Infrastructure as Code: Bicep and Terraform (azurerm)

Clicking around in the portal does not scale and is not auditable. Infrastructure as Code (IaC) describes infrastructure in text files in a repository — which gives you versioning, code review and repeatability. In Azure, two tools rule: Bicep and Terraform.

Bicep — Azure's native language

Bicep is a declarative DSL from Microsoft, compiled to ARM templates. Its advantage is native support for new services on launch day and no separate state — the source of truth is Azure itself.

param location string = resourceGroup().location

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'stzeusiac01'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
  }
}

Deployment:

az deployment group create \
  --resource-group rg-zeus-iac \
  --template-file main.bicep \
  --parameters location=westeurope

Terraform — the cross-platform standard

Terraform (HashiCorp) uses the azurerm provider. It is the choice when you manage multiple clouds (Azure + AWS + GCP) with one tool and one language (HCL). It requires managing a state file — ideally remotely, e.g. in a storage account.

terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
  }
}

provider "azurerm" {
  features {}
}

# The storage account below references this resource group, so it has to be
# declared in the same configuration (the original snippet omitted it).
resource "azurerm_resource_group" "zeus" {
  name     = "rg-zeus-iac"
  location = "westeurope"
}

resource "azurerm_storage_account" "zeus" {
  name                            = "stzeusiac02"
  resource_group_name             = azurerm_resource_group.zeus.name
  location                        = azurerm_resource_group.zeus.location
  account_tier                    = "Standard"
  account_replication_type        = "LRS"
  # Same hardening as the Bicep example: TLS 1.2 minimum, no anonymous blob access.
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false
}

Deployment:

terraform init
terraform plan -out tfplan
terraform apply tfplan

Which to choose?

Criterion            Bicep          Terraform
Reach                Azure only     multi-cloud
State management     none (ARM)     required (state file)
New Azure services   immediate      with a delay
Language             Bicep DSL      HCL
Module ecosystem     growing        very large

Tip: at ProfessNet we apply the rule "Bicep for pure-Azure projects, Terraform when more than one cloud is in play." Regardless of the choice — IaC always goes through a pipeline with code review, never apply from a laptop.

How ZEUS sees it

ZEUS scans IaC repositories (Bicep, Terraform) before deployment, which is the shift-left approach: it detects misconfigurations in the code (e.g. allowBlobPublicAccess: true, open NSGs) before they reach production. After deployment, ZEUS compares the actual state of the resources with the state declared in IaC and reports drift, i.e. the divergence between the code and what is actually running in the cloud.
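The two checks described above, a pre-deployment scan of IaC files for known-bad settings and a post-deployment drift comparison, are illustrated by the following added Python example. It is not ZEUS's code and not part of the original lesson: the rule ids (STG-001, STG-002) are hypothetical, the Bicep and Terraform snippets are constructed samples, and the "actual" resource properties stand in for what a real tool would read back from Azure.

```python
import re

# Constructed samples (not the page's repo): a Bicep storage account that is
# misconfigured, and a Terraform one that matches the hardened settings.
BICEP_SAMPLE = """\
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'stzeusiac01'
  properties: {
    minimumTlsVersion: 'TLS1_0'
    allowBlobPublicAccess: true
  }
}
"""

TERRAFORM_SAMPLE = """\
resource "azurerm_storage_account" "zeus" {
  name                            = "stzeusiac02"
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false
}
"""

# Rule catalogue per IaC flavour: (hypothetical rule id, description,
# regex capturing the configured value, value the rule expects).
# The same security requirement maps to a different key in each language.
RULES = {
    "bicep": [
        ("STG-001", "anonymous blob access must be disabled",
         r"allowBlobPublicAccess\s*:\s*(\w+)", "false"),
        ("STG-002", "minimum TLS version must be TLS1_2",
         r"minimumTlsVersion\s*:\s*'([^']+)'", "TLS1_2"),
    ],
    "terraform": [
        ("STG-001", "anonymous blob access must be disabled",
         r"allow_nested_items_to_be_public\s*=\s*(\w+)", "false"),
        ("STG-002", "minimum TLS version must be TLS1_2",
         r'min_tls_version\s*=\s*"([^"]+)"', "TLS1_2"),
    ],
}


def scan(source: str, flavour: str) -> list[dict]:
    """Shift-left scan: return one finding per violated rule.

    A setting that is absent from the code is reported as well (actual=None),
    because the rule requires it to be set explicitly rather than relying on
    whatever default the platform applies.
    """
    name_match = re.search(r"""name\s*[:=]\s*['"]([^'"]+)['"]""", source)
    resource = name_match.group(1) if name_match else "<unnamed>"
    findings = []
    for rule_id, description, pattern, expected in RULES[flavour]:
        match = re.search(pattern, source)
        actual = match.group(1) if match else None
        if actual != expected:
            findings.append({"rule": rule_id, "resource": resource,
                             "expected": expected, "actual": actual,
                             "message": description})
    return findings


def drift(declared: dict, actual: dict) -> dict:
    """Post-deployment drift report.

    Returns {property: (declared, actual)} for every declared property whose
    live value differs. Properties present only in 'actual' are ignored, since
    Azure adds many read-only attributes the IaC never declares.
    """
    return {key: (value, actual.get(key))
            for key, value in declared.items() if actual.get(key) != value}


# Constructed drift scenario: the code says "no public access", but the live
# resource (as a tool would read it back) has been flipped in the portal.
DECLARED = {"min_tls_version": "TLS1_2", "allow_nested_items_to_be_public": False}
ACTUAL = {"min_tls_version": "TLS1_2", "allow_nested_items_to_be_public": True,
          "provisioning_state": "Succeeded"}

if __name__ == "__main__":
    for finding in scan(BICEP_SAMPLE, "bicep"):
        print(f"[{finding['rule']}] {finding['resource']}: {finding['message']} "
              f"(found {finding['actual']!r}, expected {finding['expected']!r})")
    print("terraform sample findings:", scan(TERRAFORM_SAMPLE, "terraform"))
    print("drift:", drift(DECLARED, ACTUAL))
```

In a pipeline the scan step would run on every pull request and fail the build on any finding, which is what keeps a misconfiguration from reaching production; the drift function would run on a schedule against properties read back from Azure, so a change made in the portal shows up as a report instead of going unnoticed.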

In the next lesson: security and Microsoft Defender for Cloud.