CtrlK
BlogDocsLog inGet started
Tessl Logo

azure-defaults

Azure infrastructure defaults: regions, tags, naming (CAF), AVM-first policy, security baseline, unique suffix patterns. USE FOR: any agent generating or planning Azure resources. DO NOT USE FOR: artifact template structures (use azure-artifacts), pricing lookups (read references/pricing-guidance.md on demand).

89

Quality

86%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Azure Defaults Skill

Single source of truth for Azure infrastructure configuration. Deep-dive content lives in references/ — load on demand.

Quick Reference (Load First)

Default Regions

ServiceDefault RegionReason
All resourcesswedencentralEU GDPR-compliant
Static Web AppswesteuropeNot available in swedencentral
FailovergermanywestcentralEU paired alternative

Required Tags (Azure Policy Enforced)

These 4 tags are the MINIMUM baseline. Always defer to 04-governance-constraints.md for the actual required tag list.

TagRequiredExample Values
EnvironmentYesdev, staging, prod
ManagedByYesBicep or Terraform
ProjectYesProject identifier
OwnerYesTeam or individual name

Tag Casing Rule: Use PascalCase exactly as shown above (Environment, ManagedBy, Project, Owner). Never emit both owner and Owner or environment and Environment in the same template — Azure Policy treats case-variant tag keys as ambiguous evaluation paths (AmbiguousPolicyEvaluationPaths error).

Unique Suffix Pattern

Generate ONCE, pass to ALL modules:

var uniqueSuffix = uniqueString(resourceGroup().id)

Security Baseline (5-Line Summary)

SettingValueApplies To
HTTPS-onlytrueStorage, all
TLS minimum'TLS1_2'All services
Public blob accessfalseStorage
Public network (prod)'Disabled'Data services
AuthenticationManaged IdentityPrefer over keys

For AVM pitfalls and deprecation patterns, read references/security-baseline-full.md.

Deprecated Services (Do NOT Recommend for Greenfield)

Deprecated ServiceReplacementSinceNotes
Azure AD B2CMicrosoft Entra External IDMay 2025Not available for new tenants
Redis Enterprise E50Azure Managed Redis (Enterprise)March 2027Plan migration before EOL
CDN WAF (classic)Front Door Standard/Premium WAF2025CDN WAF creation blocked
App Gateway v1App Gateway v2April 2026Classic SKU retiring
CDN Standard MicrosoftFront Door Standard2027Migration required

Rule: Never recommend deprecated services for greenfield projects. Before recommending any service with a multi-year RI commitment, verify the service retirement timeline extends beyond the commitment period. Check Microsoft Learn deprecation announcements.

CAF Naming Conventions

ResourceAbbrPatternMax
Resource Grouprgrg-{project}-{env}90
Virtual Networkvnetvnet-{project}-{env}64
Subnetsnetsnet-{purpose}-{env}80
NSGnsgnsg-{purpose}-{env}80
Key Vaultkvkv-{short}-{env}-{suffix}24
Storage Accountstst{short}{env}{suffix}24
App Service Planaspasp-{project}-{env}40
App Serviceappapp-{project}-{env}60
SQL Serversqlsql-{project}-{env}63
SQL Databasesqldbsqldb-{project}-{env}128
Static Web Appstappstapp-{project}-{env}40
Log Analyticsloglog-{project}-{env}63
App Insightsappiappi-{project}-{env}255

For extended abbreviations and length-constraint examples, read references/naming-full-examples.md.

Azure Verified Modules (AVM)

  1. ALWAYS check AVM availability first
  2. Use AVM defaults for SKUs when available
  3. NEVER write raw Bicep/TF for a resource that has an AVM module

For the full Bicep + Terraform AVM module registry, read references/avm-modules.md.

Template-First Output Rules

RuleRequirement
Exact textUse template H2 text verbatim
Exact orderRequired H2s in template-defined order
Anchor ruleExtra sections only AFTER last required H2
No omissionsAll template H2s must appear in output
Attribution> Generated by {agent} agent | {YYYY-MM-DD}

Validation Checklist

  • Output saved to agent-output/{project}/
  • All required H2 headings present and correctly ordered
  • All 4 required tags included in resource definitions
  • Unique suffix used for globally unique names
  • Security baseline settings applied
  • Region defaults correct

Gotchas

  • Tag casing is case-sensitive — Use PascalCase exactly: Environment, ManagedBy, Project, Owner. Never emit both owner and Owner in the same template — Azure Policy treats case-variant keys as ambiguous → AmbiguousPolicyEvaluationPaths error.
  • Never recommend deprecated services for greenfield — Azure AD B2C (retired May 2025), CDN WAF classic, App Gateway v1, etc. Check the Deprecated Services list in Quick Reference.
  • AVM-first is non-negotiable — NEVER write raw Bicep/Terraform for a resource that has an AVM module available.

Reference Index

Load these on demand — do NOT read all at once:

ReferenceWhen to Load
references/naming-full-examples.mdGenerating names for length-constrained resources
references/avm-modules.mdLooking up AVM module paths or versions
references/security-baseline-full.mdDebugging AVM parameter issues or checking deprecations
references/pricing-guidance.mdRunning cost estimates with Azure Pricing MCP
references/service-matrices.mdMapping user requirements to Azure service tiers
references/waf-criteria.mdScoring WAF pillar assessments
references/governance-discovery.mdDiscovering Azure Policy constraints
references/policy-effect-decision-tree.mdTranslating policy effects into plan/code actions
references/adversarial-review-protocol.mdRunning challenger-review-subagent passes
references/azure-cli-auth-validation.mdValidating Azure CLI auth before deployments
references/terraform-conventions.mdGenerating Terraform (HCL) code
references/research-workflow.mdFollowing the standard 4-step research pattern
Repository
jonathan-vella/azure-agentic-infraops
Commit

ec7b8ff

Last updated
Created

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.

Claim skill