Step 5 — IaC Code

Generate the IaC templates that realise the Step 4 plan, following Azure Verified Modules (AVM) standards. The agent emits track-specific code plus an 05-implementation-reference.md that maps each AVM module to the plan’s resource graph.

Track-routed via decisions.iac_tool:

  • Bicep: Invoke → 06b-Bicep CodeGen. Output: infra/bicep/{project}/main.bicep + modules/
  • Terraform: Invoke → 06t-Terraform CodeGen. Output: infra/terraform/{project}/main.tf + modules/
  • Shared: agent-output/{project}/05-implementation-reference.md

  • AVM-first composition; never re-derive resources by hand when an AVM module exists.
  • Unique-suffix pattern for globally-named resources.
  • Required tags enforced by tag_contract from Step 3.5.
  • Security baseline: TLS 1.2, HTTPS-only, no public blob, managed identity, Entra-only SQL.
  • Step 3.5 (governance) compliance mapping wired into module inputs.
  • Bicep subagent: bicep-validate-subagent
  • Terraform subagent: terraform-validate-subagent
  • Validation: Lint + AVM code review
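
The security baseline and required-tag conventions listed above can be checked mechanically against a compiled ARM template (for example the JSON that `az bicep build` produces). The following is an added example, not the project's validation subagent: the rule table uses the ARM property names for storage accounts, SQL servers and web apps, while `REQUIRED_TAGS` and `SAMPLE` are assumptions constructed for illustration.

```python
REQUIRED_TAGS = {"environment", "owner"}  # assumption: stand-in for the Step 3.5 tag_contract

def _get(obj, path):
    """Walk a dotted path through nested dicts; None if any key is absent."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

# (resource type, property path, predicate, finding text)
RULES = [
    ("Microsoft.Storage/storageAccounts", "properties.minimumTlsVersion",
     lambda v: v == "TLS1_2", "TLS 1.2 minimum not set"),
    ("Microsoft.Storage/storageAccounts", "properties.supportsHttpsTrafficOnly",
     lambda v: v is True, "HTTPS-only not enforced"),
    ("Microsoft.Storage/storageAccounts", "properties.allowBlobPublicAccess",
     lambda v: v is False, "public blob access not disabled"),
    ("Microsoft.Sql/servers", "properties.administrators.azureADOnlyAuthentication",
     lambda v: v is True, "SQL is not Entra-only"),
    ("Microsoft.Web/sites", "identity.type",
     lambda v: isinstance(v, str) and "Assigned" in v, "no managed identity"),
]

def lint(template):
    """Return sorted (resource name, finding) pairs; an absent property is a failure."""
    resources = template.get("resources", [])
    if isinstance(resources, dict):  # symbolic-name templates key resources by name
        resources = list(resources.values())
    findings = []
    for res in resources:
        name = res.get("name", "?")
        for rtype, path, ok, msg in RULES:
            if res.get("type") == rtype and not ok(_get(res, path)):
                findings.append((name, msg))
        missing = REQUIRED_TAGS - set(res.get("tags") or {})
        if missing:
            findings.append((name, "missing tags: " + ", ".join(sorted(missing))))
    return sorted(findings)

# Constructed sample input (not from the project): one weak, one compliant account.
SAMPLE = {"resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stweak", "tags": {"owner": "a"},
     "properties": {"minimumTlsVersion": "TLS1_0", "supportsHttpsTrafficOnly": True}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stgood",
     "tags": {"owner": "a", "environment": "dev"},
     "properties": {"minimumTlsVersion": "TLS1_2", "supportsHttpsTrafficOnly": True,
                    "allowBlobPublicAccess": False}},
]}
```

Values still held as unevaluated ARM expressions (such as `[parameters('x')]`) fail the equality checks and are reported, which errs on the side of review.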

Opt-in by default. decisions.review_depth = "deep" or an explicit 10-Challenger invocation triggers an adversarial code review.

The Orchestrator routes context to Step 6 — Deploy.