Merge pull request #4 from Ba4bes/ba4bes/fix-azure-iac-generator-skill

feat: Implement Azure IaC generator with Bicep conversion and diagram…

Author: Ba4bes

ba4bes-unific-travis.sln

@@ -0,0 +1,64 @@
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.5.2.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "tests", "tests", "{0AB3BF05-4346-4AA6-1389-037BE0695223}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "appinsights-instrumentation", "appinsights-instrumentation", "{ACF383C6-5B38-4A54-7773-CC6029374F88}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "resources", "resources", "{66E69BC0-5302-D2DC-C6CF-C9DDB9A11B2B}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "aspnetcore-app", "tests\appinsights-instrumentation\resources\aspnetcore-app\aspnetcore-app.csproj", "{CABCA128-4474-8808-9FCB-383890941946}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "azure-prepare", "azure-prepare", "{A44C729E-0F82-40BC-04DE-9CBB89B4F9EB}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "eval", "eval", "{79540773-9505-E730-EBDE-F703833C4BC5}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "fixtures", "fixtures", "{1F2AA042-BF07-CA97-0662-E6B6BC8CBC3F}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "dotnet-cosmosdb", "dotnet-cosmosdb", "{50619CA1-9D12-3683-C115-3022E34003B1}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MyFunctions", "tests\azure-prepare\eval\fixtures\dotnet-cosmosdb\MyFunctions.csproj", "{74C8039D-26B2-72B9-DE91-46D23FAD45F6}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "dotnet-http", "dotnet-http", "{5FDD7ED6-3A7A-71F0-7FB3-F520640D44DD}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MyFunctions", "tests\azure-prepare\eval\fixtures\dotnet-http\MyFunctions.csproj", "{465FB149-DF7E-536B-A0C3-40707ED77907}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{CABCA128-4474-8808-9FCB-383890941946}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{CABCA128-4474-8808-9FCB-383890941946}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{CABCA128-4474-8808-9FCB-383890941946}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{CABCA128-4474-8808-9FCB-383890941946}.Release|Any CPU.Build.0 = Release|Any CPU
+		{74C8039D-26B2-72B9-DE91-46D23FAD45F6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{74C8039D-26B2-72B9-DE91-46D23FAD45F6}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{74C8039D-26B2-72B9-DE91-46D23FAD45F6}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{74C8039D-26B2-72B9-DE91-46D23FAD45F6}.Release|Any CPU.Build.0 = Release|Any CPU
+		{465FB149-DF7E-536B-A0C3-40707ED77907}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{465FB149-DF7E-536B-A0C3-40707ED77907}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{465FB149-DF7E-536B-A0C3-40707ED77907}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{465FB149-DF7E-536B-A0C3-40707ED77907}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(NestedProjects) = preSolution
+		{ACF383C6-5B38-4A54-7773-CC6029374F88} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
+		{66E69BC0-5302-D2DC-C6CF-C9DDB9A11B2B} = {ACF383C6-5B38-4A54-7773-CC6029374F88}
+		{CABCA128-4474-8808-9FCB-383890941946} = {66E69BC0-5302-D2DC-C6CF-C9DDB9A11B2B}
+		{A44C729E-0F82-40BC-04DE-9CBB89B4F9EB} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
+		{79540773-9505-E730-EBDE-F703833C4BC5} = {A44C729E-0F82-40BC-04DE-9CBB89B4F9EB}
+		{1F2AA042-BF07-CA97-0662-E6B6BC8CBC3F} = {79540773-9505-E730-EBDE-F703833C4BC5}
+		{50619CA1-9D12-3683-C115-3022E34003B1} = {1F2AA042-BF07-CA97-0662-E6B6BC8CBC3F}
+		{74C8039D-26B2-72B9-DE91-46D23FAD45F6} = {50619CA1-9D12-3683-C115-3022E34003B1}
+		{5FDD7ED6-3A7A-71F0-7FB3-F520640D44DD} = {1F2AA042-BF07-CA97-0662-E6B6BC8CBC3F}
+		{465FB149-DF7E-536B-A0C3-40707ED77907} = {5FDD7ED6-3A7A-71F0-7FB3-F520640D44DD}
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {8E98131F-80C5-4D1E-A0E7-CC00D7F68BE0}
+	EndGlobalSection
+EndGlobal

plugin/skills/azure-iac-generator/SKILL.md

@@ -4,12 +4,12 @@ description: "Generate deployment-ready Bicep templates from existing Azure envi
 license: MIT
 metadata:
   author: Microsoft
-  version: "1.0.0"
+  version: "1.0.1"
 ---
 
 # Azure IaC Generator
 
-Reverse-engineer live Azure resources or Draw.io diagrams into deployment-ready, modular Bicep. The goal is an **environment-identical** redeployment — every runtime version, SKU, and setting must match the Azure source.
+Reverse-engineer live Azure resources or Draw.io diagrams into deployment-ready, modular Bicep. The goal is an **environment-identical** redeployment for supported configurations. When Azure uses an end-of-life runtime, preserve the extracted value in comments and default to the current supported upgrade path.
 
 ## Prerequisites
 
@@ -32,6 +32,10 @@ Reverse-engineer live Azure resources or Draw.io diagrams into deployment-ready,
 | **CLI fallback** | `az resource show --ids <id>`, `az webapp show`, `az webapp config appsettings list` |
 | **Output** | Project folder with `main.bicep`, `.bicepparam`, `modules/`, `dependencies/`, `README.md` |
 
+## Design Notes
+
+Named `azure-iac-generator` rather than `azure-bicep-generator` to accommodate future IaC tooling such as Terraform. Bicep is the only supported target today; Terraform support is reserved for a future iteration.
+
 ## Routing — MUST follow the matched workflow
 
 ```
@@ -49,6 +53,7 @@ User request
 - [azure-resource-configs.md](references/azure-resource-configs.md) — Per-type property extraction
 - [azure-deployment-verification.md](references/azure-deployment-verification.md) — Pre-deployment checks
 - [version-currency.md](references/version-currency.md) — API + runtime version rules
+- [bicep-parsing.md](references/procedures/bicep-parsing.md) — Parse existing Bicep and `.bicepparam` files when merging with generated output
 
 ## Output Structure — MUST create this folder layout
 

plugin/skills/azure-iac-generator/references/azure-deployment-verification.md

@@ -1,5 +1,8 @@
 # Azure Deployment Verification Rules
 
+> **Canonical copy:** Shared deployment-verification rules used by Azure IaC skills. Keep local copies aligned when this rule set changes.
+
+
 Shared pre-deployment verification rules for generated Bicep templates. These cover **gotcha-prone constraints** that are easy to miss — SKU dependencies, resource compatibility, and networking rules that cause deployment failures.
 
 For rules not listed here (security defaults like TLS 1.2, HTTPS enforcement, runtime version currency), verify against Bicep MCP `get_az_resource_type_schema`, [bicep-best-practices.md](bicep-best-practices.md), and Microsoft documentation.

plugin/skills/azure-iac-generator/references/azure-resource-model.md

@@ -1,5 +1,8 @@
 # Azure Resource Metadata Model
 
+> **Canonical copy:** Shared resource-model schema used across Azure IaC and diagram skills. Keep local copies aligned when this schema changes.
+
+
 Shared internal representation used by AzVerify skills (sketch-to-diagram, diagram-to-bicep, diagram-azure-sync).
 
 ## Schema

plugin/skills/azure-iac-generator/references/azure-stencil-mapping.json

@@ -0,0 +1,110 @@
+{
+  "_canonicalCopy": {
+    "description": "Shared Azure stencil mapping copied into azure-iac-generator so diagram-parsing references resolve locally.",
+    "maintainers": [
+      "Azure IaC skills"
+    ]
+  },
+  "resources": [
+    {
+      "type": "Microsoft.Compute/virtualMachines",
+      "imagePath": "img/lib/azure2/compute/Virtual_Machine.svg"
+    },
+    {
+      "type": "Microsoft.Web/sites",
+      "imagePath": "img/lib/azure2/app_services/App_Services.svg"
+    },
+    {
+      "type": "Microsoft.Web/serverfarms",
+      "imagePath": "img/lib/azure2/app_services/App_Service_Plans.svg"
+    },
+    {
+      "type": "Microsoft.Storage/storageAccounts",
+      "imagePath": "img/lib/azure2/storage/Storage_Accounts.svg"
+    },
+    {
+      "type": "Microsoft.KeyVault/vaults",
+      "imagePath": "img/lib/azure2/security/Key_Vaults.svg"
+    },
+    {
+      "type": "Microsoft.Sql/servers",
+      "imagePath": "img/lib/azure2/databases/SQL_Server.svg"
+    },
+    {
+      "type": "Microsoft.Sql/servers/databases",
+      "imagePath": "img/lib/azure2/databases/SQL_Database.svg"
+    },
+    {
+      "type": "Microsoft.Network/virtualNetworks",
+      "imagePath": "img/lib/azure2/networking/Virtual_Networks.svg"
+    },
+    {
+      "type": "Microsoft.Network/virtualNetworks/subnets",
+      "imagePath": "img/lib/azure2/networking/Subnets.svg"
+    },
+    {
+      "type": "Microsoft.Network/networkSecurityGroups",
+      "imagePath": "img/lib/azure2/networking/Network_Security_Groups.svg"
+    },
+    {
+      "type": "Microsoft.Network/privateEndpoints",
+      "imagePath": "img/lib/azure2/networking/Private_Link.svg"
+    },
+    {
+      "type": "Microsoft.Network/privateDnsZones",
+      "imagePath": "img/lib/azure2/networking/Private_DNS_Zones.svg"
+    },
+    {
+      "type": "Microsoft.Network/applicationGateways",
+      "imagePath": "img/lib/azure2/networking/Application_Gateways.svg"
+    },
+    {
+      "type": "Microsoft.Network/loadBalancers",
+      "imagePath": "img/lib/azure2/networking/Load_Balancers.svg"
+    },
+    {
+      "type": "Microsoft.Network/publicIPAddresses",
+      "imagePath": "img/lib/azure2/networking/Public_IP_Addresses.svg"
+    },
+    {
+      "type": "Microsoft.ContainerRegistry/registries",
+      "imagePath": "img/lib/azure2/containers/Container_Registries.svg"
+    },
+    {
+      "type": "Microsoft.ContainerService/managedClusters",
+      "imagePath": "img/lib/azure2/containers/Kubernetes_Services.svg"
+    },
+    {
+      "type": "Microsoft.App/containerApps",
+      "imagePath": "img/lib/azure2/containers/Container_Apps.svg"
+    },
+    {
+      "type": "Microsoft.DocumentDB/databaseAccounts",
+      "imagePath": "img/lib/azure2/databases/Azure_Cosmos_DB.svg"
+    },
+    {
+      "type": "Microsoft.Cache/redis",
+      "imagePath": "img/lib/azure2/databases/Azure_Cache_for_Redis.svg"
+    },
+    {
+      "type": "Microsoft.ServiceBus/namespaces",
+      "imagePath": "img/lib/azure2/integration/Service_Bus.svg"
+    },
+    {
+      "type": "Microsoft.EventHub/namespaces",
+      "imagePath": "img/lib/azure2/analytics/Event_Hubs.svg"
+    },
+    {
+      "type": "Microsoft.Insights/components",
+      "imagePath": "img/lib/azure2/monitor/Application_Insights.svg"
+    },
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "imagePath": "img/lib/azure2/monitor/Log_Analytics_Workspaces.svg"
+    },
+    {
+      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+      "imagePath": "img/lib/azure2/identity/Managed_Identities.svg"
+    }
+  ]
+}

plugin/skills/azure-iac-generator/references/azure-to-bicep-workflow.md

@@ -14,7 +14,7 @@ Get target scope: resource group name(s) and subscription ID. If not specified,
 
 ## Step 3 — Discover Resources
 
-Use `azure_mcp-group_resource_list` (or `az resource list --resource-group <name>`) to enumerate all resources. Extract: `id`, `name`, `type`, `location`, `tags`, `sku`. If no resources found, stop with an error.
+Use `group_resource_list` (or `az resource list --resource-group <name>`) to enumerate all resources. Extract: `id`, `name`, `type`, `location`, `tags`, `sku`. If no resources found, stop with an error.
 
 ## Step 4 — Filter Non-Deployable Resources
 
@@ -65,14 +65,14 @@ Follow [bicep-best-practices.md](bicep-best-practices.md) strictly. Call Bicep M
 | `main.bicep` | `targetScope = 'resourceGroup'`; all params with `@description()` and `@secure()` where needed; one `module` block per category; outputs for key endpoints/IDs |
 | `<scope>.bicepparam` | `using 'main.bicep'`; every param value matching current Azure config; 1-3 line comments per param (what it controls, alternatives with cost impact, version EOL dates); `readEnvironmentVariable()` for secrets |
 | `modules/networking.bicep` | VNets, subnets, NSGs, private endpoints, NICs, firewalls |
-| `modules/compute.bicep` | VMs, App Services, Functions, Container Apps — **use actual runtime from Azure** (e.g., `DOTNETCORE|8.0` exactly as extracted, not guessed) |
+| `modules/compute.bicep` | VMs, App Services, Functions, Container Apps — follow the runtime defaulting rules in [version-currency.md](version-currency.md) |
 | `modules/data.bicep` | Storage, SQL, Cosmos DB, Redis, Key Vault |
 | `modules/identity.bicep` | User-assigned managed identities, role assignments |
 | `modules/monitoring.bicep` | App Insights, Log Analytics, action groups |
 
 Only create module files that have resources. Each module receives only the params it needs. Use `parent:` for child resources, `existing` blocks for cross-module refs, symbolic references (`foo.id`) — never `resourceId()`.
 
-**Runtime version rule**: Use the exact runtime version from Azure. If the extracted version is end-of-life per [version-currency.md](version-currency.md), keep the current value as default but add a comment recommending the upgrade with EOL date.
+Apply the runtime defaulting and comment rules from [version-currency.md](version-currency.md). That file is the single source of truth for supported-versus-EOL handling.
 
 ## Step 9 — Generate Dependencies Folder
 

plugin/skills/azure-iac-generator/references/procedures/azure-authentication.md

@@ -1,5 +1,8 @@
 # Azure Authentication Check
 
+> **Canonical copy:** Shared authentication gate used by Azure IaC and diagram skills. Keep local copies aligned when this procedure changes.
+
+
 Canonical procedure for verifying Azure session before any Azure operations. Referenced by all skills that interact with Azure.
 
 ---

plugin/skills/azure-iac-generator/references/procedures/bicep-parsing.md

@@ -1,5 +1,8 @@
 # Bicep Parsing Procedure
 
+> **Canonical copy:** Shared Bicep parsing procedure used by Azure IaC and comparison skills. Keep local copies aligned when this procedure changes.
+
+
 Parse Bicep templates into a structured resource model for comparison. Referenced by skills that analyze existing Bicep files.
 
 ---

plugin/skills/azure-iac-generator/references/procedures/diagram-parsing.md

@@ -1,5 +1,8 @@
 # Diagram Parsing Procedure
 
+> **Canonical copy:** Shared diagram-parsing procedure used by Azure IaC and diagram skills. Keep local copies aligned when this procedure changes.
+
+
 Parse a Draw.io XML file into a structured resource model. Referenced by all skills that consume Draw.io diagrams.
 
 ---

plugin/skills/azure-iac-generator/references/procedures/resource-filtering.md

@@ -0,0 +1,28 @@
+# Resource Filtering for Azure-to-Bicep
+
+> **Canonical copy:** Shared resource-filtering rules used by Azure IaC skills. Keep local copies aligned when this filter list changes.
+
+
+Use this table during Azure-to-Bicep discovery to remove resources that should not become first-class Bicep resources in generated output.
+
+## Filtering Table
+
+| Resource Pattern or Type | Why It Is Filtered | Exclude for Bicep |
+|---|---|---|
+| `Microsoft.Resources/deployments` | Deployment history is operational metadata, not desired-state infrastructure. | Yes |
+| `Microsoft.Insights/metricalerts` generated by platform onboarding | Often auto-created during monitoring enablement and not part of the requested baseline. | Yes |
+| `Microsoft.AlertsManagement/smartDetectorAlertRules` | Auto-generated smart detection rules are service-managed. | Yes |
+| `microsoft.insights/webtests` created by availability defaults | Synthetic tests may be optional operational assets rather than core infrastructure. | Yes |
+| Resources with `hidden-` prefixes or `hidden-link:` tags | Platform-generated link resources are derived artifacts, not author-managed infrastructure. | Yes |
+| Extension resources whose lifecycle is entirely platform-managed | These resources are recreated by the parent service and should not be emitted directly. | Yes |
+| `Microsoft.Insights/components` | Application Insights is deployable infrastructure and should be preserved. | No |
+| `Microsoft.OperationalInsights/workspaces` | Log Analytics workspaces are deployable infrastructure and should be preserved. | No |
+| `Microsoft.ManagedIdentity/userAssignedIdentities` | User-assigned identities are first-class deployable resources. | No |
+| `Microsoft.Insights/diagnosticSettings` | Diagnostic settings are deployable and often required for parity. | No |
+
+## Procedure
+
+1. Start with the full `group_resource_list` output.
+2. Exclude rows marked **Yes** in the table above.
+3. Keep all rows marked **No**, even when they were created by portal workflows.
+4. If a resource is ambiguous, prefer keeping it and note the uncertainty in the generated `README.md`.