Skip to content

Using Bicep source#

PSRule for Azure discovers and analyzes Azure resources contained within Bicep files. To enable this feature, you need to:

  • Enable expansion.
  • For modules (if used):
    • Define a deployment.
    • Configure path exclusions.


This topic covers how you can validate Azure resources within .bicep files. To learn more about why this is important see Expanding source files.

Enabling expansion#

To expand Bicep deployments configure ps-rule.yaml with the AZURE_BICEP_FILE_EXPANSION option.

# YAML: Enable expansion for Bicep source files.

Setup Bicep#

To expand Azure resources for analysis from Bicep source files the Bicep CLI is required. The Bicep CLI is already installed on hosted runners and agents used by GitHub Actions and Azure Pipelines. For details on how to configure Bicep for PSRule for Azure see Setup Bicep.

Building files#

It's not nessecary to build .bicep files with bicep build or az bicep build. PSRule will automatically detect and build .bicep files. You may choose to pre-build .bicep files if the Bicep CLI is not available when PSRule is run.


If using this method, follow Using templates instead. Using bicep build transpiles Bicep code into an Azure template .json.

Testing Bicep modules#

Bicep allows you to separate out complex details into separate files called modules. To expand resources, any parameters must be resolved.

Two types of parameters exist, required (also called mandatory) and optional. An optional parameter is any parameter with a default value. Required parameters do not have a default value and must be specified.

Example modules/storage/main.bicep

// Required parameter
param name string

// Optional parameters
param location string = resourceGroup().location
param sku string = 'Standard_LRS'

To specify required parameters for a module, create a deployment or test that references the module.

Example deploy.bicep

// Deploy storage account to production subscription
module storageAccount './modules/storage/main.bicep' = {
  name: 'deploy-storage'
  params: {
    name: 'stpsrulebicep001'
    sku: 'Standard_GRS'

Example modules/storage/.tests/main.tests.bicep

// Test with only required parameters
module test_required_params '../main.bicep' = {
  name: 'test_required_params'
  params: {
    name: 'sttest001'

Configuring path exclusions#

Unless configured, PSRule will discover all .bicep files when expansion is enabled. Bicep module files with required parameters will not be able be expanded and should be excluded. Instead expand resources from deployments or tests.

To do this configure ps-rule.yaml with the input.pathIgnore option.

Example ps-rule.yaml

  # Enable expansion for Bicep source files.

  # Exclude module files
  - 'modules/**/*.bicep'
  # Include test files from modules
  - '!modules/**/*.tests.bicep'


In this example, Bicep files such as deploy.bicep in other directories will be expanded.

Last update: 2022-01-19