1# Global Rules
2 
3These rules apply to ALL phases of the migration skill.
4 
5## Destructive Action Policy
6 
7⛔ **NEVER** perform destructive actions without explicit user confirmation via `ask_user`:
8- Deleting files or directories
9- Overwriting existing code
10- Deploying to production environments
11- Modifying existing Azure resources
12- Removing AWS resources
13 
14## User Confirmation Required
15 
16Always use `ask_user` before:
17- Selecting Azure subscription
18- Selecting Azure region/location
19- Deploying infrastructure
20- Making breaking changes to existing code
21 
22## Best Practices
23 
24- Always use `mcp_azure_mcp_get_azure_bestpractices` tool before generating Azure code
25- Prefer managed identity over connection strings
26- **Always use the latest supported language runtime** — check [supported languages](https://learn.microsoft.com/en-us/azure/azure-functions/supported-languages) for the newest GA version. Never default to older versions
27- **Always prefer bindings over SDKs** — use `input.storageBlob()`, `output.storageBlob()`, `app.storageQueue()`, etc. instead of `BlobServiceClient`, `QueueClient`, or other SDK clients. Only use SDK when no binding exists for the service
28- Follow Azure naming conventions
29- Use Flex Consumption hosting plan for new Functions
30 
31## Identity-First Authentication (Zero API Keys)
32 
33> Enterprise subscriptions commonly enforce policies that block local auth. Always design for identity-based access from the start.
34 
35- **Storage accounts**: Set `allowSharedKeyAccess: false`. Use identity-based connections with `AzureWebJobsStorage__credential`, `__clientId`, and service-specific URIs (`__blobServiceUri`, `__queueServiceUri`, etc.)
36- **Cognitive Services**: Set `disableLocalAuth: true`. Use UAMI + RBAC role (e.g., Cognitive Services User) instead of API keys
37- **Application Insights**: Set `disableLocalAuth: true`. Use `APPLICATIONINSIGHTS_AUTHENTICATION_STRING` with `ClientId=<uamiClientId>;Authorization=AAD`
38- **DefaultAzureCredential with UAMI**: When using User Assigned Managed Identity, always pass `managedIdentityClientId` explicitly:
39  ```javascript
40  const credential = new DefaultAzureCredential({
41    managedIdentityClientId: process.env.AZURE_CLIENT_ID
42  });
43  ```
44  Without this, `DefaultAzureCredential` tries SystemAssigned first and fails. Add `AZURE_CLIENT_ID` as an app setting mapped to the UAMI client ID.
45 
46## Flex Consumption Specifics
47 
48- **Always-ready for non-HTTP triggers**: Blob trigger groups on Flex Consumption require `alwaysReady: [{ name: "blob", instanceCount: 1 }]` to bootstrap the trigger listener. Without it, the trigger group never starts and Event Grid subscriptions are never auto-created (chicken-and-egg problem)
49- **Blob trigger with EventGrid source requires queue endpoint**: The blob extension internally uses queues for poison-message tracking. Must include `AzureWebJobsStorage__queueServiceUri` even when using blob trigger (not queue trigger)
50- **Event Grid subscriptions via Bicep/ARM only**: Do NOT create Event Grid event subscriptions via CLI — webhook validation fails on Flex Consumption with "response code Unknown". Deploy as Bicep resources using `listKeys()` to resolve the `blobs_extension` system key at deployment time
51- **azd init on non-empty directories**: `azd init --template` refuses non-empty directories. Use temp directory approach: init in temp, copy template infrastructure files back
52