This guide explains how to set up a local development environment, test changes, and contribute to the CDM Starter Kit.
Before you start, ensure you have the following installed:
-
Azure CLI (v2.50+)
- Installation Guide
- Verify:
az --version
-
Bicep CLI (v0.20+)
- Installed with Azure CLI by default, or:
az bicep install- Verify:
az bicep --version
-
Git
-
PowerShell (v7+) or Bash
- For running deployment scripts
- PowerShell Core
-
Visual Studio Code
-
Azure Storage Explorer
- For testing storage account connectivity
git clone https://github.com/microsoft/cdm-starter-kit.git
cd cdm-starter-kitaz login
az account set --subscription <your-subscription-id>Verify authentication:
az account showaz bicep version
bicep --versionBefore committing or submitting a PR, validate your Bicep files:
# Validate a single file
az bicep build --file bicep/main.bicep
# Validate all Bicep files in a directory
for file in bicep/*.bicep; do
echo "Validating $file..."
az bicep build --file "$file"
doneExpected output: No errors, generated ARM template in same directory as .json
The repository uses bicepconfig.json for linting standards. Errors block deployment; warnings are advisory.
Check linting rules:
# bicepconfig.json is in the repo root
# Rules are automatically applied when you run bicep build
az bicep build --file bicep/main.bicepCommon errors you'll see:
adminusername-should-not-be-literal- Don't hardcode admin usernamesoutputs-should-not-contain-secrets- Never output secretspassword-properties-should-be-secure- Use@secure()for passwordssecure-secrets-in-params- No secrets in parameter files
Generate ARM templates (for testing/understanding):
az bicep build --file bicep/main.bicep --outdir ./build/Output: bicep/main.json (generated ARM template)
Before validating or deploying, confirm the following in the target subscription and region:
- Required resource providers are registered
- Subscription quotas are sufficient for the planned deployment
- Selected SKUs are available in the target region
- Regional capacity or service restrictions do not block deployment
- Required permissions exist on the subscription and resource group
Test Bicep syntax and permissions without creating resources:
az deployment group validate \
--subscription <subscription-id> \
--resource-group <resource-group-name> \
--template-file bicep/main.bicep \
--parameters @parameters.jsonExpected output: No errors if template and parameters are valid
See what resources will be created/modified without deploying:
az deployment group what-if \
--subscription <subscription-id> \
--resource-group <resource-group-name> \
--template-file bicep/main.bicep \
--parameters @parameters.jsonReview the output to ensure expected resources are listed.
Deploy to your test resource group:
az deployment group create \
--subscription <subscription-id> \
--resource-group <resource-group-name> \
--template-file bicep/main.bicep \
--parameters @parameters.jsonAfter deployment: Review Azure Portal to verify resources created successfully.
Delete test resources:
az group delete \
--resource-group <resource-group-name> \
--yesCreate parameters.test.json (NOT tracked in git):
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"projectName": {
"value": "cdmtest"
},
"environment": {
"value": "dev"
},
"location": {
"value": "eastus"
}
}
}Important:
- Never commit actual credentials or subscription IDs
- Use
.gitignoreto excludeparameters.*.local.jsonfiles - Use parameterized values for all sensitive inputs
git checkout -b feature/your-feature-nameBranch naming conventions:
feature/new-module- New Bicep modulesfix/bug-description- Bug fixesdocs/documentation-topic- Documentation updates
Edit Bicep files in bicep/ or documentation files.
# Validate Bicep syntax
az bicep build --file bicep/your-file.bicep
# Test deployment (if infrastructure changes)
az deployment group validate \
--resource-group <test-rg> \
--template-file bicep/your-file.bicep \
--parameters @parameters.test.json
# Check for secrets (visual scan)
grep -r "password\|secret\|key\|token" bicep/git add .
git commit -m "feat: description of your change"Commit message format:
feat:for new featuresfix:for bug fixesdocs:for documentationchore:for tooling/config updatesrefactor:for non-breaking code restructuring
git push origin feature/your-feature-nameThen open a PR on GitHub. See CONTRIBUTING.md for PR requirements.
Before submitting a PR, verify:
-
✅ Bicep files validate without errors
az bicep build --file bicep/*.bicep -
✅ No hardcoded secrets, credentials, or tenant IDs
grep -ri "password\|secret\|key\|token\|subscription\|tenant" bicep/ -
✅ Parameters are properly parameterized
- No hardcoded values for environment-specific settings
-
✅ RBAC assignments use proper role names
- Avoid hardcoded role GUIDs; use role display names where possible
-
✅ Deployment tested with
what-if- Review expected resource changes
-
✅ Documentation updated
- Updated README.md, docs/architecture.md, or CHANGELOG.md if needed
-
✅ No breaking changes (or clearly documented)
- Parameter names unchanged
- Resource naming conventions consistent
Error: adminusername-should-not-be-literal
Fix: Don't hardcode the admin username; use a parameter:
// ❌ Wrong
param adminUsername string = 'azureuser'
// ✅ Correct
param adminUsername stringError: Insufficient privileges to complete the operation
Fix:
# Ensure you have Contributor or Owner role
az role assignment list --assignee $(az account show --query user.name -o tsv)
# If needed, request access from subscription ownerProblem: Deployment would create/modify unexpected resources
Fix:
- Review parameter values in your
.jsonfile - Check Bicep variable mappings
- Verify resource naming conventions
- Run locally and review ARM template:
az bicep build --file bicep/main.bicep --outdir ./build/
Problem: Local validation works, but CI fails
Fix:
- Ensure Azure CLI and Bicep versions match:
az --version az bicep version
- Update tools:
az upgrade az bicep upgrade
- CONTRIBUTING.md - PR submission guidelines
- docs/architecture.md - Architecture overview
- SECURITY.md - Security reporting
- Check docs/faq.md for common questions
- Search existing issues
- Review GitHub Discussions
- For security concerns, see SECURITY.md
Happy developing!