Experimental bicep deploy, bicep what-if and bicep teardown commands (#18041)

Changes:
* New experimental feature flag `deployCommands` - all new functionality
requires this to be enabled
* New CLI command `bicep deploy <path_to_params_file>` - runs a
deployment or deployment stack, and displays progress
* New CLI command `bicep what-if <path_to_params_file>` - runs a what-if
for a deployment
* New CLI command `bicep teardown <path_to_params_file>` - deletes a
deployment stack
* Optional `with` syntax clause on a `using` statement in a
`.bicepparam` file.
    * Can either be used with deployments:
        ```bicep
        using 'main.bicep' with {
          mode: 'deployment'
scope:
'/subscriptions/56db6eae-3609-4194-aedc-f919a5ffc162/resourceGroups/test-rg'
        }
        ```
    * Or with deployment stacks:
        ```bicep
        using 'main.bicep' with {
          mode: 'stack'
scope:
'/subscriptions/56db6eae-3609-4194-aedc-f919a5ffc162/resourceGroups/test-rg'
          actionOnUnmanage: {
            resources: 'delete'
          }
          denySettings: {
            mode: 'denyDelete'
          }
        }
        ```
* Ability to read an environment variable at deploy time using
`externalInput('sys.envVar', '<name_of_var>')`. For example:
    ```sh
    export MY_ENV=foo
    bicep deploy main.bicepparam
    ```
* Ability to read a custom CLI argument at deploy time using
`externalInput('sys.cliArg', '<name_of_arg>')`. For example:
    ```sh
    bicep deploy main.bicepparam --arg-my-env foo
    ```

See [Using the Deploy
Commands](https://github.com/Azure/bicep/blob/ant/poc_cli/docs/experimental/deploy-commands.md)
for additional information and code samples.

Related to #17949 - note that I haven't yet gone over the feedback and
addressed the points raised there.


https://github.com/user-attachments/assets/da64f3a3-3c11-411b-94b6-6324f79af107

###### Microsoft Reviewers: [Open in
CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/18041)

Author: anthony-c-martin

.github/workflows/build.yml

@@ -746,7 +746,7 @@ jobs:
     name: Check secret access
     runs-on: ubuntu-latest
     outputs:
-      access_verified: ${{ steps.check-access.outputs.verified && !(github.event_name == 'workflow_dispatch' && github.ref != 'refs/head/main') }}
+      access_verified: ${{ steps.check-access.outputs.verified && (github.base_ref == 'refs/head/main' || github.ref == 'refs/head/main') }}
 
     steps:
       - id: check-access

docs/experimental-features.md

@@ -13,6 +13,10 @@ The following features can be optionally enabled through your `bicepconfig.json`
 
 Should be enabled in tandem with `testFramework` experimental feature flag for expected functionality. Allows you to author boolean assertions using the `assert` keyword comparing the actual value of a parameter, variable, or resource name to an expected value. Assert statements can only be written directly within the Bicep file whose resources they reference. For more information, see [Bicep Experimental Test Framework](https://github.com/Azure/bicep/issues/11967).
 
+### `deployCommands`
+
+Enables `deploy`, `what-if` and `teardown` command groups, as well as the `with` syntax in a `.bicepparam` file. For more information, see [Using the Deploy Commands](./experimental/deploy-commands.md).
+
 ### `desiredStateConfiguration`
 
 Allows you to author configuration documents for [Microsoft's Desired State Configuration platform](https://github.com/PowerShell/DSC) using `targetScope = 'desiredStateConfiguration'`. If enabled, the file must only contain DSC resource instances. The built file is a valid configuration document to be used with the CLI. For example, `dsc.exe config test --file example.json`. This feature is in early development.

docs/experimental/deploy-commands-samples/bicepconfig.json

@@ -0,0 +1,5 @@
+{
+  "experimentalFeaturesEnabled": {
+    "deployCommands": true
+  }
+}

docs/experimental/deploy-commands-samples/script/containergroups.bicep

@@ -0,0 +1,77 @@
+param name string
+
+@description('Specify which type of dev environment to deploy')
+@allowed(['AzureCLI', 'AzurePowerShell'])
+param type string = 'AzureCLI'
+
+@description('Use to override the version to use for Azure CLI or AzurePowerShell')
+param toolVersion string = ''
+
+@description('This is the path in the container instance where it\'s mounted to the file share.')
+param mountPath string = '/mnt/azscripts/azscriptinput'
+
+@description('Time in second before the container instance is suspended')
+param sessionTime string = '1800'
+
+param fileShareName string
+param storageName string
+param storageId string
+param location string = resourceGroup().location
+
+// Specifies which version to use if no specific toolVersion is provided (Azure CLI latest or Azure PowerShell 5.6)
+var version = (type == 'AzureCLI' && toolVersion == ''
+  ? 'latest'
+  : type == 'AzurePowerShell' && toolVersion == '' ? '5.6' : toolVersion)
+
+var azcliImage = 'mcr.microsoft.com/azure-cli:${version}'
+var azpwshImage = 'mcr.microsoft.com/azuredeploymentscripts-powershell:az${version}'
+
+var azpwshCommand = ['/bin/sh', '-c', 'pwsh -c \'Start-Sleep -Seconds ${sessionTime}\'']
+
+var azcliCommand = ['/bin/bash', '-c', 'echo hello; sleep ${sessionTime}']
+
+resource containerGroupName 'Microsoft.ContainerInstance/containerGroups@2019-12-01' = {
+  name: name
+  location: location
+  properties: {
+    containers: [
+      {
+        name: '${name}cg'
+        properties: {
+          image: type == 'AzureCLI' ? azcliImage : type == 'AzurePowerShell' ? azpwshImage : ''
+          resources: {
+            requests: {
+              cpu: 1
+              memoryInGB: 2
+            }
+          }
+          ports: [
+            {
+              protocol: 'TCP'
+              port: 80
+            }
+          ]
+          volumeMounts: [
+            {
+              name: 'filesharevolume'
+              mountPath: mountPath
+            }
+          ]
+          command: type == 'AzureCLI' ? azcliCommand : type == 'AzurePowerShell' ? azpwshCommand : null
+        }
+      }
+    ]
+    osType: 'Linux'
+    volumes: [
+      {
+        name: 'filesharevolume'
+        azureFile: {
+          readOnly: false
+          shareName: fileShareName
+          storageAccountName: storageName
+          storageAccountKey: listKeys(storageId, '2019-06-01').keys[0].value
+        }
+      }
+    ]
+  }
+}

docs/experimental/deploy-commands-samples/script/env_vars.bicepparam

@@ -0,0 +1,10 @@
+var subscriptionId = readEnvVar('AZURE_SUBSCRIPTION_ID')
+var resourceGroup = readEnvVar('AZURE_RESOURCE_GROUP')
+
+using 'main.bicep' with {
+  mode: 'deployment'
+  scope: '/subscriptions/${subscriptionId}/resourceGroups/${resourceGroup}'
+}
+
+param containerName = 'foo'
+

docs/experimental/deploy-commands-samples/script/main.bicep

@@ -0,0 +1,30 @@
+param storageName string = toLower('${take('deployscript${uniqueString(resourceGroup().id)}', 22)}st')
+param containerName string = toLower('${take('deployscript${uniqueString(resourceGroup().id)}', 22)}ci')
+
+@description('Specify which type of dev environment to deploy')
+@allowed(['AzureCLI', 'AzurePowerShell'])
+param type string = 'AzureCLI'
+
+@description('Use to specify the version to use for Azure CLI or AzurePowerShell, if no version is specified latest will be used for AzCLI and 5.6 for AzPwsh')
+param toolVersion string = ''
+
+param location string = resourceGroup().location
+
+module storage './storage.bicep' = {
+  params: {
+    name: storageName
+    location: location
+  }
+}
+
+module container './containergroups.bicep' = {
+  params: {
+    name: containerName
+    location: location
+    storageName: storage.outputs.storageName
+    storageId: storage.outputs.resourceId
+    fileShareName: storage.outputs.fileShareName
+    type: type
+    toolVersion: toolVersion
+  }
+}

docs/experimental/deploy-commands-samples/script/main.bicepparam

@@ -0,0 +1,10 @@
+var subscriptionId = readCliArg('subscription-id')
+var resourceGroup = readCliArg('resource-group')
+
+using 'main.bicep' with {
+  mode: 'deployment'
+  // TODO improve on this
+  scope: '/subscriptions/${subscriptionId}/resourceGroups/${resourceGroup}'
+}
+
+param containerName = 'foo'

docs/experimental/deploy-commands-samples/script/stack.bicepparam

@@ -0,0 +1,15 @@
+var subscriptionId = readEnvVar('AZURE_SUBSCRIPTION_ID')
+var resourceGroup = readEnvVar('AZURE_RESOURCE_GROUP')
+
+using 'main.bicep' with {
+  mode: 'stack'
+  scope: '/subscriptions/${subscriptionId}/resourceGroups/${resourceGroup}'
+  actionOnUnmanage: {
+    resources: 'delete'
+  }
+  denySettings: {
+    mode: 'denyDelete'
+  }
+}
+
+param containerName = 'foo'

docs/experimental/deploy-commands-samples/script/storage.bicep

@@ -0,0 +1,41 @@
+param name string
+
+@allowed([
+  'Standard_LRS'
+  'Standard_GRS'
+  'Standard_RAGRS'
+  'Standard_ZRS'
+  'Premium_LRS'
+  'Premium_ZRS'
+  'Standard_GZRS'
+  'Standard_RAGZRS'
+])
+param sku string = 'Standard_LRS'
+
+@allowed(['Storage', 'StorageV2', 'BlobStorage', 'FileStorage', 'BlockBlobStorage'])
+param kind string = 'StorageV2'
+
+@allowed(['Hot', 'Cool'])
+param accessTier string = 'Hot'
+param fileShareName string = 'deployscript'
+param location string = resourceGroup().id
+
+resource storage 'Microsoft.Storage/storageAccounts@2019-06-01' = {
+  name: name
+  location: location
+  sku: {
+    name: sku
+  }
+  kind: kind
+  properties: {
+    accessTier: accessTier
+  }
+}
+
+resource fileshare 'Microsoft.Storage/storageAccounts/fileServices/shares@2019-06-01' = {
+  name: '${storage.name}/default/${fileShareName}'
+}
+
+output resourceId string = storage.id
+output storageName string = storage.name
+output fileShareName string = fileShareName

docs/experimental/deploy-commands.md

@@ -0,0 +1,82 @@
+# Using the Deploy Commands
+
+## Goals
+
+1. Allow users to model all properties of the deployment (including scope, stacks configuration) in one place
+2. Add support for "teardown" functionality for cleaning up a Stack resource
+
+## Demo
+
+https://github.com/user-attachments/assets/da64f3a3-3c11-411b-94b6-6324f79af107
+
+## Running Samples
+
+### Script
+
+Pre-reqs:
+1. Download samples [here](https://download-directory.github.io/?url=https%3A%2F%2Fgithub.com%2FAzure%2Fbicep%2Ftree%2Fmain%2Fdocs%2Fexperimental%2Fdeploy-commands-samples)
+1. Unzip
+1. Cd to the unzipped directory
+
+#### CLI args
+```sh
+# what-if
+bicep what-if --arg-subscription-id d08e1a72-8180-4ed3-8125-9dff7376b0bd --arg-resource-group ant-test script/main.bicepparam
+
+# deploy
+bicep deploy --arg-subscription-id d08e1a72-8180-4ed3-8125-9dff7376b0bd --arg-resource-group ant-test script/main.bicepparam
+```
+
+#### Env vars
+Linux/Mac
+```sh
+export AZURE_SUBSCRIPTION_ID=d08e1a72-8180-4ed3-8125-9dff7376b0bd
+export AZURE_RESOURCE_GROUP=ant-test
+
+# what-if
+bicep what-if script/env_vars.bicepparam
+
+# deploy
+bicep deploy script/env_vars.bicepparam
+```
+
+Windows
+```powershell
+$env:AZURE_SUBSCRIPTION_ID = "d08e1a72-8180-4ed3-8125-9dff7376b0bd"
+$env:AZURE_RESOURCE_GROUP = "ant-test"
+
+# what-if
+bicep what-if script/env_vars.bicepparam
+
+# deploy
+bicep deploy script/env_vars.bicepparam
+```
+
+#### Stacks
+Linux/Mac
+```sh
+export AZURE_SUBSCRIPTION_ID=d08e1a72-8180-4ed3-8125-9dff7376b0bd
+export AZURE_RESOURCE_GROUP=ant-test
+
+# what-if not currently supported
+
+# deploy
+bicep deploy script/stack.bicepparam
+
+# teardown
+bicep teardown script/stack.bicepparam
+```
+
+Windows
+```powershell
+$env:AZURE_SUBSCRIPTION_ID = "d08e1a72-8180-4ed3-8125-9dff7376b0bd"
+$env:AZURE_RESOURCE_GROUP = "ant-test"
+
+# what-if not currently supported
+
+# deploy
+bicep deploy script/stack.bicepparam
+
+# teardown
+bicep teardown script/stack.bicepparam
+```