	✅	✅	✅	✅			✅
5	avm/res/app-configuration/configuration-store	✅	✅	✅	✅	✅	✅		✅
6	avm/res/app/container-app	✅	✅	✅	✅				✅
7	avm/res/app/job	✅	✅	✅					✅
8	avm/res/app/managed-environment	✅	✅	✅					✅
9	avm/res/app/session-pool	✅	✅	✅					✅
10	avm/res/authorization/policy-assignment
11	avm/res/authorization/role-assignment
12	avm/res/automation/automation-account	✅	✅	✅	✅	✅	✅		✅
13	avm/res/azure-stack-hci/cluster	✅		✅
14	avm/res/azure-stack-hci/logical-network	✅		✅
15	avm/res/azure-stack-hci/marketplace-gallery-image	✅		✅
16	avm/res/azure-stack-hci/network-interface	✅		✅
17	avm/res/azure-stack-hci/virtual-hard-disk	✅		✅
18	avm/res/azure-stack-hci/virtual-machine-instance	✅
19	avm/res/batch/batch-account	✅	✅	✅	✅	✅	✅		✅
20	avm/res/cache/redis	✅	✅	✅	✅	✅			✅
#	Module	RBAC	Locks	Tags	Diag	PE	CMK	CMK-mHSM	Identity
21	avm/res/cache/redis-enterprise	✅	✅	✅	✅	✅	✅	✅	✅
22	avm/res/cdn/profile	✅	✅	✅	✅				✅
23	avm/res/cognitive-services/account	✅	✅	✅	✅	✅	✅	✅	✅
24	avm/res/communication/communication-service	✅	✅	✅	✅				✅
25	avm/res/communication/email-service	✅	✅	✅
26	avm/res/compute/availability-set	✅	✅	✅
27	avm/res/compute/disk	✅	✅	✅
28	avm/res/compute/disk-encryption-set	✅	✅	✅			✅	✅	✅
29	avm/res/compute/gallery	✅	✅	✅
30	avm/res/compute/image	✅		✅
31	avm/res/compute/proximity-placement-group	✅	✅	✅
32	avm/res/compute/ssh-public-key	✅	✅	✅
33	avm/res/compute/virtual-machine	✅	✅	✅					✅
34	avm/res/compute/virtual-machine-scale-set	✅	✅	✅	✅				✅
35	avm/res/consumption/budget
36	avm/res/container-instance/container-group		✅	✅			✅		✅
37	avm/res/container-registry/registry	✅	✅	✅	✅	✅	✅		✅
38	avm/res/container-service/managed-cluster	✅	✅	✅	✅				✅
39	avm/res/data-factory/factory	✅	✅	✅	✅	✅	✅	✅	✅
40	avm/res/data-protection/backup-vault	✅	✅	✅			✅	✅	✅
#	Module	RBAC	Locks	Tags	Diag	PE	CMK	CMK-mHSM	Identity
41	avm/res/databricks/access-connector	✅	✅	✅					✅
42	avm/res/databricks/workspace	✅	✅	✅	✅	✅	✅	✅
43	avm/res/db-for-my-sql/flexible-server	✅	✅	✅	✅	✅	✅	✅	✅
44	avm/res/db-for-postgre-sql/flexible-server	✅	✅	✅	✅	✅	✅	✅	✅
45	avm/res/desktop-virtualization/application-group	✅	✅	✅	✅
46	avm/res/desktop-virtualization/host-pool	✅	✅	✅	✅	✅
47	avm/res/desktop-virtualization/scaling-plan	✅	✅	✅	✅
48	avm/res/desktop-virtualization/workspace	✅	✅	✅	✅	✅
49	avm/res/dev-center/devcenter	✅	✅	✅	✅				✅
50	avm/res/dev-center/network-connection	✅	✅	✅
51	avm/res/dev-center/project	✅	✅	✅					✅
52	avm/res/dev-ops-infrastructure/pool	✅	✅	✅	✅				✅
53	avm/res/dev-test-lab/lab	✅	✅	✅					✅
54	avm/res/digital-twins/digital-twins-instance	✅	✅	✅	✅	✅			✅
55	avm/res/document-db/database-account	✅	✅	✅	✅	✅			✅
56	avm/res/document-db/mongo-cluster	✅	✅	✅	✅	✅
57	avm/res/elastic-san/elastic-san	✅	✅	✅	✅
58	avm/res/event-grid/domain	✅	✅	✅	✅	✅			✅
59	avm/res/event-grid/namespace	✅	✅	✅	✅	✅			✅
60	avm/res/event-grid/system-topic	✅	✅	✅	✅				✅
#	Module	RBAC	Locks	Tags	Diag	PE	CMK	CMK-mHSM	Identity
61	avm/res/event-grid/topic	✅	✅	✅	✅	✅			✅
62	avm/res/event-hub/namespace	✅	✅	✅	✅	✅	✅	✅	✅
63	avm/res/fabric/capacity		✅	✅
64	avm/res/health-bot/health-bot	✅	✅	✅					✅
65	avm/res/healthcare-apis/workspace	✅	✅	✅
66	avm/res/hybrid-compute/gateway		✅	✅
67	avm/res/hybrid-compute/license			✅
68	avm/res/hybrid-compute/machine	✅	✅	✅
69	avm/res/hybrid-container-service/provisioned-cluster-instance			✅
70	avm/res/insights/action-group	✅	✅	✅
71	avm/res/insights/activity-log-alert	✅	✅	✅
72	avm/res/insights/component	✅	✅	✅	✅
73	avm/res/insights/data-collection-endpoint	✅	✅	✅
74	avm/res/insights/data-collection-rule	✅	✅	✅					✅
75	avm/res/insights/diagnostic-setting
76	avm/res/insights/metric-alert	✅	✅	✅
77	avm/res/insights/private-link-scope	✅	✅	✅		✅
78	avm/res/insights/scheduled-query-rule	✅	✅	✅					✅
79	avm/res/insights/webtest	✅	✅	✅
80	avm/res/key-vault/vault	✅	✅	✅	✅	✅
#	Module	RBAC	Locks	Tags	Diag	PE	CMK	CMK-mHSM	Identity
81	avm/res/kubernetes-configuration/extension
82	avm/res/kubernetes-configuration/flux-configuration
83	avm/res/kubernetes-runtime/load-balancer
84	avm/res/kubernetes/connected-cluster	✅		✅
85	avm/res/kusto/cluster	✅	✅	✅	✅	✅	✅		✅
86	avm/res/load-test-service/load-test	✅	✅	✅			✅		✅
87	avm/res/logic/integration-account	✅	✅	✅	✅
88	avm/res/logic/workflow	✅	✅	✅	✅				✅
89	avm/res/machine-learning-services/registry	✅	✅	✅		✅			✅
90	avm/res/machine-learning-services/workspace	✅	✅	✅	✅	✅	✅		✅
91	avm/res/maintenance/configuration-assignment
92	avm/res/maintenance/maintenance-configuration	✅	✅	✅
93	avm/res/managed-identity/user-assigned-identity	✅	✅	✅
94	avm/res/managed-services/registration-definition
95	avm/res/management/management-group
96	avm/res/management/service-group	✅	✅
97	avm/res/maps/account	✅		✅			✅	✅	✅
98	avm/res/net-app/net-app-account	✅	✅	✅			✅	✅	✅
99	avm/res/network/application-gateway	✅	✅	✅	✅	✅			✅
100	avm/res/network/application-gateway-web-application-firewall-policy			✅
#	Module	RBAC	Locks	Tags	Diag	PE	CMK	CMK-mHSM	Identity
101	avm/res/network/application-security-group	✅	✅	✅
102	avm/res/network/azure-firewall	✅	✅	✅	✅
103	avm/res/network/bastion-host	✅	✅	✅	✅
104	avm/res/network/connection		✅	✅
105	avm/res/network/ddos-protection-plan	✅	✅	✅
106	avm/res/network/dns-forwarding-ruleset	✅	✅	✅
107	avm/res/network/dns-resolver	✅	✅	✅
108	avm/res/network/dns-zone	✅	✅	✅
109	avm/res/network/express-route-circuit	✅	✅	✅	✅
110	avm/res/network/express-route-gateway	✅	✅	✅
111	avm/res/network/express-route-port	✅	✅	✅					✅
112	avm/res/network/firewall-policy	✅	✅	✅					✅
113	avm/res/network/front-door	✅	✅	✅	✅
114	avm/res/network/front-door-web-application-firewall-policy	✅	✅	✅
115	avm/res/network/ip-group	✅	✅	✅
116	avm/res/network/load-balancer	✅	✅	✅	✅
117	avm/res/network/local-network-gateway	✅	✅	✅
118	avm/res/network/nat-gateway	✅	✅	✅
119	avm/res/network/network-interface	✅	✅	✅	✅
120	avm/res/network/network-manager	✅	✅	✅
#	Module	RBAC	Locks	Tags	Diag	PE	CMK	CMK-mHSM	Identity
121	avm/res/network/network-security-group	✅	✅	✅	✅
122	avm/res/network/network-security-perimeter	✅	✅	✅	✅
123	avm/res/network/network-watcher	✅	✅	✅
124	avm/res/network/p2s-vpn-gateway		✅	✅
125	avm/res/network/private-dns-zone	✅	✅	✅
126	avm/res/network/private-endpoint	✅	✅	✅
127	avm/res/network/private-link-service	✅	✅	✅
128	avm/res/network/public-ip-address	✅	✅	✅	✅
129	avm/res/network/public-ip-prefix	✅	✅	✅
130	avm/res/network/route-table	✅	✅	✅
131	avm/res/network/service-endpoint-policy	✅	✅	✅
132	avm/res/network/trafficmanagerprofile	✅	✅	✅	✅
133	avm/res/network/virtual-hub		✅	✅
134	avm/res/network/virtual-network	✅	✅	✅	✅
135	avm/res/network/virtual-network-gateway	✅	✅	✅	✅
136	avm/res/network/virtual-wan	✅	✅	✅
137	avm/res/network/vpn-gateway		✅	✅
138	avm/res/network/vpn-server-configuration		✅	✅
139	avm/res/network/vpn-site	✅	✅	✅
140	avm/res/operational-insights/cluster	✅	✅	✅			✅	✅	✅
#	Module	RBAC	Locks	Tags	Diag	PE	CMK	CMK-mHSM	Identity
141	avm/res/operational-insights/workspace	✅	✅	✅	✅				✅
142	avm/res/operations-management/solution
143	avm/res/portal/dashboard	✅	✅	✅
144	avm/res/power-bi-dedicated/capacity	✅	✅	✅
145	avm/res/purview/account	✅	✅	✅	✅				✅
146	avm/res/recovery-services/vault	✅	✅	✅	✅	✅	✅	✅	✅
147	avm/res/relay/namespace	✅	✅	✅	✅	✅
148	avm/res/resource-graph/query	✅	✅	✅
149	avm/res/resources/deployment-script	✅	✅	✅					✅
150	avm/res/resources/resource-group	✅	✅	✅
151	avm/res/search/search-service	✅	✅	✅	✅	✅			✅
152	avm/res/security-insights/data-connector
153	avm/res/security-insights/setting	✅
154	avm/res/service-bus/namespace	✅	✅	✅	✅	✅	✅	✅	✅
155	avm/res/service-fabric/cluster	✅	✅	✅
156	avm/res/service-networking/traffic-controller	✅	✅	✅	✅
157	avm/res/signal-r-service/signal-r	✅	✅	✅	✅	✅			✅
158	avm/res/signal-r-service/web-pub-sub	✅	✅	✅		✅			✅
159	avm/res/sql/instance-pool			✅
160	avm/res/sql/managed-instance	✅	✅	✅	✅				✅
#	Module	RBAC	Locks	Tags	Diag	PE	CMK	CMK-mHSM	Identity
161	avm/res/sql/server	✅	✅	✅		✅	✅	✅	✅
162	avm/res/storage/storage-account	✅	✅	✅	✅	✅	✅	✅	✅
163	avm/res/synapse/private-link-hub	✅	✅	✅		✅
164	avm/res/synapse/workspace	✅	✅	✅	✅	✅	✅		✅
165	avm/res/virtual-machine-images/image-template	✅	✅	✅					✅
166	avm/res/web/connection	✅	✅	✅
167	avm/res/web/hosting-environment	✅	✅	✅	✅				✅
168	avm/res/web/serverfarm	✅	✅	✅	✅
169	avm/res/web/site	✅	✅	✅	✅	✅			✅
170	avm/res/web/static-site	✅	✅	✅		✅			✅
Sum		146	144	155	67	39	25	16	65

For Module Owners & Contributors

Note

This section is mainly intended for module owners and contributors as it contains information important for module development, such as telemetry ID prefix, and GitHub Teams for Owners.

Module name, Telemetry ID prefix, GitHub Teams for Owners

➕ All Modules - Module name, Telemetry ID prefix, GitHub Teams for Owners

No.	Module Name	Telemetry ID prefix	GitHub Teams for Module Owners (`@Azure` org)
01	avm/res/aad/domain-service	`46d3xbcp.res.aad-domainservice`	`avm-res-aad-domainservice-module-owners-bicep`
02	avm/res/alerts-management/action-rule	`46d3xbcp.res.alertsmanagement-actionrule`	`avm-res-alertsmanagement-actionrule-module-owners-bicep`
03	avm/res/analysis-services/server	`46d3xbcp.res.analysisservices-server`	`avm-res-analysisservices-server-module-owners-bicep`
04	avm/res/api-center/service	`46d3xbcp.res.apicenter-service`	`avm-res-apicenter-service-module-owners-bicep`
05	avm/res/api-management/service	`46d3xbcp.res.apimanagement-service`	`avm-res-apimanagement-service-module-owners-bicep`
06	avm/res/api-management/service/api	`46d3xbcp.res.apimgmt-api`	`avm-res-apimanagement-service-module-owners-bicep`
07	avm/res/api-management/service/api-version-set	`46d3xbcp.res.apimgmt-apiversionset`	`avm-res-apimanagement-service-module-owners-bicep`
08	avm/res/api-management/service/api/diagnostics	`46d3xbcp.res.apimgm-apidiagnostics`	`avm-res-apimanagement-service-module-owners-bicep`
09	avm/res/api-management/service/api/policy	`46d3xbcp.res.apimgmt-apipolicy`	`avm-res-apimanagement-service-module-owners-bicep`
10	avm/res/api-management/service/authorization-server	`46d3xbcp.res.apimgmt-authzserver`	`avm-res-apimanagement-service-module-owners-bicep`
11	avm/res/api-management/service/backend	`46d3xbcp.res.apimgmt-backend`	`avm-res-apimanagement-service-module-owners-bicep`
12	avm/res/api-management/service/cache	`46d3xbcp.res.apimgmt-cache`	`avm-res-apimanagement-service-module-owners-bicep`
13	avm/res/api-management/service/diagnostics	`46d3xbcp.res.apimgmt-diagnostics`	`avm-res-apimanagement-service-module-owners-bicep`
14	avm/res/api-management/service/identity-provider	`46d3xbcp.res.apimgmt-identityprovider`	`avm-res-apimanagement-service-module-owners-bicep`
15	avm/res/api-management/service/logger	`46d3xbcp.res.apimgmt-logger`	`avm-res-apimanagement-service-module-owners-bicep`
16	avm/res/api-management/service/named-value	`46d3xbcp.res.apimgmt-namedvalue`	`avm-res-apimanagement-service-module-owners-bicep`
17	avm/res/api-management/service/policy	`46d3xbcp.res.apimgmt-policy`	`avm-res-apimanagement-service-module-owners-bicep`
18	avm/res/api-management/service/portalsetting	`46d3xbcp.res.apimgmt-portalsetting`	`avm-res-apimanagement-service-module-owners-bicep`
19	avm/res/api-management/service/private-endpoint-connection	`46d3xbcp.res.apimgmt-privendpointconn`	`avm-res-apimanagement-service-module-owners-bicep`
20	avm/res/api-management/service/product	`46d3xbcp.res.apimgmt-product`	`avm-res-apimanagement-service-module-owners-bicep`
21	avm/res/api-management/service/product/api	`46d3xbcp.res.apimgmt-productapi`	`avm-res-apimanagement-service-module-owners-bicep`
22	avm/res/api-management/service/product/group	`46d3xbcp.res.apimgmt-productgroup`	`avm-res-apimanagement-service-module-owners-bicep`
23	avm/res/api-management/service/subscription	`46d3xbcp.res.apimgmt-subscription`	`avm-res-apimanagement-service-module-owners-bicep`
24	avm/res/api-management/service/workspace	`46d3xbcp.res.apimgmt-workspace`	`avm-res-apimanagement-service-module-owners-bicep`
25	avm/res/app-configuration/configuration-store	`46d3xbcp.res.appconfiguration-configurationstore`	`avm-res-appconfiguration-configurationstore-module-owners-bicep`
26	avm/res/app/container-app	`46d3xbcp.res.app-containerapp`	`avm-res-app-containerapp-module-owners-bicep`
27	avm/res/app/job	`46d3xbcp.res.app-job`	`avm-res-app-job-module-owners-bicep`
28	avm/res/app/managed-environment	`46d3xbcp.res.app-managedenvironment`	`avm-res-app-managedenvironment-module-owners-bicep`
29	avm/res/app/session-pool	`46d3xbcp.res.app-sessionpool`	`avm-res-app-sessionpool-module-owners-bicep`
30	avm/res/authorization/policy-assignment	`46d3xbcp.res.authz-policyassignment`	`avm-res-authorization-policyassignment-module-owners-bicep`
31	avm/res/authorization/policy-assignment/mg-scope	`46d3xbcp.res.authz-policyassignment_mgscope`	`avm-res-authorization-policyassignment-module-owners-bicep`
32	avm/res/authorization/policy-assignment/rg-scope	`46d3xbcp.res.authz-policyassignment_rgscope`	`avm-res-authorization-policyassignment-module-owners-bicep`
33	avm/res/authorization/policy-assignment/sub-scope	`46d3xbcp.res.authz-policyassignment_subscope`	`avm-res-authorization-policyassignment-module-owners-bicep`
34	avm/res/authorization/role-assignment	`46d3xbcp.res.authz-roleassignment`	`avm-res-authorization-roleassignment-module-owners-bicep`
35	avm/res/authorization/role-assignment/mg-scope	`46d3xbcp.res.authz-roleassignment_mgscope`	`avm-res-authorization-roleassignment-module-owners-bicep`
36	avm/res/authorization/role-assignment/rg-scope	`46d3xbcp.res.authz-roleassignment_rgscope`	`avm-res-authorization-roleassignment-module-owners-bicep`
37	avm/res/authorization/role-assignment/sub-scope	`46d3xbcp.res.authz-roleassignment_subscope`	`avm-res-authorization-roleassignment-module-owners-bicep`
38	avm/res/automation/automation-account	`46d3xbcp.res.automation-automationaccount`	`avm-res-automation-automationaccount-module-owners-bicep`
39	avm/res/avs/private-cloud	`46d3xbcp.res.avs-privatecloud`	`avm-res-avs-privatecloud-module-owners-bicep`
40	avm/res/azure-stack-hci/cluster	`46d3xbcp.res.azurestackhci-cluster`	`avm-res-azurestackhci-cluster-module-owners-bicep`
41	avm/res/azure-stack-hci/cluster/arc-setting/extension	`46d3xbcp.res.azurestackhci-clusterarcsetting`	`avm-res-azurestackhci-cluster-module-owners-bicep`
42	avm/res/azure-stack-hci/logical-network	`46d3xbcp.res.azurestackhci-logicalnetwork`	`avm-res-azurestackhci-logicalnetwork-module-owners-bicep`
43	avm/res/azure-stack-hci/marketplace-gallery-image	`46d3xbcp.res.azurestackhci-markplgalleryimg`	`avm-res-azurestackhci-marketplacegalleryimage-module-owners-bicep`
44	avm/res/azure-stack-hci/network-interface	`46d3xbcp.res.azurestackhci-networkinterface`	`avm-res-azurestackhci-networkinterface-module-owners-bicep`
45	avm/res/azure-stack-hci/virtual-hard-disk	`46d3xbcp.res.azurestackhci-virtualharddisk`	`avm-res-azurestackhci-virtualharddisk-module-owners-bicep`
46	avm/res/azure-stack-hci/virtual-machine-instance	`46d3xbcp.res.azurestackhci-virtualmachineinstance`	`avm-res-azurestackhci-virtualmachineinstance-module-owners-bicep`
47	avm/res/batch/batch-account	`46d3xbcp.res.batch-batchaccount`	`avm-res-batch-batchaccount-module-owners-bicep`
48	avm/res/bot-service/bot-service	`46d3xbcp.res.botservice-botservice`	`avm-res-botservice-botservice-module-owners-bicep`
49	avm/res/cache/redis	`46d3xbcp.res.cache-redis`	`avm-res-cache-redis-module-owners-bicep`
50	avm/res/cache/redis-enterprise	`46d3xbcp.res.cache-redisenterprise`	`avm-res-cache-redisenterprise-module-owners-bicep`
51	avm/res/cdn/profile	`46d3xbcp.res.cdn-profile`	`avm-res-cdn-profile-module-owners-bicep`
52	avm/res/chaos/experiment	`46d3xbcp.res.chaos-experiment`	`avm-res-chaos-experiment-module-owners-bicep`
53	avm/res/cognitive-services/account	`46d3xbcp.res.cognitiveservices-account`	`avm-res-cognitiveservices-account-module-owners-bicep`
54	avm/res/communication/communication-service	`46d3xbcp.res.communication-communicationservice`	`avm-res-communication-communicationservice-module-owners-bicep`
55	avm/res/communication/email-service	`46d3xbcp.res.communication-emailservice`	`avm-res-communication-emailservice-module-owners-bicep`
56	avm/res/compute/availability-set	`46d3xbcp.res.compute-availabilityset`	`avm-res-compute-availabilityset-module-owners-bicep`
57	avm/res/compute/disk	`46d3xbcp.res.compute-disk`	`avm-res-compute-disk-module-owners-bicep`
58	avm/res/compute/disk-encryption-set	`46d3xbcp.res.compute-diskencryptionset`	`avm-res-compute-diskencryptionset-module-owners-bicep`
59	avm/res/compute/gallery	`46d3xbcp.res.compute-gallery`	`avm-res-compute-gallery-module-owners-bicep`
60	avm/res/compute/image	`46d3xbcp.res.compute-image`	`avm-res-compute-image-module-owners-bicep`
61	avm/res/compute/proximity-placement-group	`46d3xbcp.res.compute-proximityplacementgroup`	`avm-res-compute-proximityplacementgroup-module-owners-bicep`
62	avm/res/compute/ssh-public-key	`46d3xbcp.res.compute-sshpublickey`	`avm-res-compute-sshpublickey-module-owners-bicep`
63	avm/res/compute/virtual-machine	`46d3xbcp.res.compute-virtualmachine`	`avm-res-compute-virtualmachine-module-owners-bicep`
64	avm/res/compute/virtual-machine-scale-set	`46d3xbcp.res.compute-virtualmachinescaleset`	`avm-res-compute-virtualmachinescaleset-module-owners-bicep`
65	avm/res/consumption/budget	`46d3xbcp.res.consumption-budget`	`avm-res-consumption-budget-module-owners-bicep`
66	avm/res/consumption/budget/mg-scope	`46d3xbcp.res.consumption-budget_mgscope`	`avm-res-consumption-budget-module-owners-bicep`
67	avm/res/consumption/budget/rg-scope	`46d3xbcp.res.consumption-budget_rgscope`	`avm-res-consumption-budget-module-owners-bicep`
68	avm/res/consumption/budget/sub-scope	`46d3xbcp.res.consumption-budget_subscope`	`avm-res-consumption-budget-module-owners-bicep`
69	avm/res/container-instance/container-group	`46d3xbcp.res.containerinstance-containergroup`	`avm-res-containerinstance-containergroup-module-owners-bicep`
70	avm/res/container-registry/registry	`46d3xbcp.res.containerregistry-registry`	`avm-res-containerregistry-registry-module-owners-bicep`
71	avm/res/container-service/managed-cluster	`46d3xbcp.res.containerservice-managedcluster`	`avm-res-containerservice-managedcluster-module-owners-bicep`
72	avm/res/dashboard/grafana	`46d3xbcp.res.dashboard-grafana`	`avm-res-dashboard-grafana-module-owners-bicep`
73	avm/res/data-factory/factory	`46d3xbcp.res.datafactory-factory`	`avm-res-datafactory-factory-module-owners-bicep`
74	avm/res/data-protection/backup-vault	`46d3xbcp.res.dataprotection-backupvault`	`avm-res-dataprotection-backupvault-module-owners-bicep`
75	avm/res/data-protection/resource-guard	`46d3xbcp.res.dataprotection-resourceguard`	`avm-res-dataprotection-resourceguard-module-owners-bicep`
76	avm/res/databricks/access-connector	`46d3xbcp.res.databricks-accessconnector`	`avm-res-databricks-accessconnector-module-owners-bicep`
77	avm/res/databricks/workspace	`46d3xbcp.res.databricks-workspace`	`avm-res-databricks-workspace-module-owners-bicep`
78	avm/res/db-for-my-sql/flexible-server	`46d3xbcp.res.dbformysql-flexibleserver`	`avm-res-dbformysql-flexibleserver-module-owners-bicep`
79	avm/res/db-for-postgre-sql/flexible-server	`46d3xbcp.res.dbforpostgresql-flexibleserver`	`avm-res-dbforpostgresql-flexibleserver-module-owners-bicep`
80	avm/res/desktop-virtualization/application-group	`46d3xbcp.res.desktopvirtualization-appgroup`	`avm-res-desktopvirtualization-applicationgroup-module-owners-bicep`
81	avm/res/desktop-virtualization/host-pool	`46d3xbcp.res.desktopvirtualization-hostpool`	`avm-res-desktopvirtualization-hostpool-module-owners-bicep`
82	avm/res/desktop-virtualization/scaling-plan	`46d3xbcp.res.desktopvirtualization-scalingplan`	`avm-res-desktopvirtualization-scalingplan-module-owners-bicep`
83	avm/res/desktop-virtualization/workspace	`46d3xbcp.res.desktopvirtualization-workspace`	`avm-res-desktopvirtualization-workspace-module-owners-bicep`
84	avm/res/dev-center/devcenter	`46d3xbcp.res.devcenter-devcenter`	`avm-res-devcenter-devcenter-module-owners-bicep`
85	avm/res/dev-center/network-connection	`46d3xbcp.res.devcenter-networkconnection`	`avm-res-devcenter-networkconnection-module-owners-bicep`
86	avm/res/dev-center/project	`46d3xbcp.res.devcenter-project`	`avm-res-devcenter-project-module-owners-bicep`
87	avm/res/dev-ops-infrastructure/pool	`46d3xbcp.res.devopsinfrastructure-pool`	`avm-res-devopsinfrastructure-pool-module-owners-bicep`
88	avm/res/dev-test-lab/lab	`46d3xbcp.res.devtestlab-lab`	`avm-res-devtestlab-lab-module-owners-bicep`
89	avm/res/digital-twins/digital-twins-instance	`46d3xbcp.res.digitaltwins-digitaltwinsinstance`	`avm-res-digitaltwins-digitaltwinsinstance-module-owners-bicep`
90	avm/res/document-db/database-account	`46d3xbcp.res.documentdb-databaseaccount`	`avm-res-documentdb-databaseaccount-module-owners-bicep`
91	avm/res/document-db/database-account/sql-database	`46d3xbcp.res.documentdb-databaseaccountsqldb`	`avm-res-documentdb-databaseaccount-module-owners-bicep`
92	avm/res/document-db/database-account/sql-role-assignment	`46d3xbcp.res.doctdb-dbacct-sqlroleassignment`	`avm-res-documentdb-databaseaccount-module-owners-bicep`
93	avm/res/document-db/database-account/sql-role-definition	`46d3xbcp.res.doctdb-dbacct-sqlroledefinition`	`avm-res-documentdb-databaseaccount-module-owners-bicep`
94	avm/res/document-db/database-account/table	`46d3xbcp.res.documentdb-databaseaccounttable`	`avm-res-documentdb-databaseaccount-module-owners-bicep`
95	avm/res/document-db/mongo-cluster	`46d3xbcp.res.documentdb-mongocluster`	`avm-res-documentdb-mongocluster-module-owners-bicep`
96	avm/res/durable-task/scheduler	`46d3xbcp.res.durabletask-scheduler`	`avm-res-durabletask-scheduler-module-owners-bicep`
97	avm/res/edge-order/order-item	`46d3xbcp.res.edgeorder-orderitem`	`avm-res-edgeorder-orderitem-module-owners-bicep`
98	avm/res/edge/configuration	`46d3xbcp.res.edge-configuration`	`avm-res-edge-configuration-module-owners-bicep`
99	avm/res/edge/site	`46d3xbcp.res.edge-site`	`avm-res-edge-site-module-owners-bicep`
100	avm/res/edge/site/rg-scope	`46d3xbcp.res.edge-site_rgscope`	`avm-res-edge-site-module-owners-bicep`
101	avm/res/edge/site/sub-scope	`46d3xbcp.res.edge-site_subscope`	`avm-res-edge-site-module-owners-bicep`
102	avm/res/elastic-san/elastic-san	`46d3xbcp.res.elasticsan-elasticsan`	`avm-res-elasticsan-elasticsan-module-owners-bicep`
103	avm/res/event-grid/domain	`46d3xbcp.res.eventgrid-domain`	`avm-res-eventgrid-domain-module-owners-bicep`
104	avm/res/event-grid/namespace	`46d3xbcp.res.eventgrid-namespace`	`avm-res-eventgrid-namespace-module-owners-bicep`
105	avm/res/event-grid/system-topic	`46d3xbcp.res.eventgrid-systemtopic`	`avm-res-eventgrid-systemtopic-module-owners-bicep`
106	avm/res/event-grid/topic	`46d3xbcp.res.eventgrid-topic`	`avm-res-eventgrid-topic-module-owners-bicep`
107	avm/res/event-hub/namespace	`46d3xbcp.res.eventhub-namespace`	`avm-res-eventhub-namespace-module-owners-bicep`
108	avm/res/event-hub/namespace/eventhub	`46d3xbcp.res.eventhub-nseventhub`	`avm-res-eventhub-namespace-module-owners-bicep`
109	avm/res/fabric/capacity	`46d3xbcp.res.fabric-capacity`	`avm-res-fabric-capacity-module-owners-bicep`
110	avm/res/health-bot/health-bot	`46d3xbcp.res.healthbot-healthbot`	`avm-res-healthbot-healthbot-module-owners-bicep`
111	avm/res/healthcare-apis/workspace	`46d3xbcp.res.healthcareapis-workspace`	`avm-res-healthcareapis-workspace-module-owners-bicep`
112	avm/res/hybrid-compute/gateway	`46d3xbcp.res.hybridcompute-gateway`	`avm-res-hybridcompute-gateway-module-owners-bicep`
113	avm/res/hybrid-compute/license	`46d3xbcp.res.hybridcompute-license`	`avm-res-hybridcompute-license-module-owners-bicep`
114	avm/res/hybrid-compute/machine	`46d3xbcp.res.hybridcompute-machine`	`avm-res-hybridcompute-machine-module-owners-bicep`
115	avm/res/hybrid-compute/private-link-scope	`46d3xbcp.res.hybridcompute-privatelinkscope`	`avm-res-hybridcompute-privatelinkscope-module-owners-bicep`
116	avm/res/hybrid-compute/setting	`46d3xbcp.res.hybridcompute-setting`	`avm-res-hybridcompute-setting-module-owners-bicep`
117	avm/res/hybrid-container-service/provisioned-cluster-instance	`46d3xbcp.res.hybcontsvc-provclustinst`	`avm-res-hybridcontainerservice-provisionedclusterinstance-module-owners-bicep`
118	avm/res/insights/action-group	`46d3xbcp.res.insights-actiongroup`	`avm-res-insights-actiongroup-module-owners-bicep`
119	avm/res/insights/activity-log-alert	`46d3xbcp.res.insights-activitylogalert`	`avm-res-insights-activitylogalert-module-owners-bicep`
120	avm/res/insights/autoscale-setting	`46d3xbcp.res.insights-autoscalesetting`	`avm-res-insights-autoscalesetting-module-owners-bicep`
121	avm/res/insights/component	`46d3xbcp.res.insights-component`	`avm-res-insights-component-module-owners-bicep`
122	avm/res/insights/data-collection-endpoint	`46d3xbcp.res.insights-datacollectionendpoint`	`avm-res-insights-datacollectionendpoint-module-owners-bicep`
123	avm/res/insights/data-collection-rule	`46d3xbcp.res.insights-datacollectionrule`	`avm-res-insights-datacollectionrule-module-owners-bicep`
124	avm/res/insights/diagnostic-setting	`46d3xbcp.res.insights-diagnosticsetting`	`avm-res-insights-diagnosticsetting-module-owners-bicep`
125	avm/res/insights/metric-alert	`46d3xbcp.res.insights-metricalert`	`avm-res-insights-metricalert-module-owners-bicep`
126	avm/res/insights/private-link-scope	`46d3xbcp.res.insights-privatelinkscope`	`avm-res-insights-privatelinkscope-module-owners-bicep`
127	avm/res/insights/scheduled-query-rule	`46d3xbcp.res.insights-scheduledqueryrule`	`avm-res-insights-scheduledqueryrule-module-owners-bicep`
128	avm/res/insights/webtest	`46d3xbcp.res.insights-webtest`	`avm-res-insights-webtest-module-owners-bicep`
129	avm/res/iot-operations/instance	`46d3xbcp.res.iotoperations-instance`	`avm-res-iotoperations-instance-module-owners-bicep`
130	avm/res/key-vault/managed-hsm	`46d3xbcp.res.keyvault-managedhsm`	`avm-res-keyvault-managedhsm-module-owners-bicep`
131	avm/res/key-vault/vault	`46d3xbcp.res.keyvault-vault`	`avm-res-keyvault-vault-module-owners-bicep`
132	avm/res/key-vault/vault/access-policy	`46d3xbcp.res.keyvault-accesspolicy`	`avm-res-keyvault-vault-module-owners-bicep`
133	avm/res/key-vault/vault/key	`46d3xbcp.res.keyvault-key`	`avm-res-keyvault-vault-module-owners-bicep`
134	avm/res/key-vault/vault/secret	`46d3xbcp.res.keyvault-secret`	`avm-res-keyvault-vault-module-owners-bicep`
135	avm/res/kubernetes-configuration/extension	`46d3xbcp.res.kubernetesconfiguration-extension`	`avm-res-kubernetesconfiguration-extension-module-owners-bicep`
136	avm/res/kubernetes-configuration/flux-configuration	`46d3xbcp.res.kubernetesconfiguration-fluxconfig`	`avm-res-kubernetesconfiguration-fluxconfiguration-module-owners-bicep`
137	avm/res/kubernetes-runtime/bpg-peer	`46d3xbcp.res.kubernetesruntime-bgppeer`	`avm-res-kubernetesruntime-bpgpeer-module-owners-bicep`
138	avm/res/kubernetes-runtime/load-balancer	`46d3xbcp.res.kubernetesruntime-loadbalancer`	`avm-res-kubernetesruntime-loadbalancer-module-owners-bicep`
139	avm/res/kubernetes-runtime/service	`46d3xbcp.res.kubernetesruntime-service`	`avm-res-kubernetesruntime-service-module-owners-bicep`
140	avm/res/kubernetes/connected-cluster	`46d3xbcp.res.kubernetes-connectedcluster`	`avm-res-kubernetes-connectedcluster-module-owners-bicep`
141	avm/res/kusto/cluster	`46d3xbcp.res.kusto-cluster`	`avm-res-kusto-cluster-module-owners-bicep`
142	avm/res/load-test-service/load-test	`46d3xbcp.res.loadtestservice-loadtest`	`avm-res-loadtestservice-loadtest-module-owners-bicep`
143	avm/res/logic/integration-account	`46d3xbcp.res.logic-integrationaccount`	`avm-res-logic-integrationaccount-module-owners-bicep`
144	avm/res/logic/workflow	`46d3xbcp.res.logic-workflow`	`avm-res-logic-workflow-module-owners-bicep`
145	avm/res/machine-learning-services/registry	`46d3xbcp.res.machinelearningservices-registry`	`avm-res-machinelearningservices-registry-module-owners-bicep`
146	avm/res/machine-learning-services/workspace	`46d3xbcp.res.machinelearningservices-workspace`	`avm-res-machinelearningservices-workspace-module-owners-bicep`
147	avm/res/maintenance/configuration-assignment	`46d3xbcp.res.maintenance-configurationassignment`	`avm-res-maintenance-configurationassignment-module-owners-bicep`
148	avm/res/maintenance/maintenance-configuration	`46d3xbcp.res.maintenance-maintenanceconfiguration`	`avm-res-maintenance-maintenanceconfiguration-module-owners-bicep`
149	avm/res/managed-identity/user-assigned-identity	`46d3xbcp.res.managedidentity-userassignedidentity`	`avm-res-managedidentity-userassignedidentity-module-owners-bicep`
150	avm/res/managed-services/registration-definition	`46d3xbcp.res.managedservices-registrationdef`	`avm-res-managedservices-registrationdefinition-module-owners-bicep`
151	avm/res/management/management-group	`46d3xbcp.res.management-managementgroup`	`avm-res-management-managementgroup-module-owners-bicep`
152	avm/res/management/service-group	`46d3xbcp.res.management-servicegroup`	`avm-res-management-servicegroup-module-owners-bicep`
153	avm/res/maps/account	`46d3xbcp.res.maps-account`	`avm-res-maps-account-module-owners-bicep`
154	avm/res/net-app/net-app-account	`46d3xbcp.res.netapp-netappaccount`	`avm-res-netapp-netappaccount-module-owners-bicep`
155	avm/res/network/application-gateway	`46d3xbcp.res.network-appgw`	`avm-res-network-applicationgateway-module-owners-bicep`
156	avm/res/network/application-gateway-web-application-firewall-policy	`46d3xbcp.res.network-appgwwebappfirewallpolicy`	`avm-res-network-applicationgatewaywebapplicationfirewallpolicy-module-owners-bicep`
157	avm/res/network/application-security-group	`46d3xbcp.res.network-applicationsecuritygroup`	`avm-res-network-applicationsecuritygroup-module-owners-bicep`
158	avm/res/network/azure-firewall	`46d3xbcp.res.network-azurefirewall`	`avm-res-network-azurefirewall-module-owners-bicep`
159	avm/res/network/bastion-host	`46d3xbcp.res.network-bastionhost`	`avm-res-network-bastionhost-module-owners-bicep`
160	avm/res/network/connection	`46d3xbcp.res.network-connection`	`avm-res-network-connection-module-owners-bicep`
161	avm/res/network/ddos-protection-plan	`46d3xbcp.res.network-ddosprotectionplan`	`avm-res-network-ddosprotectionplan-module-owners-bicep`
162	avm/res/network/dns-forwarding-ruleset	`46d3xbcp.res.network-dnsforwardingruleset`	`avm-res-network-dnsforwardingruleset-module-owners-bicep`
163	avm/res/network/dns-resolver	`46d3xbcp.res.network-dnsresolver`	`avm-res-network-dnsresolver-module-owners-bicep`
164	avm/res/network/dns-zone	`46d3xbcp.res.network-dnszone`	`avm-res-network-dnszone-module-owners-bicep`
165	avm/res/network/express-route-circuit	`46d3xbcp.res.network-expressroutecircuit`	`avm-res-network-expressroutecircuit-module-owners-bicep`
166	avm/res/network/express-route-gateway	`46d3xbcp.res.network-expressroutegateway`	`avm-res-network-expressroutegateway-module-owners-bicep`
167	avm/res/network/express-route-port	`46d3xbcp.res.network-expressrouteport`	`avm-res-network-expressrouteport-module-owners-bicep`
168	avm/res/network/firewall-policy	`46d3xbcp.res.network-firewallpolicy`	`avm-res-network-firewallpolicy-module-owners-bicep`
169	avm/res/network/front-door	`46d3xbcp.res.network-frontdoor`	`avm-res-network-frontdoor-module-owners-bicep`
170	avm/res/network/front-door-web-application-firewall-policy	`46d3xbcp.res.network-frontdoorwebappfwpolicy`	`avm-res-network-frontdoorwebapplicationfirewallpolicy-module-owners-bicep`
171	avm/res/network/ip-group	`46d3xbcp.res.network-ipgroup`	`avm-res-network-ipgroup-module-owners-bicep`
172	avm/res/network/load-balancer	`46d3xbcp.res.network-loadbalancer`	`avm-res-network-loadbalancer-module-owners-bicep`
173	avm/res/network/local-network-gateway	`46d3xbcp.res.network-localnetworkgateway`	`avm-res-network-localnetworkgateway-module-owners-bicep`
174	avm/res/network/nat-gateway	`46d3xbcp.res.network-natgateway`	`avm-res-network-natgateway-module-owners-bicep`
175	avm/res/network/network-interface	`46d3xbcp.res.network-networkinterface`	`avm-res-network-networkinterface-module-owners-bicep`
176	avm/res/network/network-manager	`46d3xbcp.res.network-networkmanager`	`avm-res-network-networkmanager-module-owners-bicep`
177	avm/res/network/network-security-group	`46d3xbcp.res.network-networksecuritygroup`	`avm-res-network-networksecuritygroup-module-owners-bicep`
178	avm/res/network/network-security-perimeter	`46d3xbcp.res.network-nwsecurityperimeter`	`avm-res-network-networksecurityperimeter-module-owners-bicep`
179	avm/res/network/network-watcher	`46d3xbcp.res.network-networkwatcher`	`avm-res-network-networkwatcher-module-owners-bicep`
180	avm/res/network/p2s-vpn-gateway	`46d3xbcp.res.network-p2svpngateway`	`avm-res-network-p2svpngateway-module-owners-bicep`
181	avm/res/network/private-dns-zone	`46d3xbcp.res.network-privatednszone`	`avm-res-network-privatednszone-module-owners-bicep`
182	avm/res/network/private-dns-zone/a	`46d3xbcp.res.nw-privdnszonea`	`avm-res-network-privatednszone-module-owners-bicep`
183	avm/res/network/private-dns-zone/aaaa	`46d3xbcp.res.nw-privdnszoneaaaa`	`avm-res-network-privatednszone-module-owners-bicep`
184	avm/res/network/private-dns-zone/cname	`46d3xbcp.res.nw-privdnszonecname`	`avm-res-network-privatednszone-module-owners-bicep`
185	avm/res/network/private-dns-zone/mx	`46d3xbcp.res.nw-privdnszonemx`	`avm-res-network-privatednszone-module-owners-bicep`
186	avm/res/network/private-dns-zone/ptr	`46d3xbcp.res.nw-privdnszoneptr`	`avm-res-network-privatednszone-module-owners-bicep`
187	avm/res/network/private-dns-zone/soa	`46d3xbcp.res.nw-privdnszonesoa`	`avm-res-network-privatednszone-module-owners-bicep`
188	avm/res/network/private-dns-zone/srv	`46d3xbcp.res.nw-privdnszonesrv`	`avm-res-network-privatednszone-module-owners-bicep`
189	avm/res/network/private-dns-zone/txt	`46d3xbcp.res.nw-privdnszonetxt`	`avm-res-network-privatednszone-module-owners-bicep`
190	avm/res/network/private-dns-zone/virtual-network-link	`46d3xbcp.res.nw-privdnszonevnetlink`	`avm-res-network-privatednszone-module-owners-bicep`
191	avm/res/network/private-endpoint	`46d3xbcp.res.network-privateendpoint`	`avm-res-network-privateendpoint-module-owners-bicep`
192	avm/res/network/private-link-service	`46d3xbcp.res.network-privatelinkservice`	`avm-res-network-privatelinkservice-module-owners-bicep`
193	avm/res/network/public-ip-address	`46d3xbcp.res.network-publicipaddress`	`avm-res-network-publicipaddress-module-owners-bicep`
194	avm/res/network/public-ip-prefix	`46d3xbcp.res.network-publicipprefix`	`avm-res-network-publicipprefix-module-owners-bicep`
195	avm/res/network/route-table	`46d3xbcp.res.network-routetable`	`avm-res-network-routetable-module-owners-bicep`
196	avm/res/network/service-endpoint-policy	`46d3xbcp.res.network-serviceendpointpolicy`	`avm-res-network-serviceendpointpolicy-module-owners-bicep`
197	avm/res/network/trafficmanagerprofile	`46d3xbcp.res.network-trafficmanagerprofile`	`avm-res-network-trafficmanagerprofile-module-owners-bicep`
198	avm/res/network/virtual-hub	`46d3xbcp.res.network-virtualhub`	`avm-res-network-virtualhub-module-owners-bicep`
199	avm/res/network/virtual-hub/route-map	`46d3xbcp.res.network-virtualhubroutemap`	`avm-res-network-virtualhub-module-owners-bicep`
200	avm/res/network/virtual-network	`46d3xbcp.res.network-virtualnetwork`	`avm-res-network-virtualnetwork-module-owners-bicep`
201	avm/res/network/virtual-network-gateway	`46d3xbcp.res.network-virtualnetworkgateway`	`avm-res-network-virtualnetworkgateway-module-owners-bicep`
202	avm/res/network/virtual-network/subnet	`46d3xbcp.res.network-virtualnetworksubnet`	`avm-res-network-virtualnetwork-module-owners-bicep`
203	avm/res/network/virtual-wan	`46d3xbcp.res.network-virtualwan`	`avm-res-network-virtualwan-module-owners-bicep`
204	avm/res/network/vpn-gateway	`46d3xbcp.res.network-vpngateway`	`avm-res-network-vpngateway-module-owners-bicep`
205	avm/res/network/vpn-server-configuration	`46d3xbcp.res.network-vpnserverconfiguration`	`avm-res-network-vpnserverconfiguration-module-owners-bicep`
206	avm/res/network/vpn-site	`46d3xbcp.res.network-vpnsite`	`avm-res-network-vpnsite-module-owners-bicep`
207	avm/res/operational-insights/cluster	`46d3xbcp.res.operationalinsights-cluster`	`avm-res-operationalinsights-cluster-module-owners-bicep`
208	avm/res/operational-insights/workspace	`46d3xbcp.res.operationalinsights-workspace`	`avm-res-operationalinsights-workspace-module-owners-bicep`
209	avm/res/operations-management/solution	`46d3xbcp.res.operationsmanagement-solution`	`avm-res-operationsmanagement-solution-module-owners-bicep`
210	avm/res/portal/dashboard	`46d3xbcp.res.portal-dashboard`	`avm-res-portal-dashboard-module-owners-bicep`
211	avm/res/power-bi-dedicated/capacity	`46d3xbcp.res.powerbidedicated-capacity`	`avm-res-powerbidedicated-capacity-module-owners-bicep`
212	avm/res/purview/account	`46d3xbcp.res.purview-account`	`avm-res-purview-account-module-owners-bicep`
213	avm/res/recovery-services/vault	`46d3xbcp.res.recoveryservices-vault`	`avm-res-recoveryservices-vault-module-owners-bicep`
214	avm/res/relay/namespace	`46d3xbcp.res.relay-namespace`	`avm-res-relay-namespace-module-owners-bicep`
215	avm/res/resource-graph/query	`46d3xbcp.resourcegraph-query`	`avm-res-resourcegraph-query-module-owners-bicep`
216	avm/res/resources/deployment-script	`46d3xbcp.res.resources-deploymentscript`	`avm-res-resources-deploymentscript-module-owners-bicep`
217	avm/res/resources/resource-group	`46d3xbcp.res.resources-resourcegroup`	`avm-res-resources-resourcegroup-module-owners-bicep`
218	avm/res/scom/managed-instance	`46d3xbcp.res.scom-managedinstance`	`avm-res-scom-managedinstance-module-owners-bicep`
219	avm/res/search/search-service	`46d3xbcp.res.search-searchservice`	`avm-res-search-searchservice-module-owners-bicep`
220	avm/res/security-insights/data-connector	`46d3xbcp.res.securityinsights-dataconnector`	`avm-res-securityinsights-dataconnector-module-owners-bicep`
221	avm/res/security-insights/onboarding-state	`46d3xbcp.res.securityinsights-onboardingstate`	`avm-res-securityinsights-onboardingstate-module-owners-bicep`
222	avm/res/security-insights/setting	`46d3xbcp.res.securityinsights-setting`	`avm-res-securityinsights-setting-module-owners-bicep`
223	avm/res/service-bus/namespace	`46d3xbcp.res.servicebus-namespace`	`avm-res-servicebus-namespace-module-owners-bicep`
224	avm/res/service-bus/namespace/queue	`46d3xbcp.res.servicebus-namespacequeue`	`avm-res-servicebus-namespace-module-owners-bicep`
225	avm/res/service-bus/namespace/topic	`46d3xbcp.res.servicebus-namespacetopic`	`avm-res-servicebus-namespace-module-owners-bicep`
226	avm/res/service-fabric/cluster	`46d3xbcp.res.servicefabric-cluster`	`avm-res-servicefabric-cluster-module-owners-bicep`
227	avm/res/service-networking/traffic-controller	`46d3xbcp.res.servicenetworking-trafficcontroller`	`avm-res-servicenetworking-trafficcontroller-module-owners-bicep`
228	avm/res/signal-r-service/signal-r	`46d3xbcp.res.signalrservice-signalr`	`avm-res-signalrservice-signalr-module-owners-bicep`
229	avm/res/signal-r-service/web-pub-sub	`46d3xbcp.res.signalrservice-webpubsub`	`avm-res-signalrservice-webpubsub-module-owners-bicep`
230	avm/res/sql-virtual-machine/sql-virtual-machine	`46d3xbcp.res.sqlvm-sqlvm`	`avm-res-sqlvirtualmachine-sqlvirtualmachine-module-owners-bicep`
231	avm/res/sql/instance-pool	`46d3xbcp.res.sql-instancepool`	`avm-res-sql-instancepool-module-owners-bicep`
232	avm/res/sql/managed-instance	`46d3xbcp.res.sql-managedinstance`	`avm-res-sql-managedinstance-module-owners-bicep`
233	avm/res/sql/server	`46d3xbcp.res.sql-server`	`avm-res-sql-server-module-owners-bicep`
234	avm/res/sql/server/database	`46d3xbcp.res.sql-serverdb`	`avm-res-sql-server-module-owners-bicep`
235	avm/res/storage/storage-account	`46d3xbcp.res.storage-storageaccount`	`avm-res-storage-storageaccount-module-owners-bicep`
236	avm/res/storage/storage-account/blob-service/container	`46d3xbcp.res.storage-blobcontainer`	`avm-res-storage-storageaccount-module-owners-bicep`
237	avm/res/storage/storage-account/blob-service/container/immutability-policy	`46d3xbcp.res.storage-containerimmutpolicy`	`avm-res-storage-storageaccount-module-owners-bicep`
238	avm/res/storage/storage-account/file-service/share	`46d3xbcp.res.storage-fileshare`	`avm-res-storage-storageaccount-module-owners-bicep`
239	avm/res/storage/storage-account/local-user	`46d3xbcp.res.storage-localuser`	`avm-res-storage-storageaccount-module-owners-bicep`
240	avm/res/storage/storage-account/management-policy	`46d3xbcp.res.storage-mgmtpolicy`	`avm-res-storage-storageaccount-module-owners-bicep`
241	avm/res/storage/storage-account/queue-service/queue	`46d3xbcp.res.storage-queue`	`avm-res-storage-storageaccount-module-owners-bicep`
242	avm/res/storage/storage-account/table-service/table	`46d3xbcp.res.storage-table`	`avm-res-storage-storageaccount-module-owners-bicep`
243	avm/res/stream-analytics/streaming-job	`46d3xbcp.res.streamanalytics-streamingjob`	`avm-res-streamanalytics-streamingjob-module-owners-bicep`
244	avm/res/synapse/private-link-hub	`46d3xbcp.res.synapse-privatelinkhub`	`avm-res-synapse-privatelinkhub-module-owners-bicep`
245	avm/res/synapse/workspace	`46d3xbcp.res.synapse-workspace`	`avm-res-synapse-workspace-module-owners-bicep`
246	avm/res/virtual-machine-images/image-template	`46d3xbcp.res.virtualmachineimages-imagetemplate`	`avm-res-virtualmachineimages-imagetemplate-module-owners-bicep`
247	avm/res/web/connection	`46d3xbcp.res.web-connection`	`avm-res-web-connection-module-owners-bicep`
248	avm/res/web/hosting-environment	`46d3xbcp.res.web-hostingenvironment`	`avm-res-web-hostingenvironment-module-owners-bicep`
249	avm/res/web/serverfarm	`46d3xbcp.res.web-serverfarm`	`avm-res-web-serverfarm-module-owners-bicep`
250	avm/res/web/site	`46d3xbcp.res.web-site`	`avm-res-web-site-module-owners-bicep`
251	avm/res/web/site/config	`46d3xbcp.res.web-siteconfig`	`avm-res-web-site-module-owners-bicep`
252	avm/res/web/site/slot	`46d3xbcp.res.web-siteslot`	`avm-res-web-site-module-owners-bicep`
253	avm/res/web/static-site	`46d3xbcp.res.web-staticsite`	`avm-res-web-staticsite-module-owners-bicep`

Bicep Pattern Modules

Module catalog

Language	Classification	Published 🟢 & 🟡	Proposed ⚪	SUM
Bicep	Pattern	40	21	61

➕ Additional information

Legend

Summary of status icons used on this page

Icon	Status	Description
⚪	Proposed modules	Modules that are proposed and/or being worked on but not published yet.
🟢 & 🟡	Published modules	Available (🟢) and Orphaned (🟡) modules that are active and usable.
🔴	Deprecated modules	Modules that reached the end of their lifecycle.
📇	All modules	Including Published, Proposed and Deprecated ones.

See the Module Lifecycle page for more details.

Info

This page contains various views of the module index (catalog) for Bicep Pattern Modules. To see these views, click on the expandable sections with the “➕” sign below.

To see the full, unfiltered, unformatted module index on GitHub, click here.
To download the source CSV file, click here.

Note

Published modules - 🟢 & 🟡

➕ Published Modules - Module names, status and owners

No.	Module Name	Display Name	Owner(s)
01	avm/ptn/aca-lza/hosting-environment	Azure Container Apps (ACA) LZA - Hosting Environment	kpantos Konstantinos Pantos
02	avm/ptn/ai-ml/ai-foundry	AI-ML - AI Foundry	mswantek68 Mike Swantek sethsteenken Seth Steenken
03	avm/ptn/ai-platform/baseline	AI Platform - Baseline	cecheta Chinedum Echeta ross-p-smith Ross Smith
04	avm/ptn/alz/ama	Azure Landing Zones (ALZ) - Azure Monitoring Agent (AMA)	oZakari Zach Trocinski
05	avm/ptn/alz/empty	Azure Landing Zones (ALZ) - Empty	jtracey93 Jack Tracey oZakari Zach Trocinski
06	avm/ptn/app-service-lza/hosting-environment	App Service LZA - Hosting Environment	MikeTB-Microsoft Michael Baker
07	avm/ptn/app/container-job-toolkit	Container Job Toolkit	ReneHezser Rene Hezser
08	avm/ptn/app/iaas-vm-cosmosdb-tier4	Workload - IaaS VM Cosmos DB - Tier 4	mikestiers Mike Stiers
09	avm/ptn/authorization/pim-role-assignment	Authorization - PIM Role Assignment	sebassem Seif Bassem
10	avm/ptn/authorization/policy-assignment	Authorization - Policy Assignment	jtracey93 Jack Tracey
11	avm/ptn/authorization/policy-exemption	Authorization - Policy Exemption	oZakari Zach Trocinski
12	avm/ptn/authorization/resource-role-assignment	Authorization - Resource Role Assignment	peterbud Peter Budai
13	avm/ptn/authorization/role-assignment	Authorization - Role Assignment	jtracey93 Jack Tracey
14	avm/ptn/authorization/role-definition	Authorization - Role Definition	jtracey93 Jack Tracey
15	avm/ptn/azd/acr-container-app	AZD - ACR Container App Azure Developer CLI - ACR Container App	JeffreyCA Jeffrey Chen
16	avm/ptn/azd/aks	AZD - AKS Azure Developer CLI - Azure Kubernetes Services	JeffreyCA Jeffrey Chen
17	avm/ptn/azd/aks-automatic-cluster	AZD - AKS Automatic Cluster Azure Developer CLI - Azure Kubernetes Services Automatic Cluster	JeffreyCA Jeffrey Chen
18	avm/ptn/azd/apim-api	AZD - APIM API Azure Developer CLI - API Management	JeffreyCA Jeffrey Chen
19	avm/ptn/azd/container-app-upsert	AZD - Container App Upsert Azure Developer CLI - Container Apps Upsert	JeffreyCA Jeffrey Chen
20	avm/ptn/azd/container-apps-stack	AZD - Container Apps Stack Azure Developer CLI - Container Apps Stack	JeffreyCA Jeffrey Chen
21	avm/ptn/azd/insights-dashboard	AZD - Insights Dashboard Azure Developer CLI - Inishgts Dashboard	JeffreyCA Jeffrey Chen
22	avm/ptn/azd/monitoring	AZD - Monitoring Azure Developer CLI - Monitoring	JeffreyCA Jeffrey Chen
23	avm/ptn/data/private-analytical-workspace	Private Analytical Workspace Data Analytics, Data Lake, Databricks, Database	jbinko Jiri Binko
24	avm/ptn/deployment-script/import-image-to-acr	Deployment Script - Import Container Image to ACR	ReneHezser Rene Hezser
25	avm/ptn/dev-ops/cicd-agents-and-runners	Azure DevOps and GitHub CI/CD Agents and Runners	sebassem Seif Bassem
26	avm/ptn/finops-toolkit/finops-hub	FinOps Toolkit - FinOps Hub	arthurclares Arthur Clares
27	avm/ptn/lz/sub-vending	Landing Zone Subscription Vending	jtracey93 Jack Tracey sebassem Seif Bassem
28	avm/ptn/mgmt-groups/subscription-placement	Management Groups - Subscription Placement	oZakari Zach Trocinski
29	avm/ptn/network/hub-networking	Hub Networking	oZakari Zach Trocinski jtracey93 Jack Tracey
30	avm/ptn/network/private-link-private-dns-zones	Private Link Private DNS Zones	jtracey93 Jack Tracey
31	avm/ptn/policy-insights/remediation	Policy Insights Remediation	donk-msft Don Koning
32	avm/ptn/sa/chat-with-your-data	SA - Chat with your data Solution Accelerator - Chat with your data (CWYD)	aniaroramsft Anish Arora alguadam Alvaro Guadamillas Herranz
33	avm/ptn/sa/content-processing	SA - Content Processing Solution Accelerator - Content Processing	brittneek Brittnee Keller
34	avm/ptn/sa/conversation-knowledge-mining	SA - Conversation knowledge mining Solution Accelerator - Conversation knowledge mining (CKM)	alguadam Alvaro Guadamillas Herranz
35	avm/ptn/sa/document-knowledge-mining	SA - Document knowledge mining Solution Accelerator - Document knowledge mining (DKM)	aniaroramsft Anish Arora alguadam Alvaro Guadamillas Herranz
36	avm/ptn/sa/modernize-your-code	SA - Modernize your code Solution Accelerator - Modernize your code	sethsteenken Seth Steenken
37	avm/ptn/sa/multi-agent-custom-automation-engine	SA - Multi Agent Custom Automation Engine Solution Accelerator - Multi Agent Custom Automation Engine	alguadam Alvaro Guadamillas Herranz
38	avm/ptn/security/security-center	Azure Security Center (Defender for Cloud)	oZakari Zach Trocinski jtracey93 Jack Tracey
39	avm/ptn/subscription/service-health-alerts	Service Health Alerts	sebassem Seif Bassem
40	avm/ptn/virtual-machine-images/azure-image-builder	Custom Images using Azure Image Builder	AlexanderSehr Alexander Sehr

Proposed modules - ⚪

➕ Proposed Modules - Module names, status and owners

No.	Module Name	Display Name	Owner(s)
01	avm/ptn/ai-ml/landing-zone	AI-ML - Landing Zone (LZ)	placerda Paulo Lacerda mbilalamjad Bilal Amjad
02	avm/ptn/app/cosmos-db-account-container-app	Cosmos DB Account - Container App
03	avm/ptn/app/mongodb-cluster-container-app	MongoDB Cluster - Container App
04	avm/ptn/app/paas-ase-cosmosdb-tier4	Workload - PaaS ASE Cosmos DB - Tier 4	mikestiers Mike Stiers
05	avm/ptn/avd-lza/insights	Azure Virtual Desktop (AVD) LZA - Insights
06	avm/ptn/avd-lza/management-plane	Azure Virtual Desktop (AVD) LZA - Management Plane
07	avm/ptn/avd-lza/networking	Azure Virtual Desktop (AVD) LZA - Networking
08	avm/ptn/avd-lza/session-hosts	Azure Virtual Desktop (AVD) LZA - Session Hosts
09	avm/ptn/deployment-script/create-kv-ssh-key-pair	Deployment Script - Create Key Vault SSH Key Pair	vlahane Vishal Lahane
10	avm/ptn/deployment-script/private	Deployment Script - Private Script	sebassem Seif Bassem
11	avm/ptn/dev-center/dev-box	Dev-Box	timfurnival-MSFT Tim Furnival
12	avm/ptn/lza-shared/data-services	LZA Shared - Data Services Landing Zone Accelerators - Shared - Data Services	kpantos Konstantinos Pantos
13	avm/ptn/maintenance/azure-update-manager	Azure Update Manager	akhilthomas011 Akhil Thomas
14	avm/ptn/monitoring/amba	Azure Monitor Baseline Alerts (AMBA)	arjenhuitema Arjen Huitema
15	avm/ptn/monitoring/amba-alz	Azure Monitor Baseline Alerts (AMBA) - ALZ	arjenhuitema Arjen Huitema
16	avm/ptn/network/virtual-wan	Virtual WAN vWAN	ericscheffler Eric Scheffler juancj Juan Jimenez
17	avm/ptn/network/vwan-connected-vnets	VNETs peered to Virtual WAN	juancj Juan Jimenez ericscheffler Eric Scheffler
18	avm/ptn/openai/cognitive-search	Corporate Line of Business (LoB) ChatBot	andbron Andrew Lambert
19	avm/ptn/openai/e2e-baseline	Azure OpenAI End-to-End Baseline Implementation
20	avm/ptn/sa/customer-chatbot	SA - Bring your own Customer Chatbot Solution Accelerator - Bring your own Customer Chatbot (BYOCC)	aniaroramsft Anish Arora alguadam Alvaro Guadamillas Herranz
21	avm/ptn/security/sentinel	Sentinel

Deprecated modules - 🔴

➕ Deprecated Modules - Module names, status and owners

No.	Module Name	Display Name
01	avm/ptn/azd/ml-ai-environment	AZD - ML AI Environment Azure Developer CLI - Machine Learning AI Environment
02	avm/ptn/azd/ml-hub-dependencies	AZD - ML Hub Dependencies Azure Developer CLI - Machine Learning Hub Dependencies
03	avm/ptn/azd/ml-project	AZD - ML Project Azure Developer CLI - Machine Learning Project
04	avm/ptn/sa/build-your-own-copilot	SA - Build your own Copilot Solution Accelerator - Build your own Copilot (BYOC)

All modules - 📇

➕ All Modules - Module names, status and owners

No.	Module Name	Display Name	Owner(s)
01	avm/ptn/aca-lza/hosting-environment	Azure Container Apps (ACA) LZA - Hosting Environment	kpantos Konstantinos Pantos
02	avm/ptn/ai-ml/ai-foundry	AI-ML - AI Foundry	mswantek68 Mike Swantek sethsteenken Seth Steenken
03	avm/ptn/ai-ml/landing-zone	AI-ML - Landing Zone (LZ)	placerda Paulo Lacerda mbilalamjad Bilal Amjad
04	avm/ptn/ai-platform/baseline	AI Platform - Baseline	cecheta Chinedum Echeta ross-p-smith Ross Smith
05	avm/ptn/alz/ama	Azure Landing Zones (ALZ) - Azure Monitoring Agent (AMA)	oZakari Zach Trocinski
06	avm/ptn/alz/empty	Azure Landing Zones (ALZ) - Empty	jtracey93 Jack Tracey oZakari Zach Trocinski
07	avm/ptn/app-service-lza/hosting-environment	App Service LZA - Hosting Environment	MikeTB-Microsoft Michael Baker
08	avm/ptn/app/container-job-toolkit	Container Job Toolkit	ReneHezser Rene Hezser
09	avm/ptn/app/cosmos-db-account-container-app	Cosmos DB Account - Container App
10	avm/ptn/app/iaas-vm-cosmosdb-tier4	Workload - IaaS VM Cosmos DB - Tier 4	mikestiers Mike Stiers
11	avm/ptn/app/mongodb-cluster-container-app	MongoDB Cluster - Container App
12	avm/ptn/app/paas-ase-cosmosdb-tier4	Workload - PaaS ASE Cosmos DB - Tier 4	mikestiers Mike Stiers
13	avm/ptn/authorization/pim-role-assignment	Authorization - PIM Role Assignment	sebassem Seif Bassem
14	avm/ptn/authorization/policy-assignment	Authorization - Policy Assignment	jtracey93 Jack Tracey
15	avm/ptn/authorization/policy-exemption	Authorization - Policy Exemption	oZakari Zach Trocinski
16	avm/ptn/authorization/resource-role-assignment	Authorization - Resource Role Assignment	peterbud Peter Budai
17	avm/ptn/authorization/role-assignment	Authorization - Role Assignment	jtracey93 Jack Tracey
18	avm/ptn/authorization/role-definition	Authorization - Role Definition	jtracey93 Jack Tracey
19	avm/ptn/avd-lza/insights	Azure Virtual Desktop (AVD) LZA - Insights
20	avm/ptn/avd-lza/management-plane	Azure Virtual Desktop (AVD) LZA - Management Plane
21	avm/ptn/avd-lza/networking	Azure Virtual Desktop (AVD) LZA - Networking
22	avm/ptn/avd-lza/session-hosts	Azure Virtual Desktop (AVD) LZA - Session Hosts
23	avm/ptn/azd/acr-container-app	AZD - ACR Container App Azure Developer CLI - ACR Container App	JeffreyCA Jeffrey Chen
24	avm/ptn/azd/aks	AZD - AKS Azure Developer CLI - Azure Kubernetes Services	JeffreyCA Jeffrey Chen
25	avm/ptn/azd/aks-automatic-cluster	AZD - AKS Automatic Cluster Azure Developer CLI - Azure Kubernetes Services Automatic Cluster	JeffreyCA Jeffrey Chen
26	avm/ptn/azd/apim-api	AZD - APIM API Azure Developer CLI - API Management	JeffreyCA Jeffrey Chen
27	avm/ptn/azd/container-app-upsert	AZD - Container App Upsert Azure Developer CLI - Container Apps Upsert	JeffreyCA Jeffrey Chen
28	avm/ptn/azd/container-apps-stack	AZD - Container Apps Stack Azure Developer CLI - Container Apps Stack	JeffreyCA Jeffrey Chen
29	avm/ptn/azd/insights-dashboard	AZD - Insights Dashboard Azure Developer CLI - Inishgts Dashboard	JeffreyCA Jeffrey Chen
30	avm/ptn/azd/ml-ai-environment	AZD - ML AI Environment Azure Developer CLI - Machine Learning AI Environment
31	avm/ptn/azd/ml-hub-dependencies	AZD - ML Hub Dependencies Azure Developer CLI - Machine Learning Hub Dependencies
32	avm/ptn/azd/ml-project	AZD - ML Project Azure Developer CLI - Machine Learning Project
33	avm/ptn/azd/monitoring	AZD - Monitoring Azure Developer CLI - Monitoring	JeffreyCA Jeffrey Chen
34	avm/ptn/data/private-analytical-workspace	Private Analytical Workspace Data Analytics, Data Lake, Databricks, Database	jbinko Jiri Binko
35	avm/ptn/deployment-script/create-kv-ssh-key-pair	Deployment Script - Create Key Vault SSH Key Pair	vlahane Vishal Lahane
36	avm/ptn/deployment-script/import-image-to-acr	Deployment Script - Import Container Image to ACR	ReneHezser Rene Hezser
37	avm/ptn/deployment-script/private	Deployment Script - Private Script	sebassem Seif Bassem
38	avm/ptn/dev-center/dev-box	Dev-Box	timfurnival-MSFT Tim Furnival
39	avm/ptn/dev-ops/cicd-agents-and-runners	Azure DevOps and GitHub CI/CD Agents and Runners	sebassem Seif Bassem
40	avm/ptn/finops-toolkit/finops-hub	FinOps Toolkit - FinOps Hub	arthurclares Arthur Clares
41	avm/ptn/lz/sub-vending	Landing Zone Subscription Vending	jtracey93 Jack Tracey sebassem Seif Bassem
42	avm/ptn/lza-shared/data-services	LZA Shared - Data Services Landing Zone Accelerators - Shared - Data Services	kpantos Konstantinos Pantos
43	avm/ptn/maintenance/azure-update-manager	Azure Update Manager	akhilthomas011 Akhil Thomas
44	avm/ptn/mgmt-groups/subscription-placement	Management Groups - Subscription Placement	oZakari Zach Trocinski
45	avm/ptn/monitoring/amba	Azure Monitor Baseline Alerts (AMBA)	arjenhuitema Arjen Huitema
46	avm/ptn/monitoring/amba-alz	Azure Monitor Baseline Alerts (AMBA) - ALZ	arjenhuitema Arjen Huitema
47	avm/ptn/network/hub-networking	Hub Networking	oZakari Zach Trocinski jtracey93 Jack Tracey
48	avm/ptn/network/private-link-private-dns-zones	Private Link Private DNS Zones	jtracey93 Jack Tracey
49	avm/ptn/network/virtual-wan	Virtual WAN vWAN	ericscheffler Eric Scheffler juancj Juan Jimenez
50	avm/ptn/network/vwan-connected-vnets	VNETs peered to Virtual WAN	juancj Juan Jimenez ericscheffler Eric Scheffler
51	avm/ptn/openai/cognitive-search	Corporate Line of Business (LoB) ChatBot	andbron Andrew Lambert
52	avm/ptn/openai/e2e-baseline	Azure OpenAI End-to-End Baseline Implementation
53	avm/ptn/policy-insights/remediation	Policy Insights Remediation	donk-msft Don Koning
54	avm/ptn/sa/build-your-own-copilot	SA - Build your own Copilot Solution Accelerator - Build your own Copilot (BYOC)
55	avm/ptn/sa/chat-with-your-data	SA - Chat with your data Solution Accelerator - Chat with your data (CWYD)	aniaroramsft Anish Arora alguadam Alvaro Guadamillas Herranz
56	avm/ptn/sa/content-processing	SA - Content Processing Solution Accelerator - Content Processing	brittneek Brittnee Keller
57	avm/ptn/sa/conversation-knowledge-mining	SA - Conversation knowledge mining Solution Accelerator - Conversation knowledge mining (CKM)	alguadam Alvaro Guadamillas Herranz
58	avm/ptn/sa/customer-chatbot	SA - Bring your own Customer Chatbot Solution Accelerator - Bring your own Customer Chatbot (BYOCC)	aniaroramsft Anish Arora alguadam Alvaro Guadamillas Herranz
59	avm/ptn/sa/document-knowledge-mining	SA - Document knowledge mining Solution Accelerator - Document knowledge mining (DKM)	aniaroramsft Anish Arora alguadam Alvaro Guadamillas Herranz
60	avm/ptn/sa/modernize-your-code	SA - Modernize your code Solution Accelerator - Modernize your code	sethsteenken Seth Steenken
61	avm/ptn/sa/multi-agent-custom-automation-engine	SA - Multi Agent Custom Automation Engine Solution Accelerator - Multi Agent Custom Automation Engine	alguadam Alvaro Guadamillas Herranz
62	avm/ptn/security/security-center	Azure Security Center (Defender for Cloud)	oZakari Zach Trocinski jtracey93 Jack Tracey
63	avm/ptn/security/sentinel	Sentinel
64	avm/ptn/subscription/service-health-alerts	Service Health Alerts	sebassem Seif Bassem
65	avm/ptn/virtual-machine-images/azure-image-builder	Custom Images using Azure Image Builder	AlexanderSehr Alexander Sehr

Module Publication History - 📅

➕ Module Publication History - Module names, status and owners

Modules published in September 2025

No.	Module Name	Display Name	Owner(s)
01	avm/ptn/sa/build-your-own-copilot	SA - Build your own Copilot Solution Accelerator - Build your own Copilot (BYOC)
02	avm/ptn/sa/chat-with-your-data	SA - Chat with your data Solution Accelerator - Chat with your data (CWYD)	aniaroramsft Anish Arora alguadam Alvaro Guadamillas Herranz
03	avm/ptn/sa/document-knowledge-mining	SA - Document knowledge mining Solution Accelerator - Document knowledge mining (DKM)	aniaroramsft Anish Arora alguadam Alvaro Guadamillas Herranz

Modules published in August 2025

No.	Module Name	Display Name	Status & Versions	Owner(s)
01	avm/ptn/alz/ama	Azure Landing Zones (ALZ) - Azure Monitoring Agent (AMA)		oZakari Zach Trocinski

Modules published in July 2025

No.	Module Name	Display Name	Owner(s)
01	avm/ptn/ai-ml/ai-foundry	AI-ML - AI Foundry	mswantek68 Mike Swantek sethsteenken Seth Steenken
02	avm/ptn/app/iaas-vm-cosmosdb-tier4	Workload - IaaS VM Cosmos DB - Tier 4	mikestiers Mike Stiers
03	avm/ptn/sa/content-processing	SA - Content Processing Solution Accelerator - Content Processing	brittneek Brittnee Keller
04	avm/ptn/sa/modernize-your-code	SA - Modernize your code Solution Accelerator - Modernize your code	sethsteenken Seth Steenken

Modules published in June 2025

No.	Module Name	Display Name	Status & Versions	Owner(s)
01	avm/ptn/sa/multi-agent-custom-automation-engine	SA - Multi Agent Custom Automation Engine Solution Accelerator - Multi Agent Custom Automation Engine		alguadam Alvaro Guadamillas Herranz
02	avm/ptn/subscription/service-health-alerts	Service Health Alerts		sebassem Seif Bassem

Modules published in April 2025

No.	Module Name	Display Name	Status & Versions	Owner(s)
01	avm/ptn/alz/empty	Azure Landing Zones (ALZ) - Empty		jtracey93 Jack Tracey oZakari Zach Trocinski
02	avm/ptn/app-service-lza/hosting-environment	App Service LZA - Hosting Environment		MikeTB-Microsoft Michael Baker

Modules published in March 2025

No.	Module Name	Display Name	Status & Versions	Owner(s)
01	avm/ptn/sa/conversation-knowledge-mining	SA - Conversation knowledge mining Solution Accelerator - Conversation knowledge mining (CKM)		alguadam Alvaro Guadamillas Herranz

Modules published in February 2025

No.	Module Name	Display Name	Status & Versions	Owner(s)
01	avm/ptn/authorization/pim-role-assignment	Authorization - PIM Role Assignment		sebassem Seif Bassem
02	avm/ptn/mgmt-groups/subscription-placement	Management Groups - Subscription Placement		oZakari Zach Trocinski

Modules published in December 2024

No.	Module Name	Display Name	Owner(s)
01	avm/ptn/app/container-job-toolkit	Container Job Toolkit	ReneHezser Rene Hezser
02	avm/ptn/authorization/policy-exemption	Authorization - Policy Exemption	oZakari Zach Trocinski
03	avm/ptn/authorization/role-definition	Authorization - Role Definition	jtracey93 Jack Tracey
04	avm/ptn/azd/aks-automatic-cluster	AZD - AKS Automatic Cluster Azure Developer CLI - Azure Kubernetes Services Automatic Cluster	JeffreyCA Jeffrey Chen

Modules published in October 2024

No.	Module Name	Display Name	Owner(s)
01	avm/ptn/azd/acr-container-app	AZD - ACR Container App Azure Developer CLI - ACR Container App	JeffreyCA Jeffrey Chen
02	avm/ptn/azd/aks	AZD - AKS Azure Developer CLI - Azure Kubernetes Services	JeffreyCA Jeffrey Chen
03	avm/ptn/azd/container-app-upsert	AZD - Container App Upsert Azure Developer CLI - Container Apps Upsert	JeffreyCA Jeffrey Chen
04	avm/ptn/azd/container-apps-stack	AZD - Container Apps Stack Azure Developer CLI - Container Apps Stack	JeffreyCA Jeffrey Chen
05	avm/ptn/azd/ml-ai-environment	AZD - ML AI Environment Azure Developer CLI - Machine Learning AI Environment
06	avm/ptn/azd/ml-hub-dependencies	AZD - ML Hub Dependencies Azure Developer CLI - Machine Learning Hub Dependencies
07	avm/ptn/azd/ml-project	AZD - ML Project Azure Developer CLI - Machine Learning Project
08	avm/ptn/azd/monitoring	AZD - Monitoring Azure Developer CLI - Monitoring	JeffreyCA Jeffrey Chen
09	avm/ptn/data/private-analytical-workspace	Private Analytical Workspace Data Analytics, Data Lake, Databricks, Database	jbinko Jiri Binko

Modules published in September 2024

No.	Module Name	Display Name	Owner(s)
01	avm/ptn/azd/apim-api	AZD - APIM API Azure Developer CLI - API Management	JeffreyCA Jeffrey Chen
02	avm/ptn/azd/insights-dashboard	AZD - Insights Dashboard Azure Developer CLI - Inishgts Dashboard	JeffreyCA Jeffrey Chen
03	avm/ptn/dev-ops/cicd-agents-and-runners	Azure DevOps and GitHub CI/CD Agents and Runners	sebassem Seif Bassem
04	avm/ptn/network/hub-networking	Hub Networking	oZakari Zach Trocinski jtracey93 Jack Tracey
05	avm/ptn/virtual-machine-images/azure-image-builder	Custom Images using Azure Image Builder	AlexanderSehr Alexander Sehr

Modules published in August 2024

No.	Module Name	Display Name	Status & Versions	Owner(s)
01	avm/ptn/aca-lza/hosting-environment	Azure Container Apps (ACA) LZA - Hosting Environment		kpantos Konstantinos Pantos

Modules published in July 2024

No.	Module Name	Display Name	Owner(s)
01	avm/ptn/ai-platform/baseline	AI Platform - Baseline	cecheta Chinedum Echeta ross-p-smith Ross Smith
02	avm/ptn/deployment-script/import-image-to-acr	Deployment Script - Import Container Image to ACR	ReneHezser Rene Hezser
03	avm/ptn/network/private-link-private-dns-zones	Private Link Private DNS Zones	jtracey93 Jack Tracey

Modules published in June 2024

No.	Module Name	Display Name	Status & Versions	Owner(s)
01	avm/ptn/lz/sub-vending	Landing Zone Subscription Vending		jtracey93 Jack Tracey sebassem Seif Bassem

Modules published in May 2024

No.	Module Name	Display Name	Status & Versions	Owner(s)
01	avm/ptn/authorization/resource-role-assignment	Authorization - Resource Role Assignment		peterbud Peter Budai
02	avm/ptn/finops-toolkit/finops-hub	FinOps Toolkit - FinOps Hub		arthurclares Arthur Clares

Modules published in April 2024

No.	Module Name	Display Name	Owner(s)
01	avm/ptn/authorization/policy-assignment	Authorization - Policy Assignment	jtracey93 Jack Tracey
02	avm/ptn/authorization/role-assignment	Authorization - Role Assignment	jtracey93 Jack Tracey
03	avm/ptn/policy-insights/remediation	Policy Insights Remediation	donk-msft Don Koning
04	avm/ptn/security/security-center	Azure Security Center (Defender for Cloud)	oZakari Zach Trocinski jtracey93 Jack Tracey

For Module Owners & Contributors

Note

This section is mainly intended for module owners and contributors as it contains information important for module development, such as telemetry ID prefix, and GitHub Teams for Owners.

Module name, Telemetry ID prefix, GitHub Teams for Owners

➕ All Modules - Module name, Telemetry ID prefix, GitHub Teams for Owners

No.	Module Name	Telemetry ID prefix	GitHub Teams for Module Owners (`@Azure` org)
01	avm/ptn/aca-lza/hosting-environment	`46d3xbcp.ptn.acalza-hostingenvironment`	`avm-ptn-acalza-hostingenvironment-module-owners-bicep`
02	avm/ptn/ai-ml/ai-foundry	`46d3xbcp.ptn.aiml-aifoundry`	`avm-ptn-aiml-aifoundry-module-owners-bicep`
03	avm/ptn/ai-ml/landing-zone	`46d3xbcp.ptn.aiml-lz`	`avm-ptn-aiml-landingzone-module-owners-bicep`
04	avm/ptn/ai-platform/baseline	`46d3xbcp.ptn.aiplatform-baseline`	`avm-ptn-aiplatform-baseline-module-owners-bicep`
05	avm/ptn/alz/ama	`46d3xbcp.ptn.alz-ama`	`avm-ptn-alz-ama-module-owners-bicep`
06	avm/ptn/alz/empty	`46d3xbcp.ptn.alz-empty`	`avm-ptn-alz-empty-module-owners-bicep`
07	avm/ptn/app-service-lza/hosting-environment	`46d3xbcp.ptn.appsvclza-hostingenvironment`	`avm-ptn-appservicelza-hostingenvironment-module-owners-bicep`
08	avm/ptn/app/container-job-toolkit	`46d3xbcp.ptn.app-containerjobtoolkit`	`avm-ptn-app-containerjobtoolkit-module-owners-bicep`
09	avm/ptn/app/cosmos-db-account-container-app	`46d3xbcp.ptn.app-cosmosdbacctcontapp`	`avm-ptn-app-cosmosdbaccountcontainerapp-module-owners-bicep`
10	avm/ptn/app/iaas-vm-cosmosdb-tier4	`46d3xbcp.ptn.app-iaasvmcosmosdbt4`	`avm-ptn-app-iaasvmcosmosdbtier4-module-owners-bicep`
11	avm/ptn/app/mongodb-cluster-container-app	`46d3xbcp.ptn.app-mongodbclustcontapp`	`avm-ptn-app-mongodbclustercontainerapp-module-owners-bicep`
12	avm/ptn/app/paas-ase-cosmosdb-tier4	`46d3xbcp.ptn.app-paasasecosmosdbt4`	`avm-ptn-app-paasasecosmosdbtier4-module-owners-bicep`
13	avm/ptn/authorization/pim-role-assignment	`46d3xbcp.ptn.authorization-pimroleassignment`	`avm-ptn-authorization-pimroleassignment-module-owners-bicep`
14	avm/ptn/authorization/policy-assignment	`46d3xbcp.ptn.authorization-policyassignment`	`avm-ptn-authorization-policyassignment-module-owners-bicep`
15	avm/ptn/authorization/policy-exemption	`46d3xbcp.ptn.authorization-policyexemption`	`avm-ptn-authorization-policyexemption-module-owners-bicep`
16	avm/ptn/authorization/resource-role-assignment	`46d3xbcp.ptn.authorization-resourceroleassignment`	`avm-ptn-authorization-resourceroleassignment-module-owners-bicep`
17	avm/ptn/authorization/role-assignment	`46d3xbcp.ptn.authorization-roleassignment`	`avm-ptn-authorization-roleassignment-module-owners-bicep`
18	avm/ptn/authorization/role-definition	`46d3xbcp.ptn.authorization-roledefinition`	`avm-ptn-authorization-roledefinition-module-owners-bicep`
19	avm/ptn/avd-lza/insights	`46d3xbcp.ptn.avdlza-insights`	`avm-ptn-avdlza-insights-module-owners-bicep`
20	avm/ptn/avd-lza/management-plane	`46d3xbcp.ptn.avdlza-managementplane`	`avm-ptn-avdlza-managementplane-module-owners-bicep`
21	avm/ptn/avd-lza/networking	`46d3xbcp.ptn.avdlza-networking`	`avm-ptn-avdlza-networking-module-owners-bicep`
22	avm/ptn/avd-lza/session-hosts	`46d3xbcp.ptn.avdlza-sessionhosts`	`avm-ptn-avdlza-sessionhosts-module-owners-bicep`
23	avm/ptn/azd/acr-container-app	`46d3xbcp.ptn.azd-acrcontainerapp`	`avm-ptn-azd-acrcontainerapp-module-owners-bicep`
24	avm/ptn/azd/aks	`46d3xbcp.ptn.azd-aks`	`avm-ptn-azd-aks-module-owners-bicep`
25	avm/ptn/azd/aks-automatic-cluster	`46d3xbcp.ptn.azd-aksautomaticcluster`	`avm-ptn-azd-aksautomaticcluster-module-owners-bicep`
26	avm/ptn/azd/apim-api	`46d3xbcp.ptn.azd-apimapi`	`avm-ptn-azd-apimapi-module-owners-bicep`
27	avm/ptn/azd/container-app-upsert	`46d3xbcp.ptn.azd-containerappupsert`	`avm-ptn-azd-containerappupsert-module-owners-bicep`
28	avm/ptn/azd/container-apps-stack	`46d3xbcp.ptn.azd-containerappsstack`	`avm-ptn-azd-containerappsstack-module-owners-bicep`
29	avm/ptn/azd/insights-dashboard	`46d3xbcp.ptn.azd-insightsdashboard`	`avm-ptn-azd-insightsdashboard-module-owners-bicep`
30	avm/ptn/azd/ml-ai-environment	`46d3xbcp.ptn.azd-mlaienvironment`	`avm-ptn-azd-mlaienvironment-module-owners-bicep`
31	avm/ptn/azd/ml-hub-dependencies	`46d3xbcp.ptn.azd-mlhubdependencies`	`avm-ptn-azd-mlhubdependencies-module-owners-bicep`
32	avm/ptn/azd/ml-project	`46d3xbcp.ptn.azd-mlproject`	`avm-ptn-azd-mlproject-module-owners-bicep`
33	avm/ptn/azd/monitoring	`46d3xbcp.ptn.azd-monitoring`	`avm-ptn-azd-monitoring-module-owners-bicep`
34	avm/ptn/data/private-analytical-workspace	`46d3xbcp.ptn.data-privateanalyticalworkspace`	`avm-ptn-data-privateanalyticalworkspace-module-owners-bicep`
35	avm/ptn/deployment-script/create-kv-ssh-key-pair	`46d3xbcp.ptn.deploymentscript-createkvsshkeypair`	`avm-ptn-deploymentscript-createkvsshkeypair-module-owners-bicep`
36	avm/ptn/deployment-script/import-image-to-acr	`46d3xbcp.ptn.deploymentscript-importimagetoacr`	`avm-ptn-deploymentscript-importimagetoacr-module-owners-bicep`
37	avm/ptn/deployment-script/private	`46d3xbcp.ptn.deploymentscript-private`	`avm-ptn-deploymentscript-private-module-owners-bicep`
38	avm/ptn/dev-center/dev-box	`46d3xbcp.ptn.devcenter-devbox`	`avm-ptn-devcenter-devbox-module-owners-bicep`
39	avm/ptn/dev-ops/cicd-agents-and-runners	`46d3xbcp.ptn.devops-cicdagentsandrunners`	`avm-ptn-devops-cicdagentsandrunners-module-owners-bicep`
40	avm/ptn/finops-toolkit/finops-hub	`46d3xbcp.ptn.finopstoolkit-finopshub`	`avm-ptn-finopstoolkit-finopshub-module-owners-bicep`
41	avm/ptn/lz/sub-vending	`46d3xbcp.ptn.lz-subvending`	`avm-ptn-lz-subvending-module-owners-bicep`
42	avm/ptn/lza-shared/data-services	`46d3xbcp.ptn.lzashared-dataservices`	`avm-ptn-lzashared-dataservices-module-owners-bicep`
43	avm/ptn/maintenance/azure-update-manager	`46d3xbcp.ptn.maintenance-azureupdatemanager`	`avm-ptn-maintenance-azureupdatemanager-module-owners-bicep`
44	avm/ptn/mgmt-groups/subscription-placement	`46d3xbcp.ptn.mgmtgroup-subplacement`	`avm-ptn-mgmtgroups-subscriptionplacement-module-owners-bicep`
45	avm/ptn/monitoring/amba	`46d3xbcp.ptn.monitoring-amba`	`avm-ptn-monitoring-amba-module-owners-bicep`
46	avm/ptn/monitoring/amba-alz	`46d3xbcp.ptn.monitoring-ambaalz`	`avm-ptn-monitoring-ambaalz-module-owners-bicep`
47	avm/ptn/network/hub-networking	`46d3xbcp.ptn.network-hubnetworking`	`avm-ptn-network-hubnetworking-module-owners-bicep`
48	avm/ptn/network/private-link-private-dns-zones	`46d3xbcp.ptn.network-privatelinkprivatednszones`	`avm-ptn-network-privatelinkprivatednszones-module-owners-bicep`
49	avm/ptn/network/virtual-wan	`46d3xbcp.ptn.network-virtualwan`	`avm-ptn-network-virtualwan-module-owners-bicep`
50	avm/ptn/network/vwan-connected-vnets	`46d3xbcp.ptn.network-vwanconnectedvnets`	`avm-ptn-network-vwanconnectedvnets-module-owners-bicep`
51	avm/ptn/openai/cognitive-search	`46d3xbcp.ptn.openai-cognitivesearch`	`avm-ptn-openai-cognitivesearch-module-owners-bicep`
52	avm/ptn/openai/e2e-baseline	`46d3xbcp.ptn.openai-e2ebaseline`	`avm-ptn-openai-e2ebaseline-module-owners-bicep`
53	avm/ptn/policy-insights/remediation	`46d3xbcp.ptn.policyinsights-remediation`	`avm-ptn-policyinsights-remediation-module-owners-bicep`
54	avm/ptn/sa/build-your-own-copilot	`46d3xbcp.ptn.sa-buildyourowncopilot`	`avm-ptn-sa-buildyourowncopilot-module-owners-bicep`
55	avm/ptn/sa/chat-with-your-data	`46d3xbcp.ptn.sa-chatwithyourdata`	`avm-ptn-sa-chatwithyourdata-module-owners-bicep`
56	avm/ptn/sa/content-processing	`46d3xbcp.ptn.sa-contentprocessing`	`avm-ptn-sa-contentprocessing-module-owners-bicep`
57	avm/ptn/sa/conversation-knowledge-mining	`46d3xbcp.ptn.sa-convknowledgemining`	`avm-ptn-sa-conversationknowledgemining-module-owners-bicep`
58	avm/ptn/sa/customer-chatbot	`46d3xbcp.ptn.sa-customerchatbot`	`avm-ptn-sa-customerchatbot-module-owners-bicep`
59	avm/ptn/sa/document-knowledge-mining	`46d3xbcp.ptn.sa-documentknowledgemining`	`avm-ptn-sa-documentknowledgemining-module-owners-bicep`
60	avm/ptn/sa/modernize-your-code	`46d3xbcp.ptn.sa-modernizeyourcode`	`avm-ptn-sa-modernizeyourcode-module-owners-bicep`
61	avm/ptn/sa/multi-agent-custom-automation-engine	`46d3xbcp.ptn.sa-multiagentcustauteng`	`avm-ptn-sa-multiagentcustomautomationengine-module-owners-bicep`
62	avm/ptn/security/security-center	`46d3xbcp.ptn.security-securitycenter`	`avm-ptn-security-securitycenter-module-owners-bicep`
63	avm/ptn/security/sentinel	`46d3xbcp.ptn.security-sentinel`	`avm-ptn-security-sentinel-module-owners-bicep`
64	avm/ptn/subscription/service-health-alerts	`46d3xbcp.ptn.subscription-svchealthalerts`	`avm-ptn-subscription-servicehealthalerts-module-owners-bicep`
65	avm/ptn/virtual-machine-images/azure-image-builder	`46d3xbcp.ptn.vmimages-azureimagebuilder`	`avm-ptn-virtualmachineimages-azureimagebuilder-module-owners-bicep`

Bicep Utility Modules

Module catalog

Language	Classification	Published 🟢 & 🟡	Proposed ⚪	SUM
Bicep	Utility	1	1	2

➕ Additional information

Legend

Summary of status icons used on this page

Icon	Status	Description
⚪	Proposed modules	Modules that are proposed and/or being worked on but not published yet.
🟢 & 🟡	Published modules	Available (🟢) and Orphaned (🟡) modules that are active and usable.
🔴	Deprecated modules	Modules that reached the end of their lifecycle.
📇	All modules	Including Published, Proposed and Deprecated ones.

See the Module Lifecycle page for more details.

Info

This page contains various views of the module index (catalog) for Bicep Utility Modules. To see these views, click on the expandable sections with the “➕” sign below.

To see the full, unfiltered, unformatted module index on GitHub, click here.
To download the source CSV file, click here.

Note

Published modules - 🟢 & 🟡

➕ Published Modules - Module names, status and owners

No.	Module Name	Display Name	Status & Versions	Owner(s)
01	avm/utl/types/avm-common-types	AVM Common Types		AlexanderSehr Alexander Sehr

Proposed modules - ⚪

➕ Proposed Modules - Module names, status and owners

No.	Module Name	Display Name	Status & Versions	Owner(s)
01	avm/utl/general/get-environment	Get-Environment		alex-frankel Alex Frankel

Deprecated modules - 🔴

➕ Deprecated Modules - Module names, status and owners

No.	Module Name	Display Name	Status & Versions	Owner(s)
01	❌ None listed	❌ None listed	❌ None listed	❌ None listed

All modules - 📇

➕ All Modules - Module names, status and owners

No.	Module Name	Display Name	Status & Versions	Owner(s)
01	avm/utl/general/get-environment	Get-Environment		alex-frankel Alex Frankel
02	avm/utl/types/avm-common-types	AVM Common Types		AlexanderSehr Alexander Sehr

Module Publication History - 📅

➕ Module Publication History - Module names, status and owners

Modules published in October 2024

No.	Module Name	Display Name	Status & Versions	Owner(s)
01	avm/utl/types/avm-common-types	AVM Common Types		AlexanderSehr Alexander Sehr

For Module Owners & Contributors

Note

This section is mainly intended for module owners and contributors as it contains information important for module development, such as telemetry ID prefix, and GitHub Teams for Owners.

Module name, Telemetry ID prefix, GitHub Teams for Owners

➕ All Modules - Module name, Telemetry ID prefix, GitHub Teams for Owners

No.	Module Name	Telemetry ID prefix	GitHub Teams for Module Owners (`@Azure` org)
01	avm/utl/general/get-environment	`46d3xbcp.utl.general-getenvironment`	`avm-utl-general-getenvironment-module-owners-bicep`
02	avm/utl/types/avm-common-types	`46d3xbcp.utl.types-avmcommontypes`	`avm-utl-types-avmcommontypes-module-owners-bicep`

Terraform Modules

Summary

The following table shows the number of all available, orphaned and planned Terraform Modules.

Language	Classification	Published 🟢 & 🟡	Proposed ⚪	SUM
Terraform	Resource	105	47	152
	Pattern	24	23	47
	Utility	5	8	13

➕ Additional information

Legend

Summary of status icons used on this page

Icon	Status	Description
⚪	Proposed modules	Modules that are proposed and/or being worked on but not published yet.
🟢 & 🟡	Published modules	Available (🟢) and Orphaned (🟡) modules that are active and usable.
🔴	Deprecated modules	Modules that reached the end of their lifecycle.
📇	All modules	Including Published, Proposed and Deprecated ones.

See the Module Lifecycle page for more details.

Want to contribute to AVM Terraform modules?

#	Labels	Link and description
1.	Type: New Module Proposal 💡 Needs: Module Owner 📣 Language: Terraform 🌐	To become the owner of a new Terraform module, see all new Terraform modules looking for owners or check out the “Looking for owners” swimlane here.
2.	Status: Module Orphaned 🟡 Language: Terraform 🌐	To become the owner of an orphaned Terraform module, see all orphaned Terraform modules or check out the “Orphaned” swimlane here.
3.	Needs: Module Contributor 📣 Language: Terraform 🌐	To become a co-owner or contribute to a Terraform module, see all Terraform modules looking for contributors.

For more details on “What are the different ways to contribute to AVM?”, see here.

Terraform Resource Modules

Module catalog

Language	Classification	Published 🟢 & 🟡	Proposed ⚪	SUM
Terraform	Resource	105	47	152

➕ Additional information

Legend

Summary of status icons used on this page

Icon	Status	Description
⚪	Proposed modules	Modules that are proposed and/or being worked on but not published yet.
🟢 & 🟡	Published modules	Available (🟢) and Orphaned (🟡) modules that are active and usable.
🔴	Deprecated modules	Modules that reached the end of their lifecycle.
📇	All modules	Including Published, Proposed and Deprecated ones.

See the Module Lifecycle page for more details.

Info

This page contains various views of the module index (catalog) for Terraform Resource Modules. To see these views, click on the expandable sections with the “➕” sign below.

To see the full, unfiltered, unformatted module index on GitHub, click here.
To download the source CSV file, click here.

Note

Published modules - 🟢 & 🟡

➕ Published Modules - Module names, status and owners

No.	Module Name	Source Code	Display Name	Primary Owner
01	avm-res-apimanagement-service	📄	API Management Service	swatilekhapaul Swatilekha Paul
02	avm-res-app-containerapp	📄	Container App	lonegunmanb Zijie He
03	avm-res-app-job	📄	App Job	sujaypillai Sujay Pillai
04	avm-res-app-managedenvironment	📄	App Managed Environment	segraef Sebastian Graef
05	avm-res-appconfiguration-configurationstore	📄	App Configuration Store	matt-FFFFFF Matt White
06	avm-res-authorization-roleassignment	📄	Role Assignment	jaredfholgate Jared Holgate
07	avm-res-automation-automationaccount	📄	Automation Account	didayal-msft Divyadeep Dayal Poven795909 Poornima Venkataramanan
08	avm-res-avs-privatecloud	📄	AVS Private Cloud	jchancellor-ms Jon Chancellor
09	avm-res-azurestackhci-cluster	📄	Azure Stack HCI Cluster
10	avm-res-azurestackhci-logicalnetwork	📄	AzureStackHCI logical network
11	avm-res-azurestackhci-virtualmachineinstance	📄	Stack HCI Virtual Machine Instance
12	avm-res-batch-batchaccount	📄	Batch Account	ethanjenkins1 Ethan Jenkins
13	avm-res-cache-redis	📄	Redis Cache	jchancellor-ms Jon Chancellor
14	avm-res-cdn-profile	📄	CDN Profile	Poven795909 Poornima Venkataramanan didayal-msft Divyadeep Dayal
15	avm-res-certificateregistration-certificateorder	📄	Certificate Orders	lonegunmanb Zijie He
16	avm-res-cognitiveservices-account	📄	Cognitive Service	lonegunmanb Zijie He
17	avm-res-communication-emailservice	📄	Email Communication Service	lonegunmanb Zijie He
18	avm-res-compute-capacityreservationgroup	📄	Capacity Reservation Group	chianw Chian Wong
19	avm-res-compute-disk	📄	Compute Disk	terrymandin Terry Mandin
20	avm-res-compute-diskencryptionset	📄	Disk Encryption Set	Akashc0807 Akash Choudhary
21	avm-res-compute-gallery	📄	Azure Compute Gallery	Akashc0807 Akash Choudhary
22	avm-res-compute-hostgroup	📄	Host Groups	chianw Chian Wong
23	avm-res-compute-proximityplacementgroup	📄	Proximity Placement Group	fafriha Farouk Friha
24	avm-res-compute-sshpublickey	📄	Public SSH Key	ChrisSidebotham Chris Sidebotham
25	avm-res-compute-virtualmachine	📄	Virtual Machine VM	jchancellor-ms Jon Chancellor
26	avm-res-compute-virtualmachinescaleset	📄	Virtual Machine Scale Set VMSS	terrymandin Terry Mandin marcelkmfst Marcel Keller
27	avm-res-containerinstance-containergroup	📄	Container Instance	sharmilamusunuru Sharmila Musunuru
28	avm-res-containerregistry-registry	📄	Azure Container Registry (ACR)	Akashc0807 Akash Choudhary
29	avm-res-containerservice-managedcluster	📄	AKS Managed Cluster	ibersanoMS Isabelle Bersano
30	avm-res-databricks-workspace	📄	Azure Databricks Workspace	segraef Sebastian Graef
31	avm-res-datafactory-factory	📄	Data Factory	asishr Asish R
32	avm-res-dataprotection-backupvault	📄	Data Protection Backup Vault	ethanjenkins1 Ethan Jenkins
33	avm-res-dataprotection-resourceguard	📄	Data Protection Resource Guard	WenAI2020 Wen Tian
34	avm-res-dbformysql-flexibleserver	📄	DB for MySQL Flexible Server	elsalvos Cesar Abrego
35	avm-res-dbforpostgresql-flexibleserver	📄	DB for Postgre SQL Flexible Server	zaidmohd Zaid Mohammad
36	avm-res-desktopvirtualization-applicationgroup	📄	Azure Virtual Desktop (AVD) Application Group	jensheerin Jen Sheerin sihbher Gerardo Reyes
37	avm-res-desktopvirtualization-hostpool	📄	Azure Virtual Desktop (AVD) Host Pool	jensheerin Jen Sheerin sihbher Gerardo Reyes
38	avm-res-desktopvirtualization-scalingplan	📄	Azure Virtual Desktop (AVD) Scaling Plan	jensheerin Jen Sheerin sihbher Gerardo Reyes
39	avm-res-desktopvirtualization-workspace	📄	Azure Virtual Desktop (AVD) Workspace	jensheerin Jen Sheerin sihbher Gerardo Reyes
40	avm-res-devcenter-devcenter	📄	Dev Center
41	avm-res-devopsinfrastructure-pool	📄	DevOps Pools	jaredfholgate Jared Holgate
42	avm-res-documentdb-databaseaccount	📄	CosmosDB Database Account	cmaneu Christopher Maneu
43	avm-res-documentdb-mongocluster	📄	Cosmos DB for MongoDB (vCore)	sujaypillai Sujay Pillai
44	avm-res-edge-site	📄	Azure Arc Site manager
45	avm-res-eventgrid-domain	📄	Event Grid Domain	sujaypillai Sujay Pillai
46	avm-res-eventgrid-topic	📄	Event Grid Topic	sujaypillai Sujay Pillai
47	avm-res-eventhub-namespace	📄	Event Hub Namespace	rcavaturu Raja Kalyan Ram Cavaturu
48	avm-res-features-feature	📄	Azure Feature Exposure Control (AFEC)	lonegunmanb Zijie He
49	avm-res-hybridcontainerservice-provisionedclusterinstance	📄	AKS Arc
50	avm-res-insights-autoscalesetting	📄	Auto scale settings	chianw Chian Wong
51	avm-res-insights-component	📄	Application Insight	Jfolberth John Folberth
52	avm-res-insights-datacollectionendpoint	📄	Data Collection Endpoint	sharmilamusunuru Sharmila Musunuru
53	avm-res-keyvault-vault	📄	Key Vault KV	matt-FFFFFF Matt White
54	avm-res-kusto-cluster	📄	Kusto Clusters	LaurentLesle Laurent Lesle
55	avm-res-logic-workflow	📄	Logic Apps (Workflow)	bakrish Bala Krishnamoorthy
56	avm-res-machinelearningservices-workspace	📄	Machine Learning Services Workspace ML Workspace	Nepomuceno Gabriel Monteiro Nepomuceno
57	avm-res-maintenance-maintenanceconfiguration	📄	Maintenance Configuration	ASHR4 Rhys Ash
58	avm-res-managedidentity-userassignedidentity	📄	User Assigned Identity MSI	Jfolberth John Folberth
59	avm-res-management-servicegroup	📄	Management Service Groups	haflidif Haflidi Fridthjofsson
60	avm-res-netapp-netappaccount	📄	Azure NetApp File	jtracey93 Jack Tracey
61	avm-res-network-applicationgateway	📄	Application Gateway App GW	mofaizal Mohamed Faizal
62	avm-res-network-applicationgatewaywebapplicationfirewallpolicy	📄	Application Gateway Web Application Firewall (WAF) Policy	mofaizal Mohamed Faizal
63	avm-res-network-applicationsecuritygroup	📄	Application Security Group (ASG) ASG	MinHeinA Min Hein Aung
64	avm-res-network-azurefirewall	📄	Azure Firewall Azure FW	vmisson Vincent Misson
65	avm-res-network-bastionhost	📄	Bastion Host	humanascode Itamar Hirosh
66	avm-res-network-connection	📄	Virtual Network Gateway Connection	jchancellor-ms Jon Chancellor
67	avm-res-network-ddosprotectionplan	📄	DDoS Protection	sitarant Simona Tarantola jtracey93 Jack Tracey
68	avm-res-network-dnsresolver	📄	DNS Resolver	humanascode Itamar Hirosh
69	avm-res-network-dnszone	📄	Public DNS Zone	sharmilamusunuru Sharmila Musunuru
70	avm-res-network-expressroutecircuit	📄	ExpressRoute Circuit ER	khushal08 Khush Kaviraj adammontlake Adam Montlake
71	avm-res-network-firewallpolicy	📄	Azure Firewall Policy	MinHeinA Min Hein Aung
72	avm-res-network-frontdoorwebapplicationfirewallpolicy	📄	Front Door Web Application Firewall (WAF) Policy	sihbher Gerardo Reyes
73	avm-res-network-ipgroup	📄	IP Group	mathewsg Mathews George
74	avm-res-network-loadbalancer	📄	Loadbalancer	donovm4 Donovan McCoy
75	avm-res-network-localnetworkgateway	📄	Local Network Gateway	Bhavyasree08 Bhavyasree Damarla
76	avm-res-network-natgateway	📄	NAT Gateway	iarik0440 Yarik Simineans
77	avm-res-network-networkinterface	📄	Network Interface NIC	fafriha Farouk Friha
78	avm-res-network-networkmanager	📄	Azure Virtual Network Manager
79	avm-res-network-networksecuritygroup	📄	Network Security Group	maheshbenke Mahesh Benke
80	avm-res-network-networkwatcher	📄	Azure Network Watcher	terrymandin Terry Mandin
81	avm-res-network-privatednszone	📄	Private DNS Zone	chianw Chian Wong
82	avm-res-network-privateendpoint	📄	Private Endpoint	jaredfholgate Jared Holgate
83	avm-res-network-publicipaddress	📄	Public IP Address PIP	vmisson Vincent Misson
84	avm-res-network-publicipprefix	📄	Public IP Prefix	PmeshramPM Pankaj Meshram
85	avm-res-network-routetable	📄	Route Table UDR	adammontlake Adam Montlake
86	avm-res-network-virtualnetwork	📄	Virtual Network VNET	jaredfholgate Jared Holgate
87	avm-res-operationalinsights-workspace	📄	Log Analytics workspace	iarik0440 Yarik Simineans
88	avm-res-oracledatabase-cloudexadatainfrastructure	📄	Oracle Exadata Infrastructure	sihbher Gerardo Reyes terrymandin Terry Mandin
89	avm-res-oracledatabase-cloudvmcluster	📄	Oracle VM cluster	sihbher Gerardo Reyes terrymandin Terry Mandin
90	avm-res-portal-dashboard	📄	Azure Portal Dashboard	VeronicaSea Veronica Xu
91	avm-res-recoveryservices-vault	📄	Recovery Services Vault	elsalvos Cesar Abrego
92	avm-res-redhatopenshift-openshiftcluster	📄	OpenShift Cluster	ethanjenkins1 Ethan Jenkins puneetdevadiga Puneet Devadiga
93	avm-res-relay-namespace	📄	Relay Namespace	sujaypillai Sujay Pillai
94	avm-res-resourcegraph-query	📄	Resource Graph Query	SJAYAP S Jayaprakash
95	avm-res-resources-resourcegroup	📄	Resource Group RG	Jfolberth John Folberth
96	avm-res-search-searchservice	📄	Search Service
97	avm-res-servicebus-namespace	📄	Service Bus Namespace
98	avm-res-sql-managedinstance	📄	SQL Managed Instance SQL MI
99	avm-res-sql-server	📄	Azure SQL Server	abhishekaryams Abhishek Arya
100	avm-res-storage-storageaccount	📄	Storage Account	chinthakaru Chinthaka Rupasinghe
101	avm-res-web-connection	📄	API Connection	donovm4 Donovan McCoy
102	avm-res-web-hostingenvironment	📄	App Service Environment ASE	ibersanoMS Isabelle Bersano
103	avm-res-web-serverfarm	📄	App Service Plan	ibersanoMS Isabelle Bersano
104	avm-res-web-site	📄	Web/Function App App Service, Web Site, Logic App, Function App	donovm4 Donovan McCoy
105	avm-res-web-staticsite	📄	Static Web App	donovm4 Donovan McCoy

Proposed modules - ⚪

➕ Proposed Modules - Module names, status and owners

No.	Module Name	Source Code	Display Name	Primary Owner
01	avm-res-aad-domainservice	n/a	Azure Active Directory Domain Service	humanascode Itamar Hirosh
02	avm-res-alertsmanagement-actionrule	n/a	Action Rules	joeybarnes Joseph Barnes
03	avm-res-analysisservices-server	n/a	Analysis Services Server	Bhavyasree08 Bhavyasree Damarla
04	avm-res-botservice-botservice	n/a	Bot Service	ethanjenkins1 Ethan Jenkins
05	avm-res-cache-redisenterprise	n/a	Azure Managed Redis	Ankur1106 Ankur Sharma
06	avm-res-compute-image	n/a	Image
07	avm-res-consumption-budget	n/a	Consumption Budget	Akashc0807 Akash Choudhary
08	avm-res-containerservice-fleet	n/a	AKS Fleet	didayal-msft Divyadeep Dayal amruta53 Amruta Kulkarni
09	avm-res-dashboard-grafana	n/a	Azure Managed Grafana	khajour Abdelaziz Khajour
10	avm-res-databricks-accessconnector	n/a	Azure Databricks Access Connector
11	avm-res-deviceregistry-assetendpointprofile	n/a	Device Registry Asset Endpoint Profile	lonegunmanb Zijie He
12	avm-res-devtestlab-lab	n/a	DevTest Lab	sharmilamusunuru Sharmila Musunuru
13	avm-res-digitaltwins-digitaltwinsinstance	n/a	Digital Twins Instance
14	avm-res-eventgrid-namespace	n/a	Event Grid Namespace	dassbernd Berna Sandalli
15	avm-res-eventgrid-systemtopic	n/a	Event Grid System Topic	sujaypillai Sujay Pillai
16	avm-res-healthbot-healthbot	n/a	Azure Health Bot
17	avm-res-hybridcompute-machine	n/a	Hybrid Compute Machine
18	avm-res-insights-actiongroup	n/a	Action Group	arjenhuitema Arjen Huitema Brunoga-MS Bruno Gabrielli
19	avm-res-insights-activitylogalert	n/a	Activity log alerts	tagolovina Tanya Golovina
20	avm-res-insights-alertrule	n/a	Alert Rules	joeybarnes Joseph Barnes
21	avm-res-insights-datacollectionrule	n/a	Data Collection Rule	sharmilamusunuru Sharmila Musunuru
22	avm-res-insights-logprofile	n/a	Log profile	sharmilamusunuru Sharmila Musunuru
23	avm-res-insights-metricalert	n/a	Metric Alert	arjenhuitema Arjen Huitema
24	avm-res-insights-privatelinkscope	n/a	Azure Monitor Private Link Scope	sharmilamusunuru Sharmila Musunuru
25	avm-res-insights-scheduledqueryrule	n/a	Scheduled Query Rule
26	avm-res-iotoperations-instance	n/a	Azure IoT Operations	agreaves-ms Allen Greaves WilliamBerryiii Bill Berry
27	avm-res-loadtestservice-loadtest	n/a	Load Testing Service	pfayika1 Philippe Fayika
28	avm-res-managedservices-registrationdefinition	n/a	Registration Definition (Lighthouse)
29	avm-res-management-managementgroup	n/a	Management Group MG	herms14 Hermes Miraflor II
30	avm-res-network-dnsforwardingruleset	n/a	DNS Forwarding Ruleset	sharmilamusunuru Sharmila Musunuru
31	avm-res-network-frontdoor	n/a	Azure Front Door
32	avm-res-network-privatelinkservice	n/a	Private Link Service	avivshrem Aviv Shrem
33	avm-res-network-serviceendpointpolicy	n/a	Service Endpoint Policy	ASHR4 Rhys Ash
34	avm-res-network-trafficmanagerprofile	n/a	Traffic Manager Profile	AnubhaR94 Anubha Rana
35	avm-res-network-virtualnetworkgateway	n/a	Virtual Network Gateway VNET GW
36	avm-res-network-virtualrouter	n/a	Route Server
37	avm-res-operationsmanagement-solution	n/a	Operations Management Solution
38	avm-res-powerbidedicated-capacity	n/a	Power BI Dedicated Capacity
39	avm-res-purview-account	n/a	Purview Account
40	avm-res-resources-feature	n/a	Resource Features	lonegunmanb Zijie He
41	avm-res-servicefabric-cluster	n/a	Service Fabric Cluster
42	avm-res-servicenetworking-trafficcontroller	n/a	Application Gateway for Containers (Traffic Controller)	mofaizal Mohamed Faizal
43	avm-res-signalrservice-signalr	n/a	SignalR Service SignalR
44	avm-res-sql-instancepool	n/a	Instance Pools	sujaypillai Sujay Pillai
45	avm-res-sqlvirtualmachine-sqlvirtualmachine	n/a	Sql Virtual Machine SQL VM	sujaypillai Sujay Pillai
46	avm-res-synapse-workspace	n/a	Synapse Workspace	Karni-G Karni Gupta
47	avm-res-virtualmachineimages-imagetemplate	n/a	Virtual Machine Image Template	travishankins Travis Hankins

Deprecated modules - 🔴

➕ Deprecated Modules - Module names, status and owners

No.	Module Name	Source Code	Display Name	Status & Versions	Primary Owner
01	❌ None listed	❌ None listed	❌ None listed	❌ None listed	❌ None listed

All modules - 📇

➕ All Modules - Module names, status and owners

No.	Module Name	Source Code	Display Name	Primary Owner
01	avm-res-aad-domainservice	n/a	Azure Active Directory Domain Service	humanascode Itamar Hirosh
02	avm-res-alertsmanagement-actionrule	n/a	Action Rules	joeybarnes Joseph Barnes
03	avm-res-analysisservices-server	n/a	Analysis Services Server	Bhavyasree08 Bhavyasree Damarla
04	avm-res-apimanagement-service	📄	API Management Service	swatilekhapaul Swatilekha Paul
05	avm-res-app-containerapp	📄	Container App	lonegunmanb Zijie He
06	avm-res-app-job	📄	App Job	sujaypillai Sujay Pillai
07	avm-res-app-managedenvironment	📄	App Managed Environment	segraef Sebastian Graef
08	avm-res-appconfiguration-configurationstore	📄	App Configuration Store	matt-FFFFFF Matt White
09	avm-res-authorization-roleassignment	📄	Role Assignment	jaredfholgate Jared Holgate
10	avm-res-automation-automationaccount	📄	Automation Account	didayal-msft Divyadeep Dayal Poven795909 Poornima Venkataramanan
11	avm-res-avs-privatecloud	📄	AVS Private Cloud	jchancellor-ms Jon Chancellor
12	avm-res-azurestackhci-cluster	📄	Azure Stack HCI Cluster
13	avm-res-azurestackhci-logicalnetwork	📄	AzureStackHCI logical network
14	avm-res-azurestackhci-virtualmachineinstance	📄	Stack HCI Virtual Machine Instance
15	avm-res-batch-batchaccount	📄	Batch Account	ethanjenkins1 Ethan Jenkins
16	avm-res-botservice-botservice	n/a	Bot Service	ethanjenkins1 Ethan Jenkins
17	avm-res-cache-redis	📄	Redis Cache	jchancellor-ms Jon Chancellor
18	avm-res-cache-redisenterprise	n/a	Azure Managed Redis	Ankur1106 Ankur Sharma
19	avm-res-cdn-profile	📄	CDN Profile	Poven795909 Poornima Venkataramanan didayal-msft Divyadeep Dayal
20	avm-res-certificateregistration-certificateorder	📄	Certificate Orders	lonegunmanb Zijie He
21	avm-res-cognitiveservices-account	📄	Cognitive Service	lonegunmanb Zijie He
22	avm-res-communication-emailservice	📄	Email Communication Service	lonegunmanb Zijie He
23	avm-res-compute-capacityreservationgroup	📄	Capacity Reservation Group	chianw Chian Wong
24	avm-res-compute-disk	📄	Compute Disk	terrymandin Terry Mandin
25	avm-res-compute-diskencryptionset	📄	Disk Encryption Set	Akashc0807 Akash Choudhary
26	avm-res-compute-gallery	📄	Azure Compute Gallery	Akashc0807 Akash Choudhary
27	avm-res-compute-hostgroup	📄	Host Groups	chianw Chian Wong
28	avm-res-compute-image	n/a	Image
29	avm-res-compute-proximityplacementgroup	📄	Proximity Placement Group	fafriha Farouk Friha
30	avm-res-compute-sshpublickey	📄	Public SSH Key	ChrisSidebotham Chris Sidebotham
31	avm-res-compute-virtualmachine	📄	Virtual Machine VM	jchancellor-ms Jon Chancellor
32	avm-res-compute-virtualmachinescaleset	📄	Virtual Machine Scale Set VMSS	terrymandin Terry Mandin marcelkmfst Marcel Keller
33	avm-res-consumption-budget	n/a	Consumption Budget	Akashc0807 Akash Choudhary
34	avm-res-containerinstance-containergroup	📄	Container Instance	sharmilamusunuru Sharmila Musunuru
35	avm-res-containerregistry-registry	📄	Azure Container Registry (ACR)	Akashc0807 Akash Choudhary
36	avm-res-containerservice-fleet	n/a	AKS Fleet	didayal-msft Divyadeep Dayal amruta53 Amruta Kulkarni
37	avm-res-containerservice-managedcluster	📄	AKS Managed Cluster	ibersanoMS Isabelle Bersano
38	avm-res-dashboard-grafana	n/a	Azure Managed Grafana	khajour Abdelaziz Khajour
39	avm-res-databricks-accessconnector	n/a	Azure Databricks Access Connector
40	avm-res-databricks-workspace	📄	Azure Databricks Workspace	segraef Sebastian Graef
41	avm-res-datafactory-factory	📄	Data Factory	asishr Asish R
42	avm-res-dataprotection-backupvault	📄	Data Protection Backup Vault	ethanjenkins1 Ethan Jenkins
43	avm-res-dataprotection-resourceguard	📄	Data Protection Resource Guard	WenAI2020 Wen Tian
44	avm-res-dbformysql-flexibleserver	📄	DB for MySQL Flexible Server	elsalvos Cesar Abrego
45	avm-res-dbforpostgresql-flexibleserver	📄	DB for Postgre SQL Flexible Server	zaidmohd Zaid Mohammad
46	avm-res-desktopvirtualization-applicationgroup	📄	Azure Virtual Desktop (AVD) Application Group	jensheerin Jen Sheerin sihbher Gerardo Reyes
47	avm-res-desktopvirtualization-hostpool	📄	Azure Virtual Desktop (AVD) Host Pool	jensheerin Jen Sheerin sihbher Gerardo Reyes
48	avm-res-desktopvirtualization-scalingplan	📄	Azure Virtual Desktop (AVD) Scaling Plan	jensheerin Jen Sheerin sihbher Gerardo Reyes
49	avm-res-desktopvirtualization-workspace	📄	Azure Virtual Desktop (AVD) Workspace	jensheerin Jen Sheerin sihbher Gerardo Reyes
50	avm-res-devcenter-devcenter	📄	Dev Center
51	avm-res-deviceregistry-assetendpointprofile	n/a	Device Registry Asset Endpoint Profile	lonegunmanb Zijie He
52	avm-res-devopsinfrastructure-pool	📄	DevOps Pools	jaredfholgate Jared Holgate
53	avm-res-devtestlab-lab	n/a	DevTest Lab	sharmilamusunuru Sharmila Musunuru
54	avm-res-digitaltwins-digitaltwinsinstance	n/a	Digital Twins Instance
55	avm-res-documentdb-databaseaccount	📄	CosmosDB Database Account	cmaneu Christopher Maneu
56	avm-res-documentdb-mongocluster	📄	Cosmos DB for MongoDB (vCore)	sujaypillai Sujay Pillai
57	avm-res-edge-site	📄	Azure Arc Site manager
58	avm-res-eventgrid-domain	📄	Event Grid Domain	sujaypillai Sujay Pillai
59	avm-res-eventgrid-namespace	n/a	Event Grid Namespace	dassbernd Berna Sandalli
60	avm-res-eventgrid-systemtopic	n/a	Event Grid System Topic	sujaypillai Sujay Pillai
61	avm-res-eventgrid-topic	📄	Event Grid Topic	sujaypillai Sujay Pillai
62	avm-res-eventhub-namespace	📄	Event Hub Namespace	rcavaturu Raja Kalyan Ram Cavaturu
63	avm-res-features-feature	📄	Azure Feature Exposure Control (AFEC)	lonegunmanb Zijie He
64	avm-res-healthbot-healthbot	n/a	Azure Health Bot
65	avm-res-hybridcompute-machine	n/a	Hybrid Compute Machine
66	avm-res-hybridcontainerservice-provisionedclusterinstance	📄	AKS Arc
67	avm-res-insights-actiongroup	n/a	Action Group	arjenhuitema Arjen Huitema Brunoga-MS Bruno Gabrielli
68	avm-res-insights-activitylogalert	n/a	Activity log alerts	tagolovina Tanya Golovina
69	avm-res-insights-alertrule	n/a	Alert Rules	joeybarnes Joseph Barnes
70	avm-res-insights-autoscalesetting	📄	Auto scale settings	chianw Chian Wong
71	avm-res-insights-component	📄	Application Insight	Jfolberth John Folberth
72	avm-res-insights-datacollectionendpoint	📄	Data Collection Endpoint	sharmilamusunuru Sharmila Musunuru
73	avm-res-insights-datacollectionrule	n/a	Data Collection Rule	sharmilamusunuru Sharmila Musunuru
74	avm-res-insights-logprofile	n/a	Log profile	sharmilamusunuru Sharmila Musunuru
75	avm-res-insights-metricalert	n/a	Metric Alert	arjenhuitema Arjen Huitema
76	avm-res-insights-privatelinkscope	n/a	Azure Monitor Private Link Scope	sharmilamusunuru Sharmila Musunuru
77	avm-res-insights-scheduledqueryrule	n/a	Scheduled Query Rule
78	avm-res-iotoperations-instance	n/a	Azure IoT Operations	agreaves-ms Allen Greaves WilliamBerryiii Bill Berry
79	avm-res-keyvault-vault	📄	Key Vault KV	matt-FFFFFF Matt White
80	avm-res-kusto-cluster	📄	Kusto Clusters	LaurentLesle Laurent Lesle
81	avm-res-loadtestservice-loadtest	n/a	Load Testing Service	pfayika1 Philippe Fayika
82	avm-res-logic-workflow	📄	Logic Apps (Workflow)	bakrish Bala Krishnamoorthy
83	avm-res-machinelearningservices-workspace	📄	Machine Learning Services Workspace ML Workspace	Nepomuceno Gabriel Monteiro Nepomuceno
84	avm-res-maintenance-maintenanceconfiguration	📄	Maintenance Configuration	ASHR4 Rhys Ash
85	avm-res-managedidentity-userassignedidentity	📄	User Assigned Identity MSI	Jfolberth John Folberth
86	avm-res-managedservices-registrationdefinition	n/a	Registration Definition (Lighthouse)
87	avm-res-management-managementgroup	n/a	Management Group MG	herms14 Hermes Miraflor II
88	avm-res-management-servicegroup	📄	Management Service Groups	haflidif Haflidi Fridthjofsson
89	avm-res-netapp-netappaccount	📄	Azure NetApp File	jtracey93 Jack Tracey
90	avm-res-network-applicationgateway	📄	Application Gateway App GW	mofaizal Mohamed Faizal
91	avm-res-network-applicationgatewaywebapplicationfirewallpolicy	📄	Application Gateway Web Application Firewall (WAF) Policy	mofaizal Mohamed Faizal
92	avm-res-network-applicationsecuritygroup	📄	Application Security Group (ASG) ASG	MinHeinA Min Hein Aung
93	avm-res-network-azurefirewall	📄	Azure Firewall Azure FW	vmisson Vincent Misson
94	avm-res-network-bastionhost	📄	Bastion Host	humanascode Itamar Hirosh
95	avm-res-network-connection	📄	Virtual Network Gateway Connection	jchancellor-ms Jon Chancellor
96	avm-res-network-ddosprotectionplan	📄	DDoS Protection	sitarant Simona Tarantola jtracey93 Jack Tracey
97	avm-res-network-dnsforwardingruleset	n/a	DNS Forwarding Ruleset	sharmilamusunuru Sharmila Musunuru
98	avm-res-network-dnsresolver	📄	DNS Resolver	humanascode Itamar Hirosh
99	avm-res-network-dnszone	📄	Public DNS Zone	sharmilamusunuru Sharmila Musunuru
100	avm-res-network-expressroutecircuit	📄	ExpressRoute Circuit ER	khushal08 Khush Kaviraj adammontlake Adam Montlake
101	avm-res-network-firewallpolicy	📄	Azure Firewall Policy	MinHeinA Min Hein Aung
102	avm-res-network-frontdoor	n/a	Azure Front Door
103	avm-res-network-frontdoorwebapplicationfirewallpolicy	📄	Front Door Web Application Firewall (WAF) Policy	sihbher Gerardo Reyes
104	avm-res-network-ipgroup	📄	IP Group	mathewsg Mathews George
105	avm-res-network-loadbalancer	📄	Loadbalancer	donovm4 Donovan McCoy
106	avm-res-network-localnetworkgateway	📄	Local Network Gateway	Bhavyasree08 Bhavyasree Damarla
107	avm-res-network-natgateway	📄	NAT Gateway	iarik0440 Yarik Simineans
108	avm-res-network-networkinterface	📄	Network Interface NIC	fafriha Farouk Friha
109	avm-res-network-networkmanager	📄	Azure Virtual Network Manager
110	avm-res-network-networksecuritygroup	📄	Network Security Group	maheshbenke Mahesh Benke
111	avm-res-network-networkwatcher	📄	Azure Network Watcher	terrymandin Terry Mandin
112	avm-res-network-privatednszone	📄	Private DNS Zone	chianw Chian Wong
113	avm-res-network-privateendpoint	📄	Private Endpoint	jaredfholgate Jared Holgate
114	avm-res-network-privatelinkservice	n/a	Private Link Service	avivshrem Aviv Shrem
115	avm-res-network-publicipaddress	📄	Public IP Address PIP	vmisson Vincent Misson
116	avm-res-network-publicipprefix	📄	Public IP Prefix	PmeshramPM Pankaj Meshram
117	avm-res-network-routetable	📄	Route Table UDR	adammontlake Adam Montlake
118	avm-res-network-serviceendpointpolicy	n/a	Service Endpoint Policy	ASHR4 Rhys Ash
119	avm-res-network-trafficmanagerprofile	n/a	Traffic Manager Profile	AnubhaR94 Anubha Rana
120	avm-res-network-virtualnetwork	📄	Virtual Network VNET	jaredfholgate Jared Holgate
121	avm-res-network-virtualnetworkgateway	n/a	Virtual Network Gateway VNET GW
122	avm-res-network-virtualrouter	n/a	Route Server
123	avm-res-operationalinsights-workspace	📄	Log Analytics workspace	iarik0440 Yarik Simineans
124	avm-res-operationsmanagement-solution	n/a	Operations Management Solution
125	avm-res-oracledatabase-cloudexadatainfrastructure	📄	Oracle Exadata Infrastructure	sihbher Gerardo Reyes terrymandin Terry Mandin
126	avm-res-oracledatabase-cloudvmcluster	📄	Oracle VM cluster	sihbher Gerardo Reyes terrymandin Terry Mandin
127	avm-res-portal-dashboard	📄	Azure Portal Dashboard	VeronicaSea Veronica Xu
128	avm-res-powerbidedicated-capacity	n/a	Power BI Dedicated Capacity
129	avm-res-purview-account	n/a	Purview Account
130	avm-res-recoveryservices-vault	📄	Recovery Services Vault	elsalvos Cesar Abrego
131	avm-res-redhatopenshift-openshiftcluster	📄	OpenShift Cluster	ethanjenkins1 Ethan Jenkins puneetdevadiga Puneet Devadiga
132	avm-res-relay-namespace	📄	Relay Namespace	sujaypillai Sujay Pillai
133	avm-res-resourcegraph-query	📄	Resource Graph Query	SJAYAP S Jayaprakash
134	avm-res-resources-feature	n/a	Resource Features	lonegunmanb Zijie He
135	avm-res-resources-resourcegroup	📄	Resource Group RG	Jfolberth John Folberth
136	avm-res-search-searchservice	📄	Search Service
137	avm-res-servicebus-namespace	📄	Service Bus Namespace
138	avm-res-servicefabric-cluster	n/a	Service Fabric Cluster
139	avm-res-servicenetworking-trafficcontroller	n/a	Application Gateway for Containers (Traffic Controller)	mofaizal Mohamed Faizal
140	avm-res-signalrservice-signalr	n/a	SignalR Service SignalR
141	avm-res-sql-instancepool	n/a	Instance Pools	sujaypillai Sujay Pillai
142	avm-res-sql-managedinstance	📄	SQL Managed Instance SQL MI
143	avm-res-sql-server	📄	Azure SQL Server	abhishekaryams Abhishek Arya
144	avm-res-sqlvirtualmachine-sqlvirtualmachine	n/a	Sql Virtual Machine SQL VM	sujaypillai Sujay Pillai
145	avm-res-storage-storageaccount	📄	Storage Account	chinthakaru Chinthaka Rupasinghe
146	avm-res-synapse-workspace	n/a	Synapse Workspace	Karni-G Karni Gupta
147	avm-res-virtualmachineimages-imagetemplate	n/a	Virtual Machine Image Template	travishankins Travis Hankins
148	avm-res-web-connection	📄	API Connection	donovm4 Donovan McCoy
149	avm-res-web-hostingenvironment	📄	App Service Environment ASE	ibersanoMS Isabelle Bersano
150	avm-res-web-serverfarm	📄	App Service Plan	ibersanoMS Isabelle Bersano
151	avm-res-web-site	📄	Web/Function App App Service, Web Site, Logic App, Function App	donovm4 Donovan McCoy
152	avm-res-web-staticsite	📄	Static Web App	donovm4 Donovan McCoy

Module Publication History - 📅

➕ Module Publication History - Module names, status and owners

Modules published in January 2026

No.	Module Name	Source Code	Display Name	Owner(s)
01	avm-res-eventgrid-domain	📄	Event Grid Domain	sujaypillai Sujay Pillai
02	avm-res-eventgrid-topic	📄	Event Grid Topic	sujaypillai Sujay Pillai
03	avm-res-relay-namespace	📄	Relay Namespace	sujaypillai Sujay Pillai

Modules published in November 2025

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-res-features-feature	📄	Azure Feature Exposure Control (AFEC)		lonegunmanb Zijie He
02	avm-res-web-connection	📄	API Connection		donovm4 Donovan McCoy

Modules published in October 2025

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-res-management-servicegroup	📄	Management Service Groups		haflidif Haflidi Fridthjofsson
02	avm-res-redhatopenshift-openshiftcluster	📄	OpenShift Cluster		ethanjenkins1 Ethan Jenkins puneetdevadiga Puneet Devadiga

Modules published in August 2025

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-res-compute-capacityreservationgroup	📄	Capacity Reservation Group		chianw Chian Wong
02	avm-res-documentdb-mongocluster	📄	Cosmos DB for MongoDB (vCore)		sujaypillai Sujay Pillai

Modules published in July 2025

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-res-certificateregistration-certificateorder	📄	Certificate Orders		lonegunmanb Zijie He
02	avm-res-dataprotection-resourceguard	📄	Data Protection Resource Guard		WenAI2020 Wen Tian

Modules published in June 2025

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-res-communication-emailservice	📄	Email Communication Service		lonegunmanb Zijie He

Modules published in May 2025

No.	Module Name	Source Code	Display Name	Owner(s)
01	avm-res-app-job	📄	App Job	sujaypillai Sujay Pillai
02	avm-res-batch-batchaccount	📄	Batch Account	ethanjenkins1 Ethan Jenkins
03	avm-res-dataprotection-backupvault	📄	Data Protection Backup Vault	ethanjenkins1 Ethan Jenkins

Modules published in April 2025

No.	Module Name	Source Code	Display Name	Owner(s)
01	avm-res-apimanagement-service	📄	API Management Service	swatilekhapaul Swatilekha Paul
02	avm-res-automation-automationaccount	📄	Automation Account	didayal-msft Divyadeep Dayal Poven795909 Poornima Venkataramanan
03	avm-res-datafactory-factory	📄	Data Factory	asishr Asish R
04	avm-res-eventhub-namespace	📄	Event Hub Namespace	rcavaturu Raja Kalyan Ram Cavaturu
05	avm-res-maintenance-maintenanceconfiguration	📄	Maintenance Configuration	ASHR4 Rhys Ash
06	avm-res-network-ipgroup	📄	IP Group	mathewsg Mathews George
07	avm-res-network-publicipprefix	📄	Public IP Prefix	PmeshramPM Pankaj Meshram
08	avm-res-resourcegraph-query	📄	Resource Graph Query	SJAYAP S Jayaprakash

Modules published in March 2025

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-res-appconfiguration-configurationstore	📄	App Configuration Store		matt-FFFFFF Matt White

Modules published in February 2025

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-res-network-applicationgatewaywebapplicationfirewallpolicy	📄	Application Gateway Web Application Firewall (WAF) Policy		mofaizal Mohamed Faizal

Modules published in January 2025

No.	Module Name	Source Code	Display Name	Owner(s)
01	avm-res-netapp-netappaccount	📄	Azure NetApp File	jtracey93 Jack Tracey
02	avm-res-network-applicationsecuritygroup	📄	Application Security Group (ASG) ASG	MinHeinA Min Hein Aung
03	avm-res-network-connection	📄	Virtual Network Gateway Connection	jchancellor-ms Jon Chancellor
04	avm-res-recoveryservices-vault	📄	Recovery Services Vault	elsalvos Cesar Abrego

Modules published in December 2024

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-res-compute-gallery	📄	Azure Compute Gallery		Akashc0807 Akash Choudhary

Modules published in November 2024

No.	Module Name	Source Code	Display Name	Owner(s)
01	avm-res-compute-proximityplacementgroup	📄	Proximity Placement Group	fafriha Farouk Friha
02	avm-res-containerservice-managedcluster	📄	AKS Managed Cluster	ibersanoMS Isabelle Bersano
03	avm-res-insights-autoscalesetting	📄	Auto scale settings	chianw Chian Wong
04	avm-res-network-localnetworkgateway	📄	Local Network Gateway	Bhavyasree08 Bhavyasree Damarla
05	avm-res-network-networkinterface	📄	Network Interface NIC	fafriha Farouk Friha

Modules published in October 2024

No.	Module Name	Source Code	Display Name	Owner(s)
01	avm-res-compute-diskencryptionset	📄	Disk Encryption Set	Akashc0807 Akash Choudhary
02	avm-res-devcenter-devcenter	📄	Dev Center
03	avm-res-network-expressroutecircuit	📄	ExpressRoute Circuit ER	khushal08 Khush Kaviraj adammontlake Adam Montlake
04	avm-res-network-frontdoorwebapplicationfirewallpolicy	📄	Front Door Web Application Firewall (WAF) Policy	sihbher Gerardo Reyes

Modules published in September 2024

No.	Module Name	Source Code	Display Name	Owner(s)
01	avm-res-dbformysql-flexibleserver	📄	DB for MySQL Flexible Server	elsalvos Cesar Abrego
02	avm-res-dbforpostgresql-flexibleserver	📄	DB for Postgre SQL Flexible Server	zaidmohd Zaid Mohammad
03	avm-res-network-privateendpoint	📄	Private Endpoint	jaredfholgate Jared Holgate
04	avm-res-oracledatabase-cloudexadatainfrastructure	📄	Oracle Exadata Infrastructure	sihbher Gerardo Reyes terrymandin Terry Mandin
05	avm-res-oracledatabase-cloudvmcluster	📄	Oracle VM cluster	sihbher Gerardo Reyes terrymandin Terry Mandin
06	avm-res-portal-dashboard	📄	Azure Portal Dashboard	VeronicaSea Veronica Xu
07	avm-res-sql-managedinstance	📄	SQL Managed Instance SQL MI
08	avm-res-sql-server	📄	Azure SQL Server	abhishekaryams Abhishek Arya

Modules published in August 2024

No.	Module Name	Source Code	Display Name	Owner(s)
01	avm-res-azurestackhci-cluster	📄	Azure Stack HCI Cluster
02	avm-res-azurestackhci-logicalnetwork	📄	AzureStackHCI logical network
03	avm-res-azurestackhci-virtualmachineinstance	📄	Stack HCI Virtual Machine Instance
04	avm-res-compute-hostgroup	📄	Host Groups	chianw Chian Wong
05	avm-res-devopsinfrastructure-pool	📄	DevOps Pools	jaredfholgate Jared Holgate
06	avm-res-documentdb-databaseaccount	📄	CosmosDB Database Account	cmaneu Christopher Maneu
07	avm-res-edge-site	📄	Azure Arc Site manager
08	avm-res-hybridcontainerservice-provisionedclusterinstance	📄	AKS Arc
09	avm-res-insights-component	📄	Application Insight	Jfolberth John Folberth
10	avm-res-insights-datacollectionendpoint	📄	Data Collection Endpoint	sharmilamusunuru Sharmila Musunuru
11	avm-res-network-applicationgateway	📄	Application Gateway App GW	mofaizal Mohamed Faizal
12	avm-res-network-dnszone	📄	Public DNS Zone	sharmilamusunuru Sharmila Musunuru
13	avm-res-resources-resourcegroup	📄	Resource Group RG	Jfolberth John Folberth
14	avm-res-search-searchservice	📄	Search Service
15	avm-res-web-serverfarm	📄	App Service Plan	ibersanoMS Isabelle Bersano

Modules published in July 2024

No.	Module Name	Source Code	Display Name	Owner(s)
01	avm-res-app-containerapp	📄	Container App	lonegunmanb Zijie He
02	avm-res-containerinstance-containergroup	📄	Container Instance	sharmilamusunuru Sharmila Musunuru
03	avm-res-machinelearningservices-workspace	📄	Machine Learning Services Workspace ML Workspace	Nepomuceno Gabriel Monteiro Nepomuceno
04	avm-res-network-networkwatcher	📄	Azure Network Watcher	terrymandin Terry Mandin

Modules published in June 2024

No.	Module Name	Source Code	Display Name	Owner(s)
01	avm-res-cache-redis	📄	Redis Cache	jchancellor-ms Jon Chancellor
02	avm-res-logic-workflow	📄	Logic Apps (Workflow)	bakrish Bala Krishnamoorthy
03	avm-res-web-hostingenvironment	📄	App Service Environment ASE	ibersanoMS Isabelle Bersano

Modules published in May 2024

No.	Module Name	Source Code	Display Name	Owner(s)
01	avm-res-cdn-profile	📄	CDN Profile	Poven795909 Poornima Venkataramanan didayal-msft Divyadeep Dayal
02	avm-res-compute-disk	📄	Compute Disk	terrymandin Terry Mandin
03	avm-res-compute-sshpublickey	📄	Public SSH Key	ChrisSidebotham Chris Sidebotham
04	avm-res-network-dnsresolver	📄	DNS Resolver	humanascode Itamar Hirosh
05	avm-res-network-routetable	📄	Route Table UDR	adammontlake Adam Montlake

Modules published in April 2024

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-res-kusto-cluster	📄	Kusto Clusters		LaurentLesle Laurent Lesle
02	avm-res-servicebus-namespace	📄	Service Bus Namespace

Modules published in March 2024

No.	Module Name	Source Code	Display Name	Owner(s)
01	avm-res-databricks-workspace	📄	Azure Databricks Workspace	segraef Sebastian Graef
02	avm-res-managedidentity-userassignedidentity	📄	User Assigned Identity MSI	Jfolberth John Folberth
03	avm-res-network-privatednszone	📄	Private DNS Zone	chianw Chian Wong

Modules published in February 2024

No.	Module Name	Source Code	Display Name	Owner(s)
01	avm-res-app-managedenvironment	📄	App Managed Environment	segraef Sebastian Graef
02	avm-res-avs-privatecloud	📄	AVS Private Cloud	jchancellor-ms Jon Chancellor
03	avm-res-cognitiveservices-account	📄	Cognitive Service	lonegunmanb Zijie He
04	avm-res-compute-virtualmachinescaleset	📄	Virtual Machine Scale Set VMSS	terrymandin Terry Mandin marcelkmfst Marcel Keller
05	avm-res-containerregistry-registry	📄	Azure Container Registry (ACR)	Akashc0807 Akash Choudhary
06	avm-res-network-bastionhost	📄	Bastion Host	humanascode Itamar Hirosh
07	avm-res-network-networksecuritygroup	📄	Network Security Group	maheshbenke Mahesh Benke
08	avm-res-network-publicipaddress	📄	Public IP Address PIP	vmisson Vincent Misson
09	avm-res-storage-storageaccount	📄	Storage Account	chinthakaru Chinthaka Rupasinghe
10	avm-res-web-site	📄	Web/Function App App Service, Web Site, Logic App, Function App	donovm4 Donovan McCoy
11	avm-res-web-staticsite	📄	Static Web App	donovm4 Donovan McCoy

Modules published in January 2024

No.	Module Name	Source Code	Display Name	Owner(s)
01	avm-res-authorization-roleassignment	📄	Role Assignment	jaredfholgate Jared Holgate
02	avm-res-network-azurefirewall	📄	Azure Firewall Azure FW	vmisson Vincent Misson
03	avm-res-network-firewallpolicy	📄	Azure Firewall Policy	MinHeinA Min Hein Aung
04	avm-res-network-networkmanager	📄	Azure Virtual Network Manager
05	avm-res-operationalinsights-workspace	📄	Log Analytics workspace	iarik0440 Yarik Simineans

Modules published in December 2023

No.	Module Name	Source Code	Display Name	Owner(s)
01	avm-res-desktopvirtualization-applicationgroup	📄	Azure Virtual Desktop (AVD) Application Group	jensheerin Jen Sheerin sihbher Gerardo Reyes
02	avm-res-desktopvirtualization-scalingplan	📄	Azure Virtual Desktop (AVD) Scaling Plan	jensheerin Jen Sheerin sihbher Gerardo Reyes
03	avm-res-desktopvirtualization-workspace	📄	Azure Virtual Desktop (AVD) Workspace	jensheerin Jen Sheerin sihbher Gerardo Reyes
04	avm-res-network-natgateway	📄	NAT Gateway	iarik0440 Yarik Simineans

Modules published in November 2023

No.	Module Name	Source Code	Display Name	Owner(s)
01	avm-res-compute-virtualmachine	📄	Virtual Machine VM	jchancellor-ms Jon Chancellor
02	avm-res-network-ddosprotectionplan	📄	DDoS Protection	sitarant Simona Tarantola jtracey93 Jack Tracey
03	avm-res-network-loadbalancer	📄	Loadbalancer	donovm4 Donovan McCoy

Modules published in October 2023

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-res-desktopvirtualization-hostpool	📄	Azure Virtual Desktop (AVD) Host Pool		jensheerin Jen Sheerin sihbher Gerardo Reyes
02	avm-res-network-virtualnetwork	📄	Virtual Network VNET		jaredfholgate Jared Holgate

Modules published in September 2023

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-res-keyvault-vault	📄	Key Vault KV		matt-FFFFFF Matt White

Terraform Pattern Modules

Module catalog

Language	Classification	Published 🟢 & 🟡	Proposed ⚪	SUM
Terraform	Pattern	24	23	47

➕ Additional information

Legend

Summary of status icons used on this page

Icon	Status	Description
⚪	Proposed modules	Modules that are proposed and/or being worked on but not published yet.
🟢 & 🟡	Published modules	Available (🟢) and Orphaned (🟡) modules that are active and usable.
🔴	Deprecated modules	Modules that reached the end of their lifecycle.
📇	All modules	Including Published, Proposed and Deprecated ones.

See the Module Lifecycle page for more details.

Info

This page contains various views of the module index (catalog) for Terraform Pattern Modules. To see these views, click on the expandable sections with the “➕” sign below.

To see the full, unfiltered, unformatted module index on GitHub, click here.
To download the source CSV file, click here.

Note

Published modules - 🟢 & 🟡

➕ Published Modules - Module names, status and owners

No.	Module Name	Source Code	Display Name	Primary Owner
01	avm-ptn-aiml-ai-foundry	📄	AI-ML - AI Foundry	segraef Sebastian Graef mbilalamjad Bilal Amjad
02	avm-ptn-aiml-landing-zone	📄	AI-ML - Landing Zone (LZ)	jchancellor-ms Jon Chancellor mbilalamjad Bilal Amjad
03	avm-ptn-aks-dev	📄	AKS dev	ms-henglu Heng Lu
04	avm-ptn-aks-economy	📄	AKS economy	ms-henglu Heng Lu
05	avm-ptn-aks-enterprise	📄	AKS Enterprise	ms-henglu Heng Lu
06	avm-ptn-aks-production	📄	Azure Kubernetes Service
07	avm-ptn-alz	📄	Azure Landing Zone	matt-FFFFFF Matt White
08	avm-ptn-alz-connectivity-hub-and-spoke-vnet	📄	ALZ Connectivity Hub and Spoke Azure Landing Zones - Hub and Spoke	jaredfholgate Jared Holgate
09	avm-ptn-alz-connectivity-virtual-wan	📄	ALZ Connectivity vWAN Azure Landing Zones - vWAN	jaredfholgate Jared Holgate
10	avm-ptn-alz-management	📄	ALZ Management Azure Landing Zones - Management	matt-FFFFFF Matt White
11	avm-ptn-avd-lza-insights	📄	AVD Insights Azure Virtual Desktop Insights	jensheerin Jen Sheerin sihbher Gerardo Reyes
12	avm-ptn-avd-lza-managementplane	📄	AVD Management Plane Azure Virtual Desktop Management Plane	jensheerin Jen Sheerin sihbher Gerardo Reyes
13	avm-ptn-azuremonitorwindowsagent	📄	Azure Monitor Windows Agent
14	avm-ptn-cicd-agents-and-runners	📄	CI CD Agents and Runners	jaredfholgate Jared Holgate
15	avm-ptn-ephemeral-credential	📄	Ephemeral Credentials Generator	lonegunmanb Zijie He
16	avm-ptn-function-app-storage-private-endpoints	📄	Function App and private endpoint-secured Storage	donovm4 Donovan McCoy
17	avm-ptn-hci-ad-provisioner	📄	Arc for AD registration
18	avm-ptn-hci-server-provisioner	📄	Arc for Server registration
19	avm-ptn-monitoring-amba-alz	📄	AMBA ALZ Pattern Azure Monitor Baseline Alerts - Azure Landing Zones Pattern	arjenhuitema Arjen Huitema Brunoga-MS Bruno Gabrielli
20	avm-ptn-network-private-link-private-dns-zones	📄	Private Link Private DNS Zones	jtracey93 Jack Tracey
21	avm-ptn-network-routeserver	📄	Azure Route Server	jchancellor-ms Jon Chancellor
22	avm-ptn-odaa	📄	Oracle Exedata Workload	terrymandin Terry Mandin
23	avm-ptn-policyassignment	📄	Policy assignment	bjornhofer Bjorn Hofer
24	avm-ptn-virtualwan	📄	Virtual WAN vWAN	khushal08 Khush Kaviraj

Proposed modules - ⚪

➕ Proposed Modules - Module names, status and owners

No.	Module Name	Source Code	Display Name	Primary Owner
01	avm-ptn-aca-lza-hosting-environment	n/a	Azure Container Apps Landing Zone Accelerator	sam-cogan Sam Cogan
02	avm-ptn-ai-platform-baseline	n/a	AI platform baseline	Nepomuceno Gabriel Monteiro Nepomuceno
03	avm-ptn-alz-application-landing-zone-identity-and-access	n/a	ALZ Identity and Access Management	jaredfholgate Jared Holgate matt-FFFFFF Matt White
04	avm-ptn-alz-identity	n/a	ALZ Identity Azure Landing Zones - Identity
05	avm-ptn-alz-sub-vending	n/a	ALZ Subscription vending Azure Landing Zones - Sub vending	matt-FFFFFF Matt White jaredfholgate Jared Holgate
06	avm-ptn-app-iaas-vm-cosmosdb-tier-four	n/a	Workload - IaaS VM Cosmos DB - Tier 4	mikestiers Mike Stiers andbron Andrew Lambert
07	avm-ptn-avd-lza-sessionhosts	n/a	AVD Session Hosts Azure Virtual Desktop Session Hosts
08	avm-ptn-azure-ipam	n/a	IPAM IP Address Management
09	avm-ptn-bcdr-vm-replication	n/a	Azure Site Recovery VM Replication
10	avm-ptn-cicd-bootstrap	n/a	CI CD bootstrap
11	avm-ptn-cloudshell-vnet	n/a	Azure Cloud Shell in a Virtual Network	travishankins Travis Hankins
12	avm-ptn-confidential-compute	n/a	Azure Confidential Compute
13	avm-ptn-dev-center-dev-box	n/a	Microsoft Dev Center Dev Box	autocloudarc Preston Parsard
14	avm-ptn-lbvmss	n/a	Virtual Machine Scale Set	terrymandin Terry Mandin
15	avm-ptn-mongodb-atlas-lza	n/a	MongoDB Atlas on Azure - Landing Zone (LZ)	cloud-architect-dev Deven Wagle
16	avm-ptn-odaa-identity	n/a	Oracle Identity	terrymandin Terry Mandin kohei3110 Kohei Saito
17	avm-ptn-openai-cognitivesearch	n/a	Corporate Line of Business (LoB) ChatBot	mikestiers Mike Stiers
18	avm-ptn-openai-e2e-baseline	n/a	Baseline OpenAI end-to-end chat
19	avm-ptn-oracle-iaas	n/a	Oracle Database on Azure	sihbher Gerardo Reyes
20	avm-ptn-purestorage-cbs-array	n/a	Pure Storage Cloud Block Store on Azure	sundarb19 Sundar Balaji Anantharamakrishnan
21	avm-ptn-sentinel-solutions	n/a	Sentinel Solutions	LaurentLesle Laurent Lesle
22	avm-ptn-subnets-nsgs-routes	n/a	Network Security Groups NSG	swathialuganti Swathi Aluganti Narasimhulu
23	avm-ptn-subscription-service-health-alerts	n/a	Subscriptions Service Health Alerts	ASHR4 Rhys Ash

Deprecated modules - 🔴

➕ Deprecated Modules - Module names, status and owners

No.	Module Name	Source Code	Display Name	Status & Versions	Primary Owner
01	avm-ptn-hubnetworking	📄	Hub Networking		jaredfholgate Jared Holgate
02	avm-ptn-vnetgateway	📄	Virtual Network Gateway VNET GW		matt-FFFFFF Matt White

All modules - 📇

➕ All Modules - Module names, status and owners

No.	Module Name	Source Code	Display Name	Primary Owner
01	avm-ptn-aca-lza-hosting-environment	n/a	Azure Container Apps Landing Zone Accelerator	sam-cogan Sam Cogan
02	avm-ptn-ai-platform-baseline	n/a	AI platform baseline	Nepomuceno Gabriel Monteiro Nepomuceno
03	avm-ptn-aiml-ai-foundry	📄	AI-ML - AI Foundry	segraef Sebastian Graef mbilalamjad Bilal Amjad
04	avm-ptn-aiml-landing-zone	📄	AI-ML - Landing Zone (LZ)	jchancellor-ms Jon Chancellor mbilalamjad Bilal Amjad
05	avm-ptn-aks-dev	📄	AKS dev	ms-henglu Heng Lu
06	avm-ptn-aks-economy	📄	AKS economy	ms-henglu Heng Lu
07	avm-ptn-aks-enterprise	📄	AKS Enterprise	ms-henglu Heng Lu
08	avm-ptn-aks-production	📄	Azure Kubernetes Service
09	avm-ptn-alz	📄	Azure Landing Zone	matt-FFFFFF Matt White
10	avm-ptn-alz-application-landing-zone-identity-and-access	n/a	ALZ Identity and Access Management	jaredfholgate Jared Holgate matt-FFFFFF Matt White
11	avm-ptn-alz-connectivity-hub-and-spoke-vnet	📄	ALZ Connectivity Hub and Spoke Azure Landing Zones - Hub and Spoke	jaredfholgate Jared Holgate
12	avm-ptn-alz-connectivity-virtual-wan	📄	ALZ Connectivity vWAN Azure Landing Zones - vWAN	jaredfholgate Jared Holgate
13	avm-ptn-alz-identity	n/a	ALZ Identity Azure Landing Zones - Identity
14	avm-ptn-alz-management	📄	ALZ Management Azure Landing Zones - Management	matt-FFFFFF Matt White
15	avm-ptn-alz-sub-vending	n/a	ALZ Subscription vending Azure Landing Zones - Sub vending	matt-FFFFFF Matt White jaredfholgate Jared Holgate
16	avm-ptn-app-iaas-vm-cosmosdb-tier-four	n/a	Workload - IaaS VM Cosmos DB - Tier 4	mikestiers Mike Stiers andbron Andrew Lambert
17	avm-ptn-avd-lza-insights	📄	AVD Insights Azure Virtual Desktop Insights	jensheerin Jen Sheerin sihbher Gerardo Reyes
18	avm-ptn-avd-lza-managementplane	📄	AVD Management Plane Azure Virtual Desktop Management Plane	jensheerin Jen Sheerin sihbher Gerardo Reyes
19	avm-ptn-avd-lza-sessionhosts	n/a	AVD Session Hosts Azure Virtual Desktop Session Hosts
20	avm-ptn-azure-ipam	n/a	IPAM IP Address Management
21	avm-ptn-azuremonitorwindowsagent	📄	Azure Monitor Windows Agent
22	avm-ptn-bcdr-vm-replication	n/a	Azure Site Recovery VM Replication
23	avm-ptn-cicd-agents-and-runners	📄	CI CD Agents and Runners	jaredfholgate Jared Holgate
24	avm-ptn-cicd-bootstrap	n/a	CI CD bootstrap
25	avm-ptn-cloudshell-vnet	n/a	Azure Cloud Shell in a Virtual Network	travishankins Travis Hankins
26	avm-ptn-confidential-compute	n/a	Azure Confidential Compute
27	avm-ptn-dev-center-dev-box	n/a	Microsoft Dev Center Dev Box	autocloudarc Preston Parsard
28	avm-ptn-ephemeral-credential	📄	Ephemeral Credentials Generator	lonegunmanb Zijie He
29	avm-ptn-function-app-storage-private-endpoints	📄	Function App and private endpoint-secured Storage	donovm4 Donovan McCoy
30	avm-ptn-hci-ad-provisioner	📄	Arc for AD registration
31	avm-ptn-hci-server-provisioner	📄	Arc for Server registration
32	avm-ptn-hubnetworking	📄	Hub Networking	jaredfholgate Jared Holgate
33	avm-ptn-lbvmss	n/a	Virtual Machine Scale Set	terrymandin Terry Mandin
34	avm-ptn-mongodb-atlas-lza	n/a	MongoDB Atlas on Azure - Landing Zone (LZ)	cloud-architect-dev Deven Wagle
35	avm-ptn-monitoring-amba-alz	📄	AMBA ALZ Pattern Azure Monitor Baseline Alerts - Azure Landing Zones Pattern	arjenhuitema Arjen Huitema Brunoga-MS Bruno Gabrielli
36	avm-ptn-network-private-link-private-dns-zones	📄	Private Link Private DNS Zones	jtracey93 Jack Tracey
37	avm-ptn-network-routeserver	📄	Azure Route Server	jchancellor-ms Jon Chancellor
38	avm-ptn-odaa	📄	Oracle Exedata Workload	terrymandin Terry Mandin
39	avm-ptn-odaa-identity	n/a	Oracle Identity	terrymandin Terry Mandin kohei3110 Kohei Saito
40	avm-ptn-openai-cognitivesearch	n/a	Corporate Line of Business (LoB) ChatBot	mikestiers Mike Stiers
41	avm-ptn-openai-e2e-baseline	n/a	Baseline OpenAI end-to-end chat
42	avm-ptn-oracle-iaas	n/a	Oracle Database on Azure	sihbher Gerardo Reyes
43	avm-ptn-policyassignment	📄	Policy assignment	bjornhofer Bjorn Hofer
44	avm-ptn-purestorage-cbs-array	n/a	Pure Storage Cloud Block Store on Azure	sundarb19 Sundar Balaji Anantharamakrishnan
45	avm-ptn-sentinel-solutions	n/a	Sentinel Solutions	LaurentLesle Laurent Lesle
46	avm-ptn-subnets-nsgs-routes	n/a	Network Security Groups NSG	swathialuganti Swathi Aluganti Narasimhulu
47	avm-ptn-subscription-service-health-alerts	n/a	Subscriptions Service Health Alerts	ASHR4 Rhys Ash
48	avm-ptn-virtualwan	📄	Virtual WAN vWAN	khushal08 Khush Kaviraj
49	avm-ptn-vnetgateway	📄	Virtual Network Gateway VNET GW	matt-FFFFFF Matt White

Module Publication History - 📅

➕ Module Publication History - Module names, status and owners

Modules published in November 2025

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-ptn-ephemeral-credential	📄	Ephemeral Credentials Generator		lonegunmanb Zijie He

Modules published in September 2025

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-ptn-aiml-landing-zone	📄	AI-ML - Landing Zone (LZ)		jchancellor-ms Jon Chancellor mbilalamjad Bilal Amjad

Modules published in July 2025

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-ptn-aiml-ai-foundry	📄	AI-ML - AI Foundry		segraef Sebastian Graef mbilalamjad Bilal Amjad

Modules published in April 2025

No.	Module Name	Source Code	Display Name	Owner(s)
01	avm-ptn-alz-connectivity-virtual-wan	📄	ALZ Connectivity vWAN Azure Landing Zones - vWAN	jaredfholgate Jared Holgate
02	avm-ptn-function-app-storage-private-endpoints	📄	Function App and private endpoint-secured Storage	donovm4 Donovan McCoy
03	avm-ptn-monitoring-amba-alz	📄	AMBA ALZ Pattern Azure Monitor Baseline Alerts - Azure Landing Zones Pattern	arjenhuitema Arjen Huitema Brunoga-MS Bruno Gabrielli

Modules published in March 2025

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-ptn-alz-connectivity-hub-and-spoke-vnet	📄	ALZ Connectivity Hub and Spoke Azure Landing Zones - Hub and Spoke		jaredfholgate Jared Holgate

Modules published in November 2024

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-ptn-aks-economy	📄	AKS economy		ms-henglu Heng Lu
02	avm-ptn-aks-enterprise	📄	AKS Enterprise		ms-henglu Heng Lu

Modules published in October 2024

No.	Module Name	Source Code	Display Name	Owner(s)
01	avm-ptn-aks-dev	📄	AKS dev	ms-henglu Heng Lu
02	avm-ptn-odaa	📄	Oracle Exedata Workload	terrymandin Terry Mandin
03	avm-ptn-policyassignment	📄	Policy assignment	bjornhofer Bjorn Hofer

Modules published in September 2024

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-ptn-hubnetworking	n/a	Hub Networking		jaredfholgate Jared Holgate

Modules published in August 2024

No.	Module Name	Source Code	Display Name	Owner(s)
01	avm-ptn-azuremonitorwindowsagent	📄	Azure Monitor Windows Agent
02	avm-ptn-cicd-agents-and-runners	📄	CI CD Agents and Runners	jaredfholgate Jared Holgate
03	avm-ptn-hci-ad-provisioner	📄	Arc for AD registration
04	avm-ptn-hci-server-provisioner	📄	Arc for Server registration

Modules published in June 2024

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-ptn-network-private-link-private-dns-zones	📄	Private Link Private DNS Zones		jtracey93 Jack Tracey
02	avm-ptn-network-routeserver	📄	Azure Route Server		jchancellor-ms Jon Chancellor

Modules published in May 2024

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-ptn-avd-lza-insights	📄	AVD Insights Azure Virtual Desktop Insights		jensheerin Jen Sheerin sihbher Gerardo Reyes
02	avm-ptn-avd-lza-managementplane	📄	AVD Management Plane Azure Virtual Desktop Management Plane		jensheerin Jen Sheerin sihbher Gerardo Reyes

Modules published in April 2024

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-ptn-aks-production	📄	Azure Kubernetes Service

Modules published in December 2023

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-ptn-alz-management	📄	ALZ Management Azure Landing Zones - Management		matt-FFFFFF Matt White

Modules published in November 2023

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-ptn-alz	📄	Azure Landing Zone		matt-FFFFFF Matt White
02	avm-ptn-vnetgateway	n/a	Virtual Network Gateway VNET GW		matt-FFFFFF Matt White

Modules published in October 2023

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-ptn-virtualwan	📄	Virtual WAN vWAN		khushal08 Khush Kaviraj

Terraform Utility Modules

Module catalog

Language	Classification	Published 🟢 & 🟡	Proposed ⚪	SUM
Terraform	Utility	5	8	13

➕ Additional information

Legend

Summary of status icons used on this page

Icon	Status	Description
⚪	Proposed modules	Modules that are proposed and/or being worked on but not published yet.
🟢 & 🟡	Published modules	Available (🟢) and Orphaned (🟡) modules that are active and usable.
🔴	Deprecated modules	Modules that reached the end of their lifecycle.
📇	All modules	Including Published, Proposed and Deprecated ones.

See the Module Lifecycle page for more details.

Info

This page contains various views of the module index (catalog) for Terraform Utility Modules. To see these views, click on the expandable sections with the “➕” sign below.

To see the full, unfiltered, unformatted module index on GitHub, click here.
To download the source CSV file, click here.

Note

Published modules - 🟢 & 🟡

➕ Published Modules - Module names, status and owners

No.	Module Name	Source Code	Display Name	Primary Owner
01	avm-utl-interfaces	📄	AVM Interfaces	matt-FFFFFF Matt White
02	avm-utl-network-ip-addresses	📄	AVM Network IP Addresses IPv4 CIDR	jaredfholgate Jared Holgate
03	avm-utl-regions	📄	Azure Regions Data	matt-FFFFFF Matt White
04	avm-utl-roledefinitions	📄	Azure Role Definitions	matt-FFFFFF Matt White
05	avm-utl-sku-finder	📄	AVM SKU Finder Sku	jchancellor-ms Jon Chancellor

Proposed modules - ⚪

➕ Proposed Modules - Module names, status and owners

No.	Module Name	Source Code	Display Name	Primary Owner
01	avm-utl-compute-linuxvirtualmachine-azapi-replicator	n/a	Linux VM AzRM to AzAPI Replicator	lonegunmanb Zijie He
02	avm-utl-compute-orchestratedvirtualmachinescaleset-azapi-replicator	n/a	VMSS AzRM to AzAPI Replicator	lonegunmanb Zijie He
03	avm-utl-compute-windowsvirtualmachine-azapi-replicator	n/a	Windows VM AzRM to AzAPI Replicator	lonegunmanb Zijie He
04	avm-utl-naming	n/a	Module Naming	Nepomuceno Gabriel Monteiro Nepomuceno matt-FFFFFF Matt White
05	avm-utl-network-subnet-azapi-replicator	n/a	Subnet AzRM to AzAPI Replicator	lonegunmanb Zijie He
06	avm-utl-network-virtualnetwork-azapi-replicator	n/a	Virtual Network AzRM to AzAPI Replicator	lonegunmanb Zijie He
07	avm-utl-privatedns-privatednszone-azapi-replicator	n/a	Private DNS Zone AzRM to AzAPI Replicator	lonegunmanb Zijie He
08	avm-utl-resources-resourcegroup-azapi-replicator	n/a	Resource Group AzRM to AzAPI Replicator	lonegunmanb Zijie He

Deprecated modules - 🔴

➕ Deprecated Modules - Module names, status and owners

No.	Module Name	Source Code	Display Name	Status & Versions	Primary Owner
01	❌ None listed	❌ None listed	❌ None listed	❌ None listed	❌ None listed

All modules - 📇

➕ All Modules - Module names, status and owners

No.	Module Name	Source Code	Display Name	Primary Owner
01	avm-utl-compute-linuxvirtualmachine-azapi-replicator	n/a	Linux VM AzRM to AzAPI Replicator	lonegunmanb Zijie He
02	avm-utl-compute-orchestratedvirtualmachinescaleset-azapi-replicator	n/a	VMSS AzRM to AzAPI Replicator	lonegunmanb Zijie He
03	avm-utl-compute-windowsvirtualmachine-azapi-replicator	n/a	Windows VM AzRM to AzAPI Replicator	lonegunmanb Zijie He
04	avm-utl-interfaces	📄	AVM Interfaces	matt-FFFFFF Matt White
05	avm-utl-naming	n/a	Module Naming	Nepomuceno Gabriel Monteiro Nepomuceno matt-FFFFFF Matt White
06	avm-utl-network-ip-addresses	📄	AVM Network IP Addresses IPv4 CIDR	jaredfholgate Jared Holgate
07	avm-utl-network-subnet-azapi-replicator	n/a	Subnet AzRM to AzAPI Replicator	lonegunmanb Zijie He
08	avm-utl-network-virtualnetwork-azapi-replicator	n/a	Virtual Network AzRM to AzAPI Replicator	lonegunmanb Zijie He
09	avm-utl-privatedns-privatednszone-azapi-replicator	n/a	Private DNS Zone AzRM to AzAPI Replicator	lonegunmanb Zijie He
10	avm-utl-regions	📄	Azure Regions Data	matt-FFFFFF Matt White
11	avm-utl-resources-resourcegroup-azapi-replicator	n/a	Resource Group AzRM to AzAPI Replicator	lonegunmanb Zijie He
12	avm-utl-roledefinitions	📄	Azure Role Definitions	matt-FFFFFF Matt White
13	avm-utl-sku-finder	📄	AVM SKU Finder Sku	jchancellor-ms Jon Chancellor

Module Publication History - 📅

➕ Module Publication History - Module names, status and owners

Modules published in September 2025

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-utl-roledefinitions	📄	Azure Role Definitions		matt-FFFFFF Matt White

Modules published in March 2025

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-utl-network-ip-addresses	📄	AVM Network IP Addresses IPv4 CIDR		jaredfholgate Jared Holgate

Modules published in January 2025

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-utl-interfaces	📄	AVM Interfaces		matt-FFFFFF Matt White

Modules published in December 2024

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-utl-sku-finder	📄	AVM SKU Finder Sku		jchancellor-ms Jon Chancellor

Modules published in August 2024

No.	Module Name	Source Code	Display Name	Status & Versions	Owner(s)
01	avm-utl-regions	📄	Azure Regions Data		matt-FFFFFF Matt White

Usage Guide

Summary

This section describes usage guidance.

Concepts

Note

This page is a work in progress and will be updated as we improve & finalize the content. Please check back regularly for updates.

When developing an Azure solution using AVM modules, there are several aspects to consider. This page covers important concepts and provides guidance the technical decisions. Each concept/topic referenced here will be further detailed in the corresponding Bicep or Terraform specific guidance.

Language-agnostic concepts

Topics/concepts that are relevant and applicable for both Bicep and Terraform.

Module Sourcing

Public Registry

Leveraging the public registries (i.e., the Bicep Public Registry or the Terraform Public Registry) is the most common and recommended approach.

This allows you to leverage the latest and greatest features of the AVM modules, as well as the latest security updates. While there aren’t any prerequisites for using the public registry - no extra software component or service needs to be installed and no configuration is needed - the client machine the deployment is initiated from will need to have access to the public registry.

Private Registry (synced)

A private registry - that is hosted in your own environment - can store modules originating from the public registry. Using a private registry still grants you the latest version of AVM modules while allowing you to review each version of each module before admitting them to your private registry. You also have control over who can access your own private registry. Note that using a private registry means that you’re still using each module as is, without making any changes.

Inner-sourcing

Inner-sourcing AVM means maintaining your own, synchronized copy of AVM modules in your own internal private registry, repositories or other storage option. Customers normally look to inner-source AVM modules when they have strict security and compliance requirements, or when they want to publish their own lightly wrapped versions of the modules to meet their specific needs; for example changing some allowed or default values for parameter or variable inputs.

This is a more complex approach and requires more effort to maintain, but it can be beneficial in certain scenarios, however, it should not be the default approach as it can lead to a lot of overhead and maintenance and requires significant skills and resources to set up and maintain.

There are many ways to approach inner-sourcing AVM modules for both Bicep and Terraform. The AVM team will be publishing guidance on this topic, based on customer experience and learnings.

Tip

You can see the AVM team talking about inner-sourcing on the AVM February 2025 community call on YouTube.

Solution Development

This section provides advanced guidance for developing solutions using Azure Verified Modules (AVM). It covers technical decisions and concepts that are important for building and deploying Azure solutions using AVM modules.

Planning your solution

When implementing infrastructure in Azure leveraging IaaS and PaaS services, there are multiple options for Azure deployments. In this article we assume that a decision has been made to implement your solution, using Infrastructure-as-Code (IaC). This is best suited to allow programmatic declarative control of the target infrastructure and is ideal for projects that require repeatability and idempotency.

Choosing an Infrastructure-as-Code language

There are multiple language choices when implementing your solution using IaC in Azure. The Azure Verified Modules project currently supports Bicep and Terraform. The following guidance summarizes considerations that can help choose the option that best suits your requirements.

Reasons to choose Bicep

Bicep is the Microsoft 1st party offering for IaC deployments. It supports Generally Available (GA) and preview features for all Azure resources and allows for modular composition of resources and solution templates. The use of simplified syntax makes IaC development intuitive and the use of the Bicep extension for VSCode provides IntelliSense and syntax validation to assist with coding. Finally, Bicep is well suited for infrastructure projects and teams that don’t require management of other cloud platforms or services outside of Azure. For a more detailed read on reasons to choose Bicep, read this article from the Bicep documentation.

Reasons to choose Terraform

HashiCorp’s Terraform is an extensible 3rd party platform that can be used across multiple cloud and on-premises platforms using multiple provider plugins. It has widespread adoption due to its simplified human-readable configuration files, common functionality, and the ability to allow a project to span multiple provider spaces.

In Azure, support is provided through two primary providers called AzureRM and AzAPI respectively. The default provider for many Azure use cases is AzureRM which is co-developed between Microsoft and HashiCorp. It includes support for generally available (GA) features, while support for new and preview features might be slightly delayed following their initial release. AzAPI is developed exclusively by Microsoft and supports all preview and GA features while being more complex to use due to the more direct interaction with Azure’s APIs. While it is possible to use both providers in a single project as needed, the best practice is to standardize on a single provider as much as is reasonable.

Projects typically choose Terraform when they bridge multiple cloud infrastructure platforms or when the development team has previous experience coding in Terraform. Modern Integrated Development Environments (IDE) - such as Visual Studio Code - include extension support for Terraform features as well as additional Azure specific extensions. These extensions enable syntax validation and highlighting as well as code formatting and HashiCorp Cloud Platform (HCP) integration for HashiCorp Cloud customers. For a more detailed read on reasons to choose Terraform, read this article from the Terraform on Azure documentation.

Architecture design

Before starting the process of codifying infrastructure, it is important to develop a detailed architecture of what will be created. This should include details for:

Organizational elements such as management groups, subscriptions, and resource groups as well as any tagging and Role Based Access (RBAC) configurations for each.
Infrastructure services that will be created along with key configuration details like sku values, network CIDR range sizes, or other solution specific configuration.
Any relationship between services that will be codified as part of the deployment.
Identify inputs to your solution for designs that are intended to be used as templates.

Note

For a production grade solution, you need to

follow the recommendations of the Cloud Adoption Framework (CAF) and have your platform and application landing zones defined, as per Azure Landing Zones (ALZ);
follow the recommendations of the Azure Well-Architected Framework (WAF) to ensure that your solution is compliant with and integrates into your organization’s policies and standards. This includes considerations for security, identity, networking, monitoring, cost management, and governance.

Sourcing content for deployment

Once the architecture is agreed upon, it is time to plan the development of your IaC code. There are several key decision points that should be considered during this phase.

Content creation methods

The two primary methods used to create your solutions module are:

Using base resources (“vanilla resources”) from scratch or
Leveraging pre-created modules from the AVM library to minimize the time to value during development.

The trade-off between the two options is primarily around control vs. speed. AVM works to provide the best of both options by providing modules with opinionated and recommended practice defaults while allowing for more detailed configuration as needed. In our sample exercise we’ll be using AVM modules to demonstrate building the example solution.

AVM module type considerations

When using AVM modules for your solution, there is an additional choice that should be considered. The AVM library includes both pattern and resource module types. If your architecture includes or follows a well-known pattern then a pattern module may be the right option for you. If you determine this is the case, then search the module index for pattern modules in your chosen language to see if an option exists for your scenario. Otherwise, using resource modules from the library will be your best option.

In cases where an AVM resource or pattern module isn’t available for use, review the Bicep or Terraform provider documentation to identify how to augment AVM modules with standalone resources. If you feel that additional resource or pattern modules would be useful, you can also request the creation of a pattern or resource module by creating a module proposal issue on the AVM github repository.

Module source considerations

Once the decision has been made to use AVM modules to help accelerate solution development, a decision about where those modules will be sourced from is the next key decision point. A detailed exploration of the different sourcing options can be found in the Module Sourcing section of the Concepts page. Take a moment to review the options discussed there.

For our solution we will leverage the Public Registry option by sourcing AVM modules directly from the respective Terraform and Bicep public registries. This will avoid the need to fork copies of the modules for private use.

Bicep - Solution Development

Introduction

Azure Verified Modules (AVM) for Bicep are a powerful tool that leverage the Bicep domain-specific language (DSL), industry knowledge, and an Open Source community, which altogether enable developers to quickly deploy Azure resources that follow Microsoft’s recommended practices for Azure.
In this article, we will walk through the Bicep specific considerations and recommended practices on developing your solution leveraging Azure Verified Modules. We’ll review some of the design features and trade-offs and include sample code to illustrate each discussion point.

In this tutorial, we will:

Deploy a basic Virtual Machine architecture into Azure
Explore recommended practices related to Bicep template development
Demonstrate the ease with which you can deploy AVM modules
Describe each of the development and deployment steps in detail

After completing this tutorial, you’ll have a working knowledge of:

How to discover and add AVM modules to your Bicep template
How to reference and use outputs across AVM modules
Recommended practices for parameterization and structure of your Bicep file
Configuration of AVM modules to meet Microsoft’s Well Architected Framework (WAF) principles
How to deploy your Bicep template into an Azure subscription from your local machine

Let’s get started!

Prerequisites

title: “Bicep Prerequisites”
description: “Learn about the prerequisites for using Bicep to deploy Azure Verified Modules or develop them.”

You will need the following tools and components to complete this guide:

Visual Studio Code (VS Code) to develop your solution.
Bicep Visual Studio Code Extension to author your Bicep template and explore modules published in the Registry.
One of the following command line tools:
- PowerShell AND Azure PowerShell
- Azure CLI to deploy your solution.
Bicep CLI
Azure Subscription to deploy your Bicep templates.

Before you begin, make sure you have these tools installed in your development environment.

Solution Architecture

Before we begin coding, it is important to have details about what the infrastructure architecture will include. For our example, we will be building a solution that will host a simple application on a Linux virtual machine (VM). The solution must be secure and auditable. The VM must not be accessible from the internet and its logs should be easily accessible. All azure services should utilize logging tools for auditing purposes.

Develop the Solution Code

Creating the main.bicep file

The architecture diagram shows all components needed for a successful solution deployment. Rather than building the complete solution at once, this tutorial takes an incremental approach building the Bicep file piece-by-piece and testing the deployment at each stage. This approach allows for discussion of each design decision along the way.

The development will start with core platform components: first the backend logging services (Log Analytics) and then the virtual network.

Let’s begin by creating our folder structure along with a main.bicep file. Your folder structure should be as follows:

VirtualMachineAVM_Example1/
└── main.bicep

After you have your folder structure and main.bicep file, we can proceed with our first AVM resources!

Log Analytics

Let’s start by adding a logging service to our main.bicep since all other deployed resources will use this service for their logs.

Tip

Always begin template development by adding resources that create dependencies for other downstream services. This approach simplifies referencing these dependencies within your other modules as you develop them. For example, starting with Logging and Virtual Network services makes sense since all other services will depend on these.

The logging solution depicted in our Architecture Diagram shows we will be using a Log Analytics workspace. Let’s add that to our template! Open your main.bicep file and add the following:

➕ Expand Code

1module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0.11.1' = {
2  name: 'logAnalyticsWorkspace'
3  params: {
4    // Required parameters
5    name: 'VM-AVM-Ex1-law'
6    // Non-required parameters
7    location: 'westus2'
8  }
9}

Note

Always click on the “Copy to clipboard” button in the top right corner of the Code sample area in order not to have the line numbers included in the copied code.

You now have a fully functional Bicep template that will deploy a working Log Analytics workspace! If you would like to try it, run the following in your console:

Note

For keeping the example below simple, we are using the traditional deployment commands, e.g., az deployment group create or New-AzResourceGroupDeployment. However, we encourage you to look into using Deployment Stacks instead by simply replacing the previous commands with az stack group create or New-AzResourceGroupDeploymentStack as well as the other required input parameters as shown here.

Deployment Stacks allow you to deploy a Bicep file as a stack, which is a collection of resources that are deployed together. This allows you to manage the lifecycle of the stack as a single unit, making it easier to deploy, update, and now even delete resources via Bicep. You can also implement RBAC Deny Assignments on your stacks deployed resources to prevent changes to the resources or specific actions on the resources to all but an excluded list of users, groups or other principals.

Deploy with

# Log in to Azure
Connect-AzAccount

# Select your subscription
Set-AzContext -SubscriptionId '<subscriptionId>'

# Deploy a resource group
New-AzResourceGroup -Name 'avm-bicep-vmexample1' -Location '<location>'

# Invoke your deployment
New-AzResourceGroupDeployment -DeploymentName 'avm-bicep-vmexample1-deployment' -ResourceGroupName 'avm-bicep-vmexample1' -TemplateFile '/<path-to>/VirtualMachineAVM_Example1/main.bicep'

# Log in to Azure
az login

# Select your subscription
az account set --subscription '<subscriptionId>'

# Deploy a resource group
az group create --name 'avm-bicep-vmexample1' --location '<location>'

# Invoke your deployment
az deployment group create --name 'avm-bicep-vmexample1-deployment' --resource-group 'avm-bicep-vmexample1' --template-file '/<path-to>/VirtualMachineAVM_Example1/main.bicep'

The above commands will log you in to your Azure subscription, select a subscription to use, create a resource group, then deploy the main.bicep template to your resource group.

AVM Makes the deployment of Azure resources incredibly easy. Many of the parameters you would normally be required to define are taken care of by the AVM module itself. In fact, the location parameter is not even needed in your template—when left blank, by default, all AVM modules will deploy to the location in which your target Resource Group exists.

Now we have a Log Analytics workspace in our resource group which doesn’t do a whole lot of good on its own. Let’s take our template a step further by adding a Virtual Network that integrates with the Log Analytics workspace.

Virtual Network

We will now add a Virtual Network to our main.bicep file. This VNet will contain subnets and Network Security Groups (NSGs) for any of the resources we deploy that require IP addresses.

In your main.bicep file, add the following:

➕ Expand Code

 1module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0.11.1' = {
 2  name: 'logAnalyticsWorkspace'
 3  params: {
 4    // Required parameters
 5    name: 'VM-AVM-Ex1-law'
 6    // Non-required parameters
 7    location: 'westus2'
 8  }
 9}
10
11module virtualNetwork 'br/public:avm/res/network/virtual-network:0.6.1' = {
12  name: 'virtualNetworkDeployment'
13  params: {
14    // Required parameters
15    addressPrefixes: [
16      '10.0.0.0/16'
17    ]
18    name: 'VM-AVM-Ex1-vnet'
19    // Non-required parameters
20    location: 'westus2'
21  }
22}

Again, the Virtual Network AVM module requires only two things: a name and an addressPrefixes parameter.

Configure Diagnostics Settings

There is an additional parameter available in most AVM modules named diagnosticSettings. This parameter allows you to configure your resource to send its logs to any suitable logging service. In our case, we are using a Log Analytics workspace.

Let’s update our main.bicep file to have our VNet send all of its logging data to our Log Analytics workspace:

➕ Expand Code

 1module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0.11.1' = {
 2  name: 'logAnalyticsWorkspace'
 3  params: {
 4    // Required parameters
 5    name: 'VM-AVM-Ex1-law'
 6    // Non-required parameters
 7    location: 'westus2'
 8  }
 9}
10
11module virtualNetwork 'br/public:avm/res/network/virtual-network:0.6.1' = {
12  name: 'virtualNetworkDeployment'
13  params: {
14    // Required parameters
15    addressPrefixes: [
16      '10.0.0.0/16'
17    ]
18    name: 'VM-AVM-Ex1-vnet'
19    // Non-required parameters
20    location: 'westus2'
21    diagnosticSettings: [
22      {
23        name: 'vNetDiagnostics'
24        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
25      }
26    ]
27  }
28}

Notice how the diagnosticsSettings parameter needs a workspaceResourceId? All you need to do is add a reference to the built-in logAnalyticsWorkspaceId output of the logAnalyticsWorkspace AVM module. That’s it! Our VNet now has integrated its logging with our Log Analytics workspace. All AVM modules come with a set of built-in outputs that can be easily referenced by other modules within your template.

Info

All AVM modules have built-in outputs which can be referenced using the <moduleName>.outputs.<outputName> syntax.

When using plain Bicep, many of these outputs require multiple lines of code or knowledge of the correct object ID references to get at the desired output. AVM modules do much of this heavy lifting for you by taking care of these complex tasks within the module itself, then exposing them to you through the module’s outputs. Find out more about Bicep Outputs.

Add a Subnet and NAT Gateway

We can’t use a Virtual Network without subnets, so let’s add a subnet next. According to our Architecture, we will have three subnets: one for the Virtual Machine, one for the Bastion host, and one for Private Endpoints. We can start with the VM subnet for now. While we’re at it, let’s also add the NAT Gateway, the NAT Gateway’s Public IP, the attach the NAT Gateway to the VM subnet.

Add the following to your main.bicep:

➕ Expand Code

 1module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0.11.1' = {
 2  name: 'logAnalyticsWorkspace'
 3  params: {
 4    // Required parameters
 5    name: 'VM-AVM-Ex1-law'
 6    // Non-required parameters
 7    location: 'westus2'
 8  }
 9}
10
11module natGwPublicIp 'br/public:avm/res/network/public-ip-address:0.8.0' = {
12  name: 'natGwPublicIpDeployment'
13  params: {
14    // Required parameters
15    name: 'VM-AVM-Ex1-natgwpip'
16    // Non-required parameters
17    location: 'westus2'
18    diagnosticSettings: [
19      {
20        name: 'natGwPublicIpDiagnostics'
21        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
22      }
23    ]
24  }
25}
26
27module natGateway 'br/public:avm/res/network/nat-gateway:1.2.2' = {
28  name: 'natGatewayDeployment'
29  params: {
30    // Required parameters
31    name: 'VM-AVM-Ex1-natGw'
32    zone: 1
33    // Non-required parameters
34    publicIpResourceIds: [
35      natGwPublicIp.outputs.resourceId
36    ]
37  }
38}
39
40module virtualNetwork 'br/public:avm/res/network/virtual-network:0.6.1' = {
41  name: 'virtualNetworkDeployment'
42  params: {
43    // Required parameters
44    addressPrefixes: [
45      '10.0.0.0/16'
46    ]
47    name: 'VM-AVM-Ex1-vnet'
48    // Non-required parameters
49    location: 'westus2'
50    diagnosticSettings: [
51      {
52        name: 'vNetDiagnostics'
53        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
54      }
55    ]
56    subnets: [
57      {
58        name: 'VMSubnet'
59        addressPrefix: cidrSubnet('10.0.0.0/16', 24, 0) // first subnet in address space
60        natGatewayResourceId: natGateway.outputs.resourceId
61      }
62    ]
63  }
64}

The modification adds a subnets property to our virtualNetwork module. The AVM network/virtual-network module supports the creation of subnets directly within the module itself. We can also link our NAT Gateway directly to the subnet within this submodule.

A nice feature within Bicep are the various functions available. We use the cidrSubnet() function to declare CIDR blocks without having to calculate them on your own.

Switch to Parameters and Variables

See how we are reusing the same CIDR block 10.0.0.0/16 in multiple locations? You may have noticed we are defining the same location in two different spots as well. We’re now at a point in the development where we should leverage one of our first recommended practices: using parameters and variables!

Tip

Use Bicep variables to define values that will be constant and reused with your template; use parameters anywhere you may need a modifiable value.

Let’s enhance the template by adding variables for the CIDR block and prefix, then use a location parameter with a default value. We’ll then reference those in the module:

➕ Expand Code

 1param location string = 'westus2'
 2
 3var addressPrefix = '10.0.0.0/16'
 4var prefix = 'VM-AVM-Ex1'
 5
 6module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0.11.1' = {
 7  name: 'logAnalyticsWorkspace'
 8  params: {
 9    // Required parameters
10    name: '${prefix}-law'
11    // Non-required parameters
12    location: location
13  }
14}
15
16module natGwPublicIp 'br/public:avm/res/network/public-ip-address:0.8.0' = {
17  name: 'natGwPublicIpDeployment'
18  params: {
19    // Required parameters
20    name: '${prefix}-natgwpip'
21    // Non-required parameters
22    location: location
23    diagnosticSettings: [
24      {
25        name: 'natGwPublicIpDiagnostics'
26        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
27      }
28    ]
29  }
30}
31
32module natGateway 'br/public:avm/res/network/nat-gateway:1.2.2' = {
33  name: 'natGatewayDeployment'
34  params: {
35    // Required parameters
36    name: '${prefix}-natgw'
37    zone: 1
38    // Non-required parameters
39    publicIpResourceIds: [
40      natGwPublicIp.outputs.resourceId
41    ]
42  }
43}
44
45module virtualNetwork 'br/public:avm/res/network/virtual-network:0.6.1' = {
46  name: 'virtualNetworkDeployment'
47  params: {
48    // Required parameters
49    addressPrefixes: [
50      addressPrefix
51    ]
52    name: '${prefix}-vnet'
53    // Non-required parameters
54    location: location
55    diagnosticSettings: [
56      {
57        name: 'vNetDiagnostics'
58        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
59      }
60    ]
61    subnets: [
62      {
63        name: 'VMSubnet'
64        addressPrefix: cidrSubnet(addressPrefix, 24, 0) // first subnet in address space
65        natGatewayResourceId: natGateway.outputs.resourceId
66      }
67    ]
68  }
69}

We now have a good basis for the infrastructure to be utilized by the rest of the resources in our Architecture. We will come back to our networking in a future step, once we are ready to create some Network Security Groups. For now, let’s move on to other modules.

Key Vault

Key Vaults are one of the key components in most Azure architectures as they create a place where you can save and reference secrets in a secure manner (“secrets” in the general sense, as opposed to the secret object type in Key Vaults). The Key Vault AVM module makes it very simple to store secrets generated in your template. In this tutorial, we will use one of the most secure methods of storing and retrieving secrets by leveraging this Key Vault in our Bicep template.

The first step is easy: add the Key Vault AVM module to our main.bicep file. In addition, let’s also ensure it’s hooked into our Log Analytics workspace (we will do this for every new module from here on out).

➕ Expand Code

 1param location string = 'westus2'
 2
 3var addressPrefix = '10.0.0.0/16'
 4var prefix = 'VM-AVM-Ex1'
 5
 6module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0.11.1' = {
 7  name: 'logAnalyticsWorkspace'
 8  params: {
 9    // Required parameters
10    name: '${prefix}-law'
11    // Non-required parameters
12    location: location
13  }
14}
15
16module natGwPublicIp 'br/public:avm/res/network/public-ip-address:0.8.0' = {
17  name: 'natGwPublicIpDeployment'
18  params: {
19    // Required parameters
20    name: '${prefix}-natgwpip'
21    // Non-required parameters
22    location: location
23    diagnosticSettings: [
24      {
25        name: 'natGwPublicIpDiagnostics'
26        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
27      }
28    ]
29  }
30}
31
32module natGateway 'br/public:avm/res/network/nat-gateway:1.2.2' = {
33  name: 'natGatewayDeployment'
34  params: {
35    // Required parameters
36    name: '${prefix}-natgw'
37    zone: 1
38    // Non-required parameters
39    publicIpResourceIds: [
40      natGwPublicIp.outputs.resourceId
41    ]
42  }
43}
44
45module virtualNetwork 'br/public:avm/res/network/virtual-network:0.6.1' = {
46  name: 'virtualNetworkDeployment'
47  params: {
48    // Required parameters
49    addressPrefixes: [
50      addressPrefix
51    ]
52    name: '${prefix}-vnet'
53    // Non-required parameters
54    location: location
55    diagnosticSettings: [
56      {
57        name: 'vNetDiagnostics'
58        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
59      }
60    ]
61    subnets: [
62      {
63        name: 'VMSubnet'
64        addressPrefix: cidrSubnet(addressPrefix, 24, 0) // first subnet in address space
65        natGatewayResourceId: natGateway.outputs.resourceId
66      }
67    ]
68  }
69}
70
71module keyVault 'br/public:avm/res/key-vault/vault:0.12.1' = {
72  name: 'keyVaultDeployment'
73  params: {
74    // Required parameters
75    name: '${uniqueString(resourceGroup().id)}-kv'
76    // Non-required parameters
77    location: location
78    diagnosticSettings: [
79      {
80        name: 'keyVaultDiagnostics'
81        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
82      }
83    ]
84  }
85}

The name of the Key Vault we will deploy uses the uniqueString() Bicep function. Key Vault names must be globally unique. We will therefore deviate from our standard naming convention thus far and make an exception for the Key Vault. Note how we are still adding a suffix to the Key Vault name, so its name remains recognizable; you can use a combination of concatenating unique strings, prefixes, or suffixes to follow your own naming standard preferences.

When we generate our unique string, we will pass in the resourceGroup().id as the seed for the uniqueString() function so that every time you deploy this main.bicep to the same resource group, it will use the same randomly generated name for your Key Vault (since resourceGroup().id will be the same).

Tip

Bicep has many built-in functions available. We used two here: uniqueString() and resourceGroup(). The resourceGroup(), subscription(), and deployment() functions are very useful when seeding uniqueString() or guid() functions. Just be cautious about name length limitations for each Azure service! Visit this page to learn more about Bicep functions.

We will use this Key Vault later on when we create a VM and need to store its password. Now that we have it, a Virtual Network, Subnet, and Log Analytics prepared, we should have everything we need to deploy a Virtual Machine!

Info

In the future, we will update this guide to show how to generate and store a certificate in the Key Vault, then use that certificate to authenticate into the Virtual Machine.

Virtual Machine

Warning

The AVM Virtual Machine module enables the EncryptionAtHost feature by default. You must enable this feature within your Azure subscription successfully deploy this example code. To do so, run the following:

Deploy with

# Wait a few minutes after running the command to allow it to propagate
Register-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"

az feature register --namespace Microsoft.Compute --name EncryptionAtHost

# Propagate the change
az provider register --namespace Microsoft.Compute

For our Virtual Machine (VM) deployment, we need to add the following to our main.bicep file:

➕ Expand Code

  1param location string = 'westus2'
  2
  3// START add-password-param
  4@description('Required. A password for the VM admin user.')
  5@secure()
  6param vmAdminPass string
  7// END add-password-param
  8
  9var addressPrefix = '10.0.0.0/16'
 10var prefix = 'VM-AVM-Ex1'
 11
 12module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0.11.1' = {
 13  name: 'logAnalyticsWorkspace'
 14  params: {
 15    // Required parameters
 16    name: '${prefix}-law'
 17    // Non-required parameters
 18    location: location
 19  }
 20}
 21
 22module natGwPublicIp 'br/public:avm/res/network/public-ip-address:0.8.0' = {
 23  name: 'natGwPublicIpDeployment'
 24  params: {
 25    // Required parameters
 26    name: '${prefix}-natgwpip'
 27    // Non-required parameters
 28    location: location
 29    diagnosticSettings: [
 30      {
 31        name: 'natGwPublicIpDiagnostics'
 32        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
 33      }
 34    ]
 35  }
 36}
 37
 38module natGateway 'br/public:avm/res/network/nat-gateway:1.2.2' = {
 39  name: 'natGatewayDeployment'
 40  params: {
 41    // Required parameters
 42    name: '${prefix}-natgw'
 43    zone: 1
 44    // Non-required parameters
 45    publicIpResourceIds: [
 46      natGwPublicIp.outputs.resourceId
 47    ]
 48  }
 49}
 50
 51module virtualNetwork 'br/public:avm/res/network/virtual-network:0.6.1' = {
 52  name: 'virtualNetworkDeployment'
 53  params: {
 54    // Required parameters
 55    addressPrefixes: [
 56      addressPrefix
 57    ]
 58    name: '${prefix}-vnet'
 59    // Non-required parameters
 60    location: location
 61    diagnosticSettings: [
 62      {
 63        name: 'vNetDiagnostics'
 64        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
 65      }
 66    ]
 67    subnets: [
 68      {
 69        name: 'VMSubnet'
 70        addressPrefix: cidrSubnet(addressPrefix, 24, 0) // first subnet in address space
 71        natGatewayResourceId: natGateway.outputs.resourceId
 72      }
 73    ]
 74  }
 75}
 76
 77module keyVault 'br/public:avm/res/key-vault/vault:0.12.1' = {
 78  name: 'keyVaultDeployment'
 79  params: {
 80    // Required parameters
 81    name: '${uniqueString(resourceGroup().id)}-kv'
 82    // Non-required parameters
 83    location: location
 84    diagnosticSettings: [
 85      {
 86        name: 'keyVaultDiagnostics'
 87        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
 88      }
 89    ]
 90    // START add-keyvault-secret
 91    secrets: [
 92      {
 93        name: 'vmAdminPassword'
 94        value: vmAdminPass
 95      }
 96    ]
 97    // END add-keyvault-secret
 98  }
 99}
100
101module virtualMachine 'br/public:avm/res/compute/virtual-machine:0.13.1' = {
102  name: 'linuxVirtualMachineDeployment'
103  params: {
104    // Required parameters
105    adminUsername: 'localAdminUser'
106    adminPassword: vmAdminPass
107    imageReference: {
108      offer: '0001-com-ubuntu-server-jammy'
109      publisher: 'Canonical'
110      sku: '22_04-lts-gen2'
111      version: 'latest'
112    }
113    name: '${prefix}-vm1'
114    // START vm-subnet-reference
115    nicConfigurations: [
116      {
117        ipConfigurations: [
118          {
119            name: 'ipconfig01'
120            subnetResourceId: virtualNetwork.outputs.subnetResourceIds[0] // VMSubnet
121          }
122        ]
123        nicSuffix: '-nic-01'
124      }
125    ]
126    // END vm-subnet-reference
127    osDisk: {
128      caching: 'ReadWrite'
129      diskSizeGB: 128
130      managedDisk: {
131        storageAccountType: 'Standard_LRS'
132      }
133    }
134    osType: 'Linux'
135    vmSize: 'Standard_B2s_v2'
136    zone: 0
137    // Non-required parameters
138    location: location
139  }
140}

The VM module is one of the more complex modules in AVM—behind the scenes, it takes care of a lot of heavy lifting that, without AVM, would require multiple Bicep resources to be deployed and referenced.

For example, look at the nicConfigurations parameter: normally, you would need to deploy a separate NIC resource, which itself also requires an IP resource, then attach them to each other, and finally, attach them all to your VM.

With the AVM VM module, the nicConfigurations parameter accepts an object, allowing you to create any number of NICs to attach to your VM from within the VM resource deployment itself. It handles all the naming, creation of other necessary dependencies, and attaches them all together, so you don’t have to. The osDisk parameter is similar, though slightly less complex. There are many more parameters within the VM module that you can leverage if needed, that share a similar ease-of-use.

Since this is the real highlight of our main.bicep file, we need to take a closer look at some of the other changes that were made.

VM Admin Password Parameter
```
1@description('Required. A password for the VM admin user.')
2@secure()
3param vmAdminPass string
```
First, we added a new parameter. The value of this will be provided when the main.bicep template is deployed. We don’t want any passwords stored as text in code; for our purposes, the safest way to do this is to prompt the end user for the password at the time of deployment.
Warning
The supplied password must be between 6-72 characters long and must satisfy at least 3 of password complexity requirements from the following: Contains an uppercase character; Contains a lowercase character; Contains a numeric digit; Contains a special character. Control characters are not allowed
Also note how we are using the @secure() decorator on the password parameter. This will ensure the value of the password is never displayed in any of the deployment logs or in Azure. We have also added the @description() decorator and started the description with “Required.” It’s a good habit and recommended practice to document your parameters in Bicep. This will ensure that VS Code’s built-in Bicep linter can provide end-users insightful information when deploying your Bicep templates.
Info
Always use the @secure() decorator when creating a parameter that will hold sensitive data!
Add the VM Admin Password to Key Vault
```
1    secrets: [
2      {
3        name: 'vmAdminPassword'
4        value: vmAdminPass
5      }
6    ]
```
The next thing we have done is save the value of our vmAdminPass parameter to our Key Vault. We have done this by adding a secrets parameter to the Key Vault module. Adding secrets to Key Vaults is very simple when using the AVM module.
By adding our password to the Key Vault, it will ensure that we never lose the password and that it is stored securely. As long as a user has appropriate permissions on the vault, the password can be fetched easily.
Reference the VM Subnet
```
 1    nicConfigurations: [
 2      {
 3        ipConfigurations: [
 4          {
 5            name: 'ipconfig01'
 6            subnetResourceId: virtualNetwork.outputs.subnetResourceIds[0] // VMSubnet
 7          }
 8        ]
 9        nicSuffix: '-nic-01'
10      }
11    ]
```
Here, we reference another built-in output, this time from the AVM Virtual Network module. This example shows how to use an output that is part of an array. When the Virtual Network module creates subnets, it automatically creates a set of pre-defined outputs for them, one of which is an array that contains each subnet’s subnetResourceId. Our VM Subnet was the first one created which is position [0] in the array.
Other AVM modules may make use of arrays to store outputs. If you are unsure what type of outputs a module provides, you can always reference the Outputs section of each module’s README.md.

Storage Account

The last major component we need to add is a Storage Account. Because this Storage Account will be used as a backend storage to hold blobs for the hypothetical application that runs on our VM, we’ll also create a blob container within it using the same AVM Storage Account module.

➕ Expand Code

  1param location string = 'westus2'
  2
  3@description('Required. A password for the VM admin user.')
  4@secure()
  5param vmAdminPass string
  6
  7var addressPrefix = '10.0.0.0/16'
  8var prefix = 'VM-AVM-Ex1'
  9
 10module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0.11.1' = {
 11  name: 'logAnalyticsWorkspace'
 12  params: {
 13    // Required parameters
 14    name: '${prefix}-law'
 15    // Non-required parameters
 16    location: location
 17  }
 18}
 19
 20module natGwPublicIp 'br/public:avm/res/network/public-ip-address:0.8.0' = {
 21  name: 'natGwPublicIpDeployment'
 22  params: {
 23    // Required parameters
 24    name: '${prefix}-natgwpip'
 25    // Non-required parameters
 26    location: location
 27    diagnosticSettings: [
 28      {
 29        name: 'natGwPublicIpDiagnostics'
 30        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
 31      }
 32    ]
 33  }
 34}
 35
 36module natGateway 'br/public:avm/res/network/nat-gateway:1.2.2' = {
 37  name: 'natGatewayDeployment'
 38  params: {
 39    // Required parameters
 40    name: '${prefix}-natgw'
 41    zone: 1
 42    // Non-required parameters
 43    publicIpResourceIds: [
 44      natGwPublicIp.outputs.resourceId
 45    ]
 46  }
 47}
 48
 49module virtualNetwork 'br/public:avm/res/network/virtual-network:0.6.1' = {
 50  name: 'virtualNetworkDeployment'
 51  params: {
 52    // Required parameters
 53    addressPrefixes: [
 54      addressPrefix
 55    ]
 56    name: '${prefix}-vnet'
 57    // Non-required parameters
 58    location: location
 59    diagnosticSettings: [
 60      {
 61
 62        name: 'vNetDiagnostics'
 63        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
 64      }
 65    ]
 66    subnets: [
 67      {
 68        name: 'VMSubnet'
 69        addressPrefix: cidrSubnet(addressPrefix, 24, 0) // first subnet in address space
 70        natGatewayResourceId: natGateway.outputs.resourceId
 71      }
 72    ]
 73  }
 74}
 75
 76module keyVault 'br/public:avm/res/key-vault/vault:0.12.1' = {
 77  name: 'keyVaultDeployment'
 78  params: {
 79    // Required parameters
 80    name: '${uniqueString(resourceGroup().id)}-kv'
 81    // Non-required parameters
 82    location: location
 83    diagnosticSettings: [
 84      {
 85        name: 'keyVaultDiagnostics'
 86        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
 87      }
 88    ]
 89    enablePurgeProtection: false // disable purge protection for this example so we can more easily delete it
 90    secrets: [
 91      {
 92        name: 'vmAdminPassword'
 93        value: vmAdminPass
 94      }
 95    ]
 96  }
 97}
 98
 99module virtualMachine 'br/public:avm/res/compute/virtual-machine:0.13.1' = {
100  name: 'linuxVirtualMachineDeployment'
101  params: {
102    // Required parameters
103    adminUsername: 'localAdminUser'
104    adminPassword: vmAdminPass
105    imageReference: {
106      offer: '0001-com-ubuntu-server-jammy'
107      publisher: 'Canonical'
108      sku: '22_04-lts-gen2'
109      version: 'latest'
110    }
111    name: '${prefix}-vm1'
112    nicConfigurations: [
113      {
114        ipConfigurations: [
115          {
116            name: 'ipconfig01'
117            subnetResourceId: virtualNetwork.outputs.subnetResourceIds[0] // VMSubnet
118          }
119        ]
120        nicSuffix: '-nic-01'
121      }
122    ]
123    osDisk: {
124      caching: 'ReadWrite'
125      diskSizeGB: 128
126      managedDisk: {
127        storageAccountType: 'Standard_LRS'
128      }
129    }
130
131    osType: 'Linux'
132    vmSize: 'Standard_B2s_v2'
133    zone: 0
134    // Non-required parameters
135    location: location
136  }
137}
138
139module storageAccount 'br/public:avm/res/storage/storage-account:0.19.0' = {
140  name: 'storageAccountDeployment'
141  params: {
142    // Required parameters
143    name: '${uniqueString(resourceGroup().id)}sa'
144    // Non-required parameters
145    location: location
146    skuName: 'Standard_LRS'
147    diagnosticSettings: [
148      {
149        name: 'storageAccountDiagnostics'
150        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
151      }
152    ]
153    blobServices: {
154      containers: [
155        {
156          name: 'vmstorage'
157          publicAccess: 'None'
158        }
159      ]
160    }
161  }
162}

We now have all the major components of our Architecture diagram built!

The last steps we need to take to meet our requirements is to ensure our networking resources are secure and that we are using least privileged access by leveraging Role-Based Access Control (RBAC). Let’s get to it!

Network Security Groups

We’ll add a Network Security Group (NSG) to our VM subnet. This will act as a layer 3 and layer 4 firewall for networked resources. This implementation includes an appropriate inbound rule to allow SSH traffic from the Bastion host:

➕ Expand Code

  1param location string = 'westus2'
  2
  3@description('Required. A password for the VM admin user.')
  4@secure()
  5param vmAdminPass string
  6
  7var addressPrefix = '10.0.0.0/16'
  8var prefix = 'VM-AVM-Ex1'
  9
 10module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0.11.1' = {
 11  name: 'logAnalyticsWorkspace'
 12  params: {
 13    // Required parameters
 14    name: '${prefix}-law'
 15    // Non-required parameters
 16    location: location
 17  }
 18}
 19
 20module natGwPublicIp 'br/public:avm/res/network/public-ip-address:0.8.0' = {
 21  name: 'natGwPublicIpDeployment'
 22  params: {
 23    // Required parameters
 24    name: '${prefix}-natgwpip'
 25    // Non-required parameters
 26    location: location
 27    diagnosticSettings: [
 28      {
 29        name: 'natGwPublicIpDiagnostics'
 30        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
 31      }
 32    ]
 33  }
 34}
 35
 36module natGateway 'br/public:avm/res/network/nat-gateway:1.2.2' = {
 37  name: 'natGatewayDeployment'
 38  params: {
 39    // Required parameters
 40    name: '${prefix}-natgw'
 41    zone: 1
 42    // Non-required parameters
 43    publicIpResourceIds: [
 44      natGwPublicIp.outputs.resourceId
 45    ]
 46  }
 47}
 48
 49module virtualNetwork 'br/public:avm/res/network/virtual-network:0.6.1' = {
 50  name: 'virtualNetworkDeployment'
 51  params: {
 52    // Required parameters
 53    addressPrefixes: [
 54      addressPrefix
 55    ]
 56    name: '${prefix}-vnet'
 57    // Non-required parameters
 58    location: location
 59    diagnosticSettings: [
 60      {
 61        name: 'vNetDiagnostics'
 62        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
 63      }
 64    ]
 65    subnets: [
 66      {
 67        name: 'VMSubnet'
 68        addressPrefix: cidrSubnet(addressPrefix, 24, 0) // first subnet in address space
 69        natGatewayResourceId: natGateway.outputs.resourceId
 70        networkSecurityGroupResourceId: nsgVM.outputs.resourceId
 71      }
 72    ]
 73  }
 74}
 75
 76module nsgVM 'br/public:avm/res/network/network-security-group:0.5.1' = {
 77  name: 'nsgVmDeployment'
 78  params: {
 79    name: '${prefix}-NSG-VM'
 80    location: location
 81    securityRules: [
 82      {
 83        name: 'AllowBastionSSH'
 84        properties: {
 85          access: 'Allow'
 86          direction: 'Inbound'
 87          priority: 100
 88          protocol: 'Tcp'
 89          sourceAddressPrefix: 'virtualNetwork'
 90          sourcePortRange: '*'
 91          destinationAddressPrefix: '*'
 92          destinationPortRange: '22'
 93        }
 94      }
 95    ]
 96  }
 97}
 98
 99module keyVault 'br/public:avm/res/key-vault/vault:0.12.1' = {
100  name: 'keyVaultDeployment'
101  params: {
102    // Required parameters
103    name: '${uniqueString(resourceGroup().id)}-kv'
104    // Non-required parameters
105    location: location
106    diagnosticSettings: [
107      {
108        name: 'keyVaultDiagnostics'
109        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
110      }
111    ]
112    enablePurgeProtection: false // disable purge protection for this example so we can more easily delete it
113    secrets: [
114      {
115        name: 'vmAdminPassword'
116        value: vmAdminPass
117      }
118    ]
119  }
120}
121
122module virtualMachine 'br/public:avm/res/compute/virtual-machine:0.13.1' = {
123  name: 'linuxVirtualMachineDeployment'
124  params: {
125    // Required parameters
126    adminUsername: 'localAdminUser'
127    adminPassword: vmAdminPass
128    imageReference: {
129      offer: '0001-com-ubuntu-server-jammy'
130      publisher: 'Canonical'
131      sku: '22_04-lts-gen2'
132      version: 'latest'
133    }
134    name: '${prefix}-vm1'
135    nicConfigurations: [
136      {
137        ipConfigurations: [
138          {
139            name: 'ipconfig01'
140            subnetResourceId: virtualNetwork.outputs.subnetResourceIds[0] // VMSubnet
141          }
142        ]
143        nicSuffix: '-nic-01'
144      }
145    ]
146    osDisk: {
147      caching: 'ReadWrite'
148      diskSizeGB: 128
149      managedDisk: {
150        storageAccountType: 'Standard_LRS'
151      }
152    }
153
154    osType: 'Linux'
155    vmSize: 'Standard_B2s_v2'
156    zone: 0
157    // Non-required parameters
158    location: location
159  }
160}
161
162module storageAccount 'br/public:avm/res/storage/storage-account:0.19.0' = {
163  name: 'storageAccountDeployment'
164  params: {
165    // Required parameters
166    name: '${uniqueString(resourceGroup().id)}sa'
167    // Non-required parameters
168    location: location
169    skuName: 'Standard_LRS'
170    diagnosticSettings: [
171      {
172        name: 'storageAccountDiagnostics'
173        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
174      }
175    ]
176    blobServices: {
177      containers: [
178        {
179          name: 'vmstorage'
180          publicAccess: 'None'
181        }
182      ]
183    }
184  }
185}

Disable Public Access to Storage Account

Since the Storage Account serves as a backend resource exclusively for the Virtual Machine, it will be secured as much as possible. This involves adding a Private Endpoint and disabling public internet access. AVM makes creation and assignment of Private Endpoints to resources incredibly easy. Take a look:

➕ Expand Code

  1param location string = 'westus2'
  2
  3@description('Required. A password for the VM admin user.')
  4@secure()
  5param vmAdminPass string
  6
  7var addressPrefix = '10.0.0.0/16'
  8var prefix = 'VM-AVM-Ex1'
  9
 10module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0.11.1' = {
 11  name: 'logAnalyticsWorkspace'
 12  params: {
 13    // Required parameters
 14    name: '${prefix}-law'
 15    // Non-required parameters
 16    location: location
 17  }
 18}
 19
 20module natGwPublicIp 'br/public:avm/res/network/public-ip-address:0.8.0' = {
 21  name: 'natGwPublicIpDeployment'
 22  params: {
 23    // Required parameters
 24    name: '${prefix}-natgwpip'
 25    // Non-required parameters
 26    location: location
 27    diagnosticSettings: [
 28      {
 29        name: 'natGwPublicIpDiagnostics'
 30        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
 31      }
 32    ]
 33  }
 34}
 35
 36module natGateway 'br/public:avm/res/network/nat-gateway:1.2.2' = {
 37  name: 'natGatewayDeployment'
 38  params: {
 39    // Required parameters
 40    name: '${prefix}-natgw'
 41    zone: 1
 42    // Non-required parameters
 43    publicIpResourceIds: [
 44      natGwPublicIp.outputs.resourceId
 45    ]
 46  }
 47}
 48
 49module virtualNetwork 'br/public:avm/res/network/virtual-network:0.6.1' = {
 50  name: 'virtualNetworkDeployment'
 51  params: {
 52    // Required parameters
 53    addressPrefixes: [
 54      addressPrefix
 55    ]
 56    name: '${prefix}-vnet'
 57    // Non-required parameters
 58    location: location
 59    diagnosticSettings: [
 60      {
 61        name: 'vNetDiagnostics'
 62        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
 63      }
 64    ]
 65    subnets: [
 66      {
 67        name: 'VMSubnet'
 68        addressPrefix: cidrSubnet(addressPrefix, 24, 0) // first subnet in address space
 69        natGatewayResourceId: natGateway.outputs.resourceId
 70        networkSecurityGroupResourceId: nsgVM.outputs.resourceId
 71      }
 72      {
 73        name: 'PrivateEndpointSubnet'
 74        addressPrefix: cidrSubnet(addressPrefix, 24, 1) // second subnet in address space
 75      }
 76    ]
 77  }
 78}
 79
 80module nsgVM 'br/public:avm/res/network/network-security-group:0.5.1' = {
 81  name: 'nsgVmDeployment'
 82  params: {
 83    name: '${prefix}-NSG-VM'
 84    location: location
 85    securityRules: [
 86      {
 87        name: 'AllowBastionSSH'
 88        properties: {
 89          access: 'Allow'
 90          direction: 'Inbound'
 91          priority: 100
 92          protocol: 'Tcp'
 93          sourceAddressPrefix: 'virtualNetwork'
 94          sourcePortRange: '*'
 95          destinationAddressPrefix: '*'
 96          destinationPortRange: '22'
 97        }
 98      }
 99    ]
100  }
101}
102
103module keyVault 'br/public:avm/res/key-vault/vault:0.12.1' = {
104  name: 'keyVaultDeployment'
105  params: {
106    // Required parameters
107    name: '${uniqueString(resourceGroup().id)}-kv'
108    // Non-required parameters
109    location: location
110    diagnosticSettings: [
111      {
112        name: 'keyVaultDiagnostics'
113        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
114      }
115    ]
116    enablePurgeProtection: false // disable purge protection for this example so we can more easily delete it
117    secrets: [
118      {
119        name: 'vmAdminPassword'
120        value: vmAdminPass
121      }
122    ]
123  }
124}
125
126module virtualMachine 'br/public:avm/res/compute/virtual-machine:0.14.0' = {
127  name: 'linuxVirtualMachineDeployment'
128  params: {
129    // Required parameters
130    adminUsername: 'localAdminUser'
131    adminPassword: vmAdminPass
132    imageReference: {
133      offer: '0001-com-ubuntu-server-jammy'
134      publisher: 'Canonical'
135      sku: '22_04-lts-gen2'
136      version: 'latest'
137    }
138    name: '${prefix}-vm1'
139    nicConfigurations: [
140      {
141        ipConfigurations: [
142          {
143            name: 'ipconfig01'
144            subnetResourceId: virtualNetwork.outputs.subnetResourceIds[0] // VMSubnet
145          }
146        ]
147        nicSuffix: '-nic-01'
148      }
149    ]
150    osDisk: {
151      caching: 'ReadWrite'
152      diskSizeGB: 128
153      managedDisk: {
154        storageAccountType: 'Standard_LRS'
155      }
156    }
157    osType: 'Linux'
158    vmSize: 'Standard_B2s_v2'
159    zone: 0
160    // Non-required parameters
161    location: location
162  }
163}
164
165module storageAccount 'br/public:avm/res/storage/storage-account:0.19.0' = {
166  name: 'storageAccountDeployment'
167  params: {
168    // Required parameters
169    name: '${uniqueString(resourceGroup().id)}sa'
170    // Non-required parameters
171    location: location
172    skuName: 'Standard_LRS'
173    diagnosticSettings: [
174      {
175        name: 'storageAccountDiagnostics'
176        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
177      }
178    ]
179    publicNetworkAccess: 'Disabled'
180    allowBlobPublicAccess: false
181    blobServices: {
182      containers: [
183        {
184          name: 'vmstorage'
185          publicAccess: 'None'
186        }
187      ]
188    }
189    privateEndpoints: [
190      {
191        service: 'Blob'
192        subnetResourceId: virtualNetwork.outputs.subnetResourceIds[1] // Private Endpoint Subnet
193        privateDnsZoneGroup: {
194          privateDnsZoneGroupConfigs: [
195            {
196              privateDnsZoneResourceId: privateDnsBlob.outputs.resourceId
197            }
198          ]
199        }
200      }
201    ]
202  }
203}
204
205module privateDnsBlob 'br/public:avm/res/network/private-dns-zone:0.7.1' = {
206  name: '${prefix}-privatedns-blob'
207  params: {
208    name: 'privatelink.blob.${environment().suffixes.storage}'
209    location: 'global'
210    virtualNetworkLinks: [
211      {
212        name: '${virtualNetwork.outputs.name}-vnetlink'
213        virtualNetworkResourceId: virtualNetwork.outputs.resourceId
214      }
215    ]
216  }
217}

This implementation adds a dedicated subnet for Private Endpoints following the recommended practice of isolating Private Endpoints in their own subnet.

The addition of just a few lines of code in the privateEndpoints parameter handles the complex tasks of creating the Private Endpoint, associating it with the VNet, and attaching it to the resource. AVM drastically simplifies the creation of Private Endpoints for just about every Azure Resource that supports them.

The implementation also disables all public network connectivity to the Storage Account, ensuring it only accepts traffic via the Private Endpoint.

Finally, a Private DNS zone is added and linked to the VNet, enabling the VM to resolve the Private IP address associated with the Storage Account.

Bastion

To securely access the Virtual Machine without exposing its SSH port to the public internet, we’ll create an Azure Bastion host. The Bastion Host requires a subnet with the exact name AzureBastionSubnet which cannot contain anything other than Bastion Hosts.

➕ Expand Code

  1param location string = 'westus2'
  2
  3@description('Required. A password for the VM admin user.')
  4@secure()
  5param vmAdminPass string
  6
  7var addressPrefix = '10.0.0.0/16'
  8var prefix = 'VM-AVM-Ex1'
  9
 10module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0.11.1' = {
 11  name: 'logAnalyticsWorkspace'
 12  params: {
 13    // Required parameters
 14    name: '${prefix}-law'
 15    // Non-required parameters
 16    location: location
 17  }
 18}
 19
 20module natGwPublicIp 'br/public:avm/res/network/public-ip-address:0.8.0' = {
 21  name: 'natGwPublicIpDeployment'
 22  params: {
 23    // Required parameters
 24    name: '${prefix}-natgwpip'
 25    // Non-required parameters
 26    location: location
 27    diagnosticSettings: [
 28      {
 29        name: 'natGwPublicIpDiagnostics'
 30        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
 31      }
 32    ]
 33  }
 34}
 35
 36module natGateway 'br/public:avm/res/network/nat-gateway:1.2.2' = {
 37  name: 'natGatewayDeployment'
 38  params: {
 39    // Required parameters
 40    name: '${prefix}-natgw'
 41    zone: 1
 42    // Non-required parameters
 43    publicIpResourceIds: [
 44      natGwPublicIp.outputs.resourceId
 45    ]
 46  }
 47}
 48
 49module virtualNetwork 'br/public:avm/res/network/virtual-network:0.6.1' = {
 50  name: 'virtualNetworkDeployment'
 51  params: {
 52    // Required parameters
 53    addressPrefixes: [
 54      addressPrefix
 55    ]
 56    name: '${prefix}-vnet'
 57    // Non-required parameters
 58    location: location
 59    diagnosticSettings: [
 60      {
 61        name: 'vNetDiagnostics'
 62        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
 63      }
 64    ]
 65    subnets: [
 66      {
 67        name: 'VMSubnet'
 68        addressPrefix: cidrSubnet(addressPrefix, 24, 0) // first subnet in address space
 69        natGatewayResourceId: natGateway.outputs.resourceId
 70        networkSecurityGroupResourceId: nsgVM.outputs.resourceId
 71      }
 72      {
 73        name: 'PrivateEndpointSubnet'
 74        addressPrefix: cidrSubnet(addressPrefix, 24, 1) // second subnet in address space
 75      }
 76      {
 77        name: 'AzureBastionSubnet' // Azure Bastion Host requires this subnet to be named exactly "AzureBastionSubnet"
 78        addressPrefix: cidrSubnet(addressPrefix, 24, 2) // third subnet in address space
 79      }
 80    ]
 81  }
 82}
 83
 84module nsgVM 'br/public:avm/res/network/network-security-group:0.5.1' = {
 85  name: 'nsgVmDeployment'
 86  params: {
 87    name: '${prefix}-NSG-VM'
 88    location: location
 89    securityRules: [
 90      {
 91        name: 'AllowBastionSSH'
 92        properties: {
 93          access: 'Allow'
 94          direction: 'Inbound'
 95          priority: 100
 96          protocol: 'Tcp'
 97          sourceAddressPrefix: 'virtualNetwork'
 98          sourcePortRange: '*'
 99          destinationAddressPrefix: '*'
100          destinationPortRange: '22'
101        }
102      }
103    ]
104  }
105}
106
107module keyVault 'br/public:avm/res/key-vault/vault:0.12.1' = {
108  name: 'keyVaultDeployment'
109  params: {
110    // Required parameters
111    name: '${uniqueString(resourceGroup().id)}-kv'
112    // Non-required parameters
113    location: location
114    diagnosticSettings: [
115      {
116        name: 'keyVaultDiagnostics'
117        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
118      }
119    ]
120    enablePurgeProtection: false // disable purge protection for this example so we can more easily delete it
121    secrets: [
122      {
123        name: 'vmAdminPassword'
124        value: vmAdminPass
125      }
126    ]
127  }
128}
129
130module virtualMachine 'br/public:avm/res/compute/virtual-machine:0.14.0' = {
131  name: 'linuxVirtualMachineDeployment'
132  params: {
133    // Required parameters
134    adminUsername: 'localAdminUser'
135    adminPassword: vmAdminPass
136    imageReference: {
137      offer: '0001-com-ubuntu-server-jammy'
138      publisher: 'Canonical'
139      sku: '22_04-lts-gen2'
140      version: 'latest'
141    }
142    name: '${prefix}-vm1'
143    nicConfigurations: [
144      {
145        ipConfigurations: [
146          {
147            name: 'ipconfig01'
148            subnetResourceId: virtualNetwork.outputs.subnetResourceIds[0] // VMSubnet
149          }
150        ]
151        nicSuffix: '-nic-01'
152      }
153    ]
154    osDisk: {
155      caching: 'ReadWrite'
156      diskSizeGB: 128
157      managedDisk: {
158        storageAccountType: 'Standard_LRS'
159      }
160    }
161    osType: 'Linux'
162    vmSize: 'Standard_B2s_v2'
163    zone: 0
164    // Non-required parameters
165    location: location
166  }
167}
168
169module storageAccount 'br/public:avm/res/storage/storage-account:0.19.0' = {
170  name: 'storageAccountDeployment'
171  params: {
172    // Required parameters
173    name: '${uniqueString(resourceGroup().id)}sa'
174    // Non-required parameters
175    location: location
176    skuName: 'Standard_LRS'
177    diagnosticSettings: [
178      {
179        name: 'storageAccountDiagnostics'
180        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
181      }
182    ]
183    publicNetworkAccess: 'Disabled'
184    allowBlobPublicAccess: false
185    blobServices: {
186      containers: [
187        {
188          name: 'vmstorage'
189          publicAccess: 'None'
190        }
191      ]
192    }
193    privateEndpoints: [
194      {
195        service: 'Blob'
196        subnetResourceId: virtualNetwork.outputs.subnetResourceIds[1] // Private Endpoint Subnet
197        privateDnsZoneGroup: {
198          privateDnsZoneGroupConfigs: [
199            {
200              privateDnsZoneResourceId: privateDnsBlob.outputs.resourceId
201            }
202          ]
203        }
204      }
205    ]
206  }
207}
208
209module privateDnsBlob 'br/public:avm/res/network/private-dns-zone:0.7.1' = {
210  name: '${prefix}-privatedns-blob'
211  params: {
212    name: 'privatelink.blob.${environment().suffixes.storage}'
213    location: 'global'
214    virtualNetworkLinks: [
215      {
216        name: '${virtualNetwork.outputs.name}-vnetlink'
217        virtualNetworkResourceId: virtualNetwork.outputs.resourceId
218      }
219    ]
220  }
221}
222
223// Note: Deploying a Bastion Host will automatically create a Public IP and use the subnet named "AzureBastionSubnet"
224// within our VNet. This subnet is required and must be named exactly "AzureBastionSubnet" for the Bastion Host to work.
225module bastion 'br/public:avm/res/network/bastion-host:0.6.1' = {
226  name: 'bastionDeployment'
227  params: {
228    name: '${prefix}-bastion'
229    virtualNetworkResourceId: virtualNetwork.outputs.resourceId
230    skuName: 'Basic'
231    location: location
232    diagnosticSettings: [
233      {
234        name: 'bastionDiagnostics'
235        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
236      }
237    ]
238  }
239}

This simple addition of the bastion-host AVM module completes the secure access component of our architecture. You can now access the Virtual Machine by way of the Bastion Host in the Azure Portal.

Role-Based Access Control

To complete our solution, we have one final task: to apply Role-Based Access Control (RBAC) restrictions on our services, namely the Key Vault and Storage Account. The goal is to explicitly allow only the Virtual Machine to have Create, Read, Update, or Delete (CRUD) permissions on these two services.

This is accomplished by enabling a System-assigned Managed Identity on the Virtual Machine, then granting the VM’s Managed Identity appropriate permissions on the Storage Account and Key Vault:

➕ Expand Code

  1param location string = 'westus2'
  2
  3@description('Required. A password for the VM admin user.')
  4@secure()
  5param vmAdminPass string
  6
  7var addressPrefix = '10.0.0.0/16'
  8var prefix = 'VM-AVM-Ex1'
  9
 10module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0.11.1' = {
 11  name: 'logAnalyticsWorkspace'
 12  params: {
 13    // Required parameters
 14    name: '${prefix}-law'
 15    // Non-required parameters
 16    location: location
 17  }
 18}
 19
 20module natGwPublicIp 'br/public:avm/res/network/public-ip-address:0.8.0' = {
 21  name: 'natGwPublicIpDeployment'
 22  params: {
 23    // Required parameters
 24    name: '${prefix}-natgwpip'
 25    // Non-required parameters
 26    location: location
 27    diagnosticSettings: [
 28      {
 29        name: 'natGwPublicIpDiagnostics'
 30        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
 31      }
 32    ]
 33  }
 34}
 35
 36module natGateway 'br/public:avm/res/network/nat-gateway:1.2.2' = {
 37  name: 'natGatewayDeployment'
 38  params: {
 39    // Required parameters
 40    name: '${prefix}-natgw'
 41    zone: 1
 42    // Non-required parameters
 43    publicIpResourceIds: [
 44      natGwPublicIp.outputs.resourceId
 45    ]
 46  }
 47}
 48
 49module virtualNetwork 'br/public:avm/res/network/virtual-network:0.6.1' = {
 50  name: 'virtualNetworkDeployment'
 51  params: {
 52    // Required parameters
 53    addressPrefixes: [
 54      addressPrefix
 55    ]
 56    name: '${prefix}-vnet'
 57    // Non-required parameters
 58    location: location
 59    diagnosticSettings: [
 60      {
 61        name: 'vNetDiagnostics'
 62        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
 63      }
 64    ]
 65    subnets: [
 66      {
 67        name: 'VMSubnet'
 68        addressPrefix: cidrSubnet(addressPrefix, 24, 0) // first subnet in address space
 69        natGatewayResourceId: natGateway.outputs.resourceId
 70        networkSecurityGroupResourceId: nsgVM.outputs.resourceId
 71      }
 72      {
 73        name: 'PrivateEndpointSubnet'
 74        addressPrefix: cidrSubnet(addressPrefix, 24, 1) // second subnet in address space
 75      }
 76      {
 77        name: 'AzureBastionSubnet' // Azure Bastion Host requires this subnet to be named exactly "AzureBastionSubnet"
 78        addressPrefix: cidrSubnet(addressPrefix, 24, 2) // third subnet in address space
 79      }
 80    ]
 81  }
 82}
 83
 84module nsgVM 'br/public:avm/res/network/network-security-group:0.5.1' = {
 85  name: 'nsgVmDeployment'
 86  params: {
 87    name: '${prefix}-NSG-VM'
 88    location: location
 89    securityRules: [
 90      {
 91        name: 'AllowBastionSSH'
 92        properties: {
 93          access: 'Allow'
 94          direction: 'Inbound'
 95          priority: 100
 96          protocol: 'Tcp'
 97          sourceAddressPrefix: 'virtualNetwork'
 98          sourcePortRange: '*'
 99          destinationAddressPrefix: '*'
100          destinationPortRange: '22'
101        }
102      }
103    ]
104  }
105}
106
107module keyVault 'br/public:avm/res/key-vault/vault:0.12.1' = {
108  name: 'keyVaultDeployment'
109  params: {
110    // Required parameters
111    name: '${uniqueString(resourceGroup().id)}-kv'
112    // Non-required parameters
113    location: location
114    diagnosticSettings: [
115      {
116        name: 'keyVaultDiagnostics'
117        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
118      }
119    ]
120    enablePurgeProtection: false // disable purge protection for this example so we can more easily delete it
121    secrets: [
122      {
123        name: 'vmAdminPassword'
124        value: vmAdminPass
125      }
126    ]
127    roleAssignments: [
128      {
129        principalId: virtualMachine.outputs.systemAssignedMIPrincipalId
130        principalType: 'ServicePrincipal'
131        roleDefinitionIdOrName: 'Key Vault Secrets User' // Allows read access to secrets
132      }
133    ]
134  }
135}
136
137module virtualMachine 'br/public:avm/res/compute/virtual-machine:0.14.0' = {
138  name: 'linuxVirtualMachineDeployment'
139  params: {
140    // Required parameters
141    adminUsername: 'localAdminUser'
142    adminPassword: vmAdminPass
143    imageReference: {
144      offer: '0001-com-ubuntu-server-jammy'
145      publisher: 'Canonical'
146      sku: '22_04-lts-gen2'
147      version: 'latest'
148    }
149    name: '${prefix}-vm1'
150    nicConfigurations: [
151      {
152        ipConfigurations: [
153          {
154            name: 'ipconfig01'
155            subnetResourceId: virtualNetwork.outputs.subnetResourceIds[0] // VMSubnet
156          }
157        ]
158        nicSuffix: '-nic-01'
159      }
160    ]
161    osDisk: {
162      caching: 'ReadWrite'
163      diskSizeGB: 128
164      managedDisk: {
165        storageAccountType: 'Standard_LRS'
166      }
167    }
168    osType: 'Linux'
169    vmSize: 'Standard_B2s_v2'
170    zone: 0
171    // Non-required parameters
172    location: location
173    managedIdentities: {
174      systemAssigned: true
175    }
176  }
177}
178
179module storageAccount 'br/public:avm/res/storage/storage-account:0.19.0' = {
180  name: 'storageAccountDeployment'
181  params: {
182    // Required parameters
183    name: '${uniqueString(resourceGroup().id)}sa'
184    // Non-required parameters
185    location: location
186    skuName: 'Standard_LRS'
187    diagnosticSettings: [
188      {
189        name: 'storageAccountDiagnostics'
190        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
191      }
192    ]
193    publicNetworkAccess: 'Disabled'
194    allowBlobPublicAccess: false
195    blobServices: {
196      containers: [
197        {
198          name: 'vmstorage'
199          publicAccess: 'None'
200        }
201      ]
202      roleAssignments:[
203        {
204          principalId: virtualMachine.outputs.systemAssignedMIPrincipalId
205          principalType: 'ServicePrincipal'
206          roleDefinitionName: 'Storage Blob Data Contributor' // Allows read/write/delete on blob containers
207        }
208      ]
209    }
210    privateEndpoints: [
211      {
212        service: 'Blob'
213        subnetResourceId: virtualNetwork.outputs.subnetResourceIds[1] // Private Endpoint Subnet
214        privateDnsZoneGroup: {
215          privateDnsZoneGroupConfigs: [
216            {
217              privateDnsZoneResourceId: privateDnsBlob.outputs.resourceId
218            }
219          ]
220        }
221      }
222    ]
223  }
224}
225
226module privateDnsBlob 'br/public:avm/res/network/private-dns-zone:0.7.1' = {
227  name: '${prefix}-privatedns-blob'
228  params: {
229    name: 'privatelink.blob.${environment().suffixes.storage}'
230    location: 'global'
231    virtualNetworkLinks: [
232      {
233        name: '${virtualNetwork.outputs.name}-vnetlink'
234        virtualNetworkResourceId: virtualNetwork.outputs.resourceId
235      }
236    ]
237  }
238}
239
240// Note: Deploying a Bastion Host will automatically create a Public IP and use the subnet named "AzureBastionSubnet"
241// within our VNet. This subnet is required and must be named exactly "AzureBastionSubnet" for the Bastion Host to work.
242module bastion 'br/public:avm/res/network/bastion-host:0.6.1' = {
243  name: 'bastionDeployment'
244  params: {
245    name: '${prefix}-bastion'
246    virtualNetworkResourceId: virtualNetwork.outputs.resourceId
247    skuName: 'Basic'
248    location: location
249    diagnosticSettings: [
250      {
251        name: 'bastionDiagnostics'
252        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
253      }
254    ]
255  }
256}

Info

The Azure Subscription owner will have CRUD permissions for the Storage Account but not for the Key Vault. The Key Vault requires explicit RBAC permissions assigned to a user to grant them access: Provide access to Key Vaults using RBAC. Important!: at this point, you will only be able to access the Storage Account from the Bastion Host. Remember, public internet access has been disabled!

The RBAC policies have been successfully applied using a System-assigned Managed Identity on the Virtual Machine. This identity has been granted permissions on both the Key Vault and Storage Account. Now the VM can read secrets from the Key Vault and Read, Create, or Delete blobs in the Storage Account.

In a real production environment, the principle of least privileged access should be applied, providing only the exact permissions each service needs to carry out its functions. Learn more about Microsoft’s recommendations for identity and access management.

Conclusion

In this tutorial, we’ve explored how to leverage Azure Verified Modules (AVM) to build a secure, well-architected solution in Azure. AVM modules significantly simplify the deployment of Azure resources by abstracting away much of the complexity involved in configuring individual resources.

Your final, deployable Bicep template file should now look like this:

➕ Expand Code

  1param location string = 'westus2'
  2
  3@description('Required. A password for the VM admin user.')
  4@secure()
  5param vmAdminPass string
  6
  7var addressPrefix = '10.0.0.0/16'
  8var prefix = 'VM-AVM-Ex1'
  9
 10module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0.11.1' = {
 11  name: 'logAnalyticsWorkspace'
 12  params: {
 13    // Required parameters
 14    name: '${prefix}-law'
 15    // Non-required parameters
 16    location: location
 17  }
 18}
 19
 20module natGwPublicIp 'br/public:avm/res/network/public-ip-address:0.8.0' = {
 21  name: 'natGwPublicIpDeployment'
 22  params: {
 23    // Required parameters
 24    name: '${prefix}-natgwpip'
 25    // Non-required parameters
 26    location: location
 27    diagnosticSettings: [
 28      {
 29        name: 'natGwPublicIpDiagnostics'
 30        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
 31      }
 32    ]
 33  }
 34}
 35
 36module natGateway 'br/public:avm/res/network/nat-gateway:1.2.2' = {
 37  name: 'natGatewayDeployment'
 38  params: {
 39    // Required parameters
 40    name: '${prefix}-natgw'
 41    zone: 1
 42    // Non-required parameters
 43    publicIpResourceIds: [
 44      natGwPublicIp.outputs.resourceId
 45    ]
 46  }
 47}
 48
 49module virtualNetwork 'br/public:avm/res/network/virtual-network:0.6.1' = {
 50  name: 'virtualNetworkDeployment'
 51  params: {
 52    // Required parameters
 53    addressPrefixes: [
 54      addressPrefix
 55    ]
 56    name: '${prefix}-vnet'
 57    // Non-required parameters
 58    location: location
 59    diagnosticSettings: [
 60      {
 61        name: 'vNetDiagnostics'
 62        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
 63      }
 64    ]
 65    subnets: [
 66      {
 67        name: 'VMSubnet'
 68        addressPrefix: cidrSubnet(addressPrefix, 24, 0) // first subnet in address space
 69        natGatewayResourceId: natGateway.outputs.resourceId
 70        networkSecurityGroupResourceId: nsgVM.outputs.resourceId
 71      }
 72      {
 73        name: 'PrivateEndpointSubnet'
 74        addressPrefix: cidrSubnet(addressPrefix, 24, 1) // second subnet in address space
 75      }
 76      {
 77        name: 'AzureBastionSubnet' // Azure Bastion Host requires this subnet to be named exactly "AzureBastionSubnet"
 78        addressPrefix: cidrSubnet(addressPrefix, 24, 2) // third subnet in address space
 79      }
 80    ]
 81  }
 82}
 83
 84module nsgVM 'br/public:avm/res/network/network-security-group:0.5.1' = {
 85  name: 'nsgVmDeployment'
 86  params: {
 87    name: '${prefix}-NSG-VM'
 88    location: location
 89    securityRules: [
 90      {
 91        name: 'AllowBastionSSH'
 92        properties: {
 93          access: 'Allow'
 94          direction: 'Inbound'
 95          priority: 100
 96          protocol: 'Tcp'
 97          sourceAddressPrefix: 'virtualNetwork'
 98          sourcePortRange: '*'
 99          destinationAddressPrefix: '*'
100          destinationPortRange: '22'
101        }
102      }
103    ]
104  }
105}
106
107module keyVault 'br/public:avm/res/key-vault/vault:0.12.1' = {
108  name: 'keyVaultDeployment'
109  params: {
110    // Required parameters
111    name: '${uniqueString(resourceGroup().id)}-kv'
112    // Non-required parameters
113    location: location
114    diagnosticSettings: [
115      {
116        name: 'keyVaultDiagnostics'
117        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
118      }
119    ]
120    enablePurgeProtection: false // disable purge protection for this example so we can more easily delete it
121    secrets: [
122      {
123        name: 'vmAdminPassword'
124        value: vmAdminPass
125      }
126    ]
127    roleAssignments: [
128      {
129        principalId: virtualMachine.outputs.systemAssignedMIPrincipalId
130        principalType: 'ServicePrincipal'
131        roleDefinitionIdOrName: 'Key Vault Secrets User' // Allows read access to secrets
132      }
133    ]
134  }
135}
136
137module virtualMachine 'br/public:avm/res/compute/virtual-machine:0.14.0' = {
138  name: 'linuxVirtualMachineDeployment'
139  params: {
140    // Required parameters
141    adminUsername: 'localAdminUser'
142    adminPassword: vmAdminPass
143    imageReference: {
144      offer: '0001-com-ubuntu-server-jammy'
145      publisher: 'Canonical'
146      sku: '22_04-lts-gen2'
147      version: 'latest'
148    }
149    name: '${prefix}-vm1'
150    nicConfigurations: [
151      {
152        ipConfigurations: [
153          {
154            name: 'ipconfig01'
155            subnetResourceId: virtualNetwork.outputs.subnetResourceIds[0] // VMSubnet
156          }
157        ]
158        nicSuffix: '-nic-01'
159      }
160    ]
161    osDisk: {
162      caching: 'ReadWrite'
163      diskSizeGB: 128
164      managedDisk: {
165        storageAccountType: 'Standard_LRS'
166      }
167    }
168    osType: 'Linux'
169    vmSize: 'Standard_B2s_v2'
170    zone: 0
171    // Non-required parameters
172    location: location
173    managedIdentities: {
174      systemAssigned: true
175    }
176  }
177}
178
179module storageAccount 'br/public:avm/res/storage/storage-account:0.19.0' = {
180  name: 'storageAccountDeployment'
181  params: {
182    // Required parameters
183    name: '${uniqueString(resourceGroup().id)}sa'
184    // Non-required parameters
185    location: location
186    skuName: 'Standard_LRS'
187    diagnosticSettings: [
188      {
189        name: 'storageAccountDiagnostics'
190        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
191      }
192    ]
193    publicNetworkAccess: 'Disabled'
194    allowBlobPublicAccess: false
195    blobServices: {
196      containers: [
197        {
198          name: 'vmstorage'
199          publicAccess: 'None'
200        }
201      ]
202      roleAssignments:[
203        {
204          principalId: virtualMachine.outputs.systemAssignedMIPrincipalId
205          principalType: 'ServicePrincipal'
206          roleDefinitionName: 'Storage Blob Data Contributor' // Allows read/write/delete on blob containers
207        }
208      ]
209    }
210    privateEndpoints: [
211      {
212        service: 'Blob'
213        subnetResourceId: virtualNetwork.outputs.subnetResourceIds[1] // Private Endpoint Subnet
214        privateDnsZoneGroup: {
215          privateDnsZoneGroupConfigs: [
216            {
217              privateDnsZoneResourceId: privateDnsBlob.outputs.resourceId
218            }
219          ]
220        }
221      }
222    ]
223  }
224}
225
226module privateDnsBlob 'br/public:avm/res/network/private-dns-zone:0.7.1' = {
227  name: '${prefix}-privatedns-blob'
228  params: {
229    name: 'privatelink.blob.${environment().suffixes.storage}'
230    location: 'global'
231    virtualNetworkLinks: [
232      {
233        name: '${virtualNetwork.outputs.name}-vnetlink'
234        virtualNetworkResourceId: virtualNetwork.outputs.resourceId
235      }
236    ]
237  }
238}
239
240// Note: Deploying a Bastion Host will automatically create a Public IP and use the subnet named "AzureBastionSubnet"
241// within our VNet. This subnet is required and must be named exactly "AzureBastionSubnet" for the Bastion Host to work.
242module bastion 'br/public:avm/res/network/bastion-host:0.6.1' = {
243  name: 'bastionDeployment'
244  params: {
245    name: '${prefix}-bastion'
246    virtualNetworkResourceId: virtualNetwork.outputs.resourceId
247    skuName: 'Basic'
248    location: location
249    diagnosticSettings: [
250      {
251        name: 'bastionDiagnostics'
252        workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
253      }
254    ]
255  }
256}

AVM modules provide several key advantages over writing raw Bicep templates:

Simplified Resource Configuration: AVM modules handle much of the complex configuration work behind the scenes
Built-in Recommended Practices: The modules implement many of Microsoft’s recommended practices by default
Consistent Outputs: Each module exposes a consistent set of outputs that can be easily referenced
Reduced Boilerplate Code: What would normally require hundreds of lines of Bicep code can be accomplished in a fraction of the space

As you continue your journey with Azure and AVM, remember that this approach can be applied to more complex architectures as well. The modular nature of AVM allows you to mix and match components to build solutions that meet your specific needs while adhering to Microsoft’s Well-Architected Framework.

By using AVM modules as building blocks, you can focus more on your solution architecture and less on the intricacies of individual resource configurations, ultimately leading to faster development cycles and more reliable deployments.

Clean up your environment

When you are ready, you can remove the infrastructure deployed in this example. Key Vaults are set to a soft-delete state so you will also need to purge the one we created in order to fully delete it. The following commands will remove all resources created by your deployment:

Clean up with

# Delete the resource group
Remove-AzResourceGroup -Name "avm-bicep-vmexample1" -Force

# Purge the Key Vault
Remove-AzKeyVault -VaultName "<keyVaultName>" -Location "<location>" -InRemovedState -Force

# Delete the resource group
az group delete --name 'avm-bicep-vmexample1' --yes --no-wait

# Purge the Key Vault
az keyvault purge --name '<keyVaultName>' --no-wait

Congratulations, you have successfully leveraged AVM Bicep modules to deploy resources in Azure!

Tip

We welcome your contributions and feedback to help us improve the AVM modules and the overall experience for the community!

Terraform - Solution Development

Introduction

Azure Verified Modules (AVM) for Terraform are a powerful tool that leverage the Terraform domain-specific language (DSL), industry knowledge, and an Open Source community, which altogether enable developers to quickly deploy Azure resources that follow Microsoft’s recommended practices for Azure.
In this article, we will walk through the Terraform specific considerations and recommended practices on developing your solution leveraging Azure Verified Modules. We’ll review some of the design features and trade-offs and include sample code to illustrate each discussion point.

Prerequisites

title: “Terraform Prerequisites”
description: “Learn about the prerequisites for using Terraform to deploy Azure Verified Modules or develop them.”

You will need the following tools and components to complete this guide:

Visual Studio Code (VS Code) to develop your solution.
Terraform CLI to deploy your Terraform modules. Make sure you have a recent version installed.
Azure CLI to authenticate to Azure.
Azure Subscription to deploy your resources.

Before you begin, ensure you have these tools installed in your development environment.

Planning

Good module development should start with a good plan. Let’s first review the architecture and module design prior to developing our solution.

Solution Architecture

In our design, the resource group for our solution will require appropriate tagging to comply with our corporate standards. Resources that support Diagnostic Settings must also send metric data to a Log Analytics workspace, so that the infrastructure support teams can get metric telemetry. The virtual machine will require outbound internet access to allow the application to properly function. A Key Vault will be included to store any secrets and key artifacts, and we will include a Bastion instance to allow support personnel to access the virtual machine if needed. Finally, the VM is intended to run without interaction, so we will auto-generate an SSH private key and store it in the Key Vault for the rare event of someone needing to log into the VM.

Based on this narrative, we will create the following resources:

A resource group to contain all the resources with tagging
A random string resource for use in resources with global naming (Key Vault)
A Log Analytics workspace for diagnostic data
A Key Vault with:
- Role-Based Access Control (RBAC) to allow data access
- Logging to the Log Analytics workspace
A virtual network with:
- A virtual machine subnet
- A Bastion subnet
- Network Security Group on the VM subnet allowing SSH traffic
- Logging to the Log Analytics workspace
A NAT Gateway for enabling outbound internet access
- Associated to the virtual machine subnet
A Bastion service for secure remote access to the Virtual Machine
- Logging to the Log Analytics workspace
A virtual machine resource with
- A single private IPv4 interface attached to the VM subnet
- A randomly generated admin account private key stored in the Key Vault
- Metrics sent to the log Analytics workspace

Solution template (root module) design

Since our solution template (root module) is intended to be deployed multiple times, we want to develop it in a way that provides flexibility while minimizing the amount of input necessary to deploy the solution. For these reasons, we will create our module with a small set of variables that allow for deployment differentiation while still populating solution-specific defaults to minimize input. We will also separate our content into variables.tf, outputs.tf, terraform.tf, and main.tf files to simplify future maintenance.

Based on this, our file system will take the following structure:

Module Directory
- terraform.tf - This file holds the provider definitions and versions.
- variables.tf - This file contains the input variable definitions and defaults.
- outputs.tf - This file contains the outputs and their descriptions for use by any external modules calling this root module.
- main.tf - This file contains the core module code for creating the solutions infrastructure.
- development.tfvars - This file will contain the inputs for the instance of the module that is being deployed. Content in this file will vary from instance to instance.

Note

Terraform will merge content from any file ending in a .tf extension in the module folder to create the full module content. Because of this, using different files is not required. We encourage file separation to allow for organizing code in a way that makes it easier to maintain. While the naming structure we’ve used is common, there are many other valid file naming and organization options that can be used.

In our example, we will use the following variables as inputs to allow for customization:

location - The location where our infrastructure will be deployed.
name_prefix - This will be used to preface all of the resource naming.
virtual_network_prefix - This will be used to ensure IP uniqueness for the deployment.
tags - The custom tags to use for each deployment.

Finally, we will export the following outputs:

resource_group_name - This will allow for finding this deployment if there are multiples.
virtual_machine_name - This can be used to find and login to the vm if needed.

Identifying AVM modules that match our solution

Now that we’ve determined our architecture and module configurations, we need to see what AVM modules exist for use in our solution. To do this, we will open the AVM Terraform pattern module index and check if there are any existing pattern modules that match our requirement. In this case, no pattern modules fit our needs. If this was a common pattern, we could open an issue on the AVM github repository to get assistance from the AVM project to create a pattern module matching our requirements. Since our architecture isn’t common, we’ll continue to the next step.

When a pattern module fitting our needs doesn’t exist for a solution, leveraging AVM resource modules to build our own solution is the next best option. Review the AVM Terraform published resource module index for each of the resource types included in your architecture. For each AVM module, capture a link to the module to allow for a review of the documentation details on the Terraform Registry website.

Note

Some of the published pattern modules cover multi-resource configurations that can sometimes be interpreted as a single resource. Be sure to check the pattern index for groups of resources that may be part of your architecture and that don’t exist in the resource module index. (e.g., Virtual WAN)

For our sample architecture, we have the following AVM resource modules at our disposal. Click on each module to explore its documentation on the Terraform Registry.

Develop the Solution Code

We can now begin coding our solution. We will create each element individually, to allow us to test our deployment as we build it out. This will also allow us to correct any bugs incrementally, so that we aren’t troubleshooting a large number of resources at the end.

Creating the terraform.tf file

Let’s begin by configuring the provider details necessary to build our solution. Since this is a root module, we want to include any provider and Terraform version constraints for this module. We’ll periodically come back and add any needed additional providers if our design includes a resource from a new provider.

Open up your development IDE (Visual studio code in our example) and create a file named terraform.tf in your root directory.

Add the following code to your terraform.tf file:

➕ Expand Code

1terraform {
2  required_version = "~> 1.9"
3  required_providers {
4  }
5}

Note

Always click on the “Copy to clipboard” button in the top right corner of the Code sample area in order not to have the line numbers included in the copied code.

This specifies that the required Terraform binary version to run your module can be any version between 1.9 and 2.0. This is a good compromise for allowing a range of binary versions while also ensuring support for any required features that are used as part of the module. This can include things like newly introduced functions or support for new key words.

Since we are developing our solution incrementally, we should validate our code. To do this, we will take the following steps:

Open up a terminal window if it is not already open. In some IDE’s this can be done as a function of the IDE.
Change directory to the module directory by typing cd and then the path to the module. As an example, if the module directory was named example we would run cd example.
Run terraform init to initialize your provider file.

You should now see a message indicating that Terraform has been successfully initialized. This indicates that our code is error free and we can continue on. If you get errors, examine the provider syntax for typos, missing quotes, or missing brackets.

Creating a variables.tf file

Because our module is intended to be reusable, we want to provide the capability to customize each module call with those items that will differ between them. This is done by using variables to accept inputs into the module. We’ll define these inputs in a separate file named variables.tf.

Go back to the IDE, and create a file named variables.tf in the working directory.

Add the following code to your variables.tf file to configure the inputs for our example:

➕ Expand Code

 1variable "name_prefix" {
 2  description = "Prefix for the name of the resources"
 3  type        = string
 4  default     = "example"
 5}
 6
 7variable "location" {
 8  description = "The Azure location to deploy the resources"
 9  type        = string
10  default     = "East US"
11}
12
13variable "virtual_network_cidr" {
14  description = "The CIDR prefix for the virtual network. This should be at least a /22. Example 10.0.0.0/22"
15  type        = string
16}
17
18variable "tags" {
19  description = "Tags to be applied to all resources"
20  type        = map(string)
21  default     = {}
22}

Note

Note that each variable definition includes a type definition to guide module users on how to properly define an input. Also note that it is possible to set a default value. This allows module consumers to avoid setting a value if they find the default to be acceptable.

We should now test the new content we’ve created for our module. To do this, first re-run terraform init on your command line. Note that nothing has changed and the initialization completes successfully. Since we now have module content, we will attempt to run the plan as the next step of the workflow.

Type terraform plan on your command line. Note that it now asks for us to provide a value for the var.virtual_network_cidr variable. This is because we don’t provide a default value for that input so Terraform must have a valid input before it can continue. Type 10.0.0.0/22 into the input and press enter to allow the plan to complete. You should now see a message indicating that Your infrastructure matches the configuration and that no changes are needed.

Creating a development.tfvars file

There are multiple ways to provide input to the module we’re creating. We will create a tfvars file that can be supplied during plan and apply stages to minimize the need for manual input. tfvars files are a nice way to document inputs as well as allow for deploying different versions of your module. This is useful if you have a pipeline where infrastructure code is deployed first for development, and then is deployed for QA, staging, or production with different input values.

In your IDE, create a new file named development.tfvars in your working directory.

Now add the following content to your development.tfvars file.

➕ Expand Code

1location = "westus2"
2prefix = dev
3virtual_network_cidr = "10.1.0.0/22"
4tags = {
5  environment = "development"
6  owner       = "dev-team"
7}

Note

Note that each variable has a value defined. Although, only inputs without default values are required, we include values for all of the inputs for clarity. Consider doing this in your environments so that someone looking at the tfvars files has a full picture of what values are being set.

Re-run the terraform apply, but this time, reference the .tfvars file by using the following command: terraform plan -var-file=development.tfvars. You should get a successful completion without needing to manually provide inputs.

Creating the main.tf file

Now that we’ve created the supporting files, we can start building the actual infrastructure code in our main file. We will add one AVM resource module at a time so that we can test each as we implement them.

Return to your IDE and create a new file named main.tf.

Add a resource group

In Azure, we need a resource group to hold any infrastructure resources we create. This is a simple resource that typically wouldn’t require an AVM module, but we’ll include the AVM module so we can take advantage of the Role-Based Access Control (RBAC) interface if we need to restrict access to the resource group in future versions.

First, let’s visit the Terraform registry documentation page for the resource group and explore several key sections.

Note the Provision Instructions box on the right-hand side of the page. This contains the module source and version details which allows us to copy the latest version syntax without needing to type everything ourselves.
Now review the Readme tab in the middle of the page. It contains details about all required and optional inputs, resources that are created with the module, and any outputs that are defined. If you want to explore any of these items in detail, each element has a tab that you can review as needed.
Finally, in the middle of the page, there is a drop-down menu named Examples that contains functioning examples for the AVM module. These showcase a good example of using copy/paste to bootstrap module code and then modify it for your specific purpose.

Now that we’ve explored the registry content, let’s add a resource group to our module.

First, copy the content from the Provision Instructions box into our main.tf file.

➕ Expand Code

1module "avm-res-resources-resourcegroup" {
2  source  = "Azure/avm-res-resources-resourcegroup/azurerm"
3  version = "0.2.1"
4  # insert the 2 required variables here
5}

On the modules documentation page, go to the inputs tab. Review the Required Inputs tab. These are the values that don’t have defaults and are the minimum required values to deploy the module. There are additional inputs in the Optional Inputs section that can be used to configure additional module functionality. Review these inputs and determine which values you would like to define in your AVM module call.

Now, replace the # insert the 2 required variables here comment with the following code to define the module inputs. Our main.tf code should look like the following:

➕ Expand Code

1module "avm-res-resources-resourcegroup" {
2  source  = "Azure/avm-res-resources-resourcegroup/azurerm"
3  version = "0.2.1"
4
5  name = "${var.name_prefix}-rg"
6  location = var.location
7  tags = var.tags
8}

Note

Note how we’ve used the prefix variable and Terraform interpolation syntax to dynamically name the resource group. This allows for module customization and re-use. Also note that even though we chose to use the default module name of avm-res-resources-resourcegroup, we could modify the name of the module if needed.

After saving the file, we want to test our new content. To do this, return to the command line and first run terraform init. Notice how Terraform has downloaded the module code, as well as providers that the module requires. In this case, you can see the azurerm, random, and modtm providers were downloaded.

Let’s now deploy our resource group. First, let’s run a plan operation to review what will be created. Type terraform plan -var-file=development.tfvars and press enter to initiate the plan.

Add the features block

Notice that we get an error indicating that we are Missing required argument and that for the azurerm provider, we need to provide a features argument. The addition of the resource group AVM resource requires that the azurerm provider be installed to provision resources in our module. This provider requires a features block in its provider definition that is missing in our configuration.

Return to the terraform.tf file and add the following content to it. Note how the features block is currently empty. If we needed to activate any feature flags in our module, we could add them here.

➕ Expand Code

 1terraform {
 2  required_version = "~> 1.9"
 3  required_providers {
 4  }
 5}
 6
 7provider "azurerm" {
 8  features {
 9  }
10}

Re-run terraform plan -var-file=development.tfvars now that we have updated the features block.

Set the subscription ID

Note that we once again get an error. This time, the error indicates that subscription_id is a required provider property for plan/apply operations. This is a change that was introduced as part of the version 4 release of the AzureRM provider. We need to supply the ID of the deployment subscription where our resources will be created.

First, we need to get the subscription ID value. We will use the portal for this exercise, but using the Azure CLI, PowerShell, or the resource graph will also work to retrieve this value.

Open the Azure portal.
Enter Subscriptions in the search field at the top middle of the page.
Select Subscriptions from the services menu in the search drop-down.
Select the subscription you wish to deploy to, from the list of subscriptions.
Find the Subscription ID field on the overview page and click the copy button to copy it to the clipboard.

Secondly, we need to update Terraform so that it can use the subscription ID. There are multiple ways to provide a subscription ID to the provider including adding it to the features block or using environment variables. For this scenario we’ll use environment variables to set the values so that we don’t have to re-enter them on each run. This also keeps us from storing the subscription ID in our code since it is considered a sensitive value. Select a command from the list below based on your operating system.

(Linux/MacOS) - Run the following command with your subscription ID: export ARM_SUBSCRIPTION_ID=<your ID here>
(Windows) - Run the following command with your subscription ID: set ARM_SUBSCRIPTION_ID=<your ID here>

Finally, we should now be able to complete our plan operation by re-running terraform plan -var-file=development.tfvars. Note that the plan will create three resources, two for telemetry and one for the resource group.

Deploy the resource group

We can complete testing by implementing the resource group. Run terraform apply -var-file="development.tfvars" and type yes and press enter when prompted to accept the changes. Terraform will create the resource group and notify you with a Apply complete message and a summary of the resources that were added, changed, and destroyed.

Deploy the Log Analytics Workspace

We can now continue by adding the Log Analytics Workspace to our main.tf file. We will follow a workflow similar to what we did with the resource group.

Browse to the AVM Log Analytics Workspace module page in the Terraform Registry.
Copy the module content from the Provision Instructions portion of the page into the main.tf file.

This time, instead of manually supplying module inputs, we will copy module content from one of the examples to minimize the amount of typing required. In most examples, the AVM module call is located at the bottom of the example.

Navigate to the Examples drop-down menu in the documentation and select the default example from the menu. You will see a fully functioning example code which includes the module and any supporting resources. Since we only care about the workspace resource from this example, we can scroll to the bottom of the code block and find the module "log_analytics_workspace" line.
Copy the content between the module brackets with the exception of the line defining the module source. Because these examples are part of the testing methodology for the module, they use a dot reference value (../..) for the module source value which will not work in our module call. To work around this, we copied those values from the provision instructions section of the module documentation in a previous step.
Update the location and resource group name values to reference outputs from the resource group module. Using implicit references such as these allow Terraform to determine the order in which resources should be built.
Update the name field using the prefix variable to allow for customization using a similar pattern to what we used on the resource group.

The Log Analytics module content should look like the following code block. For simplicity, you can also copy this directly to avoid multiple copy/paste actions.

➕ Expand Code

 1module "avm-res-operationalinsights-workspace" {
 2  source  = "Azure/avm-res-operationalinsights-workspace/azurerm"
 3  version = "0.4.2"
 4
 5  enable_telemetry                          = true
 6  location                                  = module.avm-res-resources-resourcegroup.resource.location
 7  resource_group_name                       = module.avm-res-resources-resourcegroup.name
 8  name                                      = "${var.name_prefix}-law"
 9  log_analytics_workspace_retention_in_days = 30
10  log_analytics_workspace_sku               = "PerGB2018"
11}

Again, we will need to run terraform init to allow Terraform to initialize a copy of the AVM Log Analytics module.

Now, we can deploy the Log Analytics workspace by running terraform apply -var-file="development.tfvars", typing yes and pressing enter. Note that Terraform will only create the new Log Analytics resources since the resource group already exists. This is one of the key benefits of deploying using Infrastructure as Code (IAC) tools like Terraform.

Note

Note that we ran the terraform apply command without first running terraform plan. Because terraform apply runs a plan before prompting for the apply, we opted to shorten the instructions by skipping the explicit plan step. If you are testing in a live environment, you may want to run the plan step and save the plan as part of your governance or change control processes.

Deploy the Azure Key Vault

Our solution calls for a simple Key Vault implementation to store virtual machine secrets. We’ll follow the same workflow for deploying the Key Vault as we used for the previous resource group and Log Analytics workspace resources. However, since Key Vaults require data roles to manage secrets and keys, we will need to use the RBAC interface and a data resource to configure Role-Based Access Control (RBAC) during the deployment.

Note

For this exercise, we will provision the deployment user with data rights on the Key Vault. In your environment, you will likely want to either provide additional roles as inputs or statically assign users, or groups to the Key Vault data roles. For simplicity we also set the Key Vault to have public access enabled due to us not being able to dictate a private deployment environment. In your environment where your deployment machine will be on a private network it is recommended to restrict public access for the Key Vault.

Before we implement the AVM module for the Key Vault, we want to use a data resource to read the client details about the user context of the current Terraform deployment.

Add the following line to your main.tf file and save it.

➕ Expand Code

1data "azurerm_client_config" "this" {}

Key vaults use a global namespace which means that we will also need to add a randomization resource to allow us to randomize the name to avoid any potential name intersection issues with other Key Vault deployments. We will use Terraform’s random provider to generate the random string which we will append to the Key Vault name. Add the following code to your main module to create the random_string resource we will use for naming.

➕ Expand Code

1resource "random_string" "name_suffix" {
2  length  = 4
3  special = false
4  upper   = false
5}

Now we can continue with adding the AVM Key Vault module to our solution.

Browse to the AVM Key Vault resource module page in the Terraform Registry.
Copy the module content from the Provision Instructions portion of the page into the main.tf file.
This time, we’re going to select relevant content from the Create secret example to fill out our module.
Copy the name, location, enable_telemetry, resource_group_name, tenant_id, and role_assignments value content from the example and paste it into the new Key Vault module in your solution.
Update the name value to be "${var.prefix}-kv-${random_string.name_suffix.result}"
Update the location and resource_group_name values to the same implicit resource group module references we used in the Log Analytics workspace.
Set the enable_telemetry value to true.
Leave the tenant_id and role_assignments values to the same values that are in the example.

Our architecture calls for us to include a diagnostic settings configuration for each resource that supports it. We’ll use the diagnostic-settings example to copy this content.

Return to the documentation page and select the diagnostic-settings option from the examples drop-down.
Locate the Key Vault resource in the example’s code block and copy the diagnostic_settings value and paste it into the Key Vault module block we’re building in main.tf.
Update the name value to use our prefix variable to allow for name customization.
Update the workspace_resource_id value to be an implicit reference to the output from the previously implemented Log Analytics module (module.avm-res-operationalinsights-workspace.resource_id in our code).

Finally, we will allow public access, so that our deployer machine can add secrets to the Key Vault. If your environment doesn’t allow public access for Key Vault deployments, locate the public IP address of your deployer machine (this may be an external NAT IP for your network) and add it to the network_acls.ip_rules list value using CIDR notation.

Set the network_acls input to null in your module block for the Key Vault.

Your Key Vault module definition should now look like the following:

➕ Expand Code

 1module "avm-res-keyvault-vault" {
 2  source  = "Azure/avm-res-keyvault-vault/azurerm"
 3  version = "0.10.0"
 4
 5  enable_telemetry    = true
 6  location            = module.avm-res-resources-resourcegroup.resource.location
 7  resource_group_name = module.avm-res-resources-resourcegroup.name
 8  name                = "${var.name_prefix}-kv-${random_string.name_suffix.result}"
 9  tenant_id           = data.azurerm_client_config.this.tenant_id
10  network_acls        = null
11
12  diagnostic_settings = {
13    to_la = {
14      name                  = "${var.name_prefix}-kv-diags"
15      workspace_resource_id = module.avm-res-operationalinsights-workspace.resource_id
16    }
17  }
18
19  role_assignments = {
20    deployment_user_kv_admin = {
21      role_definition_id_or_name = "Key Vault Administrator"
22      principal_id               = data.azurerm_client_config.this.object_id
23    }
24  }
25}

Note

One of the core values of AVM is the standard configuration for interfaces across modules. The Role Assignments interface we used as part of the Key Vault deployment is a good example of this.

Continue the incremental testing of your module by running another terraform init and terraform apply -var-file="development.tfvars" sequence.

Deploy the NAT Gateway

Our architecture calls for a NAT Gateway to allow virtual machines to access the internet. We will use the NAT Gateway resource_id output in future modules to link the virtual machine subnet.

Browse to the AVM NAT Gateway resource module page in the Terraform Registry.
Copy the module definition and source from the Provision Instructions card from the module main page.
Copy the remaining module content from the default example excluding the subnet associations map, as we will do the association when we build the vnet.
Update the location and resource_group_nameusing implicit references from our resource group module.
Then update each of the name values to use the name_prefix variables.

Review the following code to see each of these changes.

➕ Expand Code

 1module "avm-res-network-natgateway" {
 2  source  = "Azure/avm-res-network-natgateway/azurerm"
 3  version = "0.2.1"
 4
 5  name                = "${var.name_prefix}-natgw"
 6  enable_telemetry    = true
 7  location            = module.avm-res-resources-resourcegroup.resource.location
 8  resource_group_name = module.avm-res-resources-resourcegroup.name
 9
10  public_ips = {
11    public_ip_1 = {
12      name = "${var.name_prefix}-natgw-pip"
13    }
14  }
15}

Continue the incremental testing of your module by running another terraform init and terraform apply -var-file="development.tfvars" sequence.

Deploy the Network Security Group

Our architecture calls for a Network Security Group (NSG) allowing SSH access to the virtual machine subnet. We will use the NSG AVM resource module to accomplish this task.

Browse to the AVM Network Security Group resource module page in the Terraform Registry.
Copy the module definition and source from the Provision Instructions card from the module main page.
Copy the remaining module content from the example_with_NSG_rule example.
Update the location and resource_group_nameusing implicit references from our resource group module.
Update the name value using the name_prefix variable interpolation as we did with the other modules.
Copy the map entry labeled rule02 from the locals nsg_rules map and paste it between two curly braces to create the security_rules attribute in the NSG module we’re building.
Make the following updates to the rule details:
1. Rename the map key to "rule01" from "rule02".
2. Update the name to use the var.prefix interpolation and SSH to describe the rule.
3. Update the destination_port_ranges list to be ["22"].

Upon completion the code for the NSG module should be as follows:

➕ Expand Code

 1module "avm-res-network-networksecuritygroup" {
 2  source  = "Azure/avm-res-network-networksecuritygroup/azurerm"
 3  version = "0.4.0"
 4  resource_group_name = module.avm-res-resources-resourcegroup.name
 5  name                = "${var.name_prefix}-vm-subnet-nsg"
 6  location            = module.avm-res-resources-resourcegroup.resource.location
 7
 8  security_rules = {
 9    "rule01" = {
10      name                       = "${var.name_prefix}-ssh"
11      access                     = "Allow"
12      destination_address_prefix = "*"
13      destination_port_ranges    = ["22"]
14      direction                  = "Inbound"
15      priority                   = 200
16      protocol                   = "Tcp"
17      source_address_prefix      = "*"
18      source_port_range          = "*"
19    }
20  }
21}

Continue the incremental testing of your module by running another terraform init and terraform apply -var-file="development.tfvars" sequence.

Deploy the Virtual Network

We can now continue the build-out of our architecture by configuring the virtual network (vnet) deployment. This will follow a similar pattern as the previous resource modules, but this time, we will also add some network functions to help us customize the subnet configurations.

Browse to the AVM Virtual Network resource module page in the Terraform Registry.
Copy the module definition and source from the Provision Instructions card from the module main page.
After looking through the examples, this time, we’ll use the complete example as a source to copy our content.
Copy the resource_group_name, location, name, and address_space lines and replace their values with our deployment specific variables or module references.
We’ll copy the subnets map and duplicate the subnet0 map for each subnet.
Now we will update the map key and name values for each subnet so that they are unique.
Then we’ll use the cidrsubnet function to dynamically generate the CIDR range for each subnet. You can explore the function documentation for more details on how it can be used.
We will also populate the nat_gateway object on subnet0 with the resource_id output from our NAT Gateway module.
To configure the NSG on the VM subnet we need to link it. Add a network_security_group attribute to the subnet0 definition and replace the value with the resource_id output from the NSG module.
Finally, we’ll copy the diagnostic settings from the example and update the implicit references to point to our previously deployed Log Analytics workspace.

After making these changes our virtual network module call code will be as follows:

➕ Expand Code

 1module "avm-res-network-virtualnetwork" {
 2  source  = "Azure/avm-res-network-virtualnetwork/azurerm"
 3  version = "0.8.1"
 4
 5  resource_group_name = module.avm-res-resources-resourcegroup.name
 6  location            = module.avm-res-resources-resourcegroup.resource.location
 7  name                = "${var.name_prefix}-vnet"
 8
 9  address_space = [var.virtual_network_cidr]
10
11  subnets = {
12    subnet0 = {
13      name                            = "${var.name_prefix}-vm-subnet"
14      default_outbound_access_enabled = false
15      address_prefixes = [cidrsubnet(var.virtual_network_cidr, 1, 0)]
16      nat_gateway = {
17        id = module.avm-res-network-natgateway.resource_id
18      }
19      network_security_group = {
20        id = module.avm-res-network-networksecuritygroup.resource_id
21      }
22    }
23    bastion = {
24      name                            = "AzureBastionSubnet"
25      default_outbound_access_enabled = false
26      address_prefixes = [cidrsubnet(var.virtual_network_cidr, 1, 1)]
27    }
28  }
29
30  diagnostic_settings = {
31    sendToLogAnalytics = {
32      name                           = "${var.name_prefix}-vnet-diagnostic"
33      workspace_resource_id          = module.avm-res-operationalinsights-workspace.resource_id
34      log_analytics_destination_type = "Dedicated"
35    }
36  }
37}

Note

Note how the Log Analytics workspace reference ends in resource_id. Each AVM module is required to export its Azure resource ID with the resource_id name to allow for consistent references.

Continue the incremental testing of your module by running another terraform init and terraform apply -var-file="development.tfvars" sequence.

Deploy the Bastion service

We want to allow for secure remote access to the virtual machine for configuration and troubleshooting tasks. We’ll use Azure Bastion to accomplish this objective following a similar workflow to our other resources.

Browse to the AVM Bastion resource module page in the Terraform Registry.
Copy the module definition and source from the Provision Instructions card from the module main page.
Copy the remaining module content from the Simple Deployment example.
Update the location and resource_group_nameusing implicit references from our resource group module.
Update the name value using the name_prefix variable interpolation as we did with the other modules.
Finally, update the subnet_id value to include an implicit reference to the bastion keyed subnet from our virtual network module.

Our architecture calls for diagnostic settings to be configured on the Azure Bastion resource. In this case, there aren’t any examples that include this configuration. However, since the diagnostic settings interface is one of the standard interfaces in Azure Verified Modules, we can just copy the interface definition from our virtual network module.

Locate the virtual network module and copy the diagnostic_settings value from it.
Paste the diagnostic_settings value into the code for our Bastion module.
Update the diagnostic setting’s name value from vnet to Bastion.

The new code we added for the Bastion resource will be as follows:

➕ Expand Code

 1module "avm-res-network-bastionhost" {
 2  source  = "Azure/avm-res-network-bastionhost/azurerm"
 3  version = "0.7.2"
 4
 5  name                = "${var.name_prefix}-bastion"
 6  resource_group_name = module.avm-res-resources-resourcegroup.name
 7  location            = module.avm-res-resources-resourcegroup.resource.location
 8  ip_configuration = {
 9    subnet_id = module.avm-res-network-virtualnetwork.subnets["bastion"].resource_id
10  }
11
12  diagnostic_settings = {
13    sendToLogAnalytics = {
14      name                           = "${var.name_prefix}-bastion-diagnostic"
15      workspace_resource_id          = module.avm-res-operationalinsights-workspace.resource_id
16      log_analytics_destination_type = "Dedicated"
17    }
18  }
19}

Note

Pay attention to the subnet_id syntax. In the virtual network module, the subnets are created as a sub-module allowing us to reference each of them using the map key that was defined in the subnets input. Again, we see the consistent output naming with the resource_id output for the sub-module.

Continue the incremental testing of your module by running another terraform init and terraform apply -var-file="development.tfvars" sequence.

Deploy the virtual machine

The final step in our deployment will be our application virtual machine. We’ve had good success with our workflow so far, so we’ll use it for this step as well.

Browse to the AVM Virtual Machine resource module page in the Terraform Registry.
Copy the module definition and source from the Provision Instructions card from the module main page.
Copy the remaining module content from the linux_default example.
Update the location and resource_group_nameusing implicit references from our resource group module.
To be compliant with Well Architected Framework guidance we encourage defining a zone if your region supports it. Update the zone input to 1.
Update the sku_size input to “Standard_D2s_v5”.
Update the name values using the name_prefix variable interpolation as we did with the other modules and include the output from the random_string.name_suffix resource to add uniqueness.
Set the account_credentials.key_vault_configuration.resource_id value to reference the resource_id output from the Key Vault module.
Update the private_ip_subnet_resource_id value to an implicit reference to the subnet0 subnet output from the virtual network module.

Because the default Linux example doesn’t include diagnostic settings, we need to add that content in a different way. Since the diagnostic settings interface has a standard schema, we can copy the diagnostic_settings input from our virtual network module.

Locate the virtual network module in your code and copy the diagnostic_settings map from it.
Paste the diagnostic_settings content into your virtual machine module code.
Update the name value to reflect that it applies to the virtual machine.

The new code we added for the virtual machine resource will be as follows:

➕ Expand Code

 1module "avm-res-compute-virtualmachine" {
 2  source  = "Azure/avm-res-compute-virtualmachine/azurerm"
 3  version = "0.19.1"
 4
 5  enable_telemetry    = true
 6  location            = module.avm-res-resources-resourcegroup.resource.location
 7  resource_group_name = module.avm-res-resources-resourcegroup.name
 8  name                = "${var.name_prefix}-vm"
 9  os_type             = "Linux"
10  sku_size            = "Standard_D2s_v5"
11  zone                = 1
12
13  source_image_reference = {
14    publisher = "Canonical"
15    offer     = "0001-com-ubuntu-server-focal"
16    sku       = "20_04-lts-gen2"
17    version   = "latest"
18  }
19
20  network_interfaces = {
21    network_interface_1 = {
22      name = "${var.name_prefix}-nic-${random_string.name_suffix.result}"
23      ip_configurations = {
24        ip_configuration_1 = {
25          name                          = "${var.name_prefix}-ipconfig-${random_string.name_suffix.result}"
26          private_ip_subnet_resource_id = module.avm-res-network-virtualnetwork.subnets["subnet0"].resource_id
27        }
28      }
29    }
30  }
31
32  diagnostic_settings = {
33    sendToLogAnalytics = {
34      name                           = "${var.name_prefix}-vm-diagnostic"
35      workspace_resource_id          = module.avm-res-operationalinsights-workspace.resource_id
36      log_analytics_destination_type = "Dedicated"
37    }
38  }
39}

Continue the incremental testing of your module by running another terraform init and terraform apply -var-file="development.tfvars" sequence.

Creating the outputs.tf file

The final piece of our module is to export any values that may need to be consumed by module users. From our architecture, we’ll export the resource group name and the virtual machine resource name.

Create an outputs.tf file in your IDE.
Create an output named resource_group_name and set the value to an implicit reference to the resource group modules name output. Include a brief description for the output.
Create an output named virtual_machine_name and set the value to an implicit reference to the virtual machine module’s name output. Include a brief description for the output.

The new code we added for the outputs will be as follows:

➕ Expand Code

1output "resource_group_name" {
2  value =  module.avm-res-resources-resourcegroup.name
3  description = "The resource group name where the resources are deployed"
4}
5
6output "virtual_machine_name" {
7    value = module.avm-res-compute-virtualmachine.name
8    description = "The name of the virtual machine"
9}

Because no new modules were created, we don’t need to run terraform init to test this change. Run terraform apply -var-file="development.tfvars" to see the new outputs that have been created.

Update the terraform.tf file

It is a recommended practice to define the required versions of the providers for your module to ensure consistent behavior when it is being run. In this case we are going to be slightly permissive and allow increases in minor and patch versions to fluctuate, since those are not supposed to include breaking changes. In a production environment, you would likely want to pin on a specific version to guarantee behavior.

Run terraform init to review the providers and versions that are currently installed.
Update your terraform.tf file’s required providers field for each provider listed in the downloaded providers.

The updated code we added for the providers in the terraform.tf file will be as follows:

➕ Expand Code

 1terraform {
 2  required_version = "~> 1.9"
 3  required_providers {
 4    azapi = {
 5      source  = "azure/azapi"
 6      version = "~> 2.3"
 7    }
 8    azurerm = {
 9      source  = "hashicorp/azurerm"
10      version = "~> 4.27"
11    }
12    modtm = {
13      source  = "azure/modtm"
14      version = "~> 0.3"
15    }
16    random = {
17      source  = "hashicorp/random"
18      version = "~> 3.7"
19    }
20    time = {
21      source  = "hashicorp/time"
22      version = "~> 0.13"
23    }
24    tls = {
25      source  = "hashicorp/tls"
26      version = "~> 4.1"
27    }
28  }
29}
30
31provider "azurerm" {
32  features {
33  }
34}

Conclusion

Congratulations on successfully implementing a solution using Azure Verified Modules! You were able to build out our sample architecture using module documentation and taking advantage of features like standard interfaces and pre-defined defaults to simplify the development experience.

Note

This was a long exercise and mistakes can happen. If you’re getting errors or a resource is incomplete and you want to see the final main.tf, expand the following code block to see the full file.

➕ Expand Code

  1module "avm-res-resources-resourcegroup" {
  2  source  = "Azure/avm-res-resources-resourcegroup/azurerm"
  3  version = "0.2.1"
  4
  5  name = "${var.name_prefix}-rg"
  6  location = var.location
  7  tags = var.tags
  8}
  9
 10module "avm-res-operationalinsights-workspace" {
 11  source  = "Azure/avm-res-operationalinsights-workspace/azurerm"
 12  version = "0.4.2"
 13
 14  enable_telemetry                          = true
 15  location                                  = module.avm-res-resources-resourcegroup.resource.location
 16  resource_group_name                       = module.avm-res-resources-resourcegroup.name
 17  name                                      = "${var.name_prefix}-law"
 18  log_analytics_workspace_retention_in_days = 30
 19  log_analytics_workspace_sku               = "PerGB2018"
 20}
 21
 22data "azurerm_client_config" "this" {}
 23
 24resource "random_string" "name_suffix" {
 25  length  = 4
 26  special = false
 27  upper   = false
 28}
 29
 30module "avm-res-keyvault-vault" {
 31  source  = "Azure/avm-res-keyvault-vault/azurerm"
 32  version = "0.10.0"
 33
 34  enable_telemetry    = true
 35  location            = module.avm-res-resources-resourcegroup.resource.location
 36  resource_group_name = module.avm-res-resources-resourcegroup.name
 37  name                = "${var.name_prefix}-kv-${random_string.name_suffix.result}"
 38  tenant_id           = data.azurerm_client_config.this.tenant_id
 39  network_acls        = null
 40
 41  diagnostic_settings = {
 42    to_la = {
 43      name                  = "${var.name_prefix}-kv-diags"
 44      workspace_resource_id = module.avm-res-operationalinsights-workspace.resource_id
 45    }
 46  }
 47
 48  role_assignments = {
 49    deployment_user_kv_admin = {
 50      role_definition_id_or_name = "Key Vault Administrator"
 51      principal_id               = data.azurerm_client_config.this.object_id
 52    }
 53  }
 54}
 55
 56module "avm-res-network-natgateway" {
 57  source  = "Azure/avm-res-network-natgateway/azurerm"
 58  version = "0.2.1"
 59
 60  name                = "${var.name_prefix}-natgw"
 61  enable_telemetry    = true
 62  location            = module.avm-res-resources-resourcegroup.resource.location
 63  resource_group_name = module.avm-res-resources-resourcegroup.name
 64
 65  public_ips = {
 66    public_ip_1 = {
 67      name = "${var.name_prefix}-natgw-pip"
 68    }
 69  }
 70}
 71
 72module "avm-res-network-virtualnetwork" {
 73  source  = "Azure/avm-res-network-virtualnetwork/azurerm"
 74  version = "0.8.1"
 75
 76  resource_group_name = module.avm-res-resources-resourcegroup.name
 77  location            = module.avm-res-resources-resourcegroup.resource.location
 78  name                = "${var.name_prefix}-vnet"
 79
 80  address_space = [var.virtual_network_cidr]
 81
 82  subnets = {
 83    subnet0 = {
 84      name                            = "${var.name_prefix}-vm-subnet"
 85      default_outbound_access_enabled = false
 86      address_prefixes = [cidrsubnet(var.virtual_network_cidr, 1, 0)]
 87      nat_gateway = {
 88        id = module.avm-res-network-natgateway.resource_id
 89      }
 90      network_security_group = {
 91        id = module.avm-res-network-networksecuritygroup.resource_id
 92      }
 93    }
 94    bastion = {
 95      name                            = "AzureBastionSubnet"
 96      default_outbound_access_enabled = false
 97      address_prefixes = [cidrsubnet(var.virtual_network_cidr, 1, 1)]
 98    }
 99  }
100
101  diagnostic_settings = {
102    sendToLogAnalytics = {
103      name                           = "${var.name_prefix}-vnet-diagnostic"
104      workspace_resource_id          = module.avm-res-operationalinsights-workspace.resource_id
105      log_analytics_destination_type = "Dedicated"
106    }
107  }
108}
109
110module "avm-res-network-bastionhost" {
111  source  = "Azure/avm-res-network-bastionhost/azurerm"
112  version = "0.7.2"
113
114  name                = "${var.name_prefix}-bastion"
115  resource_group_name = module.avm-res-resources-resourcegroup.name
116  location            = module.avm-res-resources-resourcegroup.resource.location
117  ip_configuration = {
118    subnet_id = module.avm-res-network-virtualnetwork.subnets["bastion"].resource_id
119  }
120
121  diagnostic_settings = {
122    sendToLogAnalytics = {
123      name                           = "${var.name_prefix}-bastion-diagnostic"
124      workspace_resource_id          = module.avm-res-operationalinsights-workspace.resource_id
125      log_analytics_destination_type = "Dedicated"
126    }
127  }
128}
129
130module "avm-res-network-networksecuritygroup" {
131  source  = "Azure/avm-res-network-networksecuritygroup/azurerm"
132  version = "0.4.0"
133  resource_group_name = module.avm-res-resources-resourcegroup.name
134  name                = "${var.name_prefix}-vm-subnet-nsg"
135  location            = module.avm-res-resources-resourcegroup.resource.location
136
137  security_rules = {
138    "rule01" = {
139      name                       = "${var.name_prefix}-ssh"
140      access                     = "Allow"
141      destination_address_prefix = "*"
142      destination_port_ranges    = ["22"]
143      direction                  = "Inbound"
144      priority                   = 200
145      protocol                   = "Tcp"
146      source_address_prefix      = "*"
147      source_port_range          = "*"
148    }
149  }
150}
151
152module "avm-res-compute-virtualmachine" {
153  source  = "Azure/avm-res-compute-virtualmachine/azurerm"
154  version = "0.19.1"
155
156  enable_telemetry    = true
157  location            = module.avm-res-resources-resourcegroup.resource.location
158  resource_group_name = module.avm-res-resources-resourcegroup.name
159  name                = "${var.name_prefix}-vm"
160  os_type             = "Linux"
161  sku_size            = "Standard_D2s_v5"
162  zone                = 1
163
164  source_image_reference = {
165    publisher = "Canonical"
166    offer     = "0001-com-ubuntu-server-focal"
167    sku       = "20_04-lts-gen2"
168    version   = "latest"
169  }
170
171  network_interfaces = {
172    network_interface_1 = {
173      name = "${var.name_prefix}-nic-${random_string.name_suffix.result}"
174      ip_configurations = {
175        ip_configuration_1 = {
176          name                          = "${var.name_prefix}-ipconfig-${random_string.name_suffix.result}"
177          private_ip_subnet_resource_id = module.avm-res-network-virtualnetwork.subnets["subnet0"].resource_id
178        }
179      }
180    }
181  }
182
183  diagnostic_settings = {
184    sendToLogAnalytics = {
185      name                           = "${var.name_prefix}-vm-diagnostic"
186      workspace_resource_id          = module.avm-res-operationalinsights-workspace.resource_id
187      log_analytics_destination_type = "Dedicated"
188    }
189  }
190}

AVM modules provide several key advantages over writing raw Terraform templates:

Simplified Resource Configuration: AVM modules handle much of the complex configuration work behind the scenes
Built-in Recommended Practices: The modules implement many of Microsoft’s recommended practices by default
Consistent Outputs: Each module exposes a consistent set of outputs that can be easily referenced
Reduced Boilerplate Code: What would normally require hundreds of lines of Terraform code can be accomplished in a fraction of the space

Additional exercises

For additional learning, it can be helpful to experiment with modifying this solution. Here are some ideas you can try if you have time and would like to experiment further.

Use the managed_identities interface to add a system assigned managed identity to the virtual machine and give it Key Vault Administrator rights on the Key Vault.
Use the tags interface to assign tags directly to one or more resources.
Add an Azure Monitoring Agent extension to the virtual machine resource.
Add additional inputs like VM sku to your module to make it more customizable. Be sure to update the code and tfvars files to match.

Clean up your environment

Once you have completed this set of exercises, it is a good idea to clean up your resources to avoid incurring costs for them. This can be done typing terraform destroy -var-file=development.tfvars and entering yes when prompted.

Solution Development

Considerations and steps of Solution Development

Decide on the IaC language (Bicep or Terraform)
Decide on the module sourcing method (public registry, private registry, inner-sourcing)
Decide on the orchestration method (template or pipeline)
Identify the resources needed for the solution (are they all available in AVM?)
Implement, validate, deploy, test the solution

Questions to cover on this page

Pick a realistically complex solution and demonstrate how to build it using AVM modules
Best practices for coding (link to official language specific guidance AND AVM specs where/if applicable)
Best practices for input and output parameters

Next steps

To be covered in separate, future articles.

To make this solution enterprise-ready, you need to consider the following:

Deploy with DevOps tools and practices (e.g., CI/CD in Azure DevOps, GitHub Actions, etc.)
Deploy into Azure Landing Zones (ALZ)
Make sure the solution follows the recommendations of the Well-Architected Framework (WAF) and it’s compliant with and integrates into your organization’s policies and standards, e.g.:
- Security & Identity (e.g., RBAC, Entra ID, service principals, secrets management, MFA, etc.)
- Networking (e.g., Azure Firewall, NSGs, etc.)
- Monitoring (e.g., Azure Monitor, Log Analytics, etc.)
- Cost management (e.g., Azure Cost Management, budgets, etc.)
- Governance (e.g., Azure Policy, etc.)

Other recommendations

Don’t use latest, but a specific version of the module
Don’t expose secrets in output parameters/command line/logs/etc.
Don’t use hard-coded values, but use parameters and variables

Bicep Prerequisites

You will need the following tools and components to complete this guide:

Visual Studio Code (VS Code) to develop your solution.
Bicep Visual Studio Code Extension to author your Bicep template and explore modules published in the Registry.
One of the following command line tools:
- PowerShell AND Azure PowerShell
- Azure CLI to deploy your solution.
Bicep CLI
Azure Subscription to deploy your Bicep templates.

Quickstart Guide

This QuickStart guide offers step-by-step instructions for integrating Azure Verified Modules (AVM) into your solutions. It includes the initial setup, essential tools, and configurations required to deploy and manage your Azure resources efficiently using AVM.

The AVM Key Vault resource module, used as an example in this chapter, simplifies the deployment and management of Azure Key Vaults, ensuring secure storage and access to your secrets, keys, and certificates.

Leveraging Azure Verified Modules

Using AVM ensures that your infrastructure-as-code deployments follow Microsoft’s best practices and guidelines, providing a consistent and reliable foundation for your cloud solutions. AVM helps accelerate your development process, reduce the risk of misconfigurations, and enhance the security and compliance of your applications.

Using default values

The default values provided by AVM are generally safe, as they follow best practices and ensure a secure and reliable setup. However, it is important to review these values to ensure they meet your specific requirements and compliance needs. Customizing the default values may be necessary to align with your organization’s policies and the specific needs of your solution.

Exploring examples and module features

You can find examples and detailed documentation for each AVM module in their respective code repository’s README.MD file, which details features, input parameters, and outputs. The module’s documentation also provides comprehensive usage examples, covering various scenarios and configurations. Additionally, you can explore the module’s source code repository. This information will help you understand the full capabilities of the module and how to effectively integrate it into your solutions.

Bicep Quickstart Guide

Introduction

This guide explains how to use an Azure Verified Modules (AVM) in your Bicep workflow. By leveraging AVM modules, you can rapidly deploy and manage Azure infrastructure without having to write extensive code from scratch.

In this guide, you will deploy a Key Vault resource and a Personal Access Token as a secret.

This article is intended for a typical ‘infra-dev’ user (cloud infrastructure professional) who has a basic understanding of Azure and Bicep but is new to Azure Verified Modules and wants to learn how to deploy a module in the easiest way using AVM.

For additional Bicep learning resources use the Bicep documentation on the Microsoft Learn platform, or leverage the Fundamentals of Bicep learning path.

Prerequisites

title: “Bicep Prerequisites”
description: “Learn about the prerequisites for using Bicep to deploy Azure Verified Modules or develop them.”

You will need the following tools and components to complete this guide:

Visual Studio Code (VS Code) to develop your solution.
Bicep Visual Studio Code Extension to author your Bicep template and explore modules published in the Registry.
One of the following command line tools:
- PowerShell AND Azure PowerShell
- Azure CLI to deploy your solution.
Bicep CLI
Azure Subscription to deploy your Bicep templates.

Make sure you have these tools set up before proceeding.

Module Discovery

Find your module

In this scenario, you need to deploy a Key Vault resource and some of its child resources, such as a secret. Let’s find the AVM module that will help us achieve this.

There are two primary ways for locating published Bicep Azure Verified Modules:

Option 1 (preferred): Using IntelliSense in the Bicep extension of Visual Studio Code, and
Option 2: browsing the AVM Bicep module index.

Option 1: Use the Bicep Extension in VS Code

In VS Code, create a new file called main.bicep.
Start typing module, then give your module a symbolic name, such as myModule.
Use IntelliSense to select br/public.
The list of all AVM modules published in the Bicep Public Registry will show up. Use this to explore the published modules.
Note
The Bicep VSCode extension is reading metadata through this JSON file. All modules are added to this file, as part of the publication process. This lists all the modules marked as Published or Orphaned on the AVM Bicep module index pages.
Select the module you want to use and the version you want to deploy. Note how you can type full or partial module names to filter the list.
Right click on the module’s path and select Go to definition or hit F12 to see the module’s source code. You can toggle between the Bicep and the JSON view.
Hover over the module’s symbolic name to view its documentation URL. By clicking on it, you will be directed to the module’s GitHub folder in the bicep-registry-modules (BRM) repository. There, you can access the source code and documentation, as illustrated below.

Option 2: Use the AVM Bicep Module Index

Searching the Azure Verified Modules indexes is the most complete way to discover published as well as planned (proposed) modules. As shown in the video above, use the following steps to locate a specific module on the AVM website:

Open the AVM website in your favorite web browser: https://aka.ms/avm.
Expand the Module Indexes menu item and select the Bicep sub-menu item.
Select the menu item for the module type you are searching for: Resource, Pattern, or Utility.
Note
Since the Key Vault module used as an example in this guide is published as an AVM resource module, it can be found under the resource modules section in the AVM Bicep module index.
A detailed description of module classification types can be found under the related section here.
Select the Published modules link from the table of contents at the top of the page.
Use the in-page search feature of your browser. In most Windows browsers you can access it using the CTRL + F keyboard shortcut.
Enter a search term to find the module you are looking for - e.g., Key Vault.
Move through the search results until you locate the desired module. If you are unable to find a published module, return to the table of contents and expand the All modules link to search both published and proposed modules - i.e., modules that are planned, likely in development but not published yet.
After finding the desired module, click on the module’s name. This link will lead you to the module’s folder in the bicep-registry-modules (BRM) repository, where the module’s source code and documentation can be found, including usage examples.

Module details and examples

In the module’s documentation, you can find detailed information about the module’s functionality, components, input parameters, outputs and more. The documentation also provides comprehensive usage examples, covering various scenarios and configurations.

Explore the Key Vault module’s documentation for usage examples and to understand its functionality, input parameters, and outputs.

Note the mandatory and optional parameters in the Parameters section.
Review the Usage examples section. AVM modules include multiple tests that can be found under the tests folder. These tests are also used as the basis of the usage examples ensuring they are always up-to-date and deployable.

In this example, you will deploy a secret in a new Key Vault instance with minimal input. AVM provides default parameter values with security and reliability being core principles. These settings apply the recommendations of the Well Architected Framework where possible and appropriate.

Note how Example 2 does most of what you need to achieve.

Create your new solution using AVM

In this section, you will develop a Bicep template that references the AVM Key Vault module and its child resources and features. These include secret and role based access control configurations that grant permissions to a user.

Start VSCode (make sure the Bicep extension is installed) and open a folder in which you want to work.
Create a main.bicep and a dev.bicepparam file, which will hold parameters for your Key Vault deployment.
Copy the content below into your main.bicep file. We have included comments to distinguish between the two different occurrences of the names attribute.

module myKeyVault 'br/public:avm/res/key-vault/vault:0.11.0' = {
  name: // the name of the module's deployment
  params: {
    name: '<keyVaultName>' // the name of the Key Vault instance - length and character limits apply
  }
}

Note

For Azure Key Vaults, the name must be globally unique. When you deploy the Key Vault, ensure you select a name that is alphanumeric, twenty-four characters or less, and unique enough to ensure no one else has used the name for their Key Vault. If the name has been previously taken, you will get an error.

After setting the values for the required properties, the module can be deployed. This minimal configuration automatically applies the security and reliability recommendations of the Well Architected Framework where possible and appropriate. These settings can be overridden if needed.

Bicep-specific configuration

It is recommended to create a bicepconfig.json file, and enable use-recent-module-versions, which warns you to use the latest available version of the AVM module.

// This is a Bicep configuration file. It can be used to control how Bicep operates and to customize
// validation settings for the Bicep linter. The linter relies on these settings when evaluating your
// Bicep files for best practices. For further information, please refer to the official documentation at:
// https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-config
{
  "analyzers": {
    "core": {
      "rules": {
        "use-recent-module-versions": {
          "level": "warning",
          "message": "The module version is outdated. Please consider updating to the latest version."
        }
      }
    }
  }
}

Define the Key Vault instance

In this scenario - and every other real-world setup - there is more that you need to configure. You can open the module’s documentation by hovering over its symbolic name to see all of the module’s capabilities - including supported parameters.

Note

The Bicep extension facilitates code-completion, enabling you to easily locate and utilize the Azure Verified Module. This feature also provides the necessary properties for a module, allowing you to begin typing and leverage IntelliSense for completion.

Add parameters and values to the main.bicep file to customize your configuration. These parameters are used for passing in the Key Vault name and enabling purge protection. You might not want to enable the latter in a non-production environment, as it makes it harder to delete and recreate resources.

The main.bicep file will now look like this:

// the scope, the deployment deploys resources to
targetScope = 'resourceGroup'

// parameters and default values
param keyVaultName string

@description('Disable for development deployments.')
param enablePurgeProtection bool = true

// the resources to deploy
module myKeyVault 'br/public:avm/res/key-vault/vault:0.11.0' = {
  name: 'key-vault-deployment'
  params: {
    name: keyVaultName
    enablePurgeProtection: enablePurgeProtection
    // more properties are not needed, as AVM provides default values
  }
}

Note that the Key Vault instance will be deployed within a resource group scope in our example.

Create a dev.bicepparam file (this is optional) and set parameter values for your environment. You can now pass these values by referencing this file at the time of deployment (using PowerShell or Azure CLI).

using 'main.bicep'

// environment specific values
param keyVaultName = '<keyVaultName>'
param enablePurgeProtection = false

Create a secret and set permissions

Add a secret to the Key Vault instance and grant permissions to a user to work with the secret. Sample role assignments can be found in Example 3: Using large parameter set. See Parameter: roleAssignments for a list of pre-defined roles that you can reference by name instead of a GUID. This is a key benefit of using AVM, as the code is easy to read and increases the maintainability.

You can also leverage User-defined data types and simplify the parameterization of the modules instead of guessing or looking up parameters. Therefore, first import UDTs from the Key Vault and common types module and leverage the UDTs in your Bicep and parameter files.

For a role assignment, the principal ID is needed, that will be granted a role (specified by its name) on the resource. Your own ID can be found out with az ad signed-in-user show --query id.

// the scope, the deployment deploys resources to
targetScope = 'resourceGroup'

// parameters and default values
param keyVaultName string
// the PAT token is a secret and should not be stored in the Bicep(parameter) file.
// It can be passed via the commandline, if you don't use a parameter file.
@secure()
param patToken string = newGuid()

@description('Enabled by default. Disable for development deployments')
param enablePurgeProtection bool = true

import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.4.0'
// the role assignments are optional in the Key Vault module
param roleAssignments roleAssignmentType[]?

// the resources to deploy
module myKeyVault 'br/public:avm/res/key-vault/vault:0.11.0' = {
  name: 'key-vault-deployment'
  params: {
    name: keyVaultName
    enablePurgeProtection: enablePurgeProtection
    secrets: [
      {
        name: 'PAT'
        value: patToken
      }
    ]
    roleAssignments: roleAssignments
  }
}

The secrets parameter references a UDT (User-defined data type) that is part of the Key Vault module and enables code completion for easy usage. There is no need to look up what attributes the secret object might have. Start typing and tab-complete what you need from the content offered by the Bicep extension’s integration with AVM.

The bicep parameter file now looks like this:

// reference to the Bicep file to set the context
using 'main.bicep'

// environment specific values
param keyVaultName = '<keyVaultName>'
param enablePurgeProtection = false
// for security reasons, the secret value must not be stored in this file.
// You can change it later in the deployed Key Vault instance, where you also renew it after expiration.

param roleAssignments = [
  {
    principalId: '<principalId>'
    // using the name of the role instead of looking up the GUID (which can also be used)
    roleDefinitionIdOrName: 'Key Vault Secrets Officer'
  }
]

Note

The display names for roleDefinitionIdOrName can be acquired the following two ways:

From the parameters section of the module’s documentation.
From the builtInRoleNames variable in the module’s source code. To get there, hit F12 while the cursor is on the part of the module path starting with br/public:.

Boost your development with VS Code IntelliSense

Leverage the IntelliSense feature in VS Code to speed up your development process. IntelliSense provides code completion, possible parameter values and structure. It helps you write code more efficiently by providing context-aware suggestions as you type.

Here is how quickly you can deliver the solution detailed in this section:

Deploy your solution

Now that your template and parameter file is ready, you can deploy your solution to Azure. Use PowerShell or the Azure CLI to deploy your solution.

Deploy with

# Log in to Azure
Connect-AzAccount

# Select your subscription
Set-AzContext -SubscriptionId '<subscriptionId>'

# Deploy a resource group
New-AzResourceGroup -Name 'avm-quickstart-rg' -Location 'germanywestcentral'

# Invoke your deployment
New-AzResourceGroupDeployment -DeploymentName 'avm-quickstart-deployment' -ResourceGroupName 'avm-quickstart-rg' -TemplateParameterFile 'dev.bicepparam' -TemplateFile 'main.bicep'

# Log in to Azure
az login

# Select your subscription
az account set --subscription '<subscriptionId>'

# Deploy a resource group
az group create --name 'avm-quickstart-rg' --location 'germanywestcentral'

# Invoke your deployment
az deployment group create --name 'avm-quickstart' --resource-group 'avm-quickstart-rg' --template-file 'main.bicep' --parameters 'dev.bicepparam'

Use the Azure portal, Azure PowerShell, or the Azure CLI to verify that the Key Vault instance and secret have been successfully created with the correct configuration.

Clean up your environment

When you are ready, you can remove the infrastructure deployed in this example. The following commands will remove all resources created by your deployment:

Clean up with

# Delete the resource group
Remove-AzResourceGroup -Name "avm-quickstart-rg" -Force

# Purge the Key Vault
Remove-AzKeyVault -VaultName "<keyVaultName>" -Location "germanywestcentral" -InRemovedState -Force

# Delete the resource group
az group delete --name 'avm-quickstart-rg' --yes --no-wait

# Purge the Key Vault
az keyvault purge --name '<keyVaultName>' --no-wait

Congratulations, you have successfully leveraged an AVM Bicep module to deploy resources in Azure!

Tip

We welcome your contributions and feedback to help us improve the AVM modules and the overall experience for the community!

Next Steps

For developing a more advanced solution, please see the lab titled “Introduction to using Azure Verified Modules for Bicep”.

Terraform Quickstart Guide

Introduction

This guide explains how to use an Azure Verified Modules (AVM) in your Terraform workflow. With AVM modules, you can quickly deploy and manage Azure infrastructure without writing extensive code from scratch.

In this guide, you will deploy a Key Vault resource and generate and store a key.

This article is intended for a typical ‘infra-dev’ user (cloud infrastructure professional) who is new to Azure Verified Modules and wants to learn how to deploy a module in the easiest way using AVM. The user has a basic understanding of Azure and Terraform.

For additional Terraform resources, try a tutorial on the HashiCorp website or study the detailed documentation.

Prerequisites

title: “Terraform Prerequisites”
description: “Learn about the prerequisites for using Terraform to deploy Azure Verified Modules or develop them.”

You will need the following tools and components to complete this guide:

Visual Studio Code (VS Code) to develop your solution.
Terraform CLI to deploy your Terraform modules. Make sure you have a recent version installed.
Azure CLI to authenticate to Azure.
Azure Subscription to deploy your resources.

Before you begin, ensure you have these tools installed in your development environment.

Module Discovery

Find your module

In this scenario, you need to deploy a Key Vault resource and some of its child resources, such as a key. Let’s find the AVM module that will help us achieve this.

There are two primary ways for locating published Terraform Azure Verified Modules:

Searching the official Terraform Registry, and
Browsing theAVM Terraform module index.

Use the Terraform Registry

The easiest way to find published AVM Terraform modules is by searching the Terraform Registry. Follow these steps to locate a specific module, as shown in the video above.

Use your web browser to go to the HashiCorp Terraform Registry
In the search bar at the top of the screen type avm. Optionally, append additional search terms to narrow the search results. (e.g., avm key vault for AVM modules with Key Vault in the name.)
Select see all to display the full list of published modules matching your search criteria.
Find the module you wish to use and select it from the search results.

Note

It is possible to discover other unofficial modules with avm in the name using this search method. Look for the Partner tag in the module title to determine if the module is part of the official set.

Use the AVM Terraform Module Index

Searching the Azure Verified Modules indexes is the most complete way to discover published as well as planned modules - shown as proposed. As presented in the video above, use the following steps to locate a specific module on the AVM website:

Use your web browser to open the AVM website at https://aka.ms/avm.
Expand the Module Indexes menu item and select the Terraform sub-menu item.
Select the menu item for the module type you are searching for: Resource, Pattern, or Utility.
Note
Since the Key Vault module used as an example in this guide is published as an AVM resource module, it can be found under the resource modules section in the AVM Terraform module index.
A detailed description of each module classification type can be found under the related section here.
Select the Published modules link from the table of contents at the top of the page.
Use the in-page search feature of your browser (in most Windows browsers you can access it using the CTRL + F keyboard shortcut).
Enter a search term to find the module you are looking for - e.g., Key Vault.
Move through the search results until you locate the desired module. If you are unable to find a published module, return to the table of contents and expand the All modules link to search both published and proposed modules - i.e., modules that are planned, likely in development but not published yet.
After finding the desired module, click on the module’s name. This link will lead you to the official HashiCorp Terraform Registry page for the module where you can find the module’s documentation and examples.

Module details and examples

Once you have identified the AVM module in the Terraform Registry you can find detailed information about the module’s functionality, components, input parameters, outputs and more. The documentation also provides comprehensive usage examples, covering various scenarios and configurations.

Explore the Key Vault module’s documentation and usage examples to understand its functionality, input variables, and outputs.

Note the Examples drop-down list and explore each example
Review the Readme tab to see module provider minimums, a list of resources and data sources used by the module, a nicely formatted version of the inputs and outputs, and a reference to any submodules that may be called.
Explore the Inputs tab and observe how each input has a detailed description and a type definition for you to use when adding input values to your module configuration.
Explore the Outputs tab and review each of the outputs that are exported by the AVM module for use by other modules in your deployment.
Finally, review the Resources tab to get a better understanding of the resources defined in the module.

In this example, you will deploy a secret in a new Key Vault instance without needing to provide other parameters. The AVM Key Vault resource module provides these capabilities and does so with security and reliability being core principles. The default settings of the module also apply the recommendations of the Well Architected Framework where possible and appropriate.

Note how the create-key example seems to do what you need to achieve.

Create your new solution using AVM

Now that you have found the module details, you can use the content from the Terraform Registry to speed up your development in the following ways:

Option 1: Create a solution using AVM module examples: duplicate a module example and edit it for your needs. This is useful if you are starting without any existing infrastructure and need to create supporting resources like resource groups as part of your deployment.
Option 2: Create a solution by changing the AVM module input values: add the AVM module to an existing solution that already includes other resources. This method requires some knowledge of the resource(s) being deployed so that you can make choices about optional features configured in your solution’s version of the module.

Each deployment method includes a section below so that you can choose the method which best fits your needs.

Note

Option 1: Create a solution using AVM module examples

Leverage the following steps as a template for how to leverage examples for bootstrapping your new solution code. The Key Vault resource module is used here as an example, but in practice you may choose any module that applies to your scenario.

Locate and select the Examples drop down menu in the middle of the Key Vault module page.
From the drop-down list select an example whose name most closely aligns with your scenario - e.g., create-key.
When the example page loads, read the example description to determine if this is the desired example. If it is not, return to the module main page, and select a different example until you are satisfied that the example covers the scenario you are trying to deploy. If you are unable to find a suitable example, leverage the last two steps in the option 2 instructions to modify the inputs of the selected example to match your requirements.
Scroll to the code block for the example and select the Copy button on the top right of the block to copy the content to the clipboard.

➕ Click here to copy the sample code from the video.

provider "azurerm" {
  features {}
}

terraform {
  required_version = "~> 1.9"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.71"
    }
    http = {
      source  = "hashicorp/http"
      version = "~> 3.4"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.5"
    }
  }
}

module "regions" {
  source  = "Azure/avm-utl-regions/azurerm"
  version = "0.1.0"
}

# This allows us to randomize the region for the resource group.
resource "random_integer" "region_index" {
  max = length(module.regions.regions) - 1
  min = 0
}

# This ensures you have unique CAF compliant names for our resources.
module "naming" {
  source  = "Azure/naming/azurerm"
  version = "0.3.0"
}

resource "azurerm_resource_group" "this" {
  location = module.regions.regions[random_integer.region_index.result].name
  name     = module.naming.resource_group.name_unique
}

# Get current IP address for use in KV firewall rules
data "http" "ip" {
  url = "https://api.ipify.org/"
  retry {
    attempts     = 5
    max_delay_ms = 1000
    min_delay_ms = 500
  }
}

data "azurerm_client_config" "current" {}

module "key_vault" {
  source                        = "Azure/avm-res-keyvault-vault/azurerm"
  name                          = module.naming.key_vault.name_unique
  location                      = azurerm_resource_group.this.location
  enable_telemetry              = var.enable_telemetry
  resource_group_name           = azurerm_resource_group.this.name
  tenant_id                     = data.azurerm_client_config.current.tenant_id
  public_network_access_enabled = true
  keys = {
    cmk_for_storage_account = {
      key_opts = [
        "decrypt",
        "encrypt",
        "sign",
        "unwrapKey",
        "verify",
        "wrapKey"
      ]
      key_type: "RSA"
      name     = "cmk-for-storage-account"
      key_size = 2048
    }
  }
  role_assignments = {
    deployment_user_kv_admin = {
      role_definition_id_or_name = "Key Vault Administrator"
      principal_id               = data.azurerm_client_config.current.object_id
    }
  }
  wait_for_rbac_before_key_operations = {
    create = "60s"
  }
  network_acls = {
    bypass   = "AzureServices"
    ip_rules = ["${data.http.ip.response_body}/32"]
  }
}

In your IDE - Visual Studio Code in our example - create the main.tf file for your new solution.
Paste the content from the clipboard into main.tf.
AVM examples frequently use naming and/or region selection AVM utility modules to generate deployment region and/or naming values as well as any default values for required fields. If you want to use a specific region name or other custom resource values, remove the existing region and naming module calls and replace example input values with the new desired custom input values.
Once supporting resources such as resource groups have been modified, locate the module call for the AVM module - i.e., module "keyvault".
AVM module examples use dot notation for a relative reference that is useful during module testing. However, you will need to replace the relative reference with a source reference that points to the Terraform Registry source location. In most cases, this source reference has been left as a comment in the module example to simplify replacing the existing source dot reference. Perform the following two actions to update the source:
- Delete the existing source definition that uses a dot reference - i.e., source = "../../".
- Uncomment the Terraform Registry source reference by deleting the # sign at the start of the commented source line - i.e., source = "Azure/avm-res-keyvault-vault/azurerm".
Note
If the module example does not include a commented Terraform Registry source reference, you will need to copy it from the module’s main documentation page. Use the following steps to do so:
- Use the breadcrumbs to leave the example documentation and return to the module’s primary Terraform Registry documentation page.
- Locate the Provision Instructions box on the right side of the module’s Terraform Registry page in your web browser.
- Select the second line that starts with source = from the code block - e.g., source = "Azure/avm-res-keyvault-vault/azurerm". Copy it onto the clipboard.
- Return to your code solution and Paste the clipboard’s content where you previously deleted the source dot reference - e.g., source = "../../".
AVM module examples use a variable to enable or disable the telemetry collection. Update the enable_telemetry input value to true or false. - e.g. enable_telemetry = true
Save your main.tf file changes and then proceed to the guide section for running your solution code.

Option 2: Create a solution by changing the AVM module input values

Click here to copy the sample code from the video.

module "avm-res-keyvault-vault" {
  source                        = "Azure/avm-res-keyvault-vault/azurerm"
  version                       = "0.9.1"
  name                          = "<custom_name_here>"
  resource_group_name           = azurerm_resource_group.this.name
  location                      = azurerm_resource_group.this.location
  tenant_id                     = data.azurerm_client_config.this.tenant_id

  keys = {
    cmk_for_storage_account = {
      key_opts = [
        "decrypt",
        "encrypt",
        "sign",
        "unwrapKey",
        "verify",
        "wrapKey"
      ]
      key_type: "RSA"
      name     = "cmk-for-storage-account"
      key_size = 2048
    }
  }
  role_assignments = {
    deployment_user_kv_admin = {
      role_definition_id_or_name = "Key Vault Administrator"
      principal_id               = data.azurerm_client_config.current.object_id
    }
  }
  wait_for_rbac_before_key_operations = {
    create = "60s"
  }
}

Use the following steps as a guide for the custom implementation of an AVM Module in your solution code. This instruction path assumes that you have an existing Terraform file that you want to add the AVM module to.

Locate the Provision Instructions box on the right side of the module’s Terraform Registry page in your web browser.
Select the module template code from the code block and Copy it onto the clipboard.
Switch to your IDE and Paste the contents of the clipboard into your solution’s .tf Terraform file - main.tf in our example.
Return to the module’s Terraform Registry page in the browser and select the Inputs tab.
Review each input and add the inputs with the desired target value to the solution’s code - i.e., name = "custom_name".
Once you are satisfied that you have included all required inputs and any optional inputs, Save your file and continue to the next section.

Deploy your solution

After completing your solution development, you can move to the deployment stage. Follow these steps for a basic Terraform workflow:

Open the command line and login to Azure using the Azure cli
```
az login
```
If your account has access to multiple tenants, you may need to modify the command to az login --tenant <tenant id> where “<tenant id>” is the guid for the target tenant.
After logging in, select the target subscription from the list of subscriptions that you have access to.
Change the path to the directory where your completed terraform solution files reside.
Note
Many AVM modules depend on the AzureRM 4.0 Terraform provider which mandates that a subscription id is configured. If you receive an error indicating that subscription_id is a required provider property, you will need to set a subscription id value for the provider. For Unix based systems (Linux or MacOS) you can configure this by running export ARM_SUBSCRIPTION_ID=<your subscription guid> on the command line. On Microsoft Windows, you can perform the same operation by running set ARM_SUBSCRIPTION_ID="<your subscription guid>" from the Windows command prompt or by running $env:ARM_SUBSCRIPTION_ID="<your subscription guid>" from a powershell prompt. Replace the “<your subscription id>” notation in each command with your Azure subscription’s unique id value.
Initialize your Terraform project. This command downloads the necessary providers and modules to the working directory.
```
terraform init
```
Before applying the configuration, it is good practice to validate it to ensure there are no syntax errors.
```
terraform validate
```
Create a deployment plan. This step shows what actions Terraform will take to reach the desired state defined in your configuration.
```
terraform plan
```
Review the plan to ensure that only the desired actions are in the plan output.
Apply the configuration and create the resources defined in your configuration file. This command will prompt you to confirm the deployment prior to making changes. Type yes to create your solution’s infrastructure.
```
terraform apply
```
Info
If you are confident in your changes, you can add the -auto-approve switch to bypass manual approval: terraform apply -auto-approve
Once the deployment completes, validate that the infrastructure is configured as desired.
Info
A local terraform.tfstate file and a state backup file have been created during the deployment. The use of local state is acceptable for small temporary configurations, but production or long-lived installations should use a remote state configuration where possible. Configuring remote state is out of scope for this guide, but you can find details on using an Azure storage account for this purpose in the Microsoft Learn documentation.

Clean up your environment

When you are ready, you can remove the infrastructure deployed in this example. Use the following command to delete all resources created by your deployment:

terraform destroy

Note

Most Key Vault deployment examples activate soft-delete functionality as a default. The terraform destroy command will remove the Key Vault resource but does not purge a soft-deleted vault. You may encounter errors if you attempt to re-deploy a Key Vault with the same name during the soft-delete retention window. If you wish to purge the soft-delete for this example you can run az keyvault purge -n <keyVaultName> -l <regionName> using the Azure CLI, or Remove-AzKeyVault -VaultName "<keyVaultName>" -Location "<regionName>" -InRemovedState using Azure PowerShell.

Congratulations, you have successfully leveraged Terraform and AVM to deploy resources in Azure!

Tip

We welcome your contributions and feedback to help us improve the AVM modules and the overall experience for the community!

Next Steps

For developing a more advanced solution, please see the lab titled “Introduction to using Azure Verified Modules for Terraform”.

Terraform Prerequisites

You will need the following tools and components to complete this guide:

Visual Studio Code (VS Code) to develop your solution.
Terraform CLI to deploy your Terraform modules. Make sure you have a recent version installed.
Azure CLI to authenticate to Azure.
Azure Subscription to deploy your resources.

Specifications & Definitions

Summary

This section lists AVM’s Specifications & Definitions.

Module Specifications

This section documents all the specifications for Azure Verified Modules (AVM) and their respective IaC languages.

Specifications by IaC Language

Category	Bicep			Terraform
Category	Resource	Pattern	Utility	Resource	Pattern	Utility
Contribution/Support	9	8	8	9	8	8
Telemetry	4	3	4	2	2	2
Naming/Composition	24	17	8	17	12	7
CodeStyle	2	2	2	29	29	29
Inputs/Outputs	14	11	10	8	6	5
Testing	14	13	13	10	10	9
Documentation	5	5	5	4	4	4
Release/Publishing	5	5	5	4	4	4
Summary	77	64	55	83	75	68

What changed recently?

No specifications were changed in the last 30 days.

How to navigate the specifications?

The “Module Specifications” section uses tags to dynamically render content based on the selected attributes, such as the IaC language, module classification, category, severity and more. The tags are defined in header of each specification page.

To make it easier for module owners and contributors to navigate the documentation, the specifications are grouped to distinct pages by the IaC language (Bicep | Terraform) and module classification ( resource | pattern | utility). The specifications on each page are further ordered by the category (e.g., Composition, CodeStyle, Testing, etc.), severity of the requirements (MUST | SHOULD | MAY) and at what stage of the module’s lifecycle the specification is typically applicable (Initial | BAU | EOL).

To find what you need, simply decide which IaC language you’d like develop in and what classification your module falls under, then navigate to the respective page to find the specifications that are relevant to you.

Info

All specifications have a 4-9 character long unique ID - a combination of letters and numbers. These letters only carry legacy meaning only leveraged by the AVM core team and are no longer used to group the specifications in any visible way. The ID is used to reference the specification in the code, documentation, and discussions.

Specification Tags

The following tags are used to qualify the specifications:

Key	Allowed Values	Multiple/Single
Language	Bicep, Terraform	Multiple
Class	Resource, Pattern, Utility	Multiple
Type	Functional, NonFunctional	Single
Category	Testing, Telemetry, Contribution/Support, Documentation, CodeStyle, Naming/Composition, Inputs/Outputs, Release/Publishing	Single
Severity	MUST, SHOULD, MAY	Single
Persona	Owner, Contributor	Multiple
Lifecycle	Initial, BAU, EOL	Single
Validation	Bicep: BCP/Manual, BCP/CI/Informational, BCP/CI/Enforced Terraform: TF/Manual, TF/CI/Informational, TF/CI/Enforced	Single per language

Each tag is a concatenation of exactly one of the keys and one of the values, e.g., Language-Bicep, Class-Resource, Type-Functional, etc. When it’s marked as Multiple, it means that the tag can have multiple values, e.g., Language-Bicep, Language-Terraform, or Persona-Owner, Persona-Contributor, etc. When it’s marked as Single, it means that the tag can have only one value, e.g., Type-Functional, Lifecycle-Initial, etc.

➕ Click here to see the definition of the Severity, Persona, Lifecycle and Validation tags...

Severity

What’s the severity or importance of this specification? See “How to read the specifications?” section for more details.

Persona

Who is this specification for? The Owner is the module owner, while the Contributor is anyone who contributes to the module.

Lifecycle

When is this specification mostly relevant?

The Initial stage is when the module is being developed first - e.g., naming related specs are labeled with Lifecycle-Initial as the naming of the module only happens once: at the beginning of their life.
The BAU (business as usual) stage is at any time during the module’s typical lifecycle - e.g., specs that describe coding standards are relevant throughout the module’s life, for any time a new module version is released.
The EOL (end of life) stage is when the module is being decommissioned - e.g., specs describing how a module should be retired are labeled with Lifecycle-EOL.

Validation

How is this specification checked/validated/enforced?

Manual means that the specification is manually enforced at the time of the module review (at the time of the first or any subsequent module version release).
CI/Informational means that the module is checked against the specification by a CI pipeline, but the failure is only informational and doesn’t block the module release.
CI/Enforced means that the specification is automatically enforced by a CI pipeline, and the failure blocks the module release.

Note: the BCP/ or TF/ prefix is required as shared (language-agnostic) specifications may have different level of validation/enforcement per each language - e.g., it is possible that a specification is enforced by a CI pipeline for Bicep modules, while it is manually enforced for Terraform modules.

Why are there language specific specifications?

While every effort is being made to standardize requirements and implementation details across all languages (and most specifications in fact, are applicable to all), it is expected that some of the specifications will be different between their respective languages to ensure we follow the best practices and leverage features of each language.

How to read the specifications?

Important

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.

As you’re developing/maintaining a module as a module owner or contributor, you need to ensure that your module adheres to the specifications outlined in this section. The specifications are designed to ensure that all AVM modules are consistent, secure, and compliant with best practices.

There are 3 levels of specifications:

MUST: These are mandatory requirements that MUST be followed.
SHOULD: These are recommended requirements that SHOULD be followed, unless there are good reasons for not to.
MAY: These are optional requirements that MAY be followed at the module owner’s/contributor’s discretion.

Bicep Specifications

Specifications by Category and Module Classification

Category	Resource	Pattern	Utility
Contribution/Support	9	8	8
Telemetry	4	3	4
Naming/Composition	24	17	8
CodeStyle	2	2	2
Inputs/Outputs	14	11	10
Testing	14	13	13
Documentation	5	5	5
Release/Publishing	5	5	5
Summary	77	64	55

How to propose changes to the specifications?

Important

Any updates to existing or new specifications for Bicep must be submitted as a draft for review by the AVM core team(@Azure/avm-core-team).

What changed recently?

No specifications were changed in the last 30 days.

Bicep Interfaces

This chapter details the interfaces/schemas for the AVM Resource Modules features/extension resources as referenced in RMFR4 and RMFR5.

Diagnostic Settings

Important

Allowed values for logs and metric categories or category groups MUST NOT be specified to keep the module implementation evergreen for any new categories or category groups added by RPs, without module owners having to update a list of allowed values and cut a new release of their module.

Diagnostic Settings

  
  // ============== //
  //   Parameters   //
  // ============== //
  
  import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:>version<'
  @description('Optional. The diagnostic settings of the service.')
  param diagnosticSettings diagnosticSettingFullType[]?
  
  // ============= //
  //   Resources   //
  // ============= //
  
  resource >singularMainResourceType<_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
    name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
    properties: {
      storageAccountId: diagnosticSetting.?storageAccountResourceId
      workspaceId: diagnosticSetting.?workspaceResourceId
      eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
      eventHubName: diagnosticSetting.?eventHubName
      metrics: [for group in (diagnosticSetting.?metricCategories ?? [ { category: 'AllMetrics' } ]): {
        category: group.category
        enabled: group.?enabled ?? true
        timeGrain: null
      }]
      logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'allLogs' } ]): {
        categoryGroup: group.?categoryGroup
        category: group.?category
        enabled: group.?enabled ?? true
      }]
      marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
      logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
    }
    scope: >singularMainResourceType<
  }]

  diagnosticSettings: [
    {
      name: 'diagSetting1'
      logCategoriesAndGroups: [
        {
          category: 'AzurePolicyEvaluationDetails'
        }
        {
          category: 'AuditEvent'
        }
      ]
      metricCategories: [
        {
          category: 'AllMetrics'
        }
      ]
      logAnalyticsDestinationType: 'Dedicated'
      workspaceResourceId: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'
      storageAccountResourceId: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}'
      eventHubAuthorizationRuleResourceId: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.EventHub/namespaces/{namespaceName}/eventhubs/{eventHubName}/authorizationrules/{authorizationRuleName}'
      eventHubName: '{eventHubName}'
      marketplacePartnerResourceId: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{partnerResourceProvider}/{partnerResourceType}/{partnerResourceName}'
    }
  ]

  
  // ============== //
  //   Parameters   //
  // ============== //
  
  import { diagnosticSettingMetricsOnlyType } from 'br/public:avm/utl/types/avm-common-types:>version<'
  @description('Optional. The diagnostic settings of the service.')
  param diagnosticSettings diagnosticSettingMetricsOnlyType[]?
  
  // ============= //
  //   Resources   //
  // ============= //
  
  resource >singularMainResourceType<_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
    name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
    properties: {
      storageAccountId: diagnosticSetting.?storageAccountResourceId
      workspaceId: diagnosticSetting.?workspaceResourceId
      eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
      eventHubName: diagnosticSetting.?eventHubName
      metrics: [for group in (diagnosticSetting.?metricCategories ?? [ { category: 'AllMetrics' } ]): {
        category: group.category
        enabled: group.?enabled ?? true
        timeGrain: null
      }]
      marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
      logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
    }
    scope: >singularMainResourceType<
  }]

  diagnosticSettings: [
    {
      name: 'diagSetting1'
      metricCategories: [
        {
          category: 'AllMetrics'
        }
      ]
      logAnalyticsDestinationType: 'Dedicated'
      workspaceResourceId: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'
      storageAccountResourceId: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}'
      eventHubAuthorizationRuleResourceId: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.EventHub/namespaces/{namespaceName}/eventhubs/{eventHubName}/authorizationrules/{authorizationRuleName}'
      eventHubName: '{eventHubName}'
      marketplacePartnerResourceId: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{partnerResourceProvider}/{partnerResourceType}/{partnerResourceName}'
    }
  ]

  
  // ============== //
  //   Parameters   //
  // ============== //
  
  import { diagnosticSettingLogsOnlyType } from 'br/public:avm/utl/types/avm-common-types:>version<'
  @description('Optional. The diagnostic settings of the service.')
  param diagnosticSettings diagnosticSettingLogsOnlyType[]?
  
  // ============= //
  //   Resources   //
  // ============= //
  
  resource >singularMainResourceType<_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
    name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
    properties: {
      storageAccountId: diagnosticSetting.?storageAccountResourceId
      workspaceId: diagnosticSetting.?workspaceResourceId
      eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
      eventHubName: diagnosticSetting.?eventHubName
      logs: [for group in (diagnosticSetting.?logCategoriesAndGroups ?? [ { categoryGroup: 'allLogs' } ]): {
        categoryGroup: group.?categoryGroup
        category: group.?category
        enabled: group.?enabled ?? true
      }]
      marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
      logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
    }
    scope: >singularMainResourceType<
  }]

  diagnosticSettings: [
    {
      name: 'diagSetting1'
      logCategoriesAndGroups: [
        {
          category: 'AzurePolicyEvaluationDetails'
        }
        {
          category: 'AuditEvent'
        }
      ]
      logAnalyticsDestinationType: 'Dedicated'
      workspaceResourceId: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'
      storageAccountResourceId: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}'
      eventHubAuthorizationRuleResourceId: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.EventHub/namespaces/{namespaceName}/eventhubs/{eventHubName}/authorizationrules/{authorizationRuleName}'
      eventHubName: '{eventHubName}'
      marketplacePartnerResourceId: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{partnerResourceProvider}/{partnerResourceType}/{partnerResourceName}'
    }
  ]

Note

In the provided example for Diagnostic Settings, both logs and metrics are enabled for the associated resource. However, it is IMPORTANT to note that certain resources may not support both diagnostic setting types/categories. In such cases, the resource configuration MUST be modified accordingly to ensure proper functionality and compliance with system requirements.

Role Assignments

  
  // ============== //
  //   Parameters   //
  // ============== //
  
  import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:>version<'
  @description('Optional. Array of role assignments to create.')
  param roleAssignments roleAssignmentType[]?
  
  // ============= //
  //   Variables   //
  // ============= //
  
  var builtInRoleNames = {
    // Add other relevant built-in roles here for your resource as per BCPNFR5
    Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
    Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
    Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
    'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
    'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
  }
  
  var formattedRoleAssignments = [
    for (roleAssignment, index) in (roleAssignments ?? []): union(roleAssignment, {
      roleDefinitionId: builtInRoleNames[?roleAssignment.roleDefinitionIdOrName] ?? (contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/')
            ? roleAssignment.roleDefinitionIdOrName
            : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName))
    })
  ]
  
  // ============= //
  //   Resources   //
  // ============= //
  
  resource >singularMainResourceType<_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
    for (roleAssignment, index) in (formattedRoleAssignments ?? []): {
      name: roleAssignment.?name ?? guid(>singularMainResourceType<.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)
      properties: {
        roleDefinitionId: roleAssignment.roleDefinitionId
        principalId: roleAssignment.principalId
        description: roleAssignment.?description
        principalType: roleAssignment.?principalType
        condition: roleAssignment.?condition
        conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
        delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
      }
      scope: >singularMainResourceType<
    }
  ]

  roleAssignments: [
    {
      roleDefinitionIdOrName: 'Owner'
      principalId: nestedDependencies.outputs.managedIdentityPrincipalId
      principalType: 'ServicePrincipal'
    }
    {
      roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
      principalId: nestedDependencies.outputs.managedIdentityPrincipalId
      principalType: 'ServicePrincipal'
    }
    {
      roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
      principalId: nestedDependencies.outputs.managedIdentityPrincipalId
      principalType: 'ServicePrincipal'
    }
    {
      name: guid('Custom role assignment name seed')
      roleDefinitionIdOrName: 'Storage Blob Data Reader'
      principalId: '00000000-0000-0000-0000-000000000000'
      principalType: 'Group'
      description: 'Group with read-only access'
      condition: '@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container''
      conditionVersion: '2.0'
    }
  ]

Details on child, extension and cross-referenced resources:

Modules MUST support Role Assignments on child, extension and cross-referenced resources as well as the primary resource via parameters/variables

Resource Locks

  // ============== //
  //   Parameters   //
  // ============== //
  
  import { lockType } from 'br/public:avm/utl/types/avm-common-types:>version<'
  @description('Optional. The lock settings of the service.')
  param lock lockType?
  
  // ============= //
  //   Resources   //
  // ============= //
  
  resource >singularMainResourceType<_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
    name: lock.?name ?? 'lock-${name}'
    properties: {
      level: lock.?kind ?? ''
      notes: lock.?notes ?? (lock.?kind == 'CanNotDelete'
        ? 'Cannot delete resource or child resources.'
        : 'Cannot delete or modify the resource or child resources.')
    }
    scope: >singularMainResourceType<
  }

  lock: {
    kind: 'CanNotDelete'
    name: 'myCustomLockName'
    notes: 'This is a custom lock note.'
  }

Details on child and extension resources:

Locks SHOULD be able to be set for child resources of the primary resource in resource modules

Details on cross-referenced resources:

Locks MUST be automatically applied to cross-referenced resources if the primary resource has a lock applied.
- This MUST also be able to be turned off for each of the cross-referenced resources by the module consumer via a parameter/variable if they desire

An example of this is a Key Vault module that has a Private Endpoints enabled. If a lock is applied to the Key Vault via the lock parameter/variable then the lock should also be applied to the Private Endpoint automatically, unless the privateEndpointLock/private_endpoint_lock (example name) parameter/variable is set to None

Managed Identities

  
  // ============== //
  //   Parameters   //
  // ============== //
  
  import { managedIdentityAllType } from 'br/public:avm/utl/types/avm-common-types:>version<'
  @description('Optional. The managed identity definition for this resource.')
  param managedIdentities managedIdentityAllType?
  
  // ============= //
  //   Variables   //
  // ============= //
  
  var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
  var identity = !empty(managedIdentities) ? {
    type: (managedIdentities.?systemAssigned ?? false) ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
    userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
  } : null
  
  // ============= //
  //   Resources   //
  // ============= //
  
  resource >singularMainResourceType< '>providerNamespace</>resourceType<@>apiVersion<' = {
    name: name
    identity: identity
    properties: {
      ... // other properties
    }
  }
  
  // =========== //
  //   Outputs   //
  // =========== //
  
  @description('The principal ID of the system assigned identity.')
  output systemAssignedMIPrincipalId string? = >singularMainResourceType<.?identity.?principalId

  managedIdentities: {
    systemAssigned: true
    userAssignedResourceIds: [
      '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'
      '/subscriptions/{subscriptionId2}/resourceGroups/{resourceGroupName2}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName2}'
    ]
  }

  
  // ============== //
  //   Parameters   //
  // ============== //
  
  import { managedIdentityOnlySysAssignedType } from 'br/public:avm/utl/types/avm-common-types:>version<'
  @description('Optional. The managed identity definition for this resource.')
  param managedIdentities managedIdentityOnlySysAssignedType?
  
  // ============= //
  //   Variables   //
  // ============= //
  
  var identity = !empty(managedIdentities)
    ? {
        type: (managedIdentities.?systemAssigned ?? false) ? 'SystemAssigned' : null
      }
    : null
  
  // ============= //
  //   Resources   //
  // ============= //
  
  resource >singularMainResourceType< '>providerNamespace</>resourceType<@>apiVersion<' = {
    name: name
    identity: identity
    properties: {
      ... // other properties
    }
  }
  
  // =========== //
  //   Outputs   //
  // =========== //
  
  @description('The principal ID of the system assigned identity.')
  output systemAssignedMIPrincipalId string? = >singularMainResourceType<.?identity.?principalId

  managedIdentities: {
    systemAssigned: true
  }

  
  // ============== //
  //   Parameters   //
  // ============== //
  
  import { managedIdentityOnlyUserAssignedType } from 'br/public:avm/utl/types/avm-common-types:>version<'
  @description('Optional. The managed identity definition for this resource.')
  param managedIdentities managedIdentityOnlyUserAssignedType?
  
  // ============= //
  //   Variables   //
  // ============= //
  
  var formattedUserAssignedIdentities = reduce(map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), {}, (cur, next) => union(cur, next)) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
  var identity = !empty(managedIdentities)
    ? {
        type: !empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : 'None'
        userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
      }
    : null
  
  // ============= //
  //   Resources   //
  // ============= //
  
  resource >singularMainResourceType< '>providerNamespace</>resourceType<@>apiVersion<' = {
    name: name
    identity: identity
    properties: {
      ... // other properties
    }
  }

  managedIdentities: {
    userAssignedResourceIds: [
      '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'
      '/subscriptions/{subscriptionId2}/resourceGroups/{resourceGroupName2}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName2}'
    ]
  }

Reason for differences in User Assigned data type in languages:

We do not foresee the Managed Identity Resource Provider team to ever add additional properties within the empty object ({}) value required on the input of a User Assigned Managed Identity.
In Bicep we therefore have removed the need for this to be declared and just converted it to a simple array of Resource IDs

Private Endpoints

E.g., for services that only have one private endpoint type.

  
  // ============== //
  //   Parameters   //
  // ============== //
  
  import { privateEndpointSingleServiceType } from 'br/public:avm/utl/types/avm-common-types:>version<'
  @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
  param privateEndpoints privateEndpointSingleServiceType[]?
  
  var enableReferencedModulesTelemetry = false // resource module
  
  // ============= //
  //   Resources   //
  // ============= //
  
  module >singularMainResourceType<_privateEndpoints 'br/public:avm/res/network/private-endpoint:>version<' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
    name: '${uniqueString(deployment().name, location)}->singularMainResourceType<-PrivateEndpoint-${index}'
    scope: resourceGroup(
      split(privateEndpoint.?resourceGroupResourceId ?? resourceGroup().id, '/')[2],
      split(privateEndpoint.?resourceGroupResourceId ?? resourceGroup().id, '/')[4]
    )
    params: {
      // Variant 1: A default service can be assumed (i.e., for services that only have one private endpoint type)
      name: privateEndpoint.?name ?? 'pep-${last(split(>singularMainResourceType<.id, '/'))}-${privateEndpoint.?service ?? '>defaultServiceName<'}-${index}'
      privateLinkServiceConnections: privateEndpoint.?isManualConnection != true ? [
        {
          name: privateEndpoint.?privateLinkServiceConnectionName ?? '${last(split(>singularMainResourceType<.id, '/'))}-${privateEndpoint.?service ?? '>defaultServiceName<'}-${index}'
          properties: {
            privateLinkServiceId: >singularMainResourceType<.id
            groupIds: [
              privateEndpoint.?service ?? '>defaultServiceName<'
            ]
          }
        }
      ] : null
      manualPrivateLinkServiceConnections: privateEndpoint.?isManualConnection == true ? [
        {
          name: privateEndpoint.?privateLinkServiceConnectionName ?? '${last(split(>singularMainResourceType<.id, '/'))}-${privateEndpoint.?service ?? '>defaultServiceName<'}-${index}'
          properties: {
            privateLinkServiceId: >singularMainResourceType<.id
            groupIds: [
              privateEndpoint.?service ?? '>defaultServiceName<'
            ]
            requestMessage: privateEndpoint.?manualConnectionRequestMessage ?? 'Manual approval required.'
          }
        }
      ] : null
      subnetResourceId: privateEndpoint.subnetResourceId
      enableTelemetry: enableReferencedModulesTelemetry // resource module
      enableTelemetry: privateEndpoint.?enableTelemetry ?? enableTelemetry // pattern / utility module
      location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
      lock: privateEndpoint.?lock ?? lock
      privateDnsZoneGroup: privateEndpoint.?privateDnsZoneGroup
      roleAssignments: privateEndpoint.?roleAssignments
      tags: privateEndpoint.?tags ?? tags
      customDnsConfigs: privateEndpoint.?customDnsConfigs
      ipConfigurations: privateEndpoint.?ipConfigurations
      applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
      customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
    }
  }]
  
  @description('The private endpoints of the resource.')
  output privateEndpoints privateEndpointOutputType[] = [
    for (pe, index) in (privateEndpoints ?? []): {
      name: >singularMainResourceType<_privateEndpoints[index].outputs.name
      resourceId: >singularMainResourceType<_privateEndpoints[index].outputs.resourceId
      groupId: >singularMainResourceType<_privateEndpoints[index].outputs.?groupId!
      customDnsConfigs: >singularMainResourceType<_privateEndpoints[index].outputs.customDnsConfigs
      networkInterfaceResourceIds: >singularMainResourceType<_privateEndpoints[index].outputs.networkInterfaceResourceIds
    }
  ]
  
  // =============== //
  //   Definitions   //
  // =============== //
  
  @export()
  type privateEndpointOutputType = {
    @description('The name of the private endpoint.')
    name: string
  
    @description('The resource ID of the private endpoint.')
    resourceId: string
  
    @description('The group Id for the private endpoint Group.')
    groupId: string?
  
    @description('The custom DNS configurations of the private endpoint.')
    customDnsConfigs: {
      @description('FQDN that resolves to private endpoint IP address.')
      fqdn: string?
  
      @description('A list of private IP addresses of the private endpoint.')
      ipAddresses: string[]
    }[]
  
    @description('The IDs of the network interfaces associated with the private endpoint.')
    networkInterfaceResourceIds: string[]
  }

  privateEndpoints: {
    {
      name: 'myPeName'
      privateLinkServiceConnectionName: 'myPrivateLinkConnectionName'
      lock: 'CanNotDelete'
      tags: {
        'hidden-title': 'This is visible in the resource name'
      }
      subnetResourceId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRg/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mysubnet'
      resourceGroupResourceId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRg'
      applicationSecurityGroupResourceIds: [
        '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRg/providers/Microsoft.Network/applicationSecurityGroups/myAsg'
      ]
      privateDnsZoneGroup: {
        privateDnsZoneGroupConfigs: [
          {
            name: 'config'
            privateDnsZoneResourceId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRg/providers/Microsoft.Network/privateDnsZones/myZone'
          }
        ]
      }
      customDnsConfigs: [
        {
          fqdn: 'fqdn1.example.com'
          ipAddresses: [
            '10.0.0.1',
            '10.0.0.2'
          ]
        }
      ]
      networkInterfaceName: 'nic1'
      ipConfigurations: [
        {
          name: 'ipconfig1'
          groupId: 'vault'
          memberName: 'default'
          privateIpAddress: '10.0.0.7'
        }
      ]
      roleAssignments: [
        {
          roleDefinitionIdOrName: 'Owner'
          principalId: '11111111-1111-1111-1111-111111111111'
          principalType: 'ServicePrincipal'
        }
        {
          roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')
          principalId: '11111111-1111-1111-1111-111111111111'
          principalType: 'ServicePrincipal'
        }
      ]
    }
  }

E.g., for services that have more than one private endpoint type, like a Storage Account (blob, file, etc.)

  
  // ============== //
  //   Parameters   //
  // ============== //
  
  import { privateEndpointMultiServiceType } from 'br/public:avm/utl/types/avm-common-types:>version<'
  @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
  param privateEndpoints privateEndpointMultiServiceType[]?
  
  var enableReferencedModulesTelemetry = false // resource module
  
  // ============= //
  //   Resources   //
  // ============= //
  
  module >singularMainResourceType<_privateEndpoints 'br/public:avm/res/network/private-endpoint:>version<' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
    name: '${uniqueString(deployment().name, location)}->singularMainResourceType<-PrivateEndpoint-${index}'
    scope: resourceGroup(
      split(privateEndpoint.?resourceGroupResourceId ?? resourceGroup().id, '/')[2],
      split(privateEndpoint.?resourceGroupResourceId ?? resourceGroup().id, '/')[4]
    )
    params: {
      // Variant 2: A default service cannot be assumed (i.e., for services that have more than one private endpoint type, like Storage Account)
      name: privateEndpoint.?name ?? 'pep-${last(split(>singularMainResourceType<.id, '/'))}-${privateEndpoint.service}-${index}'
      privateLinkServiceConnections: privateEndpoint.?isManualConnection != true ? [
        {
          name: privateEndpoint.?privateLinkServiceConnectionName ?? '${last(split(>singularMainResourceType<.id, '/'))}-${privateEndpoint.service}-${index}'
          properties: {
            privateLinkServiceId: >singularMainResourceType<.id
            groupIds: [
              privateEndpoint.service
            ]
          }
        }
      ] : null
      manualPrivateLinkServiceConnections: privateEndpoint.?isManualConnection == true ? [
        {
          name: privateEndpoint.?privateLinkServiceConnectionName ?? '${last(split(>singularMainResourceType<.id, '/'))}-${privateEndpoint.service}-${index}'
          properties: {
            privateLinkServiceId: >singularMainResourceType<.id
            groupIds: [
              privateEndpoint.service
            ]
            requestMessage: privateEndpoint.?manualConnectionRequestMessage ?? 'Manual approval required.'
          }
        }
      ] : null
      subnetResourceId: privateEndpoint.subnetResourceId
      enableTelemetry: enableReferencedModulesTelemetry // resource module
      enableTelemetry: privateEndpoint.?enableTelemetry ?? enableTelemetry // pattern / utility module
      location: privateEndpoint.?location ?? reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
      lock: privateEndpoint.?lock ?? lock
      privateDnsZoneGroup: privateEndpoint.?privateDnsZoneGroup
      roleAssignments: privateEndpoint.?roleAssignments
      tags: privateEndpoint.?tags ?? tags
      customDnsConfigs: privateEndpoint.?customDnsConfigs
      ipConfigurations: privateEndpoint.?ipConfigurations
      applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
      customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
    }
  }]
  
  @description('The private endpoints of the resource.')
  output privateEndpoints privateEndpointOutputType[] = [
    for (pe, index) in (privateEndpoints ?? []): {
      name: >singularMainResourceType<_privateEndpoints[index].outputs.name
      resourceId: >singularMainResourceType<_privateEndpoints[index].outputs.resourceId
      groupId: >singularMainResourceType<_privateEndpoints[index].outputs.?groupId!
      customDnsConfigs: >singularMainResourceType<_privateEndpoints[index].outputs.customDnsConfigs
      networkInterfaceResourceIds: >singularMainResourceType<_privateEndpoints[index].outputs.networkInterfaceResourceIds
    }
  ]
  
  // =============== //
  //   Definitions   //
  // =============== //
  
  @export()
  type privateEndpointOutputType = {
    @description('The name of the private endpoint.')
    name: string
  
    @description('The resource ID of the private endpoint.')
    resourceId: string
  
    @description('The group Id for the private endpoint Group.')
    groupId: string?
  
    @description('The custom DNS configurations of the private endpoint.')
    customDnsConfigs: {
      @description('FQDN that resolves to private endpoint IP address.')
      fqdn: string?
  
      @description('A list of private IP addresses of the private endpoint.')
      ipAddresses: string[]
    }[]
  
    @description('The IDs of the network interfaces associated with the private endpoint.')
    networkInterfaceResourceIds: string[]
  }

  privateEndpoints: {
    {
      name: 'myPeName'
      privateLinkServiceConnectionName: 'myPrivateLinkConnectionName'
      lock: 'CanNotDelete'
      tags: {
        'hidden-title': 'This is visible in the resource name'
      }
      service: 'blob'
      subnetResourceId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRg/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mysubnet'
      resourceGroupResourceId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRg'
      applicationSecurityGroupResourceIds: [
        '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRg/providers/Microsoft.Network/applicationSecurityGroups/myAsg'
      ]
      privateDnsZoneGroup: {
        privateDnsZoneGroupConfigs: [
          {
            name: 'config'
            privateDnsZoneResourceId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRg/providers/Microsoft.Network/privateDnsZones/myZone'
          }
        ]
      }
      customDnsConfigs: [
        {
          fqdn: 'fqdn1.example.com'
          ipAddresses: [
            '10.0.0.1',
            '10.0.0.2'
          ]
        }
      ]
      networkInterfaceName: 'nic1'
      ipConfigurations: [
        {
          name: 'ipconfig1'
          groupId: 'blob'
          memberName: 'default'
          privateIpAddress: '10.0.0.7'
        }
      ]
      roleAssignments: [
        {
          roleDefinitionIdOrName: 'Owner'
          principalId: '11111111-1111-1111-1111-111111111111'
          principalType: 'ServicePrincipal'
        }
        {
          roleDefinitionIdOrName: subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')
          principalId: '11111111-1111-1111-1111-111111111111'
          principalType: 'ServicePrincipal'
        }
      ]
    }
  }

Notes:

The properties defined in the schema above are the minimum amount of properties expected to be exposed for Private Endpoints in AVM Resource Modules.
- A module owner MAY chose to expose additional properties of the Private Endpoint resource
  - However, module owners considering this SHOULD contact the AVM core team first to consult on how the property should be exposed to avoid future breaking changes to the schema that may be enforced upon them
Module owners MAY chose to define a list of allowed value for the ‘service’ (a.k.a. groupIds) property
- However, they should do so with caution as should a new service appear for their resource module, a new release will need to be cut to add this new service to the allowed values
  - Whereas not specifying allowed values will allow flexibility from day 0 without the need for any changes and releases to be made

Customer Managed Keys

  // ============== //
  //   Parameters   //
  // ============== //
  
  import { customerManagedKeyType } from 'br/public:avm/utl/types/avm-common-types:>version<'
  @description('Optional. The customer managed key definition.')
  param customerManagedKey customerManagedKeyType?
  
  // ============= //
  //   Variables   //
  // ============= //
  
  // If user-assiged identities are supported => Adds any user assigned identity specified in the customer managed key definition to the general managed-identity spcification
  var formattedUserAssignedIdentities = reduce(
    map(
      union(
        (managedIdentities.?userAssignedResourceIds ?? []),
        (!empty(customerManagedKey.?userAssignedIdentityResourceId)
          ? [customerManagedKey.?userAssignedIdentityResourceId]
          : [])
      ),
      (id) => { '${id}': {} }
    ),
    {},
    (cur, next) => union(cur, next)
  ) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
  
  var identity = !empty(managedIdentities) || !empty(formattedUserAssignedIdentities) 
    ? {
        type: (managedIdentities.?systemAssigned ?? false)
          ? (!empty(formattedUserAssignedIdentities) ? 'SystemAssigned, UserAssigned' : 'SystemAssigned')
          : (!empty(formattedUserAssignedIdentities) ? 'UserAssigned' : null)
        userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
      }
    : null
  
  var isHSMManagedCMK = split(customerManagedKey.?keyVaultResourceId ?? '', '/')[?7] == 'managedHSMs'
  
  // ============= //
  //   Resources   //
  // ============= //
  
  resource cMKKeyVault 'Microsoft.KeyVault/vaults@2025-05-01' existing = if (!empty(customerManagedKey) && !isHSMManagedCMK) {
    name: last(split((customerManagedKey!.?keyVaultResourceId!), '/'))
    scope: resourceGroup(
      split(customerManagedKey!.?keyVaultResourceId!, '/')[2],
      split(customerManagedKey!.?keyVaultResourceId!, '/')[4]
    )
  
    resource cMKKey 'keys@2025-05-01' existing = if (!empty(customerManagedKey) && !isHSMManagedCMK) {
      name: customerManagedKey!.?keyName!
    }
  }
  
  resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2024-11-30' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) {
    name: last(split(customerManagedKey!.?userAssignedIdentityResourceId!, '/'))
    scope: resourceGroup(
      split(customerManagedKey!.?userAssignedIdentityResourceId!, '/')[2],
      split(customerManagedKey!.?userAssignedIdentityResourceId!, '/')[4]
    )
  }
  
  resource >singularMainResourceType< '>providerNamespace</>resourceType<@>apiVersion<' = {
    name: '>exampleResource<'
    properties: {
      ... // other properties
      encryption: !empty(customerManagedKey)
        ? {
            keySource: 'Microsoft.KeyVault'
            keyVaultProperties: {
              keyVaultUri: !isHSMManagedCMK
                  ? cMKKeyVault!.properties.vaultUri
                  : 'https://${last(split((customerManagedKey!.keyVaultResourceId), '/'))}.managedhsm.azure.net/'
              keyName: customerManagedKey!.keyName
              keyVersion: !empty(customerManagedKey!.?keyVersion)
                ? customerManagedKey!.keyVersion!
                : (!isHSMManagedCMK
                  ? last(split(cMKKeyVault::cMKKey!.properties.keyUriWithVersion, '/'))
                  : fail('Managed HSM CMK encryption requires specifying the \'keyVersion\'.'))
              keyIdentifier: !empty(customerManagedKey!.?keyVersion)
                ? ( !isHSMManagedCMK
                  ? '${cMKKeyVault::cMKKey!.properties.keyUri}/${customerManagedKey!.keyVersion!}'
                  : 'https://${last(split((customerManagedKey!.keyVaultResourceId), '/'))}.managedhsm.azure.net/keys/${customerManagedKey!.keyName}/${customerManagedKey!.keyVersion!}')
                : ( !isHSMManagedCMK
                  ? cMKKeyVault::cMKKey!.properties.keyUriWithVersion
                  : fail('Managed HSM CMK encryption requires specifying the \'keyVersion\'.'))
              identityClientId: !empty(customerManagedKey!.?userAssignedIdentityResourceId)
                ? cMKUserAssignedIdentity!.properties.clientId
                : null
              identity: !empty(customerManagedKey!.?userAssignedIdentityResourceId)
                ? {
                    userAssignedIdentity: cMKUserAssignedIdentity!.id
                  }
                : null
            }
          }
        : null
    }
  }

  customerManagedKey: {
    keyVaultResourceId: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{keyVaultName}'
    keyName: '{keyName}'
    keyVersion: '{keyVersion}'
    userAssignedIdentityResourceId: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{uamiName}'
  }

  // ============== //
  //   Parameters   //
  // ============== //
  import { customerManagedKeyWithAutoRotateType } from 'br/public:avm/utl/types/avm-common-types:>version<'
  @description('Optional. The customer managed key definition.')
  param customerManagedKey customerManagedKeyWithAutoRotateType?
  
  // ============= //
  //   Variables   //
  // ============= //
  
  // If user-assiged identities are supported => Adds any user assigned identity specified in the customer managed key definition to the general managed-identity spcification
  var formattedUserAssignedIdentities = reduce(
    map(
      union(
        (managedIdentities.?userAssignedResourceIds ?? []),
        (!empty(customerManagedKey.?userAssignedIdentityResourceId)
          ? [customerManagedKey.?userAssignedIdentityResourceId]
          : [])
      ),
      (id) => { '${id}': {} }
    ),
    {},
    (cur, next) => union(cur, next)
  ) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
  
  var identity = !empty(managedIdentities) || !empty(formattedUserAssignedIdentities) 
    ? {
        type: (managedIdentities.?systemAssigned ?? false)
          ? (!empty(formattedUserAssignedIdentities) ? 'SystemAssigned, UserAssigned' : 'SystemAssigned')
          : (!empty(formattedUserAssignedIdentities) ? 'UserAssigned' : null)
        userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
      }
    : null
    
  var isHSMManagedCMK = split(customerManagedKey.?keyVaultResourceId ?? '', '/')[?7] == 'managedHSMs'
  
  // ============= //
  //   Resources   //
  // ============= //
  
  resource cMKKeyVault 'Microsoft.KeyVault/vaults@2025-05-01' existing = if (!empty(customerManagedKey) && !isHSMManagedCMK) {
    name: last(split((customerManagedKey!.?keyVaultResourceId!), '/'))
    scope: resourceGroup(
      split(customerManagedKey!.?keyVaultResourceId!, '/')[2],
      split(customerManagedKey!.?keyVaultResourceId!, '/')[4]
    )
  
    resource cMKKey 'keys@2025-05-01' existing = if (!empty(customerManagedKey) && !isHSMManagedCMK) {
      name: customerManagedKey!.?keyName!
    }
  }
  
  resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2024-11-30' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) {
    name: last(split(customerManagedKey!.?userAssignedIdentityResourceId!, '/'))
    scope: resourceGroup(
      split(customerManagedKey!.?userAssignedIdentityResourceId!, '/')[2],
      split(customerManagedKey!.?userAssignedIdentityResourceId!, '/')[4]
    )
  }
  
  resource >singularMainResourceType< '>providerNamespace</>resourceType<@>apiVersion<' = {
    name: '>exampleResource<'
    properties: {
      ... // other properties
      encryption: !empty(customerManagedKey)
        ? {
            keySource: 'Microsoft.KeyVault'
            keyVaultProperties: {
              keyVaultUri: !isHSMManagedCMK
                  ? cMKKeyVault!.properties.vaultUri
                  : 'https://${last(split((customerManagedKey!.keyVaultResourceId), '/'))}.managedhsm.azure.net/'
              keyName: customerManagedKey!.keyName
              keyVersion: !empty(customerManagedKey!.?keyVersion)
                  ? customerManagedKey!.keyVersion!
                  : (customerManagedKey!.?autoRotationEnabled ?? true)
                      ? null
                      : (!isHSMManagedCMK
                          ? last(split(cMKKeyVault::cMKKey!.properties.keyUriWithVersion, '/'))
                          : fail('Managed HSM CMK encryption requires either specifying the \'keyVersion\' or omitting the \'autoRotationEnabled\' property. Setting \'autoRotationEnabled\' to false without a \'keyVersion\' is not allowed.'))
              keyIdentifier: !empty(customerManagedKey!.?keyVersion)
                ? (!isHSMManagedCMK
                  ? '${cMKKeyVault::cMKKey!.properties.keyUri}/${customerManagedKey!.keyVersion!}'
                  : 'https://${last(split((customerManagedKey!.keyVaultResourceId), '/'))}.managedhsm.azure.net/keys/${customerManagedKey!.keyName}/${customerManagedKey!.keyVersion!}')
                : (customerManagedKey!.?autoRotationEnabled ?? true)
                  ? (!isHSMManagedCMK
                    ? cMKKeyVault::cMKKey!.properties.keyUri
                    : 'https://${last(split((customerManagedKey!.keyVaultResourceId), '/'))}.managedhsm.azure.net/keys/${customerManagedKey!.keyName}')
                  : (!isHSMManagedCMK
                    ? cMKKeyVault::cMKKey!.properties.keyUriWithVersion
                    : fail('Managed HSM CMK encryption requires either specifying the \'keyVersion\' or omitting the \'autoRotationEnabled\' property. Setting \'autoRotationEnabled\' to false without a \'keyVersion\' is not allowed.'))
              identityClientId: !empty(customerManagedKey!.?userAssignedIdentityResourceId)
                ? cMKUserAssignedIdentity!.properties.clientId
                : null
              identity: !empty(customerManagedKey!.?userAssignedIdentityResourceId)
                ? {
                    userAssignedIdentity: cMKUserAssignedIdentity!.id
                  }
                : null
            }
          }
        : null
    }
  }

  customerManagedKey: {
    keyVaultResourceId: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{keyVaultName}'
    keyName: '{keyName}'
    autoRotationEnabled: {true|false}
    userAssignedIdentityResourceId: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{uamiName}'
  }

Secrets export (DEPRECATED)

Important

Since version Bicep 0.35.1, it is possible to export secrets securely using the secure() annotation.

As this approach is fairly simple compared with the below workaround it is highly recommended to use it instead.

Example

@secure()
@description('The primary connection string of the service bus namespace.')
output primaryConnectionString string = listkeys(
  '${serviceBusNamespace.id}/AuthorizationRules/RootManageSharedAccessKey',
  '2024-01-01'
).primaryConnectionString

@secure()
@description('The primary key of the service bus namespace.')
output primaryKey string = listkeys(
  '${serviceBusNamespace.id}/AuthorizationRules/RootManageSharedAccessKey',
  '2024-01-01'
).primaryKey

Secrets used inside a module can be exported to a Key Vault reference provided as per the below schema.
This implementation provides a secure way around the current limitation of Bicep on providing a secure template output (that can be used for secrets).

The user MUST

provide the resource Id to a Key Vault. The principal used for the deployment MUST be allowed to set secrets in this Key Vault.
provide a name for each secret they want to store (opt-in). The module will suggest which secrets are available via the implemented user-defined type.

The module returns an output table where the key is the name of the secret the user provided, and the value contains both the secret’s resource Id and URI.

Important

The feature MUST be implemented as per the below schema. Diversions are only allowed in places marked as >text< to ensure a consistent user experience across modules.

User Defined Type, Parameter & Resource Example

  
  // ============== //
  //   Parameters   //
  // ============== //
  
  @description('Optional. Key vault reference and secret settings for the module\'s secrets export.')
  param secretsExportConfiguration secretsExportConfigurationType?
  
  // ============= //
  //   Resources   //
  // ============= //
  
  module secretsExport 'modules/keyVaultExport.bicep' = if (secretsExportConfiguration != null) {
    name: '${uniqueString(deployment().name, location)}-secrets-kv'
    scope: resourceGroup(
      split(secretsExportConfiguration.?keyVaultResourceId, '/')[2],
      split(secretsExportConfiguration.?keyVaultResourceId, '/')[4]
    )
    params: {
      keyVaultName: last(split(secretsExportConfiguration.?keyVaultResourceId, '/'))
      secretsToSet: union(
        [],
        contains(secretsExportConfiguration!, '>secretToExport1<Name')
          ? [
              {
                name: secretsExportConfiguration!.?>secretToExport1<Name
                value: >secretReference1< // e.g., >singularMainResourceType<.listKeys().primaryMasterKey
              }
            ]
          : [],
        contains(secretsExportConfiguration!, '>secretToExport2<Name')
          ? [
              {
                name: secretsExportConfiguration!.?>secretToExport2<Name
                value:>secretReference2<  // e.g., >singularMainResourceType<.listKeys().secondaryMasterKey
              }
            ]
          : []
          // (...)
      )
    }
  }
  
  // =========== //
  //   Outputs   //
  // =========== //
  
  import { secretsOutputType } from 'br/public:avm/utl/types/avm-common-types:>version<'
  @description('A hashtable of references to the secrets exported to the provided Key Vault. The key of each reference is each secret\'s name.')
  output exportedSecrets secretsOutputType = (secretsExportConfiguration != null)
    ? toObject(secretsExport.outputs.secretsSet, secret => last(split(secret.secretResourceId, '/')), secret => secret)
    : {}
  
  // =============== //
  //   Definitions   //
  // =============== //
  
  @export()
  type secretsExportConfigurationType = {
    @description('Required. The resource ID of the key vault where to store the secrets of this module.')
    keyVaultResourceId: string
  
    @description('Optional. The >secretToExport1< secret name to create.')
    >secretToExport1<Name: string?
  
    @description('Optional. The >secretToExport2< secret name to create.')
    >secretToExport2<Name: string?
  
    // (...)
  }

Input Example with Values

  
  // ============== //
  //   Parameters   //
  // ============== //
  
  @description('Optional. Key vault reference and secret settings for the module\'s secrets export.')
  param secretsExportConfiguration secretsExportConfigurationType?
  
  // ============= //
  //   Resources   //
  // ============= //
  
  module secretsExport 'modules/keyVaultExport.bicep' = if (secretsExportConfiguration != null) {
    name: '${uniqueString(deployment().name, location)}-secrets-kv'
    scope: resourceGroup(
      split(secretsExportConfiguration.?keyVaultResourceId, '/')[2],
      split(secretsExportConfiguration.?keyVaultResourceId, '/')[4]
    )
    params: {
      keyVaultName: last(split(secretsExportConfiguration.?keyVaultResourceId, '/'))
      secretsToSet: union(
        [],
        contains(secretsExportConfiguration!, '>secretToExport1<Name')
          ? [
              {
                name: secretsExportConfiguration!.?>secretToExport1<Name
                value: >secretReference1< // e.g., >singularMainResourceType<.listKeys().primaryMasterKey
              }
            ]
          : [],
        contains(secretsExportConfiguration!, '>secretToExport2<Name')
          ? [
              {
                name: secretsExportConfiguration!.?>secretToExport2<Name
                value:>secretReference2<  // e.g., >singularMainResourceType<.listKeys().secondaryMasterKey
              }
            ]
          : []
          // (...)
      )
    }
  }
  
  // =========== //
  //   Outputs   //
  // =========== //
  
  import { secretsOutputType } from 'br/public:avm/utl/types/avm-common-types:>version<'
  @description('A hashtable of references to the secrets exported to the provided Key Vault. The key of each reference is each secret\'s name.')
  output exportedSecrets secretsOutputType = (secretsExportConfiguration != null)
    ? toObject(secretsExport.outputs.secretsSet, secret => last(split(secret.secretResourceId, '/')), secret => secret)
    : {}
  
  // =============== //
  //   Definitions   //
  // =============== //
  
  @export()
  type secretsExportConfigurationType = {
    @description('Required. The resource ID of the key vault where to store the secrets of this module.')
    keyVaultResourceId: string
  
    @description('Optional. The >secretToExport1< secret name to create.')
    >secretToExport1<Name: string?
  
    @description('Optional. The >secretToExport2< secret name to create.')
    >secretToExport2<Name: string?
  
    // (...)
  }

[modules/keyVaultExport.bicep] file

  
  // ============== //
  //   Parameters   //
  // ============== //
  
  @description('Required. The name of the Key Vault to set the secrets in.')
  param keyVaultName string
  
  import { secretToSetType } from 'br/public:avm/utl/types/avm-common-types:>version<'
  @description('Required. The secrets to set in the Key Vault.')
  param secretsToSet secretToSetType[]
  
  // ============= //
  //   Resources   //
  // ============= //
  
  resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
    name: keyVaultName
  }
  
  resource secrets 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = [
    for secret in secretsToSet: {
      name: secret.name
      parent: keyVault
      properties: {
        value: secret.value
      }
    }
  ]
  
  // =========== //
  //   Outputs   //
  // =========== //
  
  import { secretSetOutputType } from 'br/public:avm/utl/types/avm-common-types:>version<'
  @description('The references to the secrets exported to the provided Key Vault.')
  output secretsSet secretSetOutputType[] = [
    #disable-next-line outputs-should-not-contain-secrets // Only returning the references, not a secret value
    for index in range(0, length(secretsToSet ?? [])): {
      secretResourceId: secrets[index].id
      secretUri: secrets[index].properties.secretUri
      secretUriWithVersion: secrets[index].properties.secretUriWithVersion
    }
  ]

Output Usage Example

When using a module that implements the above interface, you can access its outputs for example in the following ways:

  
  // ============== //
  //   Parameters   //
  // ============== //
  
  @description('Optional. Key vault reference and secret settings for the module\'s secrets export.')
  param secretsExportConfiguration secretsExportConfigurationType?
  
  // ============= //
  //   Resources   //
  // ============= //
  
  module secretsExport 'modules/keyVaultExport.bicep' = if (secretsExportConfiguration != null) {
    name: '${uniqueString(deployment().name, location)}-secrets-kv'
    scope: resourceGroup(
      split(secretsExportConfiguration.?keyVaultResourceId, '/')[2],
      split(secretsExportConfiguration.?keyVaultResourceId, '/')[4]
    )
    params: {
      keyVaultName: last(split(secretsExportConfiguration.?keyVaultResourceId, '/'))
      secretsToSet: union(
        [],
        contains(secretsExportConfiguration!, '>secretToExport1<Name')
          ? [
              {
                name: secretsExportConfiguration!.?>secretToExport1<Name
                value: >secretReference1< // e.g., >singularMainResourceType<.listKeys().primaryMasterKey
              }
            ]
          : [],
        contains(secretsExportConfiguration!, '>secretToExport2<Name')
          ? [
              {
                name: secretsExportConfiguration!.?>secretToExport2<Name
                value:>secretReference2<  // e.g., >singularMainResourceType<.listKeys().secondaryMasterKey
              }
            ]
          : []
          // (...)
      )
    }
  }
  
  // =========== //
  //   Outputs   //
  // =========== //
  
  import { secretsOutputType } from 'br/public:avm/utl/types/avm-common-types:>version<'
  @description('A hashtable of references to the secrets exported to the provided Key Vault. The key of each reference is each secret\'s name.')
  output exportedSecrets secretsOutputType = (secretsExportConfiguration != null)
    ? toObject(secretsExport.outputs.secretsSet, secret => last(split(secret.secretResourceId, '/')), secret => secret)
    : {}
  
  // =============== //
  //   Definitions   //
  // =============== //
  
  @export()
  type secretsExportConfigurationType = {
    @description('Required. The resource ID of the key vault where to store the secrets of this module.')
    keyVaultResourceId: string
  
    @description('Optional. The >secretToExport1< secret name to create.')
    >secretToExport1<Name: string?
  
    @description('Optional. The >secretToExport2< secret name to create.')
    >secretToExport2<Name: string?
  
    // (...)
  }

Which returns a JSON-formatted output like:

  {
    "exportedSecrets": {
      "Type": "Object",
      "Value": {
        ">secretToExportName1<": {
          "secretResourceId": "/subscriptions/<subId>/resourceGroups/<rgName>providers/Microsoft.KeyVault/vaults/<vaultName>/secrets/>secretToExportName1<",
          "secretUri": "https://<vaultName>.vault.azure.net/secrets/>secretToExportName1<"
        },
        ">secretToExportName2<": {
          "secretResourceId": "/subscriptions/<subId>/resourceGroups/<rgName>providers/Microsoft.KeyVault/vaults/<vaultName>/secrets/>secretToExportName2<",
          "secretUri": "https://<vaultName>.vault.azure.net/secrets/>secretToExportName2<"
        }
      }
    },
    "specificSecret": {
      "Type": "String",
      "Value": "/subscriptions/<subId>/resourceGroups/<rgName>providers/Microsoft.KeyVault/vaults/<vaultName>/secrets/>secretToExportName1<"
    },
    "exportedSecretResourceIds": {
      "Type": "Array",
      "Value": [
        "/subscriptions/<subId>/resourceGroups/<rgName>providers/Microsoft.KeyVault/vaults/<vaultName>/secrets/>secretToExportName1<",
        "/subscriptions/<subId>/resourceGroups/<rgName>providers/Microsoft.KeyVault/vaults/<vaultName>/secrets/>secretToExportName2<"
      ]
    }
  }

Azure Monitor Alerts

Note

This interface is a SHOULD instead of a MUST and therefore the AVM core team have not mandated a interface schema to use.

Zonal & zone-redundant resources

Many Azure resources can be deployed into specific availability zones. Depending on whether a resource is ‘zonal’ (i.e., deploys a single instance into a single zone) or ‘zone-redundant’ (i.e., spreads multiple of its instances across the configured zones), implementing a different interface is required. Simply put, the zone of a zonal resource must be a required parameter (but give the user the option to ‘opt-out’), while zone-redundant resources must span all available zones by default, but still give the user the option to ‘opt-out’. Please note that the support for Availability Zones may differ from region to region.

  // ============== //
  //   Parameters   //
  // ============== //
  
  @description('Required. If set to 1, 2 or 3, the availability zone is hardcoded to that value. If set to -1, no zone is defined. Note that the availability zone numbers here are the logical availability zone in your Azure subscription. Different subscriptions might have a different mapping of the physical zone and logical zone. To understand more, please refer to [Physical and logical availability zones](https://learn.microsoft.com/en-us/azure/reliability/availability-zones-overview?tabs=azure-cli#physical-and-logical-availability-zones).')
  @allowed([
    -1
    1
    2
    3
  ])
  param availabilityZone int
  
  // ============= //
  //   Resources   //
  // ============= //
  
  resource >singularMainResourceType< '>providerNamespace</>resourceType<@>apiVersion<' = {
    name: '>exampleResource<'
    properties: {
      ... // other properties
      zones: availabilityZone != -1 ? array(string(availabilityZone)) : null // If expecting an array
      // Or
      availabilityZone: availabilityZone != -1 ? string(availabilityZone) : null // If expecting a single value
    }
  }

  availabilityZone: -1 // Deploy into no zone
  availabilityZone: 1 // Deploy into zone 1

  // ============== //
  //   Parameters   //
  // ============== //
  
  @description('Optional. The list of Availability zones to use for the zone-redundant resources.')
  @allowed([
    1
    2
    3
  ])
  param availabilityZones int[] = [1, 2, 3]
  
  // ============= //
  //   Resources   //
  // ============= //
  
  resource >singularMainResourceType< '>providerNamespace</>resourceType<@>apiVersion<' = {
    name: '>exampleResource<'
    properties: {
      ... // other properties
      zones: map(availabilityZones, zone => '${zone}')
    }
  }

  availabilityZones: [] // Deploy into no zone
  availabilityZones: [1, 2] // Deploy into zone 1 & 2

Bicep Pattern Module Specifications

Contribution / Support

The content below is listed based on the following tags

Category-Contribution/SupportClass-PatternLanguage-Bicep

#	ID	Title	Severity	Persona	Lifecycle
1	SNFR8	Module Owner(s) GitHub	MUST	Owner	Initial
2	SNFR20	GitHub Teams Only	MUST	Owner	Initial
3	SNFR9	AVM & PG Teams GitHub Repo Permissions	MUST	Owner	Initial
4	SNFR10	MIT Licensing	MUST	Owner	Initial
5	SNFR11	Issues Response Times	MUST	OwnerContributor	BAU
6	SNFR12	Versions Supported	MUST	Owner	BAU
7	SNFR23	GitHub Repo Labels	MUST	Owner	BAU
8	BCPNFR15	AVM Module Issue template file	MUST	Owner	BAU

➕ See Specifications for this category

Name	Description	HEX
AZD 🧑‍💻	These modules are requested/used by the AZD team.	`E0BFFA`
Needs: Attention 👋	Reply has been added to issue, maintainer to review	`E99695`
Needs: Immediate Attention ‼️	Immediate attention of module owner / AVM team is needed	`FF0000`
Needs: Author Feedback 👂	Awaiting feedback from the issue/PR author	`F18A07`
Needs: External Changes ⚒️	When an issue/PR requires changes that are outside of the control of the module. e.g. to an RP.	`DE389D`
Needs: More Evidence ⚖	We are looking for more evidence to make a decision on this	`F64872`
Needs: Triage 🔍	Maintainers need to triage still	`FBCA04`
Needs: Module Owner 📣	In the AVM repository: this module needs an owner to develop or maintain it. In the BRM repository: the module owner needs to review a PR.	`FF0019`
Needs: Module Contributor 📣	This module needs secondary owner(s) or contributor(s) to develop or maintain it	`C95474`
Needs: Core Team 🧞‍♂️	This item needs the AVM Core Team to review it	`DB4503`
Status: Awaiting Release To Be Cut ✂️	This is fixed in the main branch but not in the latest release, will be fixed with next release cut	`800080`
Status: Do Not Merge ⛔	Do not merge PRs with this label attached as they are not ready or aligned to future direction etc.	`8B4513`
Status: External Contribution 🌍	This is being worked on by someone outside of the AVM module owners/contributors or AVM core team	`D8FA2C`
Status: Fixed ✅	Auto label applied when issue fixed by merged PR	`90EE90`
Status: Help Wanted 🆘	Extra attention is needed	`FF4500`
Status: In Triage 🔍	Picked up for triaging by an AVM core team member	`D4AF37`
Status: In PR 👉	This is when an issue is due to be fixed in an open PR	`EDEDED`
Status: Invalid ❌	This doesn't seem right	`E4E669`
Status: Long Term ⏳	We will do it, but will take a longer amount of time due to complexity/priorities	`B60205`
Status: No Recent Activity 💤	When an issue/PR has not been modified for X amount of days	`808080`
Status: Won't Fix 💔	This will not be worked on	`FFFFFF`
Status: Owners Identified 🤘	This module has its owners identified	`FBEF2A`
Status: Module Available 🟢	The module is published	`C8E6C9`
Status: Module Deprecated 🔴	This is a request to deprecate a module	`000000`
Status: Module Orphaned 🟡	The module has no owner and is therefore orphaned at this time	`F4A460`
Status: Ready For Repository Creation 📝	This module is approved and the owner is ready for the repository to be created (Terraform)	`136A41`
Status: Repository Created 📄	This module has had it's repository created and configured ready for owner contribution (Terraform)	`27AB03`
Status: Response Overdue 🚩	When an issue/PR has not been responded to for X amount of days	`850000`
Status: Looking For Assistance 🦆	This item is looking for anyone to help develop the code and submit a PR for resolution	`03FCC2`
Type: Bug 🐛	Something isn't working	`D73A4A`
Type: CI 🚀	This issue is related to the AVM CI	`74CFB0`
Type: Documentation 📄	Improvements or additions to documentation	`0075CA`
Type: Duplicate 🤲	This issue or pull request already exists	`CFD3D7`
Type: Feature Request ➕	New feature or request	`A2EEEF`
Type: Hygiene 🧹	things related to testing, issue triage etc.	`17016A`
Type: New Module Proposal 💡	A new module for AVM is being proposed	`ADD8E6`
Type: Question/Feedback 🙋‍♀️	Further information is requested or just some feedback	`CB6BA2`
Type: Security Bug 🔒	This is a security bug	`FFFF00`
Type: AVM 🅰️ ✌️ ⓜ️	This is an AVM related issue	`F0FFFF`
Language: Terraform 🌐	This is related to the Terraform IaC language	`7740B6`
Language: Bicep 💪	This is related to the Bicep IaC language	`1D73B3`
Class: Resource Module 📦	This is a resource module	`D3D3D3`
Class: Pattern Module 📦	This is a pattern module	`A9A9A9`
Class: Utility Module 📦	This is a utility module	`CAD1DE`
Class: Child Module 📦	This is a child module	`5E5186`

#	ID	Title	Severity	Persona	Lifecycle
1	SFR3	Deployment/Usage Telemetry	MUST	Owner	Initial
2	SFR4	Telemetry Enablement Flexibility	MUST	Owner	Initial
3	BCPFR4	Telemetry Enablement	MUST	OwnerContributor	BAU

#	ID	Title	Severity	Persona	Lifecycle
1	SFR1	Preview Services	MUST	Owner	BAU
2	SFR2	WAF Aligned	SHOULD	Owner	BAU
3	SFR5	Availability Zones	MUST	Owner	Initial
4	SFR6	Data Redundancy	MUST	Owner	Initial
5	SNFR25	Resource Naming	MUST	Owner	Initial
6	PMFR1	Resource Group Creation	MAY	OwnerContributor	BAU
7	PMNFR1	Module Naming	MUST	Owner	Initial
8	PMNFR2	Use Resource Modules to Build a Pattern Module	MUST	OwnerContributor	BAU
9	PMNFR3	Use other Pattern Modules to Build a Pattern Module	MUST	OwnerContributor	BAU
10	BCPFR1	Cross-Referencing Modules	MAY	OwnerContributor	BAU
11	BCPFR2	Role Assignments Role Definition Mapping	MUST	OwnerContributor	BAU
12	BCPFR6	Cross-Referencing Child-Modules	MUST	OwnerContributor	BAU
13	BCPNFR19	User-defined types - Naming	MUST	OwnerContributor	BAU
14	BCPNFR23	Module composition	MUST	OwnerContributor	BAU
15	BCPNFR5	Role Assignments Role Definition Mapping Limits	SHOULD	OwnerContributor	BAU
16	BCPNFR6	Role Assignments Role Definition Mapping Compulsory Roles	MUST	OwnerContributor	BAU
17	BCPNFR14	Versioning	MUST	OwnerContributor	BAU

#	ID	Title	Severity	Persona	Lifecycle
1	SNFR14	Data Types	SHOULD	OwnerContributor	BAU
2	SNFR22	Parameters/Variables for Resource IDs	MUST	OwnerContributor	BAU
3	SNFR26	Output - Parameters - Decorators	MUST	OwnerContributor	BAU
4	PMNFR5	Parameter/Variable Naming	SHOULD	OwnerContributor	BAU
5	BCPNFR1	Complex data types - General	MUST	OwnerContributor	BAU
6	BCPNFR9	Inputs - Decorators	MUST	OwnerContributor	BAU
7	BCPNFR18	User-defined types - Specification	MUST	OwnerContributor	BAU
8	BCPNFR19	User-defined types - Naming	MUST	OwnerContributor	BAU
9	BCPNFR20	User-defined types - Export	MUST	OwnerContributor	BAU
10	BCPNFR21	User-defined types - Decorators	MUST	OwnerContributor	BAU
11	BCPNFR7	Parameter Requirement Types	MUST	OwnerContributor	BAU

Parameter Requirement Type	Definition	Example Description Decorator
Required	The parameter value must be provided. The parameter does not have a default value and hence the module expects and requires an input.	`@description('Required. <PARAMETER DESCRIPTION HERE...>')`
Conditional	The parameter value can be optional or required based on a condition, mostly based on the value provided to other parameters. Should contain a sentence starting with ‘Required if (…).’ to explain the condition.	`@description('Conditional. <PARAMETER DESCRIPTION HERE...>')`
Optional	The parameter value is not mandatory. The module provides a default value for the parameter.	`@description('Optional. <PARAMETER DESCRIPTION HERE...>')`
Generated	The parameter value is generated within the module and should not be specified as input in most cases. A common example of this is the `utcNow()` function that is only supported as the input for a parameter value, and not inside a variable.	`@description('Generated. <PARAMETER DESCRIPTION HERE...>')`

#	ID	Title	Severity	Persona	Lifecycle
1	SNFR1	Prescribed Tests	MUST	OwnerContributor	BAU
2	SNFR2	E2E Testing	MUST	OwnerContributor	BAU
3	SNFR3	AVM Compliance Tests	MUST	OwnerContributor	Initial
4	SNFR4	Unit Tests	SHOULD	OwnerContributor	BAU
5	SNFR5	Upgrade Tests	SHOULD	OwnerContributor	BAU
6	SNFR6	Static Analysis/Linting Tests	MUST	OwnerContributor	BAU
7	SNFR7	Idempotency Tests	MUST	OwnerContributor	BAU
8	SNFR24	Testing Child, Extension & Interface Resources	MUST	OwnerContributor	BAU
9	BCPNFR10	Test Bicep File Naming	MUST	OwnerContributor	BAU
10	BCPNFR11	Test Tooling	MUST	OwnerContributor	BAU
11	BCPNFR12	Deployment Test Naming	MUST	OwnerContributor	BAU
12	BCPNFR13	Test file metadata	MUST	OwnerContributor	BAU
13	BCPNFR16	Post-deployment tests	MUST	OwnerContributor	BAU

#	ID	Title	Severity	Persona	Lifecycle
1	SNFR15	Automatic Documentation Generation	MUST	OwnerContributor	BAU
2	SNFR16	Examples/E2E	MUST	OwnerContributor	BAU
3	BCPNFR2	Module Documentation Generation	MUST	OwnerContributor	BAU
4	BCPNFR3	Usage Example formats	MUST	OwnerContributor	BAU
5	BCPNFR4	Parameter Input Examples	MAY	OwnerContributor	BAU

#	ID	Title	Severity	Persona	Lifecycle
1	SNFR17	Semantic Versioning	MUST	OwnerContributor	BAU
2	SNFR18	Breaking Changes	SHOULD	OwnerContributor	BAU
3	SNFR19	Registries Targeted	MUST	OwnerContributor	BAU
4	SNFR21	Cross Language Collaboration	SHOULD	OwnerContributor	BAU
5	BCPNFR22	Bicep Module Changelog	MUST	OwnerContributor	BAU

#	ID	Title	Severity	Persona	Lifecycle
1	BCPNFR8	Code Styling - lower camelCasing	SHOULD	OwnerContributor	BAU
2	BCPNFR17	Code Styling - Type casting	SHOULD	OwnerContributor	BAU

Optional Features/Extension Resources	Bicep Parameter Name	Terraform Variable Name	MUST/SHOULD
Diagnostic Settings	`diagnosticSettings`	`diagnostic_settings`	MUST
Role Assignments	`roleAssignments`	`role_assignments`	MUST
Resource Locks	`lock`	`lock`	MUST
Tags	`tags`	`tags`	MUST
Managed Identities (System / User Assigned)	`managedIdentities`	`managed_identities`	MUST
Private Endpoints	`privateEndpoints`	`private_endpoints`	MUST
Customer Managed Keys	`customerManagedKey`	`customer_managed_key`	MUST
Azure Monitor Alerts	`alerts`	`alerts`	SHOULD

Output	Bicep Output Name	Terraform Output Name
Resource Name	`name`	`name`
Resource ID	`resourceId`	`resource_id`
System Assigned Managed Identity Principal ID (if supported by module)	`systemAssignedMIPrincipalId`	`system_assigned_mi_principal_id`

#	ID	Title	Severity	Persona	Lifecycle
1	TFNFR6	Resource & Data Order	SHOULD	OwnerContributor	BAU
2	TFNFR7	Count & for_each Use	MUST	OwnerContributor	BAU
3	TFNFR8	Resource & Data Block Orders	SHOULD	OwnerContributor	BAU
4	TFNFR9	Module Block Order	SHOULD	OwnerContributor	BAU
5	TFNFR10	No Double Quotes in ignore_changes	MUST	OwnerContributor	BAU
6	TFNFR11	Null Comparison Toggle	SHOULD	OwnerContributor	BAU
7	TFNFR12	Dynamic for Optional Nested Objects	MUST	OwnerContributor	BAU
8	TFNFR13	Default Values with coalesce/try	SHOULD	OwnerContributor	BAU
9	TFNFR16	Variable Naming Rules	SHOULD	OwnerContributor	BAU
10	TFNFR17	Variables with Descriptions	SHOULD	OwnerContributor	BAU
11	TFNFR18	Variables with Types	MUST	OwnerContributor	BAU
12	TFNFR19	Sensitive Data Variables	SHOULD	OwnerContributor	BAU
13	TFNFR20	Non-Nullable Defaults for collection values	SHOULD	OwnerContributor	BAU
14	TFNFR21	Discourage Nullability by Default	MUST	OwnerContributor	BAU
15	TFNFR22	Avoid sensitive = false	MUST	OwnerContributor	BAU
16	TFNFR23	Sensitive Default Value Conditions	MUST	OwnerContributor	BAU
17	TFNFR24	Handling Deprecated Variables	MUST	OwnerContributor	BAU
18	TFNFR25	Verified Modules Requirements	MUST	OwnerContributor	BAU
19	TFNFR26	Providers in required_providers	MUST	OwnerContributor	BAU
20	TFNFR27	Provider Declarations in Modules	MUST	OwnerContributor	BAU
22	TFNFR30	Handling Deprecated Outputs	MUST	OwnerContributor	BAU
23	TFNFR31	locals.tf for Locals Only	MAY	OwnerContributor	BAU
25	TFNFR33	Precise Local Types	SHOULD	OwnerContributor	BAU
26	TFNFR34	Using Feature Toggles	MUST	OwnerContributor	BAU
27	TFNFR35	Reviewing Potential Breaking Changes	MUST	OwnerContributor	BAU
28	TFNFR36	Setting prevent_deletion_if_contains_resources	SHOULD	OwnerContributor	BAU
29	TFNFR37	Tool Usage by Module Owner	MAY	OwnerContributor	BAU

Azure Verified Modules

Introduction

Value Proposition

Modules

Next Steps

Subsections of Azure Verified Modules

Overview

Summary

Subsections of Overview

Introduction

What is Azure Verified Modules?

Definition of “Verified” Summary

Why Azure Verified Modules?

How will we create, support and enforce Azure Verified Modules?

Module Indexes

Summary

Subsections of Module Indexes

Bicep Modules

Summary

Status Badges

Subsections of Bicep

Bicep Resource Modules

Module catalog

Published modules - 🟢 & 🟡

Proposed modules - ⚪

Deprecated modules - 🔴

All modules - 📇

Module Publication History - 📅

Modules published in November 2025

Modules published in September 2025

Modules published in August 2025

Modules published in July 2025

Modules published in June 2025

Modules published in May 2025

Modules published in March 2025

Modules published in February 2025

Modules published in January 2025

Modules published in December 2024

Modules published in October 2024

Modules published in September 2024

Modules published in June 2024

Modules published in May 2024

Modules published in April 2024

Modules published in March 2024

Modules published in February 2024

Modules published in January 2024

Modules published in December 2023

Modules published in November 2023

Modules published in October 2023

Consistent Features & Extension Resources (Interfaces)

For Module Owners & Contributors

Module name, Telemetry ID prefix, GitHub Teams for Owners

Bicep Pattern Modules

Module catalog

Published modules - 🟢 & 🟡

Proposed modules - ⚪

Deprecated modules - 🔴

All modules - 📇

Module Publication History - 📅

Modules published in September 2025

Modules published in August 2025

Modules published in July 2025

Modules published in June 2025

Modules published in April 2025

Modules published in March 2025

Modules published in February 2025

Modules published in December 2024

Modules published in October 2024

Modules published in September 2024

Modules published in August 2024

Modules published in July 2024

Modules published in June 2024

Modules published in May 2024

Modules published in April 2024

For Module Owners & Contributors

Module name, Telemetry ID prefix, GitHub Teams for Owners

Bicep Utility Modules

Module catalog

Published modules - 🟢 & 🟡

Proposed modules - ⚪