Agentic InfraOps for Azure

Agentic InfraOps transforms Azure infrastructure requirements into deploy-ready Bicep code using coordinated AI agents, aligned with Azure Well-Architected Framework (WAF) and Azure Verified Modules (AVM).

What This Skill Does

This skill orchestrates a multi-agent workflow that converts infrastructure requirements into validated, production-ready Azure deployments. Each agent specializes in a specific phase—requirements gathering, architecture assessment, design artifacts, implementation planning, code generation, deployment, and documentation—with outputs passed through structured artifact handoffs.

Agent Workflow (7 Steps)

Execute agents sequentially, coordinating through artifact handoffs via `.github/agents/*.agent.md`:

Step 1: Requirements Gathering

**Agent**: `requirements`

1. Activate the requirements agent via `Ctrl+Shift+A` → Select `requirements.agent.md`

2. Gather comprehensive infrastructure needs covering:

- Project overview and functional requirements

- Non-functional requirements (performance, availability, security)

- Compliance and regulatory constraints

- Budget limitations and cost targets

- Operational requirements and regional preferences

3. Save output as `agent-output/{project}/01-requirements.md`

4. Follow template structure from `.github/templates/01-requirements.template.md`

5. Include attribution footer: `> Generated by requirements agent | {YYYY-MM-DD}`

6. Hand off to architect agent for WAF assessment

Step 2: Architecture Assessment

**Agent**: `architect`

1. Activate architect agent and reference `01-requirements.md`

2. Perform Azure Well-Architected Framework assessment across 5 pillars:

- **Reliability**: Availability targets, disaster recovery, fault tolerance

- **Security**: Identity, data protection, network security

- **Cost Optimization**: SKU selection, resource sizing, pricing estimates

- **Operational Excellence**: Monitoring, automation, deployment strategy

- **Performance Efficiency**: Scaling, throughput, latency requirements

3. Integrate Azure Pricing MCP server for real-time cost estimates

4. Generate `agent-output/{project}/02-architecture-assessment.md` with:

- Requirements validation summary

- Executive summary with key recommendations

- Per-pillar assessment with scoring

- SKU recommendations with cost justifications

- Architectural decisions with trade-offs

5. Optional handoff to diagram/adr agents for design artifacts, or proceed to bicep-plan

Step 3: Design Artifacts (Optional)

**Agents**: `diagram`, `adr`

**Diagram Agent**:

1. Generate Python architecture diagram using `diagrams` library

2. Create `agent-output/{project}/03-des-diagram.py`

3. Render PNG visualization showing Azure resources and relationships

4. Follow naming conventions: resource types, regions, connections

**ADR Agent**:

1. Document significant architecture decisions as formal ADRs

2. Create `agent-output/{project}/03-des-adr-{number}.md` per decision

3. Include context, decision, consequences, WAF trade-offs

4. Follow Nygard ADR format

Step 4: Implementation Planning

**Agent**: `bicep-plan`

1. Activate bicep-plan agent with architecture assessment context

2. Discover Azure Policy governance constraints:

- Required tags (Environment, ManagedBy, Project, Owner)

- Allowed resource types and locations

- Security policies (TLS versions, public access, authentication)

- Cost management constraints

3. Generate `agent-output/{project}/04-implementation-plan.md` with:

- Resource inventory mapped to Azure resource types

- Module structure for Bicep templates

- Implementation tasks with dependencies

- Naming conventions using CAF patterns

- Security baseline configurations

4. Generate `agent-output/{project}/04-governance-constraints.md` documenting compliance requirements

5. Hand off to bicep-code agent for implementation

Step 5: Bicep Code Generation

**Agent**: `bicep-code`

1. Activate bicep-code agent with implementation plan

2. Generate Bicep templates in `infra/bicep/{project}/`:

```

infra/bicep/{project}/

├── main.bicep # Entry point, generates uniqueSuffix

├── parameters/

│ ├── dev.bicepparam

│ ├── staging.bicepparam

│ └── prod.bicepparam

└── modules/

├── networking.bicep

├── compute.bicep

├── data.bicep

└── monitoring.bicep

```

3. **Follow critical patterns**:

- **AVM-first**: Use Azure Verified Modules from `br/public:avm/*` registry

- **Unique naming**: Generate `uniqueSuffix = uniqueString(resourceGroup().id)` in main.bicep, pass to all modules

- **Required tags**: Apply Environment, ManagedBy, Project, Owner to all resources

- **Security defaults**: TLS 1.2+, HTTPS-only, Azure AD auth, managed identities

4. **Naming conventions**:

- Key Vault: `kv-{short}-{env}-{suffix}` (≤24 chars)

- Storage Account: `st{short}{env}{suffix}` (lowercase+numbers, ≤24 chars)

- SQL Server: Azure AD-only authentication (`azureADOnlyAuthentication: true`)

5. **Default region**: `swedencentral` (EU GDPR-compliant)

6. Validate with:

```bash

bicep build infra/bicep/{project}/main.bicep

bicep lint infra/bicep/{project}/main.bicep

```

7. Generate `agent-output/{project}/05-implementation-reference.md` with module descriptions and validation status

8. Hand off to deploy agent

Step 6: Deployment

**Agent**: `deploy`

1. Activate deploy agent with Bicep templates path

2. Authenticate to Azure:

```bash

az login

az account set --subscription "<subscription-id>"

```

3. Execute what-if analysis:

```bash

az deployment group what-if \

--resource-group <rg-name> \

--template-file infra/bicep/{project}/main.bicep \

--parameters @infra/bicep/{project}/parameters/dev.bicepparam

```

4. Review what-if output for unexpected changes

5. Execute deployment:

```bash

az deployment group create \

--resource-group <rg-name> \

--template-file infra/bicep/{project}/main.bicep \

--parameters @infra/bicep/{project}/parameters/dev.bicepparam

```

6. Validate deployed resources:

```bash

az resource list --resource-group <rg-name> --output table

```

7. Generate `agent-output/{project}/06-deployment-summary.md` with:

- Deployment timestamp and duration

- List of created resources with IDs

- Configuration validation checklist

- Post-deployment verification steps

8. Hand off to documentation agents for as-built artifacts

Step 7: As-Built Documentation

**Agents**: `diagram`, `adr`, `docs`

**Diagram Agent**:

1. Generate as-built architecture diagram reflecting deployed resources

2. Query Azure for actual resource configurations

3. Create `agent-output/{project}/07-ab-diagram.py` and render PNG

**ADR Agent**:

1. Document any runtime decisions or deviations from design

2. Create `agent-output/{project}/07-ab-adr-{number}.md` for deployment-specific decisions

**Docs Agent**:

1. Generate comprehensive workload documentation:

- `07-design-document.md`: Architecture overview, component descriptions

- `07-operations-runbook.md`: Monitoring, incident response, maintenance procedures

- `07-cost-summary.md`: Actual vs estimated costs, optimization recommendations

- `07-compliance-matrix.md`: Policy compliance verification

- `07-backup-dr-plan.md`: Backup schedules, recovery procedures, RTO/RPO

2. Include operational details:

- Resource naming conventions used

- Access control configurations

- Monitoring dashboards and alerts

- Scaling policies

- Disaster recovery procedures

Critical Configuration Defaults

All agents must adhere to defaults defined in `.github/agents/_shared/defaults.md`:

| Setting | Value | Notes |

|---------|-------|-------|

| **Default Region** | `swedencentral` | EU GDPR-compliant; alt: `germanywestcentral` |

| **Required Tags** | Environment, ManagedBy, Project, Owner | All resources must include |

| **Unique Suffix** | `uniqueString(resourceGroup().id)` | Generate once in main.bicep |

| **Key Vault Name** | `kv-{short}-{env}-{suffix}` | ≤24 chars |

| **Storage Account** | `st{short}{env}{suffix}` | ≤24 chars, lowercase+numbers |

| **SQL Server Auth** | Azure AD-only | No SQL auth |

| **Zone Redundancy** | P1v4+ App Service Plans | Not S1/P1v2 |

| **TLS Version** | TLS 1.2 minimum | All services |

| **Public Access** | Disabled by default | Storage, Key Vault |

Azure Verified Modules (AVM) Standards

**ALWAYS prefer AVM modules over raw Bicep resources.**

Common AVM modules:

```bicep

// Key Vault

module keyVault 'br/public:avm/res/key-vault/vault:0.11.0' = {

params: { name: kvName, location: location }

}

// Virtual Network

module vnet 'br/public:avm/res/network/virtual-network:0.5.0' = {

params: { name: vnetName, addressSpace: ['10.0.0.0/16'] }

}

// Storage Account

module storage 'br/public:avm/res/storage/storage-account:0.14.0' = {

params: { name: storageAccountName, location: location }

}

// App Service

module appService 'br/public:avm/res/web/site:0.12.0' = {

params: { name: appName, serverFarmResourceId: planId }

}

// SQL Server

module sqlServer 'br/public:avm/res/sql/server:0.10.0' = {

params: {

name: sqlServerName

azureADOnlyAuthentication: true

}

}

```

Full AVM index: https://aka.ms/avm/index

Artifact Output Structure

All agent outputs follow strict template structure from `.github/templates/`:

1. **Load template**: Read `.github/templates/{artifact}.template.md`

2. **Match H2 headings**: Use exact text and order from template

3. **Anchor rule**: Add custom sections only AFTER the last required H2

4. **Attribution**: Include `> Generated by {agent} agent | {YYYY-MM-DD}`

Validation enforced via `scripts/validate-artifact-templates.mjs` in CI.

File-Specific Instruction Rules

Applied via `.gitattributes` to enforce standards:

| File Pattern | Instruction File | Key Rules |

|--------------|------------------|-----------|

| `**/*.bicep` | `bicep-code-best-practices.instructions.md` | AVM-first, uniqueSuffix, required tags |

| `**/*.md` | `markdown.instructions.md` | Formatting, link style, structure |

| `**/*.agent.md` | `agents-definitions.instructions.md` | Front matter, tools, handoffs |

| `**/agent-output/**/07-*.md` | `workload-documentation.instructions.md` | As-built documentation |

Validation Commands

Run after each code generation step:

```bash

Bicep validation

bicep build infra/bicep/{project}/main.bicep

bicep lint infra/bicep/{project}/main.bicep

Artifact template validation

npm run validate

Markdown linting

npm run lint:md

What-if analysis

az deployment group what-if \

--resource-group <rg-name> \

--template-file infra/bicep/{project}/main.bicep \

--parameters @infra/bicep/{project}/parameters/dev.bicepparam

```

Azure Policy Compliance Patterns

Common policy requirements and solutions:

| Policy Requirement | Bicep Implementation |

|-------------------|---------------------|

| SQL Azure AD-only auth | `azureADOnlyAuthentication: true` |

| Zone redundancy | Use P1v4+ SKU (not Standard) |

| Storage shared key access | Disable; use managed identities |

| Required tags | Include Environment, ManagedBy, Project, Owner |

| TLS version | `minimumTlsVersion: 'TLS1_2'` |

| HTTPS-only | `supportsHttpsTrafficOnly: true` |

| Public blob access | `allowBlobPublicAccess: false` |

MCP Integration

Azure Pricing MCP server (`.mcp/azure-pricing-mcp/`) provides real-time SKU pricing:

Example Usage

**Scenario**: Deploy a secure web application with database backend

1. **Requirements Agent**: "Gather requirements for a web application with SQL database, requiring high availability and EU data residency"

2. **Architect Agent**: "Assess the requirements using Azure Well-Architected Framework and provide cost estimates"

3. **Bicep Plan Agent**: "Create an implementation plan for App Service + SQL Database with zone redundancy"

4. **Bicep Code Agent**: "Generate Bicep templates using AVM modules for App Service, SQL Server, Key Vault, and Virtual Network"

5. **Deploy Agent**: "Execute what-if analysis and deploy to dev resource group"

6. **Docs Agent**: "Generate operations runbook and backup/DR plan for the deployed infrastructure"

Important Constraints

Key Files & Directories

| Path | Purpose |

|------|---------|

| `.github/agents/*.agent.md` | Agent definitions (requirements, architect, bicep-plan, bicep-code, deploy, diagram, adr, docs, diagnose) |

| `.github/agents/_shared/defaults.md` | Shared config: regions, tags, naming, security |

| `.github/instructions/` | File-type rules applied via .gitattributes |

| `.github/templates/` | H2 skeleton files for artifact generation |

| `agent-output/{project}/` | All agent-generated artifacts (01-07) |

| `infra/bicep/{project}/` | Bicep templates (main.bicep + modules/) |

| `.mcp/azure-pricing-mcp/` | Azure Pricing MCP server |

| `.vscode/mcp.json` | MCP server configuration |

| `scripts/validate-artifact-templates.mjs` | CI validation of artifact structure |

Tech Stack

---

**Mission**: Azure infrastructure engineered by agents—from requirements to deployed templates, aligned with Well-Architected best practices and Azure Verified Modules.