Governance Anti Patterns Completeness

Completeness

Structural gaps, incomplete scripts, and missing companion resources

Domain: completeness

---

Checks (11)

Check	Description
ANTI-COMP-001	Local auth disabled but no managed identity or role assignment detected — include both when disabling local auth.
ANTI-COMP-002	Deploy script uses lowercase color variables — use UPPERCASE (YELLOW, RED, GREEN, NC).
ANTI-COMP-003	azurerm data source detected — use terraform_remote_state or input variables to reference prior-stage resources.
ANTI-COMP-004	versions.tf detected — consolidate terraform {}, required_providers, and backend into providers.tf only.
ANTI-COMP-005	Variable reference in backend block — backend blocks only support literal values, not variables.
ANTI-COMP-006	Empty backend configuration values detected — provide literal values or use local backend.
ANTI-COMP-007	Hardcoded resource name with naming convention prefix detected — use variables or remote state outputs.
ANTI-COMP-008	Storage Blob Delegator role detected — use Storage Blob Data Contributor (ba92f5b4) for blob data access.
ANTI-COMP-009	capacityMode does not exist in Cosmos DB ARM schema — use capabilities = [{ name = "EnableServerless" }] instead.
ANTI-COMP-010	Use an azapi_resource for blobServices/default and reference its .id for diagnostic settings parent_id.
ANTI-COMP-011	azapi_resource may be missing parent_id — every azapi_resource MUST have parent_id set.

---

ANTI-COMP-001

Local auth disabled but no managed identity or role assignment detected — include both when disabling local auth.

Rationale: Disabling local auth without providing an alternative identity causes authentication failures at runtime.
Agents: terraform-agent, bicep-agent

Targets

Services	Triggers On	Correct Patterns
Microsoft.Storage/storageAccounts Microsoft.ServiceBus/namespaces Microsoft.EventHub/namespaces Microsoft.CognitiveServices/accounts Microsoft.ContainerRegistry/registries Microsoft.OperationalInsights/workspaces	'local_authentication_disabled = true' 'local_auth_disabled = true' 'disableLocalAuth: true' 'shared_access_key_enabled = false' 'allowSharedKeyAccess: false'	'Microsoft.ManagedIdentity/userAssignedIdentities' 'Microsoft.Authorization/roleAssignments' '# Include managed identity AND role assignment when disabling local auth'

---

ANTI-COMP-002

Deploy script uses lowercase color variables — use UPPERCASE (YELLOW, RED, GREEN, NC).

Rationale: Bash convention uses UPPERCASE for constants; lowercase color variables conflict with common variable names.
Agents: terraform-agent, bicep-agent

Targets

Services	Triggers On	Correct Patterns
*All*	'echo -e "${yellow}' 'echo -e "${red}' 'echo -e "${green}'	'echo -e "${YELLOW}message${NC}"' 'echo -e "${RED}message${NC}"' 'echo -e "${GREEN}message${NC}"'

---

ANTI-COMP-003

azurerm data source detected — use terraform_remote_state or input variables to reference prior-stage resources.

Rationale: azurerm data sources require the azurerm provider which is not used in this project — use remote state or variables instead.
Agents: terraform-agent

Targets

Services	Triggers On	Correct Patterns
*All*	'data "azurerm_resource_group"' 'data "azurerm_log_analytics_workspace"' 'data "azurerm_key_vault"' 'data "azurerm_storage_account"' 'data "azurerm_container_registry"'	'data.terraform_remote_state.stage_name.outputs.resource_id' 'var.resource_group_name' '# Reference prior-stage resources via remote state or input variables'

---

ANTI-COMP-004

versions.tf detected — consolidate terraform {}, required_providers, and backend into providers.tf only.

Rationale: This project consolidates terraform {}, required_providers, and backend into providers.tf — a separate versions.tf causes confusion.
Agents: terraform-agent

Targets

Services	Triggers On	Correct Patterns
*All*	'versions.tf'	'providers.tf' '# Consolidate terraform {}, required_providers, and backend into providers.tf only'

---

ANTI-COMP-005

Variable reference in backend block — backend blocks only support literal values, not variables.

Rationale: Terraform backend configuration blocks cannot use variables, locals, or data sources — only literal values are supported.
Agents: terraform-agent

Targets

Services	Triggers On	Correct Patterns
*All*	'var.tfstate_storage_account' 'var.backend_storage_account' 'var.state_storage_account'	'storage_account_name = "mystorageaccount"' '# Use literal values in backend blocks — variables are not supported' 'backend "local" {}'

---

ANTI-COMP-006

Empty backend configuration values detected — provide literal values or use local backend.

Rationale: Empty backend configuration values cause Terraform init failures or silent fallback to defaults.
Agents: terraform-agent

Targets

Services	Triggers On	Correct Patterns
*All*	'storage_account_name = ""' 'container_name = ""' 'key = ""' 'resource_group_name = ""'	'storage_account_name = "tfstate12345"' 'container_name = "tfstate"' 'key = "stage-name.tfstate"' 'backend "local" {}'

---

ANTI-COMP-007

Hardcoded resource name with naming convention prefix detected — use variables or remote state outputs.

Rationale: Hardcoded names with zone prefixes (zd-, pm-, pc-) break when naming conventions change or resources are reused across environments.
Agents: terraform-agent, bicep-agent

Targets

Services	Triggers On	Correct Patterns
*All*	'queueName = "zd-' 'queueName = "pi-' 'queueName = "pm-' 'queueName = "pc-' 'name = "zdacr' 'name = "zdst' 'resource_group_name = "zd-rg-' 'resource_group_name = "pi-rg-' 'resource_group_name = "pm-rg-'	'data.terraform_remote_state.stage.outputs.queue_name' 'var.resource_group_name' 'local.resource_group_name'

---

ANTI-COMP-008

Storage Blob Delegator role detected — use Storage Blob Data Contributor (ba92f5b4) for blob data access.

Rationale: Storage Blob Delegator only grants User Delegation Key access — applications need Storage Blob Data Contributor for actual blob read/write.
Agents: terraform-agent, bicep-agent

Targets

Services	Triggers On	Correct Patterns
Microsoft.Storage/storageAccounts	'storage blob delegator'	'Storage Blob Data Contributor' '# ba92f5b4-2d11-453d-a403-e96b0029c9fe'

---

ANTI-COMP-009

capacityMode does not exist in Cosmos DB ARM schema — use capabilities = [{ name = "EnableServerless" }] instead.

Rationale: The Cosmos DB ARM schema does not have a capacityMode property. Setting it is silently ignored and serverless mode is not activated.
Agents: terraform-agent, bicep-agent

Targets

Services	Triggers On	Correct Patterns
Microsoft.DocumentDB/databaseAccounts	'capacitymode = "serverless"' 'capacitymode'	'capabilities = [{ name = "EnableServerless" }]'

---

ANTI-COMP-010

Use an azapi_resource for blobServices/default and reference its .id for diagnostic settings parent_id.

Rationale: String interpolation for ARM child resource IDs is fragile and breaks when the resource ID format changes.
Agents: terraform-agent

Targets

Services	Triggers On	Correct Patterns
Microsoft.Storage/storageAccounts	'/blobservices/default'	'parent_id = azapi_resource.blob_service.id'

---

ANTI-COMP-011

azapi_resource may be missing parent_id — every azapi_resource MUST have parent_id set.

Rationale: The azapi provider requires parent_id on all resources. Omitting it causes terraform plan failure. For resource groups, parent_id is /subscriptions/${var.subscription_id}. For child resources, parent_id is the parent resource ID.
Agents: terraform-agent

Targets

Services	Triggers On	Correct Patterns
Microsoft.Resources/resourceGroups	'!parent_id'	'parent_id = "/subscriptions/${var.subscription_id}"'

---