Quickstart: Create an Azure Attestation provider with a Bicep file

Microsoft Azure Attestation is a solution for attesting Trusted Execution Environments (TEEs). This quickstart focuses on the process of deploying a Bicep file to create a Microsoft Azure Attestation provider.

Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. It provides concise syntax, reliable type safety, and support for code reuse. Bicep offers the best authoring experience for your infrastructure-as-code solutions in Azure.

Prerequisites

If you don't have an Azure subscription, create a free account before you begin.

Review the Bicep file

The Bicep file used in this quickstart is from Azure Quickstart Templates.

@description('Name of the Attestation provider. Must be between 3 and 24 characters in length and use numbers and lower-case letters only.')
param attestationProviderName string = uniqueString(resourceGroup().name)

@description('Location for all resources.')
param location string = resourceGroup().location

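// Value used as the single x5c entry below. Leave empty to create the
// provider without policy signing certificates.
param policySigningCertificates string = ''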

var PolicySigningCertificates = {
  PolicySigningCertificates: {
    keys: [
      {
        kty: 'RSA'
        use: 'sig'
        x5c: [
          policySigningCertificates
        ]
      }
    ]
  }
}

resource attestationProvider 'Microsoft.Attestation/attestationProviders@2021-06-01' = {
  name: attestationProviderName
  location: location
  properties: (empty(policySigningCertificates) ? json('{}') : PolicySigningCertificates)
}

// Return the provider's name here; the full resource ID is returned by resourceId below.
output attestationName string = attestationProvider.name
output location string = location
output resourceGroupName string = resourceGroup().name
output resourceId string = attestationProvider.id

The Bicep file defines one Azure resource: Microsoft.Attestation/attestationProviders.

Deploy the Bicep file

  1. Save the Bicep file as main.bicep to your local computer.

  2. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

    az group create --name exampleRG --location eastus
    
    az deployment group create --resource-group exampleRG --template-file main.bicep
    

    When the deployment finishes, you should see a message indicating the deployment succeeded.
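Before running the deployment step above, the two inputs the Bicep file accepts can be checked locally. The script below is an added example, not part of the original quickstart or the Azure Quickstart Templates file; the function names, the name `exampleattest01` and the sample PEM body are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: check the two template parameters before deploying main.bicep.
# Function names and the sample PEM are assumptions, not part of the quickstart.

# Name rule from the template's @description: 3-24 chars, digits and
# lower-case letters only. Body runs in a subshell so LC_ALL stays local.
valid_provider_name() (
  LC_ALL=C
  case "$1" in ''|*[!a-z0-9]*) exit 1 ;; esac
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 24 ]
)

# Print the single-line base64 body of a PEM certificate, the form a JWK x5c
# entry carries. Rejects files holding private keys or anything other than
# exactly one certificate, since the template builds a single x5c entry.
pem_to_x5c() (
  LC_ALL=C
  pem=$1
  if grep -q -e 'PRIVATE KEY' "$pem"; then
    echo "refusing $pem: contains a private key" >&2; exit 2
  fi
  n=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$pem" || true)
  if [ "$n" != 1 ]; then
    echo "expected exactly 1 certificate in $pem, found $n" >&2; exit 3
  fi
  b64=$(sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$pem" |
        grep -v -e '^-----' | tr -d ' \t\r\n')
  case "$b64" in ''|*[!A-Za-z0-9+/=]*)
    echo "certificate body in $pem is not base64" >&2; exit 4 ;;
  esac
  printf '%s' "$b64"
)

# Constructed sample input: PEM framing with a placeholder body, not a real cert.
sample_pem() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'Q09OU1RSVUNURURTQU1QTEVCT0RZ' 'Tk9UQVJFQUxDRVJUSUZJQ0FURQ==' \
    '-----END CERTIFICATE-----'
}

# Demo: validate, convert, then print (not run) the deployment command.
name=exampleattest01
tmp=$(mktemp) && sample_pem > "$tmp"
if valid_provider_name "$name" && x5c=$(pem_to_x5c "$tmp"); then
  echo "az deployment group create --resource-group exampleRG \\"
  echo "  --template-file main.bicep --parameters \\"
  echo "  attestationProviderName=$name policySigningCertificates=$x5c"
fi
rm -f "$tmp"
```

Run it against the real certificate file by replacing the `sample_pem` temp file with its path; the printed command is the one from step 2 with both parameters supplied.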

Validate the deployment

Use the Azure portal, Azure CLI, or Azure PowerShell to verify that the resource group and the attestation provider were created.

az resource list --resource-group exampleRG

Clean up resources

Other Azure Attestation quickstarts and tutorials build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, you may wish to leave these resources in place.

When no longer needed, delete the resource group, which deletes the Attestation resource. To delete the resource group by using Azure CLI or Azure PowerShell:

az group delete --name exampleRG

Next steps

In this quickstart, you created an attestation resource using a Bicep file, and validated the deployment. To learn more about Azure Attestation, see Overview of Azure Attestation.