1# Global Rules
2 
3These rules apply to ALL phases of App Service migration.
4 
5## Destructive Action Policy
6 
7⛔ **NEVER** perform destructive actions without explicit user confirmation via `ask_user`:
8- Deleting files or directories
9- Overwriting existing code
10- Deploying to production environments
11- Modifying existing Azure resources
12- Removing source-platform resources
13 
14## User Confirmation Required
15 
16Always use `ask_user` before:
17- Selecting Azure subscription
18- Selecting Azure region/location
19- Deploying infrastructure
20- Making breaking changes to existing code
21- Choosing App Service Plan tier (Free, Basic, Standard, Premium)
22 
23## Best Practices
24 
25- Always use `mcp_azure_mcp_get_azure_bestpractices` tool before generating Azure code
26- Prefer managed identity over connection strings or API keys
27- **Always use the latest supported runtime stack** — see the App Service [language overview](https://learn.microsoft.com/azure/app-service/overview-supported-languages) for the supported stacks page per language
28- Follow Azure naming conventions
29- Use Premium v3 or Standard plans for production workloads
30- Enable health checks and diagnostic logging from day one
31 
32## Identity-First Authentication (Zero Secrets)
33 
34> Enterprise subscriptions commonly enforce policies that block local auth. Always design for identity-based access from the start.
35 
36- **Storage accounts**: Use identity-based connections with `DefaultAzureCredential`
37- **Databases**: Use Microsoft Entra authentication for Azure SQL and PostgreSQL Flexible Server
38- **Key Vault**: Use Key Vault references in App Settings (`@Microsoft.KeyVault(SecretUri=...)`)
39- **Application Insights**: Configure ingestion via the connection string app setting (`APPLICATIONINSIGHTS_CONNECTION_STRING`). Use managed identity for management-plane access (querying, configuring components), not for telemetry ingestion
40- **DefaultAzureCredential with UAMI**: Always pass `managedIdentityClientId` explicitly:
41  ```javascript
42  const credential = new DefaultAzureCredential({
43    managedIdentityClientId: process.env.AZURE_CLIENT_ID
44  });
45  ```
46 
47## App Service Specifics
48 
49- **Always enable HTTPS Only** — set `httpsOnly: true` in Bicep
50- **Use 64-bit worker** for production — set `use32BitWorkerProcess: false`
51- **Enable Always On** for Standard tier and above to prevent idle unload
52- **Configure health check path** — `/healthz` or equivalent endpoint
53- **Use deployment slots** for zero-downtime deployments in Standard tier+
54- **Set minimum TLS to 1.2** — `minTlsVersion: '1.2'`
55- **Enable managed identity** — prefer User Assigned for multi-resource scenarios
56- **Use App Configuration** for shared settings across environments
57- **Use Key Vault** for secrets — never store secrets in App Settings directly
58 
59## Output Directory
60 
61All migration output goes to `<source-folder>-azure/` at workspace root. Never modify the source directory.
62