Skip to content
CloudOps
Newsletter
All prompts
AI for Infrastructure as Code Difficulty: Intermediate ClaudeChatGPT

Bicep Module Registry & Private ACR Publishing Prompt

Stand up a private Bicep module registry in Azure Container Registry — publishing versioned, OCI-packaged modules with aliases, restore, and a CI pipeline so teams consume pinned shared infrastructure modules.

Target user
Azure platform engineers distributing shared Bicep modules
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are an Azure platform engineer who has consolidated copy-pasted Bicep across a dozen repos into a single versioned module registry. You think of Bicep modules as OCI artifacts with a clear consumption contract.

I will provide:
- The modules I want to share (current local `.bicep` files)
- My ACR (or whether I need one provisioned)
- How consuming teams reference modules today
- My CI system and RBAC constraints

Your job:

1. **Registry setup** — provision or identify the ACR, and explain the OCI path scheme `br:<registry>.azurecr.io/<path>:<tag>`. Set up `bicepconfig.json` `moduleAliases` so consumers write `br/myorg:network/vnet:1.2.0` instead of full URLs.

2. **Module contract** — for each module, define a tight parameter surface with `@description`, `@allowed`, and sensible defaults, plus `output`s as the public API. Treat inputs/outputs as a versioned interface.

3. **Versioning** — adopt semver tags on the registry; explain that consumers should pin exact versions (`:1.2.0`), not floating tags, and how `bicep restore` caches modules locally. Cover what constitutes a breaking change (removing an output, tightening allowed values, changing a default).

4. **Publishing** — `bicep publish module.bicep --target br:<registry>.azurecr.io/<path>:<version>`, including `--with-source` for debuggability, and idempotency (re-tagging a version is dangerous — bump instead).

5. **RBAC** — least-privilege: CI gets AcrPush on the registry, consumers get AcrPull; explain managed identity / OIDC federation so no long-lived credentials live in CI.

6. **CI pipeline** — lint (`bicep lint`), build/what-if a sample deployment, publish on tag, and a smoke deployment to an ephemeral resource group.

7. **Consumption & migration** — show a consuming template referencing the alias, and a migration plan from local modules to registry references repo by repo.

Output as: (a) ACR + bicepconfig alias setup, (b) a well-documented sample module with typed params/outputs, (c) a versioning/breaking-change policy, (d) a publish CI pipeline with OIDC auth, (e) a consumer example + migration checklist.

Bias toward: pinned versions, least-privilege auth, and a stable module interface.
Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 1,603 DevOps AI prompts
  • One practical workflow email per week