🚀 Introducing az-bootstrap

A fast start for Azure IaC Projects

Unveiled at Global Azure 2025 over the weekend, az-bootstrap is an open-source PowerShell module designed to kickstart your Infrastructure-as-Code (IaC) projects - quickly and securely.

Why? I built this because I often spin up small demos and internal projects, and wanted a simple, automated way to wire up deployments from GitHub.

Built to complement the capability of Azure Developer CLI, it will:

  • Create a Resource Group, and Managed Identities with federated credentials for OIDC-based GitHub deployments
  • Scaffold a GitHub repo from the specified template & clone it locally.
  • Set GitHub Environment secrets (Tenant ID, Subscription ID, and Client ID).
  • Apply branch protection rules to your default branch
  • Configure reviewers for your “apply” environment stage

Use it to bootstrap demo projects, or as a lightweight alternative to full subscription vending.


What You’ll Need

  • Az CLI and GitHub CLI, installed and authenticated
  • Permission to create Azure resources and GitHub repositories
  • A template repository (you can use mine to get started)

🤔 How to Use It

The minimal usage assumes a few defaults and looks like this:

Install-Module Az-Bootstrap -Scope CurrentUser
# Hashtable of parameters, splatted onto the command below
$params = @{
  TemplateRepoUrl = "https://github.com/kewalaka/terraform-azure-starter-template"
  TargetRepoName  = "my-new-demo"
  Location        = "newzealandnorth"
}
Invoke-AzBootstrap @params

This makes some assumptions, and will:

  • Copy the template and clone it locally (to “./my-new-project”)
  • Create a resource group (rg-my-new-project-dev)
  • Set up two managed identities (mi-my-new-project-dev-plan & -apply)
  • Create two GitHub environments (dev-iac-plan and dev-iac-apply)
  • Add you as a reviewer for the apply stage

Want more control? Pass additional parameters as shown in the README.

$name = "my-new-demo"
# Explicit names for the resource group and the two managed identities
$params = @{
  TemplateRepoUrl          = "https://github.com/kewalaka/terraform-azure-starter-template"
  TargetRepoName           = "$name"
  ResourceGroupName        = "rg-$name-dev-nzn-01"
  PlanManagedIdentityName  = "mi-$name-dev-nzn-01-plan"
  ApplyManagedIdentityName = "mi-$name-dev-nzn-01-apply"
  Location                 = "newzealandnorth"
}
Invoke-AzBootstrap @params

In the above example, we specify names for the resource group, plan and apply identities.

Here it is running - you can see this on the ReadMe, too:


What’s New in v0.3?

Just released in v0.3 - the module now uses Bicep AVM modules to provision Azure resources!

Why the change? This lays the groundwork for extensibility - so you (or your team) can bring your own Bicep modules and customize the bootstrap process.

v0.3 further introduces separate identities for the plan and apply stage, which aligns with least privilege guidance from Microsoft.
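
The plan and apply identities are only as tightly scoped as the subject on their federated credentials, so here is a check for that, as an added example that is not part of az-bootstrap or its README. It assumes the credentials use GitHub's environment-scoped OIDC subject (repo:<owner>/<repo>:environment:<name>); the function name Test-GitHubFederatedCredential, the example-org owner and the sample JSON are constructed for illustration.

```powershell
# Added example, not part of az-bootstrap. Checks that a managed identity's
# federated credentials trust only one GitHub environment of one repository.
# Assumption: credentials use GitHub's environment-scoped OIDC subject format.
function Test-GitHubFederatedCredential {
    param(
        [Parameter(Mandatory)] [object[]] $Credential,  # az identity federated-credential list output
        [Parameter(Mandatory)] [string]   $Repo,        # "owner/repo"
        [Parameter(Mandatory)] [string]   $Environment  # e.g. "dev-iac-plan"
    )
    # Braces are required: "$Repo:" would be parsed as a scoped variable.
    $expectedSubject = "repo:${Repo}:environment:${Environment}"
    foreach ($c in $Credential) {
        $problems = @()
        if (([string]$c.issuer).TrimEnd('/') -ne 'https://token.actions.githubusercontent.com') {
            $problems += "unexpected issuer '$($c.issuer)'"
        }
        # Subject matching is exact, so compare case-sensitively.
        if ($c.subject -cne $expectedSubject) {
            $problems += "subject '$($c.subject)' is not '$expectedSubject'"
        }
        $aud = @($c.audiences)
        if ($aud.Count -ne 1 -or $aud -notcontains 'api://AzureADTokenExchange') {
            $problems += 'audiences should be exactly api://AzureADTokenExchange'
        }
        [pscustomobject]@{
            Name     = $c.name
            Ok       = ($problems.Count -eq 0)
            Problems = $problems -join '; '
        }
    }
}

# Constructed sample in the shape returned by
# az identity federated-credential list --identity-name <mi> --resource-group <rg> -o json
$sample = @'
[
  { "name": "plan-ok", "issuer": "https://token.actions.githubusercontent.com",
    "subject": "repo:example-org/my-new-demo:environment:dev-iac-plan",
    "audiences": ["api://AzureADTokenExchange"] },
  { "name": "plan-branch-scoped", "issuer": "https://token.actions.githubusercontent.com",
    "subject": "repo:example-org/my-new-demo:ref:refs/heads/main",
    "audiences": ["api://AzureADTokenExchange"] }
]
'@ | ConvertFrom-Json

Test-GitHubFederatedCredential -Credential $sample -Repo 'example-org/my-new-demo' -Environment 'dev-iac-plan' |
    Format-Table -AutoSize
```

The second sample credential is flagged because a branch-scoped subject lets any job on that branch obtain a token without going through the environment and its reviewers. Run the check once per identity, with the plan identity against the plan environment and the apply identity against the apply environment.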


🔭 What’s Next?

Some ideas I’m exploring:

  • An interactive installer for pre-requisites
  • Bring-your-own-Bicep support (perhaps - integrate with Bicep’s AVM Sub Vending pattern module when it supports RGs & MIs?)
  • Real-world examples using Bicep
  • A preferences file (~/.az-bootstrap) to remember your favourite repo URLs and settings

Learn More

🙌 I’d love your feedback - try it out and let me know what you think!

This post is licensed under CC BY 4.0 by the author.