Skip to content

EnesBrt/azure_iac_skill

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
references
references
 
 
scripts
scripts
 
 
templates
templates
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
SKILL.md
SKILL.md
 
 

Repository files navigation

Azure IaC Agent Skill

Hermes skill for creating Azure IaC from scratch and deploying it through Azure-native APIs with approval gates.

What it does

  • Turns a user request into Azure IaC.
  • Generates Bicep, ARM JSON, Terraform, or OpenTofu files.
  • Reviews generated or existing IaC before deployment.
  • Runs validation and a real plan / What-If.
  • Summarizes changes, risks, public exposure, RBAC, costs, and secrets.
  • Applies only after explicit human approval.
  • Writes a redacted audit summary after apply.

Workflow

author -> review -> validate -> plan -> approve -> apply -> audit

No direct path from prompt to deployment.

Default engine

Use Bicep for Azure-native IaC.

Use Terraform/OpenTofu only when the project needs HCL, state, modules, or existing Terraform workflows.

Azure deployment path

Bicep/ARM uses Azure Resource Manager deployments:

  • validate: az deployment ... validate
  • plan: az deployment ... what-if
  • apply: az deployment ... create

Underlying ARM API mapping:

  • POST .../validate
  • POST .../whatIf
  • PUT .../deployments/{deploymentName}

Terraform/OpenTofu uses the AzureRM provider and applies the approved saved plan file.

Safety contract

Apply is blocked if:

  • validation failed;
  • no real plan or What-If exists;
  • IaC or parameters changed after planning;
  • the plan hash changed;
  • the Azure scope changed;
  • secrets, state, or raw plan artifacts are exposed;
  • approval is missing or vague.

Bicep/ARM What-If is approval evidence, not a replayable plan. Re-run it before apply and stop if it changed.

Terraform/OpenTofu must apply the exact approved plan artifact.

Repository layout

SKILL.md                         Main Hermes skill procedure
references/engine-workflows.md   Bicep, ARM, Terraform, OpenTofu workflows
references/security-policy.md    Risk classes and blocker rules
references/approval-and-audit.md Plan hash, approval, audit contract
templates/bicep/                 Bicep starter files
templates/terraform/             Terraform/OpenTofu starter files
scripts/scan_iac_risks.py        Static IaC risk scanner
scripts/plan_hash.py             Plan identity/hash helper
tests/                           Regression tests

Install

mkdir -p ~/.hermes/skills/devops
git clone https://github.com/EnesBrt/azure_iac_skill.git ~/.hermes/skills/devops/azure-iac-agent

Use

Use the azure-iac-agent skill to create, plan, and deploy Azure IaC.

Approval format:

I approve apply for <engine> <environment> <deployment-name> with plan hash <sha256>.

Helper scripts

python3 scripts/scan_iac_risks.py <iac-directory>
python3 scripts/plan_hash.py --help

About

Hermes Azure IaC skill for Bicep/ARM and Terraform workflows with validate, plan, approval, apply, and audit gates

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages