πŸ”’ Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided AZ-400 Domain 3
Domain 3 β€” Module 11 of 13 85%
17 of 25 overall

AZ-400 Study Guide

Domain 1: Design and Implement Processes and Communications

  • Work Item Tracking: Boards, GitHub & Flow
  • DevOps Metrics: Dashboards That Drive Decisions
  • Collaboration: Wikis, Teams & Release Notes

Domain 2: Design and Implement a Source Control Strategy

  • Branching Strategies: Trunk-Based, Feature & Release
  • Pull Requests: Policies, Protections & Merge Rules
  • Repository Management: LFS, Permissions & Recovery

Domain 3: Design and Implement Build and Release Pipelines

  • Package Management: Feeds, Versioning & Upstream
  • Testing Strategy: Quality Gates & Release Gates
  • Test Implementation: Code Coverage & Pipeline Tests
  • Azure Pipelines: YAML from Scratch Free
  • GitHub Actions: Workflows from Scratch Free
  • Pipeline Agents: Self-Hosted, Hybrid & VM Templates
  • Multi-Stage Pipelines: Templates, Variables & Approvals
  • Deployment Strategies: Blue-Green, Canary & Ring Free
  • Safe Rollouts: Slots, Dependencies & Hotfix Paths
  • Deployment Implementations: Containers, Scripts & Databases
  • Infrastructure as Code: ARM vs Bicep vs Terraform
  • IaC in Practice: Desired State & Deployment Environments
  • Pipeline Maintenance: Health, Migration & Retention

Domain 4: Develop a Security and Compliance Plan

  • Pipeline Identity: Service Principals, Managed IDs & OIDC Free
  • Authorization & Access: GitHub Roles & Azure DevOps Security
  • Secrets & Secure Pipelines: Key Vault & Workload Federation
  • Security Scanning: GHAS, Defender & Dependabot

Domain 5: Implement an Instrumentation Strategy

  • Monitoring for DevOps: Azure Monitor & App Insights
  • Metrics & KQL: Analysing Telemetry & Traces

AZ-400 Study Guide

Domain 1: Design and Implement Processes and Communications

  • Work Item Tracking: Boards, GitHub & Flow
  • DevOps Metrics: Dashboards That Drive Decisions
  • Collaboration: Wikis, Teams & Release Notes

Domain 2: Design and Implement a Source Control Strategy

  • Branching Strategies: Trunk-Based, Feature & Release
  • Pull Requests: Policies, Protections & Merge Rules
  • Repository Management: LFS, Permissions & Recovery

Domain 3: Design and Implement Build and Release Pipelines

  • Package Management: Feeds, Versioning & Upstream
  • Testing Strategy: Quality Gates & Release Gates
  • Test Implementation: Code Coverage & Pipeline Tests
  • Azure Pipelines: YAML from Scratch Free
  • GitHub Actions: Workflows from Scratch Free
  • Pipeline Agents: Self-Hosted, Hybrid & VM Templates
  • Multi-Stage Pipelines: Templates, Variables & Approvals
  • Deployment Strategies: Blue-Green, Canary & Ring Free
  • Safe Rollouts: Slots, Dependencies & Hotfix Paths
  • Deployment Implementations: Containers, Scripts & Databases
  • Infrastructure as Code: ARM vs Bicep vs Terraform
  • IaC in Practice: Desired State & Deployment Environments
  • Pipeline Maintenance: Health, Migration & Retention

Domain 4: Develop a Security and Compliance Plan

  • Pipeline Identity: Service Principals, Managed IDs & OIDC Free
  • Authorization & Access: GitHub Roles & Azure DevOps Security
  • Secrets & Secure Pipelines: Key Vault & Workload Federation
  • Security Scanning: GHAS, Defender & Dependabot

Domain 5: Implement an Instrumentation Strategy

  • Monitoring for DevOps: Azure Monitor & App Insights
  • Metrics & KQL: Analysing Telemetry & Traces
Domain 3: Design and Implement Build and Release Pipelines Premium ⏱ ~14 min read

Infrastructure as Code: ARM vs Bicep vs Terraform

Choose and implement the right IaC tool. Compare ARM templates, Bicep, and Terraform for Azure infrastructure. Define IaC strategy including source control, testing, and configuration management.

Why Infrastructure as Code?

β˜• Simple explanation

Think of building with LEGO instructions vs freestyling.

If you build a spaceship from LEGO instructions, you can rebuild it identically every time. If your friend follows the same instructions, they get the exact same spaceship. If you freestyle, every build is slightly different β€” and when it breaks, nobody knows how to fix it because there are no instructions.

Infrastructure as Code means writing instructions (code) for your cloud resources instead of clicking through the Azure portal. The code is your LEGO instructions β€” repeatable, shareable, version-controlled, and testable.

Infrastructure as Code (IaC) treats infrastructure provisioning as a software development practice. Instead of manual portal clicks or ad-hoc scripts, you define your desired infrastructure state in declarative templates that are version-controlled, peer-reviewed, tested, and deployed through pipelines. For the AZ-400 exam, you must compare ARM templates, Bicep, and Terraform, recommend the right tool for a scenario, and design an end-to-end IaC strategy covering source control, testing, and pipeline deployment.

The Three IaC Tools for Azure

ARM Templates

Azure Resource Manager (ARM) templates are the native Azure IaC format β€” JSON files that define resources declaratively. Every Azure resource supports ARM because ARM is the underlying deployment engine.

// Simplified example β€” not complete
"resources": [
  {
    "type": "Microsoft.Web/sites",
    "apiVersion": "2022-09-01",
    "name": "claims-api",
    "location": "[resourceGroup().location]",
    "properties": {
      "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'claims-plan')]"
    }
  }
]

ARM templates are verbose but universally supported. Every Azure resource type is available on day one because ARM is the deployment layer itself.

Bicep

Bicep is a domain-specific language (DSL) that compiles to ARM JSON. It provides a cleaner, more readable syntax while producing the same ARM deployment.

resource appService 'Microsoft.Web/sites@2022-09-01' = {
  name: 'claims-api'
  location: resourceGroup().location
  properties: {
    serverFarmId: plan.id
  }
}

Bicep is not a separate deployment engine β€” it transpiles to ARM. This means every ARM feature is available in Bicep, and Bicep inherits ARM’s same-day resource support.

Terraform (with AzureRM Provider)

Terraform by HashiCorp is a multi-cloud IaC tool. The AzureRM provider enables Azure resource management using HCL (HashiCorp Configuration Language).

resource "azurerm_linux_web_app" "claims" {
  name                = "claims-api"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  service_plan_id     = azurerm_service_plan.main.id
}

Terraform manages state in a state file that maps declared resources to real Azure resources. This state file is critical β€” lose it and Terraform cannot manage your existing infrastructure.

ARM vs Bicep vs Terraform

Bicep is recommended for new Azure-only projects. Terraform when multi-cloud is a requirement.
CapabilityARM TemplatesBicepTerraform
LanguageJSONBicep DSL (compiles to ARM JSON)HCL (HashiCorp Configuration Language)
Cloud supportAzure onlyAzure onlyMulti-cloud (Azure, AWS, GCP, 3000+ providers)
State managementAzure handles state (no state file)Azure handles state (no state file)External state file required (local, Azure Blob, Terraform Cloud)
New resource supportDay-one for all Azure resourcesDay-one (compiles to ARM)Depends on provider update cycle (can lag days to weeks)
ReadabilityLow β€” verbose JSON, repetitiveHigh β€” clean syntax, type safetyHigh β€” declarative HCL, familiar to multi-cloud teams
ModularityLinked/nested templates (complex)Modules with typed parametersModules with input/output variables
What-if / Planaz deployment what-ifaz deployment what-if (same as ARM)terraform plan (detailed diff output)
Secret handlingsecureString parameter typeDecorated with @secure()sensitive = true hides from CLI output; values still stored in state file β€” encrypt and restrict access
ToolingVS Code ARM extensionVS Code Bicep extension (IntelliSense, linting)VS Code Terraform extension, TFLint, Checkov
Learning curveSteep (JSON verbosity, expression syntax)Gentle (if you know ARM concepts)Moderate (new language, state concepts)
Destroy supportComplete deployment mode (dangerous)Complete deployment mode (dangerous)terraform destroy (shows plan first, supports -target)
Best forLegacy templates, maximum compatibilityAzure-only teams wanting clean syntaxMulti-cloud or teams already invested in Terraform
Question

Why does Bicep have day-one support for new Azure resources but Terraform sometimes lags?

Click or press Enter to reveal answer

Answer

Bicep compiles to ARM JSON β€” it IS the ARM deployment engine with friendlier syntax. Any resource ARM supports, Bicep supports immediately. Terraform uses a separate AzureRM provider maintained by HashiCorp and Microsoft. New resource types require a provider update, which can lag by days or weeks after ARM adds support.

Click to flip back
Question

What happens if you lose the Terraform state file?

Click or press Enter to reveal answer

Answer

Terraform cannot determine which real Azure resources correspond to your HCL declarations. It may attempt to create duplicate resources or fail entirely. To recover, you must import existing resources into a new state file one by one (terraform import). Best practice: store state remotely in Azure Blob Storage with locking (via lease) and enable versioning for state recovery.

Click to flip back

Terraform State Management

Terraform state is the most critical operational concern when using Terraform:

  • Remote backend β€” store state in Azure Blob Storage (encrypted at rest, versioning for recovery)
  • State locking β€” use blob lease locking to prevent concurrent modifications
  • State encryption β€” Azure Blob Storage encrypts at rest; for additional security, use customer-managed keys
  • State file contents β€” contains resource IDs, attributes, and potentially sensitive outputs. Treat it as confidential.
terraform {
  backend "azurerm" {
    resource_group_name  = "tfstate-rg"
    storage_account_name = "tfstatestorage"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
  }
}
πŸ’‘ Scenario: Jordan selects the right IaC tool

☁️ Jordan at Cloudstream Media faces a common decision. The company runs:

  • Core platform β€” Azure-only (App Services, SQL, Redis, Storage)
  • CDN and edge β€” Cloudflare (not Azure)
  • Video processing β€” some AWS Lambda functions (legacy)

Jordan recommends a split strategy:

  • Bicep for all Azure-only infrastructure (App Services, databases, networking) β€” cleaner syntax, day-one support, no state file to manage
  • Terraform for the cross-cloud pieces (Cloudflare DNS, AWS Lambda) β€” multi-provider support in a single tool

For the exam, remember: if the scenario is Azure-only, recommend Bicep. If multi-cloud is involved, recommend Terraform. If maintaining legacy templates, ARM is acceptable but suggest migrating to Bicep.

IaC Strategy: Source Control, Testing, and Deployment

Source Control for IaC

  • Store IaC templates in the same repository as application code (monorepo) or a dedicated infrastructure repository (if infra team is separate)
  • Use pull requests for all IaC changes β€” peer review catches resource misconfigurations before deployment
  • Branch protection β€” require at least one reviewer and passing CI checks before merging
  • Tag releases for infrastructure versions (e.g., infra-v2.4.0)

Testing IaC

Test TypeWhat It ValidatesTool
LintingSyntax, style, best practicesBicep linter, TFLint, ARM-TTK
Static analysisSecurity and compliance rulesCheckov, tfsec, PSRule for Azure
What-If / PlanPreview changes before applyingaz deployment what-if, terraform plan
Policy validationAzure Policy complianceAzure Policy (deny effect), OPA/Conftest
Integration testingDeploy to ephemeral environment, validate, destroyTerratest (Go), Pester (PowerShell)

Pipeline Deployment Pattern

Lint β†’ Static Analysis β†’ What-If/Plan β†’ Manual Approval β†’ Deploy β†’ Smoke Test

For Bicep:

- task: AzureCLI@2
  inputs:
    azureSubscription: 'MyAzureConnection'
    scriptType: 'bash'
    inlineScript: |
      az deployment group what-if \
        --resource-group myRG \
        --template-file main.bicep \
        --parameters @params.json

For Terraform:

- script: |
    terraform init
    terraform plan -out=tfplan
  displayName: 'Terraform Plan'
- script: terraform apply tfplan
  displayName: 'Terraform Apply'
Question

What is the purpose of az deployment what-if for Bicep/ARM?

Click or press Enter to reveal answer

Answer

what-if previews the changes a deployment would make WITHOUT actually deploying. It shows resources that would be created, modified, deleted, or left unchanged. This is the Bicep/ARM equivalent of terraform plan. Use it in pipelines as a validation step before manual approval and actual deployment.

Click to flip back
Question

What is Checkov and why is it important for IaC pipelines?

Click or press Enter to reveal answer

Answer

Checkov is an open-source static analysis tool that scans Terraform, Bicep, ARM, and CloudFormation templates for security misconfigurations (e.g., storage account without HTTPS enforcement, database without encryption, public IP on a VM). It runs in CI/CD pipelines as a quality gate β€” failing the build if security policies are violated. Over 1,000 built-in policies.

Click to flip back
πŸ’‘ Exam tip: When to recommend which IaC tool

The exam presents scenarios and expects you to select the right tool:

ScenarioRecommend
Azure-only, new project, clean startBicep
Multi-cloud (Azure + AWS or GCP)Terraform
Existing ARM templates, no migration budgetARM Templates (suggest Bicep migration roadmap)
Team already uses Terraform for other cloudsTerraform (consistency across clouds)
Need day-one support for preview Azure resourcesBicep (Terraform provider may lag)
Want to avoid managing state filesBicep (ARM handles state)
Government/regulated requiring strict version control of infra stateTerraform (explicit state enables drift detection)
Configuration management of OS-level settingsNeither β€” use Azure Machine Configuration or Automation DSC (covered in Module 18)
Knowledge Check

Jordan's team manages infrastructure across Azure and AWS. They want a single IaC tool with consistent workflow across both clouds. Which tool should Jordan recommend?
Knowledge Check

A team using Terraform accidentally deletes the state file from their local machine. They have real Azure resources running in production. What is the impact and recovery path?
Knowledge Check

Which IaC testing approach validates that a Bicep template will not create resources that violate organisational security policies (e.g., storage accounts must enforce HTTPS)?

🎬 Video coming soon

ARM vs Bicep vs Terraform

Next up: IaC in Practice: Desired State and Deployment Environments

← Previous

Deployment Implementations: Containers, Scripts & Databases

Next β†’

IaC in Practice: Desired State & Deployment Environments

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.