Deploy with Bicep¶
Bicep is the recommended deployment method. It compiles to ARM templates, has full Azure type-checking, and has the best IDE support of all four methods.
One-command deploy
Jump straight to One-Command Deploy if you just want to get running.
Prerequisites¶
- Azure CLI with Bicep extension:
- PowerShell 7+ with Az module:
- ServiceNow instance or PDI (admin access for Business Rule setup)
One-Command Deploy¶
.\deploy\scripts\Deploy-Solution.ps1 `
-ResourceGroupName rg-azure-monitor-itsm `
-Location eastus `
-SnowInstanceUrl https://dev123456.service-now.com `
-SnowUsername azure_monitor_svc `
-DeploymentMethod Bicep
Pass -SnowPassword (ConvertTo-SecureString $env:SNOW_PW -AsPlainText -Force) for unattended / CI runs.
Pass -SkipTest to skip the end-to-end smoke test.
The orchestrator runs all steps below automatically.
Manual Step-by-Step¶
If you prefer to run each step individually (useful for troubleshooting or understanding what happens):
# 1. Create prerequisites: resource group, MI, RBAC, KV API connection
.\deploy\scripts\New-Prerequisites.ps1 -ResourceGroupName rg-azure-monitor-itsm -Location eastus
# 2. Create Key Vault and store SNOW credentials
.\deploy\scripts\Set-KeyVaultSecrets.ps1 `
-ResourceGroupName rg-azure-monitor-itsm `
-SnowInstanceUrl https://dev123456.service-now.com `
-SnowUsername azure_monitor_svc
# (prompted for SNOW password)
# 3. Deploy resources via Bicep
az deployment group create \
--resource-group rg-azure-monitor-itsm \
--template-file deploy/bicep/main.bicep \
--parameters deploy/bicep/main.bicepparam
# 4. Restrict Key Vault firewall to Logic App outbound IPs only
.\deploy\scripts\Set-KeyVaultFirewall.ps1 -ResourceGroupName rg-azure-monitor-itsm
# 5. Create Action Group
.\deploy\scripts\New-ActionGroup.ps1 -ResourceGroupName rg-azure-monitor-itsm
# 6. Enable both Logic Apps
.\deploy\scripts\Enable-LogicApps.ps1 -ResourceGroupName rg-azure-monitor-itsm
Logic Apps deploy disabled
Both Logic Apps deploy in Disabled state. They remain disabled until you explicitly run Enable-LogicApps.ps1 after all configuration is complete. This is John Joyner's zero-trust design.
Key Vault connection name
The API connection itsm-keyvault-connection-mi is referenced by name inside the Logic App ARM templates. Do not rename it — the Logic Apps will fail to resolve Key Vault secrets if this name changes.
Bicep Parameter Reference¶
Parameters are set in deploy/bicep/main.bicepparam. Key parameters:
| Parameter | Default | Description |
|---|---|---|
resourceGroupName |
rg-azure-monitor-itsm |
Resource group to deploy into |
location |
eastus |
Azure region |
managedIdentityName |
ITSM-MI |
User-assigned managed identity name |
keyVaultName |
itsm-kv |
Key Vault name (must be globally unique) |
kvConnectionName |
itsm-keyvault-connection-mi |
API connection name — do not change |
alertLogicAppName |
Azure-Monitor-Alert-ITSM-HTTP-API |
Alert Logic App name |
closeLogicAppName |
Azure-Monitor-Close-ITSM-HTTP-API |
Close Logic App name |
actionGroupName |
ag-azure-monitor-itsm |
Action Group name |
Verify¶
Next Steps¶
- Customize SNOW fields in the Logic App designer (company, assignment_group, caller_id) — see Step 8–9 in John Joyner's Guide
- Configure SNOW Business Rule — see Step 13 in John Joyner's Guide (manual SNOW-side step)
- Enable Secure Inputs/Outputs and Access Control — see Step 14
- Associate Action Group with alert rules — see the Deployment Overview