Azure Validate

# Azure Validate



> **AUTHORITATIVE GUIDANCE** — Follow these instructions exactly unless they contradict security policies given to you.



> **⛔ STOP — PREREQUISITE CHECK REQUIRED**

>

> Before proceeding, verify this prerequisite is met:

>

> **azure-prepare** was invoked and completed → `.azure/deployment-plan.md` exists with status `Approved` or later

>

> If the plan is missing, **STOP IMMEDIATELY** and invoke **azure-prepare** first.

>

> The complete workflow ensures success:

>

> `azure-prepare` → `azure-validate` → `azure-deploy`



## Triggers



- Check if app is ready to deploy

- Validate azure.yaml or Bicep

- Run preflight checks

- Troubleshoot deployment errors



## Rules



1. Run after azure-prepare, before azure-deploy

2. All checks must pass—do not deploy with failures

3. ⛔ **Destructive actions require `ask_user`** — [global-rules](references/global-rules.md)



## Steps



| # | Action | Reference |

|---|--------|-----------|

| 1 | **Load Plan** — Read `.azure/deployment-plan.md` for recipe and configuration. If missing → run azure-prepare first | `.azure/deployment-plan.md` |

| 2 | **Add Validation Steps** — Copy recipe "Validation Steps" to `.azure/deployment-plan.md` as children of "All validation checks pass" | [recipes/README.md](references/recipes/README.md), `.azure/deployment-plan.md` |

| 3 | **Run Validation** — Execute recipe-specific validation commands | [recipes/README.md](references/recipes/README.md) |

| 4 | **Build Verification** — Build the project and fix any errors before proceeding | See recipe |

| 5 | **Static Role Verification** — Review Bicep/Terraform for correct RBAC role assignments in code | [role-verification.md](references/role-verification.md) |

| 6 | **Record Proof** — Populate **Section 7: Validation Proof** with commands run and results | `.azure/deployment-plan.md` |

| 7 | **Resolve Errors** — Fix failures before proceeding | See recipe's `errors.md` |

| 8 | **Update Status** — Only after ALL checks pass, set status to `Validated` | `.azure/deployment-plan.md` |

| 9 | **Deploy** — Invoke **azure-deploy** skill | — |

> **⛔ VALIDATION AUTHORITY**

>

> This skill is the officially verified way to set plan status to `Validated`. You MUST follow these steps to make sure every prerequisite is fulfilled before setting status to `Validated`:

> 1. Run actual validation commands (azd provision --preview, bicep build, terraform validate, etc.)

> 2. Populate **Section 7: Validation Proof** with the commands you ran and their results

> 3. Only then set status to `Validated`

>

> Do NOT set status to `Validated` without running checks and recording proof.



---



> **⚠️ MANDATORY NEXT STEP — DO NOT SKIP**

>

> After ALL validations pass, you **MUST** invoke **azure-deploy** to execute the deployment. Do NOT attempt to run `azd up`, `azd deploy`, or any deployment commands directly. Let azure-deploy handle execution.

>

> If any validation failed, fix the issues and re-run azure-validate before proceeding.



# Azure Policy Validation

## How to Validate Policies

### 1. Get Subscription ID

Retrieve your current Azure subscription ID:

```bash
az account show --query id -o tsv
```

### 2. Validate Policies

Call the A