azure-infra-review
Reviews Bicep modules, azure.yaml, and infrastructure changes for the KB Agent project. Checks naming, RBAC, module wiring, and doc sync. Use when working on infra/ or reviewing infrastructure PRs.
Install
mkdir -p .claude/skills/azure-infra-review && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/16631" && unzip -o skill.zip -d .claude/skills/azure-infra-review && rm skill.zip
Installs to .claude/skills/azure-infra-review
Activation
This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.
Reviews Bicep modules, azure.yaml, and infrastructure changes for the KB Agent project. Checks naming, RBAC, module wiring, and doc sync. Use when working on infra/ or reviewing infrastructure PRs.
About this skill
Azure Infrastructure Review
Review infrastructure changes for correctness, convention compliance, and documentation sync.
Module Structure
infra/
├── azure/
│   ├── azure.yaml                   # AZD project definition
│   ├── hooks/                       # AZD pre/post-provision hooks
│   └── infra/
│       ├── main.bicep               # Orchestration — wires all modules + role assignments
│       ├── main.parameters.json     # AZD parameter file
│       └── modules/
│           ├── monitoring.bicep           # Log Analytics + Application Insights
│           ├── storage.bicep              # Storage account with containers + RBAC
│           ├── ai-services.bicep          # AI Services + model deployments + RBAC
│           ├── search.bicep               # AI Search service + RBAC
│           ├── foundry-project.bicep      # Foundry project
│           ├── cosmos-db.bicep            # Cosmos DB NoSQL (serverless)
│           ├── cosmos-db-role.bicep       # Cosmos DB native RBAC role
│           ├── function-app.bicep         # Functions on Container Apps (Docker)
│           ├── container-registry.bicep   # Azure Container Registry
│           ├── container-app.bicep        # Container Apps Environment + web app
│           ├── container-apps-env.bicep   # Container Apps Environment
│           ├── agent-container-app.bicep  # Agent Container App
│           ├── apim.bicep                 # API Management
│           └── apim-agent-api.bicep       # APIM agent API definition
└── docker/
    ├── docker-compose.dev-infra.yml
    └── docker-compose.dev-services.yml
Review Checklist
Naming & Conventions
- Resource names follow the {type}-{projectName}-{env} pattern
- Module file names are descriptive and kebab-case
- Parameters have descriptions and appropriate defaults
- Region: East US 2 (unless specific service requires otherwise)
RBAC & Security
- All role assignments defined in infra/azure/infra/main.bicep — not in individual modules
- Cosmos DB uses native RBAC via cosmos-db-role.bicep — no connection strings
- Managed identity used for all service-to-service auth
- No secrets or keys in module outputs
- No secrets in app settings — use managed identity references
Module Wiring
- New modules called from infra/azure/infra/main.bicep
- Module outputs consumed by dependent modules
- Role assignments connect the right identities to the right resources
- Dependencies expressed via module references (not dependsOn strings)
Service Definitions
- infra/azure/azure.yaml lists all 6 services with correct paths and hosts:
  - agent → Container App (Docker, port 8088)
  - func-convert-cu → Container App (Docker)
  - func-convert-mistral → Container App (Docker)
  - func-convert-markitdown → Container App (Docker)
  - func-index → Container App (Docker)
  - web-app → Container App (Docker)
- Docker contexts and Dockerfiles referenced correctly
Documentation Sync
- docs/specs/infrastructure.md updated to reflect any resource changes
- New resources documented with their purpose, SKU, and connectivity
Validation
- Bicep compiles: az bicep build --file infra/azure/infra/main.bicep
- Parameters file is valid JSON with correct structure
- No hardcoded subscription IDs, resource group names, or tenant IDs
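As an added example (not part of the skill or the KB Agent project), a small Python pre-check that applies several of the RBAC, wiring and validation items above to Bicep source text before a human or agent review. The sample files, resource names and GUID in it are constructed, and the checks are line-level regex heuristics rather than a Bicep parser, so they complement rather than replace az bicep build.

```python
import re

# Constructed sample Bicep sources (not the project's real files); each
# module deliberately violates one or more checklist items.
SAMPLE_FILES = {
    "infra/azure/infra/main.bicep": """
module storage 'modules/storage.bicep' = { name: 'storage', params: { location: location } }
resource blobRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.outputs.id, agentApp.outputs.principalId, blobDataContributor)
  properties: { principalId: agentApp.outputs.principalId, principalType: 'ServicePrincipal' }
}""",
    "infra/azure/infra/modules/storage.bicep": """
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = { name: 'st-kbagent-dev' }
resource ra 'Microsoft.Authorization/roleAssignments@2022-04-01' = { name: guid(sa.id) }
output connectionString string = 'AccountKey=${sa.listKeys().keys[0].value}'
output id string = sa.id""",
    "infra/azure/infra/modules/search.bicep": """
param scope string = '/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/rg-kb'
resource search 'Microsoft.Search/searchServices@2023-11-01' = { dependsOn: [ 'sa' ] }""",
}

GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
# (finding label, regex applied to every line of every file)
CHECKS = [
    ("key material referenced; use managed identity",
     re.compile(r"\blist(Keys|ConnectionStrings)\s*\(")),
    ("secret-looking module output",
     re.compile(r"^\s*output\s+\w*(key|secret|connectionstring)\w*\s", re.I)),
    ("hardcoded subscription or tenant id",
     re.compile(rf"'/subscriptions/{GUID}|tenantId\s*:\s*'{GUID}'", re.I)),
    ("dependsOn with string literal; use a module reference",
     re.compile(r"dependsOn\s*:\s*\[[^\]]*'")),
]


def review_bicep(files: dict) -> list:
    """Return 'path:line: finding' strings for checklist violations."""
    findings = []
    for path, text in files.items():
        is_main = path.split("/")[-1] == "main.bicep"
        for lineno, line in enumerate(text.splitlines(), 1):
            # Role assignments belong in main.bicep only, never in a module.
            if not is_main and "Microsoft.Authorization/roleAssignments" in line:
                findings.append(f"{path}:{lineno}: role assignment outside main.bicep")
            for label, pattern in CHECKS:
                if pattern.search(line):
                    findings.append(f"{path}:{lineno}: {label}")
    return findings


if __name__ == "__main__":
    for finding in review_bicep(SAMPLE_FILES):
        print(finding)
```

Run against a real checkout, the same function can be fed the files under infra/azure/infra/ read from disk; main.bicep produces no findings in the sample because its role assignment uses a module-output principalId rather than a key.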