Import Infrastructure as Code (Azure -> Terraform with AVM)
Convert existing Azure infrastructure into maintainable Terraform code using discovery data and Azure Verified Modules.
When to Use This Skill
Use this skill when the user asks to:
- Import existing Azure resources into Terraform
- Generate IaC from live Azure environments
- Handle any Azure resource type supported by AVM (and document justified non-AVM fallbacks)
- Recreate infrastructure from a subscription or resource group
- Map dependencies between discovered Azure resources
- Use AVM modules instead of handwritten resources
Prerequisites
- Azure CLI installed and authenticated ()
- Access to the target subscription or resource group
- Terraform CLI installed
- Network access to Terraform Registry and AVM index sources
Inputs
| Parameter | Required | Default | Description |
|---|
| No | Active CLI context | Azure subscription used for subscription-scope discovery and context setting |
| No | None | Azure resource group used for resource-group-scope discovery |
| No | None | One or more Azure ARM resource IDs used for specific-resource-scope discovery |
At least one of
,
, or
is required.
Step-by-Step Workflows
1) Collect Required Scope (Mandatory)
Request one of these scopes before running discovery commands:
- Subscription scope:
- Resource group scope:
- Specific resources scope: one or more values
Scope handling rules:
- Treat Azure ARM resource IDs (for example
/subscriptions/.../providers/...
- Use resource IDs only with Azure CLI arguments (for example
az resource show --ids <resource-id>
- Never pass resource IDs to file-reading commands (, , , glob searches) unless the user explicitly says they are local file paths.
- If the user already provided one valid scope, do not ask for additional scope inputs unless required by a failing command.
- Do not ask follow-up questions that can be answered from already-provided scope values.
If scope is missing, ask for it explicitly and stop.
2) Authenticate and Set Context
Run only the commands required for the selected scope.
For subscription scope:
bash
az login
az account set --subscription <subscription-id>
az account show --query "{subscriptionId:id, name:name, tenantId:tenantId}" -o json
Expected output: JSON object with
,
, and
.
For resource group or specific resource scope,
is still required but
is optional if the active context is already correct.
When using specific resource scope, prefer direct
-based commands first and avoid extra discovery prompts for subscription or resource group unless needed for a concrete command.
3) Run Discovery Commands
Discover resources using the selected scopes. Ensure to fetch all necessary information for accurate Terraform generation.
bash
# Subscription scope
az resource list --subscription <subscription-id> -o json
# Resource group scope
az resource list --resource-group <resource-group-name> -o json
# Specific resource scope
az resource show --ids <resource-id-1> <resource-id-2> ... -o json
Expected output: JSON object or array containing Azure resource metadata (
,
,
,
,
,
).
4) Resolve Dependencies Before Code Generation
Parse exported JSON and map:
- Parent-child relationships (for example: NIC -> Subnet -> VNet)
- Cross-resource references in
- Ordering for Terraform creation
IMPORTANT: Generate the following documentation and save it to a docs folder in the root of the project.
- with all discovered resources and their metadata, including dependencies and references.
- file with a human-readable architecture overview based on the discovered resources and their relationships.
5) Select Azure Verified Modules (Required)
Use the latest AVM version for each resource type.
Terraform Registry
- Search for "avm" + resource name
- Filter by "Partner" tag to find official AVM modules
- Example: Search "avm storage account" → filter by Partner
Official AVM Index
Note: The following links always point to the latest version of the CSV files on the main branch. As intended, this means the files may change over time. If you require a point-in-time version, consider using a specific release tag in the URL.
- Terraform Resource Modules:
https://raw.githubusercontent.com/Azure/Azure-Verified-Modules/refs/heads/main/docs/static/module-indexes/TerraformResourceModules.csv
- Terraform Pattern Modules:
https://raw.githubusercontent.com/Azure/Azure-Verified-Modules/refs/heads/main/docs/static/module-indexes/TerraformPatternModules.csv
- Terraform Utility Modules:
https://raw.githubusercontent.com/Azure/Azure-Verified-Modules/refs/heads/main/docs/static/module-indexes/TerraformUtilityModules.csv
Individual Module information
Use the
tool or another suitable MCP method to get module information if not available locally in the
folder.
Use AVM sources:
- Registry:
https://registry.terraform.io/modules/Azure/<module>/azurerm/latest
- GitHub:
https://github.com/Azure/terraform-azurerm-avm-res-<service>-<resource>
Prefer AVM modules over handwritten
resources when an AVM module exists.
When fetching module information from GitHub repositories, the README.md file in the root of the repository typically contains all detailed information about the module, for example:
https://raw.githubusercontent.com/Azure/terraform-azurerm-avm-res-<service>-<resource>/refs/heads/main/README.md
5a) Read the Module README Before Writing Any Code (Mandatory)
This step is not optional. Before writing a single line of HCL for a module, fetch and
read the full README for that module. Do not rely on knowledge of the raw
provider
or prior experience with other AVM modules.
For each selected AVM module, fetch its README:
text
https://raw.githubusercontent.com/Azure/terraform-azurerm-avm-res-<service>-<resource>/refs/heads/main/README.md
Or if the module is already downloaded after
:
bash
cat .terraform/modules/<module_key>/README.md
From the README, extract and record before writing code:
- Required Inputs — every input the module requires. Any child resource listed here
(NICs, extensions, subnets, public IPs) is managed inside the module. Do not
create standalone module blocks for those resources.
- Optional Inputs — the exact Terraform variable names and their declared .
Do not assume they match the raw provider argument names or block shapes.
- Usage examples — check what resource group identifier is used ( vs
), how child resources are expressed (inline map vs separate module),
and what syntax each input expects.
Apply module rules as patterns, not assumptions
Use the lessons below as examples of the
type of mismatch that often causes imports to fail.
Do not assume these exact names apply to every AVM module. Always verify each selected module's
README and
.
avm-res-compute-virtualmachine
- is a Required Input. NICs are owned by the VM module. Never
create standalone
avm-res-network-networkinterface
- TrustedLaunch is expressed through the top-level booleans
secure_boot_enabled = true
- is a , not an object. Use ; use the
separate
boot_diagnostics_storage_account_uri
- Extensions are managed inside the module via the map. Do not create
standalone extension resources.
avm-res-network-virtualnetwork
- This module is backed by the AzAPI provider, not . Use (the full
resource group resource ID string) to specify the resource group, not .
- Every example in the README shows ; none show .
Generalized takeaway for all AVM modules:
- Determine child resource ownership from Required Inputs before creating sibling modules.
- Determine accepted variable names and types from Optional Inputs and .
- Determine identifier style and input shape from README usage examples.
- Do not infer argument names from raw resources.
6) Generate Terraform Files
Before Writing Import Blocks — Inspect Module Source (Mandatory)
After
downloads the modules, inspect each module's source files to determine
the exact Terraform resource addresses before writing any
blocks. Never write
import addresses from memory.
Step A — Identify the provider and resource label
bash
grep "^resource" .terraform/modules/<module_key>/main*.tf
This reveals whether the module uses
or
labels. For example,
avm-res-network-virtualnetwork
exposes
, not
azurerm_virtual_network "this"
.
Step B — Identify child modules and nested paths
bash
grep "^module" .terraform/modules/<module_key>/main*.tf
If child resources are managed in a sub-module (subnets, extensions, etc.), the import
address must include every intermediate module label:
text
module.<root_module_key>.module.<child_module_key>["<map_key>"].<resource_type>.<label>[<index>]
Step C — Check for vs
bash
grep -n "count\|for_each" .terraform/modules/<module_key>/main*.tf
Any resource using
requires an index in the import address. When
(e.g.,
conditional Linux vs Windows selection), the address must end with
. Resources using
use string keys, not numeric indexes.
Known import address patterns (examples from lessons learned)
These are examples only. Use them as templates for reasoning, then derive the exact addresses
from the downloaded source code for the modules in your current import.
| Resource | Correct import address pattern |
|---|
| AzAPI-backed VNet | module.<vnet_key>.azapi_resource.vnet
|
| Subnet (nested, count-based) | module.<vnet_key>.module.subnet["<subnet_name>"].azapi_resource.subnet[0]
|
| Linux VM (count-based) | module.<vm_key>.azurerm_linux_virtual_machine.this[0]
|
| VM NIC | module.<vm_key>.azurerm_network_interface.virtualmachine_network_interfaces["<nic_key>"]
|
| VM extension (default deploy_sequence=5) | module.<vm_key>.module.extension["<ext_name>"].azurerm_virtual_machine_extension.this
|
| VM extension (deploy_sequence=1–4) | module.<vm_key>.module.extension_<n>["<ext_name>"].azurerm_virtual_machine_extension.this
|
| NSG-NIC association | module.<vm_key>.azurerm_network_interface_security_group_association.this["<nic_key>-<nsg_key>"]
|
Produce:
- with provider and required version constraints
- with AVM module blocks and explicit dependencies
- for environment-specific values
- for key IDs and endpoints
- with placeholder values
Diff Live Properties Against Module Defaults (Mandatory)
After writing the initial configuration, compare every non-zero property of each discovered
live resource against the default value declared in the corresponding AVM module's
. Any property where the live value differs from the module default must be
set explicitly in the Terraform configuration.
Pay particular attention to the following property categories, which are common sources
of silent configuration drift:
- Timeout values (e.g., Public IP defaults to ; live
deployments often use )
- Network policy flags (e.g., subnet
private_endpoint_network_policies
- SKU and allocation (e.g., Public IP , )
- Availability zones (e.g., VM zone, Public IP zone)
- Redundancy and replication settings on storage and database resources
Retrieve full live properties with explicit
commands, for example:
bash
az network public-ip show --ids <resource_id> --query "{idleTimeout:idleTimeoutInMinutes, sku:sku.name, zones:zones}" -o json
az network vnet subnet show --ids <resource_id> --query "{privateEndpointPolicies:privateEndpointNetworkPolicies, delegation:delegations}" -o json
Do not rely solely on
output, which may omit nested or computed properties.
Pin module versions explicitly:
hcl
module "example" {
source = "Azure/<module>/azurerm"
version = "<latest-compatible-version>"
}
7) Validate Generated Code
Run:
bash
terraform init
terraform fmt -recursive
terraform validate
terraform plan
Expected output: no syntax errors, no validation errors, and a plan that matches discovered infrastructure intent.
Troubleshooting
| Problem | Likely Cause | Action |
|---|
| command fails with authorization errors | Wrong tenant/subscription or missing RBAC role | Re-run , verify subscription context, confirm required permissions |
| Discovery output is empty | Incorrect scope or no resources in scope | Re-check scope input and run scoped list/show command again |
| No AVM module found for a resource type | Resource type not yet covered by AVM | Use native resource for that type and document the gap |
| fails | Missing variables or unresolved dependencies | Add required variables and explicit dependencies, then re-run validation |
| Unknown argument or variable not found in module | AVM variable name differs from provider argument name | Read the module README or Optional Inputs section for the correct name |
| Import block fails — resource not found at address | Wrong provider label ( vs ), missing sub-module path, or missing index | Run grep "^resource" .terraform/modules/<key>/main*.tf
|
| shows unexpected on imported resource | Live value differs from AVM module default | Fetch live property with , compare to module default, add explicit value |
| Child-resource module gives "provider configuration not present" | Child resources declared as standalone modules even though parent module owns them | Check Required Inputs in README, remove incorrect standalone modules, and model child resources using the parent module's documented input structure |
| Nested child resource import fails with "resource not found" | Missing intermediate module path, wrong map key, or missing index | Inspect module blocks and / in source; build full nested import address including all module segments and required key/index |
| Tool tries to read ARM resource ID as file path or asks repeated scope questions | Resource ID not treated as input, or agent did not trust already-provided scope | Treat ARM IDs strictly as cloud identifiers, use , and stop re-prompting once one valid scope is present |
Response Contract
When returning results, provide:
- Scope used (subscription, resource group, or resource IDs)
- Discovery files created
- Resource types detected
- AVM modules selected with versions
- Terraform files generated or updated
- Validation command results
- Open gaps requiring user input (if any)
Execution Rules for the Agent
- Do not continue if scope is missing.
- Do not claim successful import without listing discovered files and validation output.
- Do not skip dependency mapping before generating Terraform.
- Prefer AVM modules first; justify each non-AVM fallback explicitly.
- Read the README for every AVM module before writing code. Required Inputs identify
which child resources the module owns. Optional Inputs document exact variable names and
types. Usage examples show provider-specific conventions ( vs
). Skipping the README is the single most common cause of
code errors in AVM-based imports.
- Never assume NIC, extension, or public IP resources are standalone. For
any AVM module, treat child resources as parent-owned unless the README explicitly indicates
a separate module is required. Check Required Inputs before creating sibling modules.
- Never write import addresses from memory. After , grep the downloaded
module source to discover the actual provider ( vs ), resource labels,
sub-module nesting, and vs usage before writing any block.
- Never treat ARM resource IDs as file paths. Resource IDs belong in Azure CLI
arguments and API queries, not file IO tools. Only read local files when a real workspace
path is provided.
- Minimize prompts when scope is already known. If subscription, resource group, or
specific resource IDs are already provided, proceed with commands directly and only ask a
follow-up when a command fails due to missing required context.
- Do not declare the import complete until shows 0 destroys and 0
unwanted changes. Telemetry resources are acceptable. Any or
on real infrastructure resources must be resolved.
References