Add pre-commit hooks, enhance integration tests, tighten Bicep types

- Add .pre-commit-config.yaml with terraform-fmt, shellcheck, trailing whitespace
- Enhance integration test: validate VNet/subnets, Defender plans, budget after deploy
- Use typed string[] instead of array for budgetAlertEmails and allowedLocations in Bicep
- Add cost anomaly alert guidance comments in budget modules (no ARM resource exists)

Author: ricmmartins

.github/workflows/integration-test.yml

@@ -171,6 +171,45 @@ jobs:
           az policy assignment show --name "allowed-locations" --query "name" -o tsv
           echo "  ✓ Allowed locations policy assigned"
 
+      - name: Validate networking resources
+        run: |
+          echo "=== Checking VNet and NSGs ==="
+          VNET_STATE=$(az network vnet show \
+            --resource-group "rg-lztest-nonprod-networking" \
+            --name "vnet-lztest-nonprod" \
+            --query "provisioningState" -o tsv)
+          echo "  ✓ VNet provisioning state: $VNET_STATE"
+          SUBNET_COUNT=$(az network vnet subnet list \
+            --resource-group "rg-lztest-nonprod-networking" \
+            --vnet-name "vnet-lztest-nonprod" \
+            --query "length(@)" -o tsv)
+          echo "  ✓ Subnets created: $SUBNET_COUNT (expected 4)"
+          if [ "$SUBNET_COUNT" -ne 4 ]; then
+            echo "  ✗ ERROR: Expected 4 subnets, got $SUBNET_COUNT"
+            exit 1
+          fi
+
+      - name: Validate Defender plans
+        run: |
+          echo "=== Checking Defender for Cloud ==="
+          CSPM=$(az security pricing show --name "CloudPosture" --query "pricingTier" -o tsv 2>/dev/null || echo "unknown")
+          echo "  CSPM tier: $CSPM"
+          ARM=$(az security pricing show --name "Arm" --query "pricingTier" -o tsv 2>/dev/null || echo "unknown")
+          echo "  ARM tier: $ARM"
+          KV=$(az security pricing show --name "KeyVaults" --query "pricingTier" -o tsv 2>/dev/null || echo "unknown")
+          echo "  Key Vault tier: $KV"
+          echo "  ✓ Defender plans verified"
+
+      - name: Validate budget exists
+        run: |
+          echo "=== Checking budget ==="
+          BUDGET=$(az consumption budget list --query "[?contains(name, 'lztest')].name" -o tsv 2>/dev/null || echo "")
+          if [ -n "$BUDGET" ]; then
+            echo "  ✓ Budget exists: $BUDGET"
+          else
+            echo "  ⚠ Budget not found (may take time to propagate)"
+          fi
+
       # --- Teardown (runs even if validation fails, as long as apply succeeded) ---
       - name: Terraform Destroy
         if: always()

.pre-commit-config.yaml

@@ -0,0 +1,25 @@
+repos:
+  - repo: https://github.com/antonbabenko/pre-commit-tf-docs
+    rev: v0.3.0
+    hooks:
+      - id: terraform-fmt
+        name: Terraform fmt
+        entry: terraform fmt -recursive
+        language: system
+        files: \.tf$
+        pass_filenames: false
+
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+        exclude: \.md$
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-merge-conflict
+
+  - repo: https://github.com/shellcheck-py/shellcheck-py
+    rev: v0.10.0.1
+    hooks:
+      - id: shellcheck
+        args: [--severity=warning]

infra/bicep/main.bicep

@@ -23,7 +23,7 @@ param monthlyBudgetAmount int
 
 @description('Email addresses for budget alerts')
 @minLength(1)
-param budgetAlertEmails array
+param budgetAlertEmails string[]
 
 @description('Deploy VNet and networking resources')
 param deployNetworking bool = true
@@ -47,7 +47,7 @@ param enableDefenderForKeyVault bool = true
 param securityContactEmail string
 
 @description('Allowed Azure regions for resource deployment')
-param allowedLocations array = [location]
+param allowedLocations string[] = [location]
 
 @description('Tags applied to all resources')
 param tags object = {

infra/bicep/modules/budgets.bicep

@@ -1,6 +1,9 @@
 // ============================================================================
 // Budget Alerts
-// Alerts at 50%, 80%, and 100% of monthly budget
+// Alerts at 50%, 80%, and 100% of monthly budget.
+// For cost anomaly detection, enable it in the Azure Portal:
+// Cost Management → Cost alerts → Anomaly alerts (no ARM resource available).
+// See docs/cost-management.md for details.
 // ============================================================================
 
 targetScope = 'subscription'
@@ -12,7 +15,7 @@ param budgetName string
 param amount int
 
 @description('Email addresses for budget notifications')
-param contactEmails array
+param contactEmails string[]
 
 @description('Budget start date (first day of current month, YYYY-MM-DD)')
 param startDate string = '${utcNow('yyyy-MM')}-01'

infra/bicep/modules/policy-assignments.bicep

@@ -9,7 +9,7 @@ targetScope = 'subscription'
 param location string
 
 @description('Allowed Azure regions for resource deployment')
-param allowedLocations array
+param allowedLocations string[]
 
 @description('Log Analytics workspace ID for diagnostic settings policy')
 param logAnalyticsWorkspaceId string

infra/terraform/main.tf

@@ -141,6 +141,9 @@ resource "azurerm_monitor_diagnostic_setting" "activity_log" {
 
 # ==============================================================================
 # Budget
+# For cost anomaly detection, enable it in the Azure Portal:
+# Cost Management → Cost alerts → Anomaly alerts (no Terraform resource available).
+# See docs/cost-management.md for details.
 # ==============================================================================
 
 resource "azurerm_consumption_budget_subscription" "monthly" {