$ copilot --idea "Infrastructure Whisperer"
advanced ⏱ 2-4 hours Azure Projects
Convert legacy IaC to modern Bicep with security hardening and architecture diagrams

The Problem

Every organisation has that folder of ARM templates nobody wants to touch. Hundreds of lines of JSON, no modules, hardcoded values everywhere, and security practices from 2018. You know the ones.

What You'll Build

A complete infrastructure modernisation workflow using Copilot CLI that takes legacy ARM or Terraform and produces production-ready Bicep with:
• Modular structure following Azure Verified Modules patterns
• Security hardening (private endpoints, managed identity, no passwords)
• A Mermaid architecture diagram generated from the code
• Cost comparison between current and recommended SKUs

Step-by-Step Walkthrough

Phase 1: Analyse the Legacy Template

Start by dropping your ARM template or Terraform config into a repo and opening Copilot CLI:
$ "Analyse this ARM template. List every resource, its dependencies,
and any security concerns you can see"
Copilot will map the full resource graph and flag issues like:
• Public endpoints on databases
• Storage accounts with shared key access
• Missing network security groups
• Hardcoded connection strings instead of Key Vault references

Phase 2: Convert to Bicep Modules

$ "Convert this to Bicep with a modular structure.
Create separate modules for networking, compute, data, and security"
The general-purpose agent works best here — it maintains context across all the modules and ensures cross-references are correct.

Phase 3: Security Hardening

$ "Add private endpoints for every data service.
Replace all passwords with Key Vault references.
Add managed identity to all compute resources.
Disable public network access on SQL and storage."
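
To confirm the hardening actually landed, here is an added example (not from the original page and not Copilot output): a Python check over the ARM JSON that `az bicep build` emits, flagging the property-level settings this phase targets. The sample template, its resource names and the `walk`/`audit` helpers are constructed for illustration; private endpoint coverage is not checked.

```python
import json

# Constructed sample (not from the original page): a legacy storage account and
# SQL server, plus a web app inside a compiled Bicep module (nested deployment).
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.Storage/storageAccounts", "name": "legacystore", "properties": {}},
  {"type": "Microsoft.Sql/servers", "name": "legacysql",
   "properties": {"administratorLoginPassword": "constructed-password",
                  "publicNetworkAccess": "Disabled"}},
  {"type": "Microsoft.Resources/deployments", "name": "compute",
   "properties": {"template": {"resources": {
     "app": {"type": "Microsoft.Web/sites", "name": "legacyapp", "properties": {}}}}}}
]}
""")

DATA = {"Microsoft.Storage/storageAccounts", "Microsoft.Sql/servers"}
COMPUTE = {"Microsoft.Web/sites", "Microsoft.Compute/virtualMachines"}

def walk(template):
    """Yield every resource, descending into compiled modules."""
    resources = template.get("resources", [])
    if isinstance(resources, dict):  # languageVersion 2.0 keys resources by symbolic name
        resources = resources.values()
    for r in resources:
        if r.get("type") == "Microsoft.Resources/deployments":
            yield from walk(r.get("properties", {}).get("template", {}))
        else:
            yield r

def audit(template):
    """Return sorted (resource name, finding) pairs; an empty list means no findings."""
    findings = []
    for r in walk(template):
        rtype, name, props = r.get("type"), r.get("name"), r.get("properties", {})
        # An absent or parameterised value cannot be proven safe, so it is flagged.
        if rtype in DATA and props.get("publicNetworkAccess") != "Disabled":
            findings.append((name, "public network access not disabled"))
        if rtype == "Microsoft.Storage/storageAccounts" and props.get("allowSharedKeyAccess") is not False:
            findings.append((name, "shared key access allowed"))
        pw = props.get("administratorLoginPassword")
        # A literal string (not a "[parameters(...)]" expression) is a hardcoded secret.
        if rtype == "Microsoft.Sql/servers" and isinstance(pw, str) and not pw.startswith("["):
            findings.append((name, "hardcoded admin password"))
        if rtype in COMPUTE and (r.get("identity") or {}).get("type", "None") == "None":
            findings.append((name, "no managed identity"))
    return sorted(findings)

if __name__ == "__main__":
    for name, issue in audit(SAMPLE):
        print(f"{name}: {issue}")
```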

Phase 4: Generate Architecture Diagram

$ "Generate a Mermaid diagram showing the network topology,
data flow, and security boundaries"

Phase 5: Cost Analysis

$ "Compare the current SKUs against the cheapest options
that still meet production requirements.
Show monthly cost for each option."

Pro Tips

• Launch explore agents in parallel — one per ARM template file — for large deployments
• Use the azure-compliance skill to validate your output against Azure best practices
• Run `az bicep build` after each conversion step to catch errors early
• Keep the original ARM as a reference — ask Copilot to generate a diff summary

What You'll Learn

• Bicep module patterns and best practices
• Azure networking and private endpoint architecture
• Infrastructure security hardening techniques
• How to use Copilot CLI agents for complex multi-file tasks