{"kind":"Skill","metadata":{"namespace":"community","name":"azure-deployment-preflight","version":"0.1.0"},"spec":{"description":"Performs comprehensive preflight validation of Bicep deployments to Azure, including template syntax validation, what-if analysis, and permission checks. Use this skill before any deployment to Azure to preview changes, identify potential issues, and ensure the deployment will succeed. Activate when users mention deploying to Azure, validating Bicep files, checking deployment permissions, previewing infrastructure changes, running what-if, or preparing for azd provision.","files":{"SKILL.md":"---\nname: azure-deployment-preflight\ndescription: 'Performs comprehensive preflight validation of Bicep deployments to Azure, including template syntax validation, what-if analysis, and permission checks. Use this skill before any deployment to Azure to preview changes, identify potential issues, and ensure the deployment will succeed. Activate when users mention deploying to Azure, validating Bicep files, checking deployment permissions, previewing infrastructure changes, running what-if, or preparing for azd provision.'\n---\n\n# Azure Deployment Preflight Validation\n\nThis skill validates Bicep deployments before execution, supporting both Azure CLI (`az`) and Azure Developer CLI (`azd`) workflows.\n\n## When to Use This Skill\n\n- Before deploying infrastructure to Azure\n- When preparing or reviewing Bicep files\n- To preview what changes a deployment will make\n- To verify permissions are sufficient for deployment\n- Before running `azd up`, `azd provision`, or `az deployment` commands\n\n## Validation Process\n\nFollow these steps in order. Continue to the next step even if a previous step fails—capture all issues in the final report.\n\n### Step 1: Detect Project Type\n\nDetermine the deployment workflow by checking for project indicators:\n\n1. **Check for azd project**: Look for `azure.yaml` in the project root\n   - If found → Use **azd workflow**\n   - If not found → Use **az CLI workflow**\n\n2. **Locate Bicep files**: Find all `.bicep` files to validate\n   - For azd projects: Check `infra/` directory first, then project root\n   - For standalone: Use the file specified by the user or search common locations (`infra/`, `deploy/`, project root)\n\n3. **Auto-detect parameter files**: For each Bicep file, look for matching parameter files:\n   - `\u003cfilename\u003e.bicepparam` (Bicep parameters - preferred)\n   - `\u003cfilename\u003e.parameters.json` (JSON parameters)\n   - `parameters.json` or `parameters/\u003cenv\u003e.json` in same directory\n\n### Step 2: Validate Bicep Syntax\n\nRun Bicep CLI to check template syntax before attempting deployment validation:\n\n```bash\nbicep build \u003cbicep-file\u003e --stdout\n```\n\n**What to capture:**\n- Syntax errors with line/column numbers\n- Warning messages\n- Build success/failure status\n\n**If Bicep CLI is not installed:**\n- Note the issue in the report\n- Continue to Step 3 (Azure will validate syntax during what-if)\n\n### Step 3: Run Preflight Validation\n\nChoose the appropriate validation based on project type detected in Step 1.\n\n#### For azd Projects (azure.yaml exists)\n\nUse `azd provision --preview` to validate the deployment:\n\n```bash\nazd provision --preview\n```\n\nIf an environment is specified or multiple environments exist:\n```bash\nazd provision --preview --environment \u003cenv-name\u003e\n```\n\n#### For Standalone Bicep (no azure.yaml)\n\nDetermine the deployment scope from the Bicep file's `targetScope` declaration:\n\n| Target Scope | Command |\n|--------------|---------|\n| `resourceGroup` (default) | `az deployment group what-if` |\n| `subscription` | `az deployment sub what-if` |\n| `managementGroup` | `az deployment mg what-if` |\n| `tenant` | `az deployment tenant what-if` |\n\n**Run with Provider validation level first:**\n\n```bash\n# Resource Group scope (most common)\naz deployment group what-if \\\n  --resource-group \u003crg-name\u003e \\\n  --template-file \u003cbicep-file\u003e \\\n  --parameters \u003cparam-file\u003e \\\n  --validation-level Provider\n\n# Subscription scope\naz deployment sub what-if \\\n  --location \u003clocation\u003e \\\n  --template-file \u003cbicep-file\u003e \\\n  --parameters \u003cparam-file\u003e \\\n  --validation-level Provider\n\n# Management Group scope\naz deployment mg what-if \\\n  --location \u003clocation\u003e \\\n  --management-group-id \u003cmg-id\u003e \\\n  --template-file \u003cbicep-file\u003e \\\n  --parameters \u003cparam-file\u003e \\\n  --validation-level Provider\n\n# Tenant scope\naz deployment tenant what-if \\\n  --location \u003clocation\u003e \\\n  --template-file \u003cbicep-file\u003e \\\n  --parameters \u003cparam-file\u003e \\\n  --validation-level Provider\n```\n\n**Fallback Strategy:**\n\nIf `--validation-level Provider` fails with permission errors (RBAC), retry with `ProviderNoRbac`:\n\n```bash\naz deployment group what-if \\\n  --resource-group \u003crg-name\u003e \\\n  --template-file \u003cbicep-file\u003e \\\n  --validation-level ProviderNoRbac\n```\n\nNote the fallback in the report—the user may lack full deployment permissions.\n\n### Step 4: Capture What-If Results\n\nParse the what-if output to categorize resource changes:\n\n| Change Type | Symbol | Meaning |\n|-------------|--------|---------|\n| Create | `+` | New resource will be created |\n| Delete | `-` | Resource will be deleted |\n| Modify | `~` | Resource properties will change |\n| NoChange | `=` | Resource unchanged |\n| Ignore | `*` | Resource not analyzed (limits reached) |\n| Deploy | `!` | Resource will be deployed (changes unknown) |\n\nFor modified resources, capture the specific property changes.\n\n### Step 5: Generate Report\n\nCreate a Markdown report file in the **project root** named:\n- `preflight-report.md`\n\nUse the template structure from [references/REPORT-TEMPLATE.md](references/REPORT-TEMPLATE.md).\n\n**Report sections:**\n1. **Summary** - Overall status, timestamp, files validated, target scope\n2. **Tools Executed** - Commands run, versions, validation levels used\n3. **Issues** - All errors and warnings with severity and remediation\n4. **What-If Results** - Resources to create/modify/delete/unchanged\n5. **Recommendations** - Actionable next steps\n\n## Required Information\n\nBefore running validation, gather:\n\n| Information | Required For | How to Obtain |\n|-------------|--------------|---------------|\n| Resource Group | `az deployment group` | Ask user or check existing `.azure/` config |\n| Subscription | All deployments | `az account show` or ask user |\n| Location | Sub/MG/Tenant scope | Ask user or use default from config |\n| Environment | azd projects | `azd env list` or ask user |\n\nIf required information is missing, prompt the user before proceeding.\n\n## Error Handling\n\nSee [references/ERROR-HANDLING.md](references/ERROR-HANDLING.md) for detailed error handling guidance.\n\n**Key principle:** Continue validation even when errors occur. Capture all issues in the final report.\n\n| Error Type | Action |\n|------------|--------|\n| Not logged in | Note in report, suggest `az login` or `azd auth login` |\n| Permission denied | Fall back to `ProviderNoRbac`, note in report |\n| Bicep syntax error | Include all errors, continue to other files |\n| Tool not installed | Note in report, skip that validation step |\n| Resource group not found | Note in report, suggest creating it |\n\n## Tool Requirements\n\nThis skill uses the following tools:\n\n- **Azure CLI** (`az`) - Version 2.76.0+ recommended for `--validation-level`\n- **Azure Developer CLI** (`azd`) - For projects with `azure.yaml`\n- **Bicep CLI** (`bicep`) - For syntax validation\n- **Azure MCP Tools** - For documentation lookups and best practices\n\nCheck tool availability before starting:\n```bash\naz --version\nazd version\nbicep --version\n```\n\n## Example Workflow\n\n1. User: \"Validate my Bicep deployment before I run it\"\n2. Agent detects `azure.yaml` → azd project\n3. Agent finds `infra/main.bicep` and `infra/main.bicepparam`\n4. Agent runs `bicep build infra/main.bicep --stdout`\n5. Agent runs `azd provision --preview`\n6. Agent generates `preflight-report.md` in project root\n7. Agent summarizes findings to user\n\n## Reference Documentation\n\n- [Validation Commands Reference](references/VALIDATION-COMMANDS.md)\n- [Report Template](references/REPORT-TEMPLATE.md)\n- [Error Handling Guide](references/ERROR-HANDLING.md)\n","references/ERROR-HANDLING.md":"# Error Handling Guide\n\nThis reference documents common errors during preflight validation and how to handle them.\n\n## Core Principle\n\n**Continue on failure.** Capture all issues in the final report rather than stopping at the first error. This gives users a complete picture of what needs to be fixed.\n\n---\n\n## Authentication Errors\n\n### Not Logged In (Azure CLI)\n\n**Detection:**\n```\nERROR: Please run 'az login' to setup account.\nERROR: AADSTS700082: The refresh token has expired\n```\n\n**Exit Codes:** Non-zero\n\n**Handling:**\n1. Note the error in the report\n2. Include remediation steps\n3. Skip remaining Azure CLI commands\n4. Continue with other validation steps if possible\n\n**Report Entry:**\n```markdown\n#### ❌ Azure CLI Authentication Required\n\n- **Severity:** Error\n- **Source:** az cli\n- **Message:** Not logged in to Azure CLI\n- **Remediation:** Run `az login` to authenticate, then re-run preflight validation\n- **Documentation:** https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli\n```\n\n### Not Logged In (azd)\n\n**Detection:**\n```\nERROR: not logged in, run `azd auth login` to login\n```\n\n**Handling:**\n1. Note the error in the report\n2. Skip azd commands\n3. Suggest `azd auth login`\n\n**Report Entry:**\n```markdown\n#### ❌ Azure Developer CLI Authentication Required\n\n- **Severity:** Error\n- **Source:** azd\n- **Message:** Not logged in to Azure Developer CLI\n- **Remediation:** Run `azd auth login` to authenticate, then re-run preflight validation\n```\n\n### Token Expired\n\n**Detection:**\n```\nAADSTS700024: Client assertion is not within its valid time range\nAADSTS50173: The provided grant has expired\n```\n\n**Handling:**\n1. Note the error\n2. Suggest re-authentication\n3. Skip Azure operations\n\n---\n\n## Permission Errors\n\n### Insufficient RBAC Permissions\n\n**Detection:**\n```\nAuthorizationFailed: The client '...' with object id '...' does not have authorization \nto perform action '...' over scope '...'\n```\n\n**Handling:**\n1. **First attempt:** Retry with `--validation-level ProviderNoRbac`\n2. Note the permission limitation in the report\n3. If ProviderNoRbac also fails, report the specific missing permission\n\n**Report Entry:**\n```markdown\n#### ⚠️ Limited Permission Validation\n\n- **Severity:** Warning\n- **Source:** what-if\n- **Message:** Full RBAC validation failed; using read-only validation\n- **Detail:** Missing permission: `Microsoft.Resources/deployments/write` on scope `/subscriptions/xxx`\n- **Recommendation:** Request Contributor role on the target resource group, or verify deployment permissions with your administrator\n```\n\n### Resource Group Not Found\n\n**Detection:**\n```\nResourceGroupNotFound: Resource group 'xxx' could not be found.\n```\n\n**Handling:**\n1. Note in report\n2. Suggest creating the resource group\n3. Skip what-if for this scope\n\n**Report Entry:**\n```markdown\n#### ❌ Resource Group Does Not Exist\n\n- **Severity:** Error\n- **Source:** what-if\n- **Message:** Resource group 'my-rg' does not exist\n- **Remediation:** Create the resource group before deployment:\n  ```bash\n  az group create --name my-rg --location eastus\n  ```\n```\n\n### Subscription Access Denied\n\n**Detection:**\n```\nSubscriptionNotFound: The subscription 'xxx' could not be found.\nInvalidSubscriptionId: Subscription '...' is not valid\n```\n\n**Handling:**\n1. Note in report\n2. Suggest checking subscription ID\n3. List available subscriptions\n\n---\n\n## Bicep Syntax Errors\n\n### Compilation Errors\n\n**Detection:**\n```\n/path/main.bicep(22,51) : Error BCP064: Found unexpected tokens\n/path/main.bicep(10,5) : Error BCP018: Expected the \"=\" character at this location\n```\n\n**Handling:**\n1. Parse error output for line/column numbers\n2. Include all errors in report (don't stop at first)\n3. Continue to what-if (may provide additional context)\n\n**Report Entry:**\n```markdown\n#### ❌ Bicep Syntax Error\n\n- **Severity:** Error\n- **Source:** bicep build\n- **Location:** `main.bicep:22:51`\n- **Code:** BCP064\n- **Message:** Found unexpected tokens in interpolated expression\n- **Remediation:** Check the string interpolation syntax at line 22\n- **Documentation:** https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/diagnostics/bcp064\n```\n\n### Module Not Found\n\n**Detection:**\n```\nError BCP091: An error occurred reading file. Could not find file '...'\nError BCP190: The module is not valid\n```\n\n**Handling:**\n1. Note missing module\n2. Check if `bicep restore` is needed\n3. Verify module path\n\n### Parameter File Issues\n\n**Detection:**\n```\nError BCP032: The value must be a compile-time constant\nError BCP035: The specified object is missing required properties\n```\n\n**Handling:**\n1. Note parameter issues\n2. Indicate which parameters are problematic\n3. Suggest fixes\n\n---\n\n## Tool Not Installed\n\n### Azure CLI Not Found\n\n**Detection:**\n```\n'az' is not recognized as an internal or external command\naz: command not found\n```\n\n**Handling:**\n1. Note in report\n2. Provide installation instructions.\n  - If available use the Azure MCP `extension_cli_install` tool to get installation instructions.\n  - Otherwise look for instructions at https://learn.microsoft.com/en-us/cli/azure/install-azure-cli.\n3. Skip az commands\n\n**Report Entry:**\n```markdown\n#### ⏭️ Azure CLI Not Installed\n\n- **Severity:** Warning\n- **Source:** environment\n- **Message:** Azure CLI (az) is not installed or not in PATH\n- **Remediation:** Install the Azure CLI \u003cADD INSTALLATION INSTRUCTIONS HERE\u003e\n- **Impact:** What-if validation using az commands was skipped\n```\n\n### Bicep CLI Not Found\n\n**Detection:**\n```\n'bicep' is not recognized as an internal or external command\nbicep: command not found\n```\n\n**Handling:**\n1. Note in report\n2. Azure CLI may have built-in Bicep - try `az bicep build`\n3. Provide installation link\n\n**Report Entry:**\n```markdown\n#### ⏭️ Bicep CLI Not Installed\n\n- **Severity:** Warning\n- **Source:** environment\n- **Message:** Bicep CLI is not installed\n- **Remediation:** Install Bicep CLI: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install\n- **Impact:** Syntax validation was skipped; Azure will validate during what-if\n```\n\n### Azure Developer CLI Not Found\n\n**Detection:**\n```\n'azd' is not recognized as an internal or external command\nazd: command not found\n```\n\n**Handling:**\n1. If `azure.yaml` exists, this is required\n2. Fall back to az CLI commands if possible\n3. Note in report\n\n---\n\n## What-If Specific Errors\n\n### Nested Template Limits\n\n**Detection:**\n```\nThe deployment exceeded the nested template limit of 500\n```\n\n**Handling:**\n1. Note as warning (not error)\n2. Explain affected resources show as \"Ignore\"\n3. Suggest manual review\n\n### Template Link Not Supported\n\n**Detection:**\n```\ntemplateLink references in nested deployments won't be visible in what-if\n```\n\n**Handling:**\n1. Note as warning\n2. Explain limitation\n3. Resources will be verified during actual deployment\n\n### Unevaluated Expressions\n\n**Detection:** Properties showing function names like `[utcNow()]` instead of values\n\n**Handling:**\n1. Note as informational\n2. Explain these are evaluated at deployment time\n3. Not an error\n\n---\n\n## Network Errors\n\n### Timeout\n\n**Detection:**\n```\nConnection timed out\nRequest timed out\n```\n\n**Handling:**\n1. Suggest retry\n2. Check network connectivity\n3. May indicate Azure service issues\n\n### SSL/TLS Errors\n\n**Detection:**\n```\nSSL: CERTIFICATE_VERIFY_FAILED\nunable to get local issuer certificate\n```\n\n**Handling:**\n1. Note in report\n2. May indicate proxy or corporate firewall\n3. Suggest checking SSL settings\n\n---\n\n## Fallback Strategy\n\nWhen primary validation fails, attempt fallbacks in order:\n\n```\nProvider (full RBAC validation)\n    ↓ fails with permission error\nProviderNoRbac (validation without write permission check)\n    ↓ fails\nTemplate (static syntax only)\n    ↓ fails\nReport all failures and skip what-if analysis\n```\n\n**Always continue to generate the report**, even if all validation steps fail.\n\n---\n\n## Error Report Aggregation\n\nWhen multiple errors occur, aggregate them logically:\n\n1. **Group by source** (bicep, what-if, permissions)\n2. **Order by severity** (errors before warnings)\n3. **Deduplicate** similar errors\n4. **Provide summary count** at the top\n\nExample:\n```markdown\n## Issues\n\nFound **3 errors** and **2 warnings**\n\n### Errors (3)\n\n1. [Bicep Syntax Error - main.bicep:22:51](#error-1)\n2. [Bicep Syntax Error - main.bicep:45:10](#error-2)\n3. [Resource Group Not Found](#error-3)\n\n### Warnings (2)\n\n1. [Limited Permission Validation](#warning-1)\n2. [Nested Template Limit Reached](#warning-2)\n```\n\n---\n\n## Exit Code Reference\n\n| Tool | Exit Code | Meaning |\n|------|-----------|---------|\n| az | 0 | Success |\n| az | 1 | General error |\n| az | 2 | Command not found |\n| az | 3 | Required argument missing |\n| azd | 0 | Success |\n| azd | 1 | Error |\n| bicep | 0 | Build succeeded |\n| bicep | 1 | Build failed (errors) |\n| bicep | 2 | Build succeeded with warnings |\n","references/REPORT-TEMPLATE.md":"# Preflight Report Template\n\nUse this template structure when generating `preflight-report.md` in the project root.\n\n---\n\n## Template\n\n```markdown\n# Azure Deployment Preflight Report\n\n**Generated:** {timestamp}\n**Status:** {overall-status}\n\n---\n\n## Summary\n\n| Property | Value |\n|----------|-------|\n| **Template File(s)** | {bicep-files} |\n| **Parameter File(s)** | {param-files-or-none} |\n| **Project Type** | {azd-project | standalone-bicep} |\n| **Deployment Scope** | {resourceGroup | subscription | managementGroup | tenant} |\n| **Target** | {resource-group-name | subscription-name | mg-id} |\n| **Validation Level** | {Provider | ProviderNoRbac} |\n\n### Validation Results\n\n| Check | Status | Details |\n|-------|--------|---------|\n| Bicep Syntax | {✅ Pass | ❌ Fail | ⚠️ Warnings | ⏭️ Skipped} | {details} |\n| What-If Analysis | {✅ Pass | ❌ Fail | ⏭️ Skipped} | {details} |\n| Permission Check | {✅ Pass | ⚠️ Limited | ❌ Fail} | {details} |\n\n---\n\n## Tools Executed\n\n### Commands Run\n\n| Step | Command | Exit Code | Duration |\n|------|---------|-----------|----------|\n| 1 | `{command}` | {0 | non-zero} | {duration} |\n| 2 | `{command}` | {0 | non-zero} | {duration} |\n\n### Tool Versions\n\n| Tool | Version |\n|------|---------|\n| Azure CLI | {version} |\n| Bicep CLI | {version} |\n| Azure Developer CLI | {version-or-n/a} |\n\n---\n\n## Issues\n\n{if-no-issues}\n✅ **No issues found.** The deployment is ready to proceed.\n{end-if}\n\n{if-issues-exist}\n### Errors\n\n{for-each-error}\n#### ❌ {error-title}\n\n- **Severity:** Error\n- **Source:** {bicep-build | what-if | permissions}\n- **Location:** {file-path}:{line}:{column} (if applicable)\n- **Message:** {error-message}\n- **Remediation:** {suggested-fix}\n- **Documentation:** {link-if-available}\n\n{end-for-each}\n\n### Warnings\n\n{for-each-warning}\n#### ⚠️ {warning-title}\n\n- **Severity:** Warning\n- **Source:** {source}\n- **Message:** {warning-message}\n- **Recommendation:** {suggested-action}\n\n{end-for-each}\n{end-if}\n\n---\n\n## What-If Results\n\n{if-what-if-succeeded}\n\n### Change Summary\n\n| Change Type | Count |\n|-------------|-------|\n| 🆕 Create | {count} |\n| 📝 Modify | {count} |\n| 🗑️ Delete | {count} |\n| ✓ No Change | {count} |\n| ⚠️ Ignore | {count} |\n\n### Resources to Create\n\n{if-resources-to-create}\n| Resource Type | Resource Name |\n|---------------|---------------|\n| {type} | {name} |\n{end-if}\n\n{if-no-resources-to-create}\n*No resources will be created.*\n{end-if}\n\n### Resources to Modify\n\n{if-resources-to-modify}\n#### {resource-type}/{resource-name}\n\n| Property | Current Value | New Value |\n|----------|---------------|-----------|\n| {property-path} | {current} | {new} |\n\n{end-if}\n\n{if-no-resources-to-modify}\n*No resources will be modified.*\n{end-if}\n\n### Resources to Delete\n\n{if-resources-to-delete}\n| Resource Type | Resource Name |\n|---------------|---------------|\n| {type} | {name} |\n\n\u003e ⚠️ **Warning:** Resources listed for deletion will be permanently removed.\n{end-if}\n\n{if-no-resources-to-delete}\n*No resources will be deleted.*\n{end-if}\n\n{end-if-what-if-succeeded}\n\n{if-what-if-failed}\n### What-If Analysis Failed\n\nThe what-if operation could not complete. See the Issues section for details.\n{end-if}\n\n---\n\n## Recommendations\n\n{generate-based-on-findings}\n\n1. {recommendation-1}\n2. {recommendation-2}\n3. {recommendation-3}\n\n---\n\n## Next Steps\n\n{if-all-passed}\nThe preflight validation passed. You can proceed with deployment:\n\n**For azd projects:**\n```bash\nazd provision\n# or\nazd up\n```\n\n**For standalone Bicep:**\n```bash\naz deployment group create \\\n  --resource-group {rg-name} \\\n  --template-file {bicep-file} \\\n  --parameters {param-file}\n```\n{end-if}\n\n{if-issues-exist}\nPlease resolve the issues listed above before deploying. After fixes:\n\n1. Re-run preflight validation to verify fixes\n2. Proceed with deployment once all checks pass\n{end-if}\n\n---\n\n*Report generated by Azure Deployment Preflight Skill*\n```\n\n---\n\n## Status Values\n\n### Overall Status\n\n| Status | Meaning | Visual |\n|--------|---------|--------|\n| **Pass** | All checks succeeded, safe to deploy | ✅ |\n| **Pass with Warnings** | Checks succeeded but review warnings | ⚠️ |\n| **Fail** | One or more checks failed | ❌ |\n\n### Individual Check Status\n\n| Status | Meaning |\n|--------|---------|\n| ✅ Pass | Check completed successfully |\n| ❌ Fail | Check found errors |\n| ⚠️ Warnings | Check passed with warnings |\n| ⏭️ Skipped | Check was skipped (tool unavailable, etc.) |\n\n---\n\n## Example Report\n\n```markdown\n# Azure Deployment Preflight Report\n\n**Generated:** 2026-01-16T14:32:00Z\n**Status:** ⚠️ Pass with Warnings\n\n---\n\n## Summary\n\n| Property | Value |\n|----------|-------|\n| **Template File(s)** | `infra/main.bicep` |\n| **Parameter File(s)** | `infra/main.bicepparam` |\n| **Project Type** | azd project |\n| **Deployment Scope** | subscription |\n| **Target** | my-subscription |\n| **Validation Level** | Provider |\n\n### Validation Results\n\n| Check | Status | Details |\n|-------|--------|---------|\n| Bicep Syntax | ✅ Pass | No errors found |\n| What-If Analysis | ⚠️ Warnings | 1 resource ignored due to nested template limits |\n| Permission Check | ✅ Pass | Full deployment permissions verified |\n\n---\n\n## Tools Executed\n\n### Commands Run\n\n| Step | Command | Exit Code | Duration |\n|------|---------|-----------|----------|\n| 1 | `bicep build infra/main.bicep --stdout` | 0 | 1.2s |\n| 2 | `azd provision --preview --environment dev` | 0 | 8.4s |\n\n### Tool Versions\n\n| Tool | Version |\n|------|---------|\n| Azure CLI | 2.76.0 |\n| Bicep CLI | 0.25.3 |\n| Azure Developer CLI | 1.9.0 |\n\n---\n\n## Issues\n\n### Warnings\n\n#### ⚠️ Nested Template Limit Reached\n\n- **Severity:** Warning\n- **Source:** what-if\n- **Message:** 1 resource was ignored because nested template expansion limits were reached\n- **Recommendation:** Review the ignored resource manually after deployment\n\n---\n\n## What-If Results\n\n### Change Summary\n\n| Change Type | Count |\n|-------------|-------|\n| 🆕 Create | 3 |\n| 📝 Modify | 1 |\n| 🗑️ Delete | 0 |\n| ✓ No Change | 2 |\n| ⚠️ Ignore | 1 |\n\n### Resources to Create\n\n| Resource Type | Resource Name |\n|---------------|---------------|\n| Microsoft.Resources/resourceGroups | rg-myapp-dev |\n| Microsoft.Storage/storageAccounts | stmyappdev |\n| Microsoft.Web/sites | app-myapp-dev |\n\n### Resources to Modify\n\n#### Microsoft.KeyVault/vaults/kv-myapp-dev\n\n| Property | Current Value | New Value |\n|----------|---------------|-----------|\n| properties.sku.name | standard | premium |\n| tags.environment | staging | dev |\n\n### Resources to Delete\n\n*No resources will be deleted.*\n\n---\n\n## Recommendations\n\n1. Review the storage account name `stmyappdev` to ensure it meets naming requirements\n2. Confirm the Key Vault SKU upgrade from standard to premium is intentional\n3. The ignored nested template resource should be verified after deployment\n\n---\n\n## Next Steps\n\nThe preflight validation passed with warnings. Review the warnings above, then proceed:\n\n```bash\nazd provision --environment dev\n```\n\n---\n\n*Report generated by Azure Deployment Preflight Skill*\n```\n\n---\n\n## Formatting Guidelines\n\n1. **Use consistent emoji** for visual scanning\n2. **Include line numbers** when referencing Bicep errors\n3. **Provide actionable remediation** for each issue\n4. **Link to documentation** when available\n5. **Order issues by severity** (errors first, then warnings)\n6. **Include command examples** in Next Steps\n","references/VALIDATION-COMMANDS.md":"# Validation Commands Reference\n\nThis reference documents all commands used for Azure deployment preflight validation.\n\n## Azure Developer CLI (azd)\n\n### azd provision --preview\n\nPreview infrastructure changes for azd projects without deploying.\n\n```bash\nazd provision --preview [options]\n```\n\n**Options:**\n| Option | Description |\n|--------|-------------|\n| `--environment`, `-e` | Name of the environment to use |\n| `--no-prompt` | Accept defaults without prompting |\n| `--debug` | Enable debug logging |\n| `--cwd` | Set working directory |\n\n**Examples:**\n\n```bash\n# Preview with default environment\nazd provision --preview\n\n# Preview specific environment\nazd provision --preview --environment dev\n\n# Preview without prompts (CI/CD)\nazd provision --preview --no-prompt\n```\n\n**Output:** Shows resources that will be created, modified, or deleted.\n\n### azd auth login\n\nAuthenticate to Azure for azd operations.\n\n```bash\nazd auth login [options]\n```\n\n**Options:**\n| Option | Description |\n|--------|-------------|\n| `--check-status` | Check login status without logging in |\n| `--use-device-code` | Use device code flow |\n| `--tenant-id` | Specify tenant |\n| `--client-id` | Service principal client ID |\n\n### azd env list\n\nList available environments.\n\n```bash\nazd env list\n```\n\n---\n\n## Azure CLI (az)\n\n### az deployment group what-if\n\nPreview changes for resource group deployments.\n\n```bash\naz deployment group what-if \\\n  --resource-group \u003crg-name\u003e \\\n  --template-file \u003cbicep-file\u003e \\\n  [options]\n```\n\n**Required Parameters:**\n| Parameter | Description |\n|-----------|-------------|\n| `--resource-group`, `-g` | Target resource group name |\n| `--template-file`, `-f` | Path to Bicep file |\n\n**Optional Parameters:**\n| Parameter | Description |\n|-----------|-------------|\n| `--parameters`, `-p` | Parameter file or inline values |\n| `--validation-level` | `Provider` (default), `ProviderNoRbac`, or `Template` |\n| `--result-format` | `FullResourcePayloads` (default) or `ResourceIdOnly` |\n| `--no-pretty-print` | Output raw JSON for parsing |\n| `--name`, `-n` | Deployment name |\n| `--exclude-change-types` | Exclude specific change types from output |\n\n**Validation Levels:**\n| Level | Description | Use Case |\n|-------|-------------|----------|\n| `Provider` | Full validation with RBAC checks | Default, most thorough |\n| `ProviderNoRbac` | Full validation, read permissions only | When lacking deploy permissions |\n| `Template` | Static syntax validation only | Quick syntax check |\n\n**Examples:**\n\n```bash\n# Basic what-if\naz deployment group what-if \\\n  --resource-group my-rg \\\n  --template-file main.bicep\n\n# With parameters and full validation\naz deployment group what-if \\\n  --resource-group my-rg \\\n  --template-file main.bicep \\\n  --parameters main.bicepparam \\\n  --validation-level Provider\n\n# Fallback without RBAC checks\naz deployment group what-if \\\n  --resource-group my-rg \\\n  --template-file main.bicep \\\n  --validation-level ProviderNoRbac\n\n# JSON output for parsing\naz deployment group what-if \\\n  --resource-group my-rg \\\n  --template-file main.bicep \\\n  --no-pretty-print\n```\n\n### az deployment sub what-if\n\nPreview changes for subscription-level deployments.\n\n```bash\naz deployment sub what-if \\\n  --location \u003clocation\u003e \\\n  --template-file \u003cbicep-file\u003e \\\n  [options]\n```\n\n**Required Parameters:**\n| Parameter | Description |\n|-----------|-------------|\n| `--location`, `-l` | Location for deployment metadata |\n| `--template-file`, `-f` | Path to Bicep file |\n\n**Examples:**\n\n```bash\naz deployment sub what-if \\\n  --location eastus \\\n  --template-file main.bicep \\\n  --parameters main.bicepparam \\\n  --validation-level Provider\n```\n\n### az deployment mg what-if\n\nPreview changes for management group deployments.\n\n```bash\naz deployment mg what-if \\\n  --location \u003clocation\u003e \\\n  --management-group-id \u003cmg-id\u003e \\\n  --template-file \u003cbicep-file\u003e \\\n  [options]\n```\n\n**Required Parameters:**\n| Parameter | Description |\n|-----------|-------------|\n| `--location`, `-l` | Location for deployment metadata |\n| `--management-group-id`, `-m` | Target management group ID |\n| `--template-file`, `-f` | Path to Bicep file |\n\n### az deployment tenant what-if\n\nPreview changes for tenant-level deployments.\n\n```bash\naz deployment tenant what-if \\\n  --location \u003clocation\u003e \\\n  --template-file \u003cbicep-file\u003e \\\n  [options]\n```\n\n**Required Parameters:**\n| Parameter | Description |\n|-----------|-------------|\n| `--location`, `-l` | Location for deployment metadata |\n| `--template-file`, `-f` | Path to Bicep file |\n\n### az login\n\nAuthenticate to Azure CLI.\n\n```bash\naz login [options]\n```\n\n**Options:**\n| Option | Description |\n|--------|-------------|\n| `--tenant`, `-t` | Tenant ID or domain |\n| `--use-device-code` | Use device code flow |\n| `--service-principal` | Login as service principal |\n\n### az account show\n\nDisplay current subscription context.\n\n```bash\naz account show\n```\n\n### az group exists\n\nCheck if resource group exists.\n\n```bash\naz group exists --name \u003crg-name\u003e\n```\n\n---\n\n## Bicep CLI\n\n### bicep build\n\nCompile Bicep to ARM JSON and validate syntax.\n\n```bash\nbicep build \u003cbicep-file\u003e [options]\n```\n\n**Options:**\n| Option | Description |\n|--------|-------------|\n| `--stdout` | Output to stdout instead of file |\n| `--outdir` | Output directory |\n| `--outfile` | Output file path |\n| `--no-restore` | Skip module restore |\n\n**Examples:**\n\n```bash\n# Validate syntax (output to stdout, no file created)\nbicep build main.bicep --stdout \u003e /dev/null\n\n# Build to specific directory\nbicep build main.bicep --outdir ./build\n\n# Validate multiple files\nfor f in *.bicep; do bicep build \"$f\" --stdout; done\n```\n\n**Error Output Format:**\n```\n/path/to/file.bicep(22,51) : Error BCP064: Found unexpected tokens in interpolated expression.\n/path/to/file.bicep(22,51) : Error BCP004: The string at this location is not terminated.\n```\n\nFormat: `\u003cfile\u003e(\u003cline\u003e,\u003ccolumn\u003e) : \u003cseverity\u003e \u003ccode\u003e: \u003cmessage\u003e`\n\n### bicep --version\n\nCheck Bicep CLI version.\n\n```bash\nbicep --version\n```\n\n---\n\n## Parameter File Detection\n\n### Bicep Parameters (.bicepparam)\n\nModern Bicep parameter files (recommended):\n\n```bicep\nusing './main.bicep'\n\nparam location = 'eastus'\nparam environment = 'dev'\nparam tags = {\n  environment: 'dev'\n  project: 'myapp'\n}\n```\n\n**Detection pattern:** `\u003ctemplate-name\u003e.bicepparam`\n\n### JSON Parameters (.parameters.json)\n\nTraditional ARM parameter files:\n\n```json\n{\n  \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#\",\n  \"contentVersion\": \"1.0.0.0\",\n  \"parameters\": {\n    \"location\": { \"value\": \"eastus\" },\n    \"environment\": { \"value\": \"dev\" }\n  }\n}\n```\n\n**Detection patterns:**\n- `\u003ctemplate-name\u003e.parameters.json`\n- `parameters.json`\n- `parameters/\u003cenv\u003e.json`\n\n### Using Parameters with Commands\n\n```bash\n# Bicep parameters file\naz deployment group what-if \\\n  --resource-group my-rg \\\n  --template-file main.bicep \\\n  --parameters main.bicepparam\n\n# JSON parameters file\naz deployment group what-if \\\n  --resource-group my-rg \\\n  --template-file main.bicep \\\n  --parameters @parameters.json\n\n# Inline parameter overrides\naz deployment group what-if \\\n  --resource-group my-rg \\\n  --template-file main.bicep \\\n  --parameters main.bicepparam \\\n  --parameters location=westus\n```\n\n---\n\n## Determining Deployment Scope\n\nCheck the Bicep file's `targetScope` declaration:\n\n```bicep\n// Resource Group (default if not specified)\ntargetScope = 'resourceGroup'\n\n// Subscription\ntargetScope = 'subscription'\n\n// Management Group\ntargetScope = 'managementGroup'\n\n// Tenant\ntargetScope = 'tenant'\n```\n\n**Scope to Command Mapping:**\n\n| targetScope | Command | Required Parameters |\n|-------------|---------|---------------------|\n| `resourceGroup` | `az deployment group what-if` | `--resource-group` |\n| `subscription` | `az deployment sub what-if` | `--location` |\n| `managementGroup` | `az deployment mg what-if` | `--location`, `--management-group-id` |\n| `tenant` | `az deployment tenant what-if` | `--location` |\n\n---\n\n## Version Requirements\n\n| Tool | Minimum Version | Recommended Version | Key Features |\n|------|-----------------|---------------------|--------------|\n| Azure CLI | 2.14.0 | 2.76.0+ | `--validation-level` switch |\n| Azure Developer CLI | 1.0.0 | Latest | `--preview` flag |\n| Bicep CLI | 0.4.0 | Latest | Best error messages |\n\n**Check versions:**\n```bash\naz --version\nazd version\nbicep --version\n```\n"},"import":{"commit_sha":"541b7819d8c3545c6df122491af4fa1eae415779","imported_at":"2026-05-18T20:07:09Z","license_text":"MIT License\n\nCopyright GitHub, Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","owner":"github","repo":"github/awesome-copilot","source_url":"https://github.com/github/awesome-copilot/tree/541b7819d8c3545c6df122491af4fa1eae415779/skills/azure-deployment-preflight"}},"content_hash":[202,64,141,21,86,171,40,13,53,144,123,33,30,193,194,185,114,242,119,164,121,138,221,156,230,239,144,71,5,163,186,134],"trust_level":"unsigned","yanked":false}