Update project metadata

frasermolyneux · frasermolyneux · commit 751bae286aeb · 2026-02-11T06:08:33.000-08:00
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
@@ -0,0 +1,19 @@
+# Copilot Instructions
+
+- **Purpose**: Catalog of reusable Azure Bicep modules published to ACR `acrty7og2i6qpv3s` under `bicep/modules/{module}`; registry is provisioned by the platform-strategic-services project.
+- **Layout**: Each module lives in `modules/<name>/` with `main.bicep` plus `metadata.json` carrying `version.major|minor|revision`. Publishing fails if either file is missing.
+- **Versioning behavior**: Non-main builds publish `V{major}.{minor}.{revision}-preview` only. Main builds also push `V{major}.x`, `V{major}.{minor}.x`, and `latest` when the full version tag is new.
+- **Publish script**: [Publish-BicepModuleToAcr.ps1](../.azure-pipelines/scripts/Publish-BicepModuleToAcr.ps1) drives tagging; it skips publishing when the `V{major}.{minor}.{revision}` tag already exists. Repository prefix defaults to `bicep/modules`.
+- **Pipelines**: [devops-secure-scanning](../.azure-pipelines/devops-secure-scanning.yml) runs weekly and on PRs to main using `jobs/devops-secure-scanning.yml` from the `ado-pipeline-templates` repo. [release-to-production](../.azure-pipelines/release-to-production.yml) builds with `bicep-lint-code` then loops modules to publish via service connection `spn-bicep-modules-production`; scheduled weekly and on main.
+- **Local workflow**: Update `metadata.json` when changing `main.bicep`; validate with `az bicep build --file modules/<name>/main.bicep`. Manual publish example:
+  ```powershell
+  pwsh ./.azure-pipelines/scripts/Publish-BicepModuleToAcr.ps1 `
+    -moduleName keyvault `
+    -modulesRootPath ./modules `
+    -acrName acrty7og2i6qpv3s `
+    -previewRelease $true
+  ```
+  Requires `az login` and rights to the registry.
+- **Module catalogue**: modules include `apiManagementLogger`, `apiManagementSubscription`, `appConfigurationStore`, `appInsights`, `frontDoorCNAME`, `frontDoorEndpoint`, `keyVault`, `keyVaultAccessPolicy`, `keyVaultRoleAssignment`, `keyVaultSecret`, `sqlDatabase`, `storageAccount`, `webTest`.
+- **Dependencies**: Pipelines consume templates from the `ado-pipeline-templates` GitHub repo and require Azure CLI with Bicep installed.
+- **Docs**: See [docs/overview.md](../docs/overview.md) and [docs/development-workflows.md](../docs/development-workflows.md) for module layout and pipeline details.
diff --git a/README.md b/README.md
@@ -1,57 +1,20 @@
 # Bicep Modules
 
-[![Build Status](https://dev.azure.com/frasermolyneux/Personal-Public/_apis/build/status%2fbicep-modules.DevOpsSecureScanning?branchName=main)](https://dev.azure.com/frasermolyneux/Personal-Public/_build/latest?definitionId=209&branchName=main)
-[![Build Status](https://dev.azure.com/frasermolyneux/Personal-Public/_apis/build/status%2fbicep-modules.OnePipeline?repoName=frasermolyneux%2fbicep-modules&branchName=main&stageName=Build)](https://dev.azure.com/frasermolyneux/Personal-Public/_build/latest?definitionId=175&repoName=frasermolyneux%2fbicep-modules&branchName=main)
-[![Build Status](https://dev.azure.com/frasermolyneux/Personal-Public/_apis/build/status%2fbicep-modules.OnePipeline?repoName=frasermolyneux%2fbicep-modules&branchName=main&stageName=Deploy)](https://dev.azure.com/frasermolyneux/Personal-Public/_build/latest?definitionId=175&repoName=frasermolyneux%2fbicep-modules&branchName=main)
+[![DevOps Secure Scanning](https://dev.azure.com/frasermolyneux/Personal-Public/_apis/build/status%2fbicep-modules.DevOpsSecureScanning?branchName=main)](https://dev.azure.com/frasermolyneux/Personal-Public/_build/latest?definitionId=209&branchName=main)
+[![Pipeline Build](https://dev.azure.com/frasermolyneux/Personal-Public/_apis/build/status%2fbicep-modules.OnePipeline?repoName=frasermolyneux%2fbicep-modules&branchName=main&stageName=Build)](https://dev.azure.com/frasermolyneux/Personal-Public/_build/latest?definitionId=175&repoName=frasermolyneux%2fbicep-modules&branchName=main)
+[![Pipeline Deploy](https://dev.azure.com/frasermolyneux/Personal-Public/_apis/build/status%2fbicep-modules.OnePipeline?repoName=frasermolyneux%2fbicep-modules&branchName=main&stageName=Deploy)](https://dev.azure.com/frasermolyneux/Personal-Public/_build/latest?definitionId=175&repoName=frasermolyneux%2fbicep-modules&branchName=main)
 
----
+## Documentation
+- [Overview](docs/overview.md) - Module layout, catalogue, and registry dependencies
+- [Development Workflows](docs/development-workflows.md) - Pipelines, local validation, and publish guidance
 
 ## Overview
-
-This repository contains common Bicep modules and associated Azure DevOps pipelines for the validation and deployment of them to an Azure Container Registry.
-
-The Azure Container Registry is deployed by the `platform-strategic-services` project and therefore a dependency.
-
----
-
-## Related Projects
-
-* [frasermolyneux/platform-strategic-services](https://github.com/frasermolyneux/platform-strategic-services) - The Azure Container Registry is deployed by this project.
-* [frasermolyneux/azure-landing-zones](https://github.com/frasermolyneux/azure-landing-zones) - The deploy service principal is managed by this project.
-
----
-
-## Solution
-
-The included Bicep modules have been extracted out of a series of projects that I have worked on through my learning and development. They are largely focused on Azure Integration Services such as API Management, Azure Functions, App Services and Key Vault.
-
-### Versioning
-
-Each module within the solution has a metadata `.json` file that is within the `metadata` folder. Currently this contains a JSON payload that simply has a version object containing `major`, `minor` and `revision` properties - there is the future potential to add additional metadata here such as tagging, author and description. For each module file there *must* be a metadata file and for a new version to be pushed the metadata file must be updated.
-
-If the build is running from any branch other than `main` then a *-preview* suffix is added to the tag and the `.x` and `latest` tags will not be pushed.
-
-As such, for a new version to be pushed the metadata file is required to be updated. There is no automation at present as it is not warranted.
-
----
-
-## Pipelines
-
-The `one-pipeline` is within the `.azure-pipelines` folder and output is visible on the [frasermolyneux/Personal-Public](https://dev.azure.com/frasermolyneux/Personal-Public/_build?definitionId=175) Azure DevOps project.
-
-The [Publish-BicepModuleToAcr.ps1](/.azure-pipelines/scripts/Publish-BicepModuleToAcr.ps1) script is executed per module and uses the following rules to publish:
-
-* Will only push a new version if the `major.minor.revision` tag does not already exist
-* When pushing a new version will also push that version using the a `.x` and `latest` tag
-
----
+Reusable Azure Bicep modules for Integration Services workloads, published to `acrty7og2i6qpv3s` under `bicep/modules/{module}`. Modules ship with per-folder metadata for versioning and are linted/published through Azure DevOps using templates from `ado-pipeline-templates`. The registry itself is deployed by the `platform-strategic-services` project.
 
 ## Contributing
 
 Please read the [contributing](CONTRIBUTING.md) guidance; this is a learning and development project.
 
----
-
 ## Security
 
 Please read the [security](SECURITY.md) guidance; I am always open to security feedback through email or opening an issue.
diff --git a/docs/development-workflows.md b/docs/development-workflows.md
@@ -0,0 +1,19 @@
+# Development Workflows
+
+## Pipelines
+- `devops-secure-scanning` runs weekly (Thu 02:00 UTC) and on PRs to main using the `ado-pipeline-templates` security scanning job.
+- `release-to-production` runs on main and weekly (Thu 03:00 UTC). Stage `Build` runs `bicep-lint-code` against `modules/`. Stage `Deploy` loops through each module folder and calls `Publish-BicepModuleToAcr.ps1` against ACR `acrty7og2i6qpv3s` using service connection `spn-bicep-modules-production`.
+
+## Local changes
+- Edit `modules/<name>/main.bicep` and bump `modules/<name>/metadata.json` version before publishing.
+- Validate locally with `az bicep build --file modules/<name>/main.bicep` (or `bicep build`).
+- Optional manual publish (requires `az login` and rights to the registry):
+  ```powershell
+  pwsh ./.azure-pipelines/scripts/Publish-BicepModuleToAcr.ps1 `
+    -moduleName keyvault `
+    -modulesRootPath ./modules `
+    -acrName acrty7og2i6qpv3s `
+    -previewRelease $true
+  ```
+  Set `-previewRelease $false` to mirror main-branch behavior, which also pushes `V{major}.x`, `V{major}.{minor}.x`, and `latest` tags when creating a new version.
+- The publish script only pushes a new version when the tag does not already exist; reruns skip existing tags with a warning.
diff --git a/docs/overview.md b/docs/overview.md
@@ -0,0 +1,22 @@
+# Overview
+
+This repository collects reusable Bicep modules for Azure resources and publishes them to the `acrty7og2i6qpv3s` container registry under the `bicep/modules/{module}` repositories. Modules were extracted from practical projects and focus on Integration Services workloads such as API Management, App Service, Functions, Key Vault, Storage, and Front Door.
+
+## Module layout
+- Each module lives in `modules/<name>/` with `main.bicep` and a `metadata.json` containing `version.major`, `version.minor`, and `version.revision`.
+- When the release pipeline runs on non-main branches, tags get a `-preview` suffix and no `.x` or `latest` tags are pushed.
+- On main, the `Publish-BicepModuleToAcr.ps1` script also pushes `V{major}.x`, `V{major}.{minor}.x`, and `latest` tags when a new full version is published.
+
+## Module catalogue
+- `apiManagementLogger` / `apiManagementSubscription` for APIM logging and subscription setup
+- `appConfigurationStore` for App Configuration instances
+- `appInsights` for Application Insights instances
+- `frontDoorCNAME` and `frontDoorEndpoint` for Front Door DNS and endpoint plumbing
+- `keyVault`, `keyVaultAccessPolicy`, `keyVaultRoleAssignment`, `keyVaultSecret` for Key Vault primitives
+- `sqlDatabase` for SQL Database
+- `storageAccount` for Storage Accounts
+- `webTest` for Application Insights availability tests
+
+## Dependencies
+- The container registry used for publish lives in the `platform-strategic-services` project.
+- Azure CLI with Bicep CLI installed is required locally; pipelines run via Azure DevOps using the `ado-pipeline-templates` repository.
