1---
2name: azure-validate
3description: "Pre-deployment validation for Azure readiness. Run deep checks on configuration, infrastructure (Bicep or Terraform), RBAC role assignments, managed identity permissions, and prerequisites before deploying. WHEN: validate my app, check deployment readiness, run preflight checks, verify configuration, check if ready to deploy, validate azure.yaml, validate Bicep, test before deploying, troubleshoot deployment errors, validate Azure Functions, validate function app, validate serverless deployment, verify RBAC roles, check role assignments, review managed identity permissions, what-if analysis, validate Container Apps deployment."
4license: MIT
5metadata:
6  author: Microsoft
7  version: "0.0.0-placeholder"
8---
9 
10# Azure Validate
11 
12> **AUTHORITATIVE GUIDANCE** — Follow these instructions exactly unless they contradict security policies given to you.
13 
14> **⛔ STOP — PREREQUISITE CHECK REQUIRED**
15>
16> Before proceeding, verify this prerequisite is met:
17>
18> **azure-prepare** was invoked and completed → `.azure/deployment-plan.md` exists with status `Approved` or later
19>
20> If the plan is missing, **STOP IMMEDIATELY** and invoke **azure-prepare** first.
21>
22> The complete workflow ensures success:
23>
24> `azure-prepare` → `azure-validate` → `azure-deploy`
25 
26## Triggers
27 
28- Check if app is ready to deploy
29- Validate azure.yaml or Bicep
30- Run preflight checks
31- Troubleshoot deployment errors
32 
33## Rules
34 
351. Run after azure-prepare, before azure-deploy
362. All checks must pass—do not deploy with failures
373. ⛔ **Destructive actions require `ask_user`** — [global-rules](references/global-rules.md)
38 
39## Steps
40 
41| # | Action | Reference |
42|---|--------|-----------|
43| 1 | **Load Plan** — Read `.azure/deployment-plan.md` for recipe and configuration. If missing → run azure-prepare first | `.azure/deployment-plan.md` |
44| 2 | **Add Validation Steps** — Copy recipe "Validation Steps" to `.azure/deployment-plan.md` as children of "All validation checks pass" | [recipes/README.md](references/recipes/README.md), `.azure/deployment-plan.md` |
45| 3 | **Run Validation** — Execute recipe-specific validation commands | [recipes/README.md](references/recipes/README.md) |
46| 4 | **Build Verification** — Build the project and fix any errors before proceeding | See recipe |
47| 5 | **Static Role Verification** — Review Bicep/Terraform for correct RBAC role assignments in code | [role-verification.md](references/role-verification.md) |
48| 6 | **Record Proof** — Populate **Section 7: Validation Proof** with commands run and results | `.azure/deployment-plan.md` |
49| 7 | **Resolve Errors** — Fix failures before proceeding | See recipe's `errors.md` |
50| 8 | **Update Status** — Only after ALL checks pass, set status to `Validated` | `.azure/deployment-plan.md` |
51| 9 | **Deploy** — Invoke **azure-deploy** skill | — |
52> **⛔ VALIDATION AUTHORITY**
53>
54> This skill is the officially verified way to set plan status to `Validated`. You MUST follow these steps to make sure every prerequisite is fulfilled before setting status to `Validated`:
55> 1. Run actual validation commands (azd provision --preview, bicep build, terraform validate, etc.)
56> 2. Populate **Section 7: Validation Proof** with the commands you ran and their results
57> 3. Only then set status to `Validated`
58>
59> Do NOT set status to `Validated` without running checks and recording proof.
60 
61---
62 
63> **⚠️ MANDATORY NEXT STEP — DO NOT SKIP**
64>
65> After ALL validations pass, you **MUST** invoke **azure-deploy** to execute the deployment. Do NOT attempt to run `azd up`, `azd deploy`, or any deployment commands directly. Let azure-deploy handle execution.
66>
67> If any validation failed, fix the issues and re-run azure-validate before proceeding.
68