Add Azure Bicep IaC for Windows Server VM with networking infrastructure #13

Open
Copilot wants to merge 3 commits into main from copilot/add-demo-iac-generator-azure

Copilot AI commented Feb 6, 2026

Implements a subscription-scoped Bicep deployment for a Windows Server 2022 VM with a complete networking stack in the Sweden Central region.

Architecture

main.bicep (subscription scope)
├── Resource Group
└── modules/
    ├── nsg.bicep      → Network Security Group with parameterized RDP source restriction
    ├── vnet.bicep     → VNet (10.0.0.0/16) + Subnet (10.0.0.0/24)
    ├── publicip.bicep → Standard SKU, static allocation
    ├── nic.bicep      → NIC binding
    └── vm.bicep       → Windows Server 2022, Standard_B2s

Key Implementation Details

  • Public IP: Standard SKU with static allocation (Basic SKU deprecated Sept 2025)
  • Security: rdpSourceAddressPrefix parameter enables CIDR-based source IP restriction for NSG rule; @secure() decorated password parameter never persisted in parameter files
  • Resource naming: uniqueString() suffix prevents collisions across deployments
  • Build artifacts: .gitignore pattern infra/bicep/**/*.json excludes ARM templates from version control

Usage

az deployment sub create \
  --location swedencentral \
  --template-file main.bicep \
  --parameters main.bicepparam \
  --parameters adminPassword='...' \
  --parameters rdpSourceAddressPrefix='203.0.113.0/24'  # Optional hardening

Deployment cost: ~$45/mo for demo configuration (Standard_B2s VM, Standard LRS disk).

Documentation includes prerequisites, deployment steps, security hardening recommendations, and architecture diagram.

Original prompt

This section details the original issue you should resolve

<issue_title>Demo IaC Generator: Azure VM + Network</issue_title>
<issue_description>You are generating demo IaC for Azure for infrastructure engineers/DevOps personas.

Parameters

IaC Language: Bicep

Requirements

  • Use Azure Bicep for the IaC
  • Create a virtual machine and associated resources:
    • Azure region: Sweden Central
    • Operating System: Windows Server
    • Virtual Network + Subnet: Use default address spaces
    • VM Size: Use a common, low-cost size suitable for demo
    • Network Security Group (NSG) with default rules
    • Network Interface (NIC)
    • Managed OS Disk
    • Public IP (for demo access)
  • Keep defaults low-cost and demo-friendly.
  • Do not output secrets or keys.
  • Assume deployment scope is subscription (include resource group creation).
  • Update the README.md in the IaC language folder to document how to deploy the generated IaC code.
  • Create a .bicepparam file with example parameter values (no secrets).
  • Ensure the IaC is deployable by verifying lint errors are resolved, and validation passes.</issue_description>

Comments on the Issue (you are @copilot in this section)


Copilot AI and others added 2 commits February 6, 2026 21:58
- Create main.bicep at subscription scope with resource group
- Add network modules (VNet, Subnet, NSG with RDP rule)
- Add VM module (Windows Server 2022, Standard_B2s)
- Add supporting modules (Public IP, NIC)
- Create main.bicepparam with example parameters
- Update README.md with comprehensive deployment instructions
- Add *.json to .gitignore for Bicep build artifacts

Co-authored-by: robpitcher <13648061+robpitcher@users.noreply.github.com>
- Update Public IP to Standard SKU (Basic deprecated as of Sept 2025)
- Change Public IP allocation from Dynamic to Static for stability
- Add rdpSourceAddressPrefix parameter for RDP source IP restriction
- Update .gitignore to specifically target Bicep artifacts (infra/bicep/**/*.json)
- Enhance README with RDP source IP restriction examples
- Update security considerations documentation

Co-authored-by: robpitcher <13648061+robpitcher@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add demo IaC generator for Azure VM and Network" to "Add Azure Bicep IaC for Windows Server VM with networking infrastructure" Feb 6, 2026
Copilot AI requested a review from robpitcher February 6, 2026 22:05
@robpitcher robpitcher marked this pull request as ready for review February 7, 2026 03:42
Copilot AI review requested due to automatic review settings February 7, 2026 03:42

Copilot AI left a comment

Pull request overview

Adds a subscription-scoped Azure Bicep deployment under infra/bicep/ to provision a demo Windows Server VM in Sweden Central, including the supporting network stack (VNet/Subnet, NSG, NIC, Public IP) plus documentation and parameter examples.

Changes:

  • Introduces main.bicep (subscription scope) to create a resource group and deploy modular network/compute components.
  • Adds reusable Bicep modules for NSG, VNet/Subnet, Public IP, NIC, and VM.
  • Adds deployment documentation (infra/bicep/README.md), an example .bicepparam, and ignores compiled ARM JSON outputs via .gitignore.

Reviewed changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated 4 comments.

| File | Description |
|---|---|
| infra/bicep/main.bicep | Subscription-scope orchestrator that creates the RG and wires together network + VM modules. |
| infra/bicep/main.bicepparam | Example parameter values for demo deployments (no secrets). |
| infra/bicep/modules/nsg.bicep | NSG with parameterized RDP source restriction. |
| infra/bicep/modules/vnet.bicep | VNet + subnet creation and outputs consumed by NIC module. |
| infra/bicep/modules/publicip.bicep | Standard SKU, static Public IP for VM access. |
| infra/bicep/modules/nic.bicep | NIC connected to subnet and Public IP. |
| infra/bicep/modules/vm.bicep | Windows Server 2022 VM definition using the NIC. |
| infra/bicep/README.md | End-to-end deployment, security guidance, and architecture documentation. |
| .gitignore | Ignores compiled Bicep ARM JSON artifacts under infra/bicep/**/*.json. |

Comment thread infra/bicep/README.md
│ │ │ │ │
│ │ ┌───────────┴───────┐ │ │
│ │ │ Public IP │ │ │
│ │ │ (Dynamic) │ │ │

Copilot AI Feb 7, 2026

The architecture diagram labels the Public IP as “(Dynamic)”, but the deployed Public IP resource is configured as Static allocation. Update the diagram to avoid contradicting the actual template and the later note about static allocation.

Suggested change
│ │ │ (Dynamic) │ │ │
│ │ │ (Static) │ │ │

Comment thread infra/bicep/README.md
Approximate monthly costs (as of 2026, Sweden Central region):
- VM (Standard_B2s): ~$30-40/month
- Managed Disk (Standard LRS 127GB): ~$5/month
- Public IP (Dynamic): ~$3/month

Copilot AI Feb 7, 2026

Cost section lists “Public IP (Dynamic)”, but the Public IP module uses Standard SKU with Static allocation. Align the cost breakdown wording with the actual configuration (and update any cost assumptions if they differ for Static).

Suggested change
- Public IP (Dynamic): ~$3/month
- Public IP (Standard, Static): ~$3/month

Comment on lines +31 to +48
subnets: [
{
name: subnetName
properties: {
addressPrefix: subnetAddressPrefix
networkSecurityGroup: {
id: nsgId
}
}
}
]
}
}

output vnetId string = virtualNetwork.id
output vnetName string = virtualNetwork.name
output subnetId string = virtualNetwork.properties.subnets[0].id
output subnetName string = virtualNetwork.properties.subnets[0].name

Copilot AI Feb 7, 2026

subnetId/subnetName outputs are derived via virtualNetwork.properties.subnets[0], which is brittle if the module is ever extended to multiple subnets or the order changes. Prefer outputting by declaring the subnet as an explicit child resource (or otherwise referencing the subnet by name) so consumers don’t depend on array ordering.

Suggested change
subnets: [
{
name: subnetName
properties: {
addressPrefix: subnetAddressPrefix
networkSecurityGroup: {
id: nsgId
}
}
}
]
}
}
output vnetId string = virtualNetwork.id
output vnetName string = virtualNetwork.name
output subnetId string = virtualNetwork.properties.subnets[0].id
output subnetName string = virtualNetwork.properties.subnets[0].name
}
// Subnet child resource within the virtual network
resource subnet 'subnets' = {
name: subnetName
properties: {
addressPrefix: subnetAddressPrefix
networkSecurityGroup: {
id: nsgId
}
}
}
}
output vnetId string = virtualNetwork.id
output vnetName string = virtualNetwork.name
output subnetId string = subnet.id
output subnetName string = subnet.name
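
Review bot: the replacement's nested `resource subnet 'subnets' = {` takes the subnet out of the VNet's `properties`, so the parent is now declared with no `subnets` array at all. Redeploying a VNet declared that way can make the deployment try to remove or recreate subnets that are in use, so consider keeping the inline array and adding `resource subnet 'subnets' existing = { name: subnetName }` inside the VNet only to supply `subnet.id` and `subnet.name`, then run a what-if against a second deployment to confirm nothing changes.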

Comment on lines +30 to +33
osProfile: {
computerName: vmName
adminUsername: adminUsername
adminPassword: adminPassword
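
Review bot: `adminPassword: adminPassword` on the last line hands the secret to `osProfile`, but the parameter's declaration is outside these lines. Confirm that `param adminPassword` in this module is itself decorated with `@secure()`, not only the parameter in main.bicep; without it the value is kept as a plain string in the module deployment's parameters.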

Copilot AI Feb 7, 2026

For Windows VMs, osProfile.computerName is limited to 15 characters (NetBIOS). Using vmName here will likely exceed that (e.g., with the uniqueString suffix) and cause deployment to fail. Use a separate, constrained computer name (e.g., parameter with @maxlength(15) or a shortened derived name) instead of reusing vmName.
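
A pre-flight check for two values discussed in this pull request, the `rdpSourceAddressPrefix` source restriction and the 15-character `computerName` limit, written as an added example that is not part of the PR or the repository. The function names, the 256-address threshold, the allowed-character subset and the sample values are assumptions, as is treating an unset `rdpSourceAddressPrefix` as unrestricted.

```python
import ipaddress
import re

def classify_rdp_source(prefix, max_addresses=256):
    """Classify an NSG source prefix as open, broad, restricted or not-cidr."""
    value = prefix.strip()
    if value.lower() in {"*", "internet"}:   # wildcard and the Internet service tag
        return "open"
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return "not-cidr"                    # other tags or typos: review by hand
    if net.prefixlen == 0:                   # 0.0.0.0/0 or ::/0
        return "open"
    return "broad" if net.num_addresses > max_addresses else "restricted"

def windows_computer_name(vm_name, limit=15):
    """Shorten a VM resource name to fit the 15-character computerName limit."""
    # Assumption: keep only letters, digits and hyphens (a conservative subset).
    cleaned = re.sub(r"[^A-Za-z0-9-]", "", vm_name)
    short = cleaned[:limit].rstrip("-")
    if not short:
        raise ValueError(f"no usable characters in {vm_name!r}")
    return short

def preflight(params):
    """Return findings for the values about to be passed to the deployment."""
    findings = []
    # Assumption: leaving the optional parameter unset means any source is allowed.
    verdict = classify_rdp_source(params.get("rdpSourceAddressPrefix", "*"))
    if verdict != "restricted":
        findings.append(f"rdpSourceAddressPrefix is {verdict}")
    name = params["vmName"]
    if len(name) > 15:
        findings.append(
            f"vmName has {len(name)} characters; computerName could be "
            f"{windows_computer_name(name)!r}")
    return findings

# Constructed sample values; the 13-character tail stands in for a uniqueString() suffix.
SAMPLES = [
    {"vmName": "vm-demo-win-abcdefghijklm"},
    {"vmName": "vm-demo", "rdpSourceAddressPrefix": "203.0.113.0/24"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", preflight(sample) or "ok")
```

Because `uniqueString()` returns 13 characters, any name prefix longer than two characters pushes the combined name past the limit, which is why the first sample is flagged.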
