arm-portal-governance

Rules, workflows, and constraints for the ARM Service Portal GitOps platform. Use when modifying infrastructure code, Terraform, Crossplane claims, or provisioning workflows, or when making any infrastructure change.

SKILL.md
---
name: arm-portal-governance
description: Rules, workflows, and constraints for the ARM Service Portal GitOps platform. Use when modifying infrastructure code, Terraform, Crossplane claims, provisioning workflows, or any infrastructure changes.
license: MIT
metadata:
  author: crh225
  version: "1.0"
---

ARM Service Portal Governance

This is a GitOps-driven self-service Azure infrastructure provisioning platform. All infrastructure changes must flow through Git.

Critical Rules

Before making ANY changes, understand these non-negotiable constraints:

Never Do These

  • Direct Azure mutations outside GitOps workflow
  • Modify Terraform state files
  • Bypass approval gates
  • Merge PRs automatically to non-dev environments
  • Delete resources without explicit destroy workflow
  • Modify Azure Key Vault secrets or GitHub App keys
  • Relax security policy configurations

Always Do These

  • All infrastructure changes flow through Git PRs
  • Production changes require two approvals
  • Policy violations block requests (not warn)
  • Use blueprints for provisioning, not raw Terraform

Architecture

| Component | Purpose |
| --- | --- |
| Portal Frontend | React UI for blueprint catalog and provisioning |
| Portal Backend | Node.js API, GitHub orchestration, policy enforcement |
| Backstage | Infrastructure catalog, resource discovery |
| ArgoCD | GitOps reconciliation on hub cluster |
| Crossplane | Kubernetes-native infrastructure claims |
| GitHub Actions | Terraform plan/apply execution |

Provisioning Flow

```text
User selects blueprint → Backend validates → Creates PR → Terraform plan → Human approval → Merge → Terraform apply → Resource created
```

Environment Approval Requirements

| Environment | Approvals | Constraints |
| --- | --- | --- |
| Dev | 0 | Auto-merge enabled |
| QA | 1 | Business hours |
| Staging | 1 | Must match QA config |
| Prod | 2 | Business hours, change control |
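As an added illustration (not code from the arm-portal-governance project or its portal backend), the following Node.js gate turns the Critical Rules and the approval table above into a single blocking check: approvals below the required count, QA/Prod requests outside business hours, a Staging config that differs from QA, a Prod request without change control, and any policy-engine finding all block the merge rather than warn, and only Dev may auto-merge. The environment keys, the shape of the `request` object, the business-hours window (09:00 to 17:00 UTC, Monday to Friday), the `changeControlId` field and the sample digests are assumptions made for this example.

```javascript
// Added example, not the project's own code. Required approvals per
// environment, copied from the governance table; environment keys are assumed.
const REQUIRED_APPROVALS = { dev: 0, qa: 1, staging: 1, prod: 2 };

// Assumed business-hours window: 09:00-16:59 UTC, Monday (1) to Friday (5).
function isBusinessHours(date) {
  const day = date.getUTCDay();
  const hour = date.getUTCHours();
  return day >= 1 && day <= 5 && hour >= 9 && hour < 17;
}

// Evaluate a merge request against the approval table. Every failed check is
// recorded as a violation and the request is blocked; nothing is downgraded to
// a warning. `request` fields (approvals count, config digests, changeControlId,
// policyViolations) are an assumed shape for this illustration.
function evaluateMergeGate(request, now = new Date()) {
  const {
    environment,
    approvals = 0,
    stagingConfigDigest,
    qaConfigDigest,
    changeControlId,
    policyViolations = [],
  } = request;
  const violations = [];

  if (!Object.prototype.hasOwnProperty.call(REQUIRED_APPROVALS, environment)) {
    return { allowed: false, autoMerge: false, violations: [`unknown environment: ${environment}`] };
  }

  const required = REQUIRED_APPROVALS[environment];
  if (approvals < required) {
    violations.push(`${environment} requires ${required} approval(s), got ${approvals}`);
  }
  if ((environment === 'qa' || environment === 'prod') && !isBusinessHours(now)) {
    violations.push(`${environment} changes are only merged during business hours`);
  }
  if (environment === 'staging' && stagingConfigDigest !== qaConfigDigest) {
    violations.push('staging config must match QA config');
  }
  if (environment === 'prod' && !changeControlId) {
    violations.push('prod changes require a change control reference');
  }
  // Findings from the policy engine block regardless of environment or severity.
  for (const finding of policyViolations) {
    violations.push(`policy: ${finding}`);
  }

  const allowed = violations.length === 0;
  // Auto-merge is only ever granted to dev; every other environment stays manual.
  return { allowed, autoMerge: allowed && environment === 'dev', violations };
}

// Constructed sample request: a prod change with two approvals and a
// placeholder change-control reference, evaluated on a weekday at noon UTC.
const sampleRequest = {
  environment: 'prod',
  approvals: 2,
  changeControlId: 'CHG-PLACEHOLDER',
  policyViolations: [],
};
console.log(JSON.stringify(evaluateMergeGate(sampleRequest, new Date('2024-01-10T12:00:00Z'))));
```

The gate returns the full list of violations rather than stopping at the first one, so a blocked PR comment can show the requester everything that must change before the request is re-evaluated.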

Repository Structure

  • /portal/ - React frontend and Node.js backend
  • /infra/ - Terraform modules, environments, Crossplane claims
  • /backstage/ - Backstage configuration and templates
  • /.github/workflows/ - CI/CD pipelines

Detailed Documentation

See the full governance docs in .ai/:

  • Context - System mental model
  • Intent - Architectural philosophy
  • Rules - Hard constraints
  • Workflows - Approved execution paths