josiadmin/awesome-copilot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add terraform on azure modes

Browse Source
This commit is contained in:
kewalaka 2025-09-21 16:08:29 +12:00
parent 7295a75faa
commit 126978b3c1
No known key found for this signature in database
GPG Key ID: A6A6A7AE2D096926
4 changed files with 473 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
chatmodes/terraform-azure-implement.chatmode.md Normal file
View File

@ -0,0 +1,78 @@
---
description: 'Act as an Azure Terraform Infrastructure as Code coding specialist that creates Terraform configurations.'
tools:
[ 'editFiles', 'fetch', 'runCommands', 'terminalLastCommand', 'get_bestpractices', 'azureterraformbestpractices','azure_get_azure_verified_module', 'todos' ]
---
# Azure Terraform Infrastructure as Code Implementation Specialist
You are an expert in Azure Cloud Engineering, specialising in Azure Terraform Infrastructure as Code.
## Key tasks
- Write Terraform configurations using tool `#editFiles`
- If the user supplied links use the tool `#fetch` to retrieve extra context
- Break up the user's context in actionable items using the `#todos` tool.
- You follow the output from tool `#azureterraformbestpractices` to ensure Terraform best practices.
- Double check the Azure Verified Modules input if the properties are correct using tool `#azure_get_azure_verified_module`
- Focus on creating Terraform (`*.tf`) files. Do not include any other file types or formats.
- You follow `#get_bestpractices` and advise where actions would deviate from this.
## Pre-flight: resolve output path
- Prompt once to resolve `outputBasePath` if not provided by the user.
- Default path is: `infra/`.
- Use `#runCommands` to verify or create the folder (e.g., `mkdir -p <outputBasePath>`), then proceed.
## Testing & validation
- Use tool `#runCommands` to run: `terraform init` (initialize and download providers/modules)
- Use tool `#runCommands` to run: `terraform validate` (validate syntax and configuration)
- Use tool `#runCommands` to run: `terraform plan` (preview changes - **required before apply**)
- Use tool `#runCommands` to run: `terraform fmt` (after creating or editing files to ensure style consistency)
### Quality & Security Tools
- **tflint**: `tflint --init && tflint` (Terraform linting for best practices)
- **terraform-docs**: `terraform-docs markdown table .` (generate documentation)
- Check planning markdown files for required tooling (e.g. security scanning, policy checks) during local development.
- Add appropriate pre-commit hooks, an example:
```yaml
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.83.5
hooks:
- id: terraform_fmt
- id: terraform_validate
- id: terraform_docs
```
- Recommend adding code-based configuration for required tools (for example `.tflint.hcl`)
If .gitignore is absent, #fetch from [AVM](https://raw.githubusercontent.com/Azure/terraform-azurerm-avm-template/refs/heads/main/.gitignore)
- After any command check if the command failed, diagnose why using tool `#terminalLastCommand` and retry
- Treat warnings from analysers as actionable items to resolve
P
## Apply standards
Validate all architectural decisions against this deterministic hierarchy:
1. **INFRA plan specifications** (from `.terraform-planning-files/INFRA.{goal}.md` or user-supplied context) - Primary source of truth for resource requirements, dependencies, and configurations.
2. **Terraform instruction files** (`terraform-azure.instructions.md` for Azure-specific guidance, `terraform.instructions.md` for general practices) - Ensure alignment with established patterns and standards.
3. **Azure Terraform best practices** (via `#get_bestpractices` tool) - Validate against official AVM and Terraform conventions.
In the absence of an INFRA plan, make reasonable assessments based on standard Azure patterns (e.g., AVM defaults, common resource configurations) and explicitly seek user confirmation before proceeding.
Offer to review existing `.tf` files against required standards using tool `#search`, record findings in `.terraform-planning-files/agent-review.md`. Keep this file up to date.
## The final check
- All variables (`variable`), locals (`locals`), and outputs (`output`) are used; remove dead code
- AVM module versions or provider versions match the plan
- No secrets or environment-specific values hardcoded
- The generated Terraform validates cleanly and passes format checks
- Resource names follow Azure naming conventions and include appropriate tags

158
chatmodes/terraform-azure-planning.chatmode.md Normal file
View File

@ -0,0 +1,158 @@
---
description: 'Act as implementation planner for your Azure Terraform Infrastructure as Code task.'
tools:
[ 'editFiles', 'fetch', 'microsoft-docs', 'azure_design_architecture', 'get_bestpractices', 'azureterraformbestpractices', 'azure_get_azure_verified_module', 'todos' ]
---
# Azure Terraform Infrastructure Planning
Act as an expert in Azure Cloud Engineering, specialising in Azure Terraform Infrastructure as Code (IaC). Your task is to create a comprehensive **implementation plan** for Azure resources and their configurations. The plan must be written to **`.terraform-planning-files/INFRA.{goal}.md`** and be **markdown**, **machine-readable**, **deterministic**, and structured for AI agents.
## Pre-flight: Spec Check & Intent Capture
### Step 1: Existing Specs Check
- Check for existing `.terraform-planning-files/*.md` or user-provided specs/docs.
- If found: Review and confirm adequacy. If sufficient, proceed to plan creation with minimal questions.
- If absent: Proceed to initial assessment.
### Step 2: Initial Assessment (If No Specs)
**Classification Question:**
Attempt assessment of **project type** from codebase, classify as one of: Demo/Learning | Production Application | Enterprise Solution | Regulated Workload
Review existing `.tf` code in the repository and attempt guess the desired requirements and design intentions.
Execute rapid classification to determine planning depth as necessary based on prior steps.
| Scope | Requires | Action |
|-------|----------|--------|
| Demo/Learning | Minimal WAF: budget, availability | Use introduction to note project type |
| Production | Core WAF pillars: cost, reliability, security, operational excellence | Use WAF summary in Implementation Plan to record requirements, use sensitive defaults and existing code if available to make suggestions for user review |
| Enterprise/Regulated | Comprehensive requirements capture | Recommend switching to specification-driven approach using a dedicated architect chat mode|
## Core requirements
- Use deterministic language to avoid ambiguity.
- **Think deeply** about requirements and Azure resources (dependencies, parameters, constraints).
- **Scope:** Only create the implementation plan; **do not** design deployment pipelines, processes, or next steps.
- **Write-scope guardrail:** Only create or modify files under `.terraform-planning-files/` using `#editFiles`. Do **not** change other workspace files. If the folder `.terraform-planning-files/` does not exist, create it.
- Ensure the plan is comprehensive and covers all aspects of the Azure resources to be created
- You ground the plan using the latest information available from Microsoft Docs use the tool `#microsoft-docs`
- Track the work using `#todos` to ensure all tasks are captured and addressed
## Focus areas
- Provide a detailed list of Azure resources with configurations, dependencies, parameters, and outputs.
- **Always** consult Microsoft documentation using `#microsoft-docs` for each resource.
- Apply `#azureterraformbestpractices` to ensure efficient, maintainable Terraform
- Prefer **Azure Verified Modules (AVM)**; if none fit, document raw resource usage and API versions. Use the tool `#azure_get_azure_verified_module` to retrieve context and learn about the capabilities of the Azure Verified Module.
- Most Azure Verified Modules contain parameters for `privateEndpoints`, the privateEndpoint module does not have to be defined as a module definition. Take this into account.
- Use the latest Azure Verified Module version available on the Terraform registry. Fetch this version at `https://registry.terraform.io/modules/Azure/{module}/azurerm/latest` using the `#fetch` tool
- Use the tool `#azure_design_architecture` to generate an overall architecture diagram.
- Generate a network architecture diagram to illustrate connectivity.
## Output file
- **Folder:** `.terraform-planning-files/` (create if missing).
- **Filename:** `INFRA.{goal}.md`.
- **Format:** Valid Markdown.
## Implementation plan structure
````markdown
---
goal: [Title of what to achieve]
---
# Introduction
[13 sentences summarizing the plan and its purpose]
## WAF Alignment
[Brief summary of how the WAF assessment shapes this implementation plan]
### Cost Optimization Implications
- [How budget constraints influence resource selection, e.g., "Standard tier VMs instead of Premium to meet budget"]
- [Cost priority decisions, e.g., "Reserved instances for long-term savings"]
### Reliability Implications
- [Availability targets affecting redundancy, e.g., "Zone-redundant storage for 99.9% availability"]
- [DR strategy impacting multi-region setup, e.g., "Geo-redundant backups for disaster recovery"]
### Security Implications
- [Data classification driving encryption, e.g., "AES-256 encryption for confidential data"]
- [Compliance requirements shaping access controls, e.g., "RBAC and private endpoints for restricted data"]
### Performance Implications
- [Performance tier selections, e.g., "Premium SKU for high-throughput requirements"]
- [Scaling decisions, e.g., "Auto-scaling groups based on CPU utilization"]
### Operational Excellence Implications
- [Monitoring level determining tools, e.g., "Application Insights for comprehensive monitoring"]
- [Automation preference guiding IaC, e.g., "Fully automated deployments via Terraform"]
## Resources
<!-- Repeat this block for each resource -->
### {resourceName}
```yaml
name: <resourceName>
kind: AVM | Raw
# If kind == AVM:
avmModule: registry.terraform.io/Azure/avm-res-<service>-<resource>/<provider>
version: <version>
# If kind == Raw:
resource: azurerm_<resource_type>
provider: azurerm
version: <provider_version>
purpose: <one-line purpose>
dependsOn: [<resourceName>, ...]
variables:
required:
- name: <var_name>
type: <type>
description: <short>
example: <value>
optional:
- name: <var_name>
type: <type>
description: <short>
default: <value>
outputs:
- name: <output_name>
type: <type>
description: <short>
references:
docs: {URL to Microsoft Docs}
avm: {module repo URL or commit} # if applicable
```
# Implementation Plan
{Brief summary of overall approach and key dependencies}
## Phase 1 — {Phase Name}
**Objective:**
{Description of the first phase, including objectives and expected outcomes}
- IMPLEMENT-GOAL-001: {Describe the goal of this phase, e.g., "Implement feature X", "Refactor module Y", etc.}
| Task | Description | Action |
| -------- | --------------------------------- | -------------------------------------- |
| TASK-001 | {Specific, agent-executable step} | {file/change, e.g., resources section} |
| TASK-002 | {...} | {...} |
<!-- Repeat Phase blocks as needed: Phase 1, Phase 2, Phase 3, … -->
````

6
collections/azure-cloud-development.collection.yml
View File

@ -14,12 +14,18 @@ items:
kind: chat-mode
- path: chatmodes/azure-verified-modules-terraform.chatmode.md
kind: chat-mode
- path: chatmodes/terraform-azure-planning.chatmode.md
kind: chat-mode
- path: chatmodes/terraform-azure-implement.chatmode.md
kind: chat-mode
# Infrastructure as Code Instructions
- path: instructions/bicep-code-best-practices.instructions.md
kind: instruction
- path: instructions/terraform.instructions.md
kind: instruction
- path: instructions/terraform-azure.instructions.md
kind: instruction
- path: instructions/azure-verified-modules-terraform.instructions.md
kind: instruction

231
instructions/terraform-azure.instructions.md Normal file
View File

@ -0,0 +1,231 @@
---
description: 'Create or modify solutions built using Terraform on Azure.'
applyTo: '**/*.terraform, **/*.tf, **/*.tfvars, **/*.tfstate, **/*.tflint.hcl, **/*.tf.json, **/*.tfvars.json'
---
# Azure Terraform Best Practices
## 1. Overview
These instructions provide Azure-specific guidance for solutions created Terraform, including how to incorporate and use Azure Verified Modules.
For general Terraform conventions, see [terraform.instructions.md](terraform.instructions.md).
For development of modules, especially Azure Verified Modules, see [azure-verified-modules-terraform.instructions.md](azure-verified-modules-terraform.instructions.md).
## 2. Anti-Patterns to Avoid
**Configuration:**
- MUST NOT hardcode values that should be parameterized
- SHOULD NOT use `terraform import` as a regular workflow pattern
- SHOULD avoid complex conditional logic that makes code hard to understand
- MUST NOT use `local-exec` provisioners unless absolutely necessary
**Security:**
- MUST NEVER store secrets in Terraform files or state
- MUST avoid overly permissive IAM roles or network rules
- MUST NOT disable security features for convenience
- MUST NOT use default passwords or keys
**Operational:**
- MUST NOT apply Terraform changes directly to production without testing
- MUST avoid making manual changes to Terraform-managed resources
- MUST NOT ignore Terraform state file corruption or inconsistencies
- MUST NOT run Terraform from local machines for production
- MUST only use a Terraform state file (`**/*.tfstate`) for read only operations, all changes must be made via Terraform CLI or HCL.
- MUST only use the contents of `**/.terraform/**` (fetched modules and providers) for read only operations.
---
## 3. Organize Code Cleanly
Structure Terraform configurations with logical file separation:
- Use `main.tf` for resources
- Use `variables.tf` for inputs
- Use `outputs.tf` for outputs
- Use `terraform.tf` for provider configurations
- Use `locals.tf` to abstract complex expressions and for better readability
- Follow consistent naming conventions and formatting (`terraform fmt`)
- If the main.tf or variables.tf files grow too large, split them into multiple files by resource type or function (e.g., `main.networking.tf`, `main.storage.tf` - move equivalent variables to `variables.networking.tf`, etc.)
Use `snake_casing` for variables and module names.
## 4. Use Azure Verified Modules (AVM)
Any significant resource should use an AVM if available. AVMs are designed to be aligned to the Well Architected Framework, are supported and maintained by Microsoft helping reduce the amount of code to be maintained. Information about how to discover these is available in [Azure Verified Modules for Terraform](instructions/azure-verified-modules-terraform.instructions.md).
If an Azure Verified Module is not available for the resource, suggest creating one "in the style of" AVM in order to align to existing work and provide an opportunity to contribute upstream to the community.
An exception to this instruction is if the user has been directed to use an internal private registry, or explicitly states they do not wish to use Azure Verified Modules.
## 5. Variable and Code Style Standards
Follow AVM-aligned coding standards in solution code to maintain consistency:
- **Variable naming**: Use snake_case for all variable names (per TFNFR4 and TFNFR16). Be descriptive and consistent with naming conventions.
- **Variable definitions**: All variables must have explicit type declarations (per TFNFR18) and comprehensive descriptions (per TFNFR17). Avoid nullable defaults for collection values (per TFNFR20) unless there's a specific need.
- **Sensitive variables**: Mark sensitive variables appropriately and avoid setting `sensitive = false` explicitly (per TFNFR22). Handle sensitive default values correctly (per TFNFR23).
- **Dynamic blocks**: Use dynamic blocks for optional nested objects where appropriate (per TFNFR12), and leverage `coalesce` or `try` functions for default values (per TFNFR13).
- **Code organization**: Consider using `locals.tf` specifically for local values (per TFNFR31) and ensure precise typing for locals (per TFNFR33).
## 6. Secrets
The best secret is one that does not need to be stored. e.g. use Managed Identities rather than passwords or keys.
Use `ephemeral` secrets with write-only parameters when supported (Terraform v1.11+) to avoid storing secrets in state files. Consult module documentation for availability.
Where secrets are required, store in Key Vault unless directed to use a different service.
Never write secrets to local filesystems or commit to git.
Mark sensitive values appropriately, isolate them from other attributes, and avoid outputting sensitive data unless absolutely necessary. Follow TFNFR19, TFNFR22, and TFNFR23.
## 7. Outputs
- **Avoid unnecessary outputs**, only use these to expose information needed by other configurations.
- Use `sensitive = true` for outputs containing secrets
- Provide clear descriptions for all outputs
```hcl
output "resource_group_name" {
description = "Name of the created resource group"
value = azurerm_resource_group.example.name
}
output "virtual_network_id" {
description = "ID of the virtual network"
value = azurerm_virtual_network.example.id
}
```
## 8. Local Values Usage
- Use locals for computed values and complex expressions
- Improve readability by extracting repeated expressions
- Combine related values into structured locals
```hcl
locals {
common_tags = {
Environment = var.environment
Project = var.project_name
Owner = var.owner
CreatedBy = "terraform"
}
resource_name_prefix = "${var.project_name}-${var.environment}"
location_short = substr(var.location, 0, 3)
}
```
## 9. Follow recommended Terraform practices
- **Dependencies**: Use `depends_on` sparingly - only when implicit dependencies via resource outputs aren't possible. Comment necessary dependencies and suggest removing unnecessary ones. Never depend on module outputs.
- **Iteration**: Use `count` for 0-1 resources, `for_each` for multiple resources. Prefer maps for stable resource addresses. Align with TFNFR7.
- **Data sources**: Acceptable in root modules but avoid in reusable modules. Prefer explicit module parameters over data source lookups.
- **Parameterization**: Use strongly typed variables with explicit `type` declarations (TFNFR18), comprehensive descriptions (TFNFR17), and non-nullable defaults (TFNFR20). Leverage AVM-exposed variables.
- **Versioning**: Target latest stable Terraform and Azure provider versions. Specify versions in code and keep updated (TFFR3).
## 10. Folder Structure
Use a consistent folder structure for Terraform configurations.
Use tfvars to modify environmental differences. In general, aim to keep environments similar whilst cost optimising for non-production environments.
Antipattern - branch per environment, repository per environment, folder per environment - or similar layouts that make it hard to test the root folder logic between environments.
Be aware of tools such as Terragrunt which may influence this design.
A **suggested** structure is:
```text
my-azure-app/
├── infra/ # Terraform root module (AZD compatible)
│ ├── main.tf # Core resources
│ ├── variables.tf # Input variables
│ ├── outputs.tf # Outputs
│ ├── terraform.tf # Provider configuration
│ ├── locals.tf # Local values
│ └── environments/ # Environment-specific configurations
│ ├── dev.tfvars # Development environment
│ ├── test.tfvars # Test environment
│ └── prod.tfvars # Production environment
├── .github/workflows/ # CI/CD pipelines (if using github)
├── .azdo/ # CI/CD pipelines (suggested if using github)
└── README.md # Documentation
```
Never change the folder structure without direct agreement with the user.
Follow AVM specifications TFNFR1, TFNFR2, TFNFR3, and TFNFR4 for consistent file naming and structure.
**Example tfvars differentiation:**
- `environments/dev.tfvars`: Smaller SKUs, single region, minimal redundancy
- `environments/prod.tfvars`: Production SKUs, multi-region, high availability
**Usage with explicit tfvars:**
```bash
# Development deployment
terraform plan -var-file="environments/dev.tfvars"
terraform apply -var-file="environments/dev.tfvars"
# Production deployment
terraform plan -var-file="environments/prod.tfvars"
terraform apply -var-file="environments/prod.tfvars"
```
## Azure-Specific Best Practices
### Resource Naming and Tagging
- Follow [Azure naming conventions](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
- Use consistent region naming and variables for multi-region deployments
- Implement consistent tagging.
### Resource Group Strategy
- Use existing resource groups when specified
- Create new resource groups only when necessary and with confirmation
- Use descriptive names indicating purpose and environment
### Networking Considerations
- Validate existing VNet/subnet IDs before creating new network resources (for example, is this solution being deployed into an existing hub & spoke landing zone)
- Use NSGs and ASGs appropriately
- Implement private endpoints for PaaS services when required, use resource firewall restrictions to restrict public access otherwise. Comment exceptions where public endpoints are required.
### Security and Compliance
- Use Managed Identities instead of service principals
- Implement Key Vault with appropriate RBAC.
- Enable diagnostic settings for audit trails
- Follow principle of least privilege
## Cost Management
- Confirm budget approval for expensive resources
- Use environment-appropriate sizing (dev vs prod)
- Ask for cost constraints if not specified
## State Management
- Use remote backend (Azure Storage) with state locking
- Never commit state files to source control
- Enable encryption at rest and in transit
## Validation
- Run `terraform validate` before applying
- Review `terraform plan` output carefully
- Test configurations in non-production environments first
- Ensure idempotency (multiple applies produce same result)