AgentSkillsCN

shared-contract

The single source of truth for the cross-cutting rules followed by every agent and skill in the lab pipeline. Each requirement has a unique ID (R-0xx).

SKILL.md

---
name: shared-contract
description: Single source of truth for cross-cutting rules referenced by all agents and skills in the lab pipeline. Every requirement has a unique ID (R-0xx).
---

Shared Contract

Authoritative cross-cutting rules for the hands-on lab pipeline. Every requirement is identified by a unique ID (R-0xx). Other files MUST reference these IDs — never restate the rule.

For the full Azure governance implementation policy, see Governance-Lab.md at the workspace root.


R-001: Resource Group Naming

Pattern: <exam>-<domain>-<topic>-<deployment>

  • <exam>: lowercase exam code (az104, ai102)
  • <domain>: lowercase domain slug (e.g., networking, storage, generative-ai)
  • <topic>: lowercase topic slug (e.g., vnet-peering, blob-versioning)
  • <deployment>: tf | bicep | scripted

Example: az104-networking-vnet-peering-tf


R-002: Resource Naming — AZ-104 Prefixes

Pattern: <prefix>-<topic>[-instance]

| Resource | Prefix |
|---|---|
| VNet | vnet |
| Subnet | snet |
| NSG | nsg |
| VM | vm |
| Storage | st<exam><topic> (no hyphens) |
| Load Balancer | lb |
| Key Vault | kv |
| Log Analytics | law |
| Recovery Vault | rsv |

R-003: Resource Naming — AI-102 Prefixes

| Resource | Prefix |
|---|---|
| OpenAI | oai |
| Multi-service | cog |
| Vision | cv |
| Language | lang |
| AI Search | srch |
| Deployment | deploy |
| Cosmos DB | cosmos |
| Storage (AI output) | st<exam><topic> |

OpenAI accounts require a random suffix for global uniqueness.


R-004: Bicep Stack Naming

Pattern: stack-<domain>-<topic>

No exam code in stack name.


R-005: Required Tags (All Resources)

| Tag | Rule |
|---|---|
| Environment | Always Lab |
| Project | Uppercase: AI-102 or AZ-104 |
| Domain | e.g., Networking, Storage, Generative AI |
| Purpose | Descriptive (e.g., VNet Peering) |
| Owner | Greg Tate |
| DateCreated | Static YYYY-MM-DD — no timestamp() / utcNow() |
| DeploymentMethod | Terraform or Bicep |
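The following Terraform configuration is an added example, not part of shared-contract or any lab in the repository. It shows how R-001 (resource group naming) and R-005 (required tags) can be enforced at plan time with variable validation blocks, so a mis-named group or a DateCreated value produced by timestamp() fails before anything is deployed. The variable names, the domain_label / purpose inputs and the resource name are assumptions for illustration.

```hcl
# Added example (not part of shared-contract): enforce R-001 and R-005 at
# plan time. Variable and resource names are assumptions for illustration.

variable "exam" {
  type        = string
  description = "Lowercase exam code (R-001)"
  validation {
    condition     = contains(["az104", "ai102"], var.exam)
    error_message = "exam must be az104 or ai102 (R-001)."
  }
}

variable "domain" {
  type        = string
  description = "Lowercase domain slug, e.g. networking (R-001)"
  validation {
    condition     = can(regex("^[a-z0-9]+(-[a-z0-9]+)*$", var.domain))
    error_message = "domain must be a lowercase, hyphen-separated slug (R-001)."
  }
}

variable "topic" {
  type        = string
  description = "Lowercase topic slug, e.g. vnet-peering (R-001)"
  validation {
    condition     = can(regex("^[a-z0-9]+(-[a-z0-9]+)*$", var.topic))
    error_message = "topic must be a lowercase, hyphen-separated slug (R-001)."
  }
}

variable "deployment" {
  type    = string
  default = "tf"
  validation {
    condition     = contains(["tf", "bicep", "scripted"], var.deployment)
    error_message = "deployment must be tf, bicep or scripted (R-001)."
  }
}

variable "date_created" {
  type        = string
  description = "Static YYYY-MM-DD supplied in terraform.tfvars (R-005)"
  validation {
    # Rejects timestamp()/utcNow() output, which carries a time component
    condition     = can(regex("^[0-9]{4}-[0-9]{2}-[0-9]{2}$", var.date_created))
    error_message = "date_created must be a static YYYY-MM-DD string (R-005)."
  }
}

variable "domain_label" { type = string } # e.g. "Networking" (R-005 Domain tag)
variable "purpose"      { type = string } # e.g. "VNet Peering" (R-005 Purpose tag)

locals {
  # R-001: <exam>-<domain>-<topic>-<deployment>, e.g. az104-networking-vnet-peering-tf
  resource_group_name = "${var.exam}-${var.domain}-${var.topic}-${var.deployment}"

  # R-005: map the lowercase exam code to the uppercase Project tag
  project = lookup({ az104 = "AZ-104", ai102 = "AI-102" }, var.exam)

  common_tags = {
    Environment      = "Lab"
    Project          = local.project
    Domain           = var.domain_label
    Purpose          = var.purpose
    Owner            = "Greg Tate"
    DateCreated      = var.date_created
    DeploymentMethod = "Terraform"
  }
}

resource "azurerm_resource_group" "lab" {
  name     = local.resource_group_name
  location = "eastus" # R-006 default
  tags     = local.common_tags
}
```

With exam = "az104", domain = "networking", topic = "vnet-peering" the group is named az104-networking-vnet-peering-tf; a date_created of "2026-01-15T10:00:00Z" is rejected by the validation block during terraform plan, which is the earliest point the R-005 static-date rule can be checked.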

R-006: Region Rules

| Setting | Value |
|---|---|
| Default | eastus |
| Fallback | westus2 → eastus2 → centralus |
| Allowed | Any US region |

Use eastus unless capacity requires fallback.


R-007: Infrastructure SKU Defaults

| Resource | Default |
|---|---|
| VM | Standard_B2s (B1s if sufficient) |
| Storage | Standard LRS |
| Load Balancer | Basic |
| Public IP | Basic |
| SQL | Basic / S0 |
| Disk | Standard HDD |

R-008: AI Service SKU Defaults

| Service | Default |
|---|---|
| OpenAI | S0 |
| Cognitive Services | F0 → S0 |
| Computer Vision | F0 |
| Custom Vision | F0 |
| Language | F0 |
| Translator | F0 |
| Speech | F0 |
| Form Recognizer | F0 |
| AI Search | Free / Basic |

Start on the free tier when available.


R-009: Per-Lab Resource Limits

| Resource | Max |
|---|---|
| VMs | 4 |
| Public IPs | 5 |
| Storage Accounts | 3 |
| VNets | 4 |
| OpenAI Accounts | 2 |
| Cognitive Accounts | 3 |
| Model Deployments | 4 |

R-010: Lab Folder Structure

IaaC (Terraform)

```
<EXAM>/hands-on-labs/<domain>/lab-<topic>/
├── README.md
├── terraform/
│   ├── main.tf
│   ├── variables.tf
│   ├── outputs.tf
│   ├── providers.tf
│   ├── terraform.tfvars
│   └── modules/
│       └── <module>/
│           ├── main.tf
│           ├── variables.tf
│           └── outputs.tf
└── validation/
    └── <validation-script>.ps1
```

IaaC (Bicep)

```
<EXAM>/hands-on-labs/<domain>/lab-<topic>/
├── README.md
├── bicep/
│   ├── main.bicep
│   ├── main.bicepparam
│   ├── bicepconfig.json
│   ├── bicep.ps1
│   └── modules/
│       └── <module>.bicep
└── validation/
    └── <validation-script>.ps1
```

Scripted

```
<EXAM>/hands-on-labs/<domain>/lab-<topic>/
├── README.md
├── scripts/
│   ├── deploy.*
│   ├── config.* (if needed)
│   └── cleanup.*
└── validation/
```

Manual

```
<EXAM>/hands-on-labs/<domain>/lab-<topic>/
├── README.md
└── screenshots/ (optional)
```

R-011: README 14-Section Order

Every lab README must contain these sections in this exact sequence:

  1. Exam Question Scenario
  2. Solution Architecture
  3. Architecture Diagram
  4. Lab Objectives
  5. Lab Structure
  6. Prerequisites
  7. Deployment
  8. Testing the Solution
  9. Cleanup
  10. Scenario Analysis
  11. Key Learning Points
  12. Related Objectives
  13. Additional Resources
  14. Related Labs

R-012: Code Header Block

Include in all .tf, .bicep, .ps1 files. Do NOT include in README.

```
# -------------------------------------------------------------------------
# Program: [filename]
# Description: [purpose]
# Context: [EXAM] Lab - [scenario]
# Author: Greg Tate
# Date: [YYYY-MM-DD]
# -------------------------------------------------------------------------
```

Use // for .bicep files, # for .tf and .ps1.


R-013: Mermaid Diagram Criteria

  • Required when 2+ interconnected resources are deployed
  • Use graph TD (top-down) or graph LR (left-right)
  • Resource names must match governance naming conventions
  • Show dependencies and relationships
  • If not required, include a brief note instead of omitting the section

R-014: Review Report Schema

```
## Review Summary
- Overall: [PASS | FAIL]
- Checks Passed: [X/Y]
- Critical Violations: [count]

## Detailed Results

### [Category Name]
- [Check]: PASS
- [Check]: FAIL — [issue and fix]

## Required Fixes (if FAIL)
1. [File]: [exact change]
```

R-015: Cleanup Policy

  • Destroy lab resources within 7 days
  • Track via DateCreated tag
  • README cleanup section must reference 7-day policy
  • Reference labs must justify permanence in README

R-016: Soft-Delete / Purge

Resources Requiring Purge

| Resource | Retention | Manual Purge |
|---|---|---|
| Cognitive Services | 48 hrs | Yes |
| Key Vault | 7–90 days | Yes |
| API Management | 48 hrs | Yes |
| Recovery Vault | 14 days | Yes |
| App Insights | 14 days | No |
| Log Analytics | 14 days | No |

If not purgeable → use unique naming.

Disable Patterns

Terraform:

```hcl
soft_delete_enabled                          = false
purge_soft_delete_on_destroy                 = true
permanently_delete_on_destroy                = true    # Log Analytics
purge_protected_items_from_vault_on_destroy  = true    # Recovery Vault
```

Bicep:

```bicep
softDeleteState: 'Disabled'
```
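The Terraform attributes listed in the R-016 disable pattern are not all set on the same block: most of them belong to the azurerm provider's features block, while soft_delete_enabled is a per-resource argument. The configuration below is an added example, not part of shared-contract, showing where each setting lands so that a lab's resources are actually purged on terraform destroy instead of lingering in a soft-deleted state that blocks re-use of the name. The feature sub-block names are assumed to match a current azurerm 3.x provider; soft_delete_enabled is shown on the Recovery Services vault, one of the resources that exposes it, and the variable and resource names are assumptions for illustration.

```hcl
# Added example (not part of shared-contract): the R-016 disable/purge settings
# placed where the azurerm provider expects them. Feature sub-block names are
# assumed to match a current azurerm 3.x provider; variable and resource names
# are assumptions for illustration.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

variable "lab_subscription_id" { type = string }      # R-020, from terraform.tfvars
variable "topic"               { type = string }
variable "common_tags"         { type = map(string) } # R-023

provider "azurerm" {
  subscription_id = var.lab_subscription_id

  features {
    key_vault {
      # Key Vault: 7-90 day retention; purge on destroy instead of leaving a soft-deleted vault
      purge_soft_delete_on_destroy    = true
      # Never silently recover a soft-deleted vault of the same name on re-create
      recover_soft_deleted_key_vaults = false
    }
    cognitive_account {
      purge_soft_delete_on_destroy = true # Cognitive Services / OpenAI: 48 hr retention
    }
    api_management {
      purge_soft_delete_on_destroy = true # API Management: 48 hr retention
    }
    log_analytics_workspace {
      permanently_delete_on_destroy = true # not manually purgeable; 14-day retention otherwise
    }
    recovery_service {
      purge_protected_items_from_vault_on_destroy          = true  # Recovery Vault: 14-day retention
      vm_backup_stop_protection_and_retain_data_on_destroy = false
    }
  }
}

resource "azurerm_resource_group" "lab" {
  name     = "az104-backup-${var.topic}-tf" # R-001
  location = "eastus"                      # R-006
  tags     = var.common_tags
}

# Recovery Vault: the vault-level soft_delete_enabled switch from the R-016 snippet
resource "azurerm_recovery_services_vault" "lab" {
  name                = "rsv-${var.topic}" # R-002 prefix
  location            = azurerm_resource_group.lab.location
  resource_group_name = azurerm_resource_group.lab.name
  sku                 = "Standard"
  soft_delete_enabled = false # lab vaults are destroyed within 7 days (R-015)
  tags                = var.common_tags
}
```

Keeping the purge settings in providers.tf (per the R-010 layout) means every lab in the pipeline inherits the same destroy behaviour; a lab that needs a resource to survive must justify it in its README per R-015 rather than quietly omitting the feature block.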

R-017: Deployment Method Priority

IaaC > Scripted > Manual

| Method | Use When |
|---|---|
| IaaC (Terraform / Bicep) | Deploying Azure resources, architecture focus, repeatable |
| Scripted (PowerShell/CLI) | Imperative workflows, operational focus |
| Manual (Portal / UI) | Portal navigation is tested, UI-centric |

If IaaC, always ask user to choose Terraform or Bicep. Never auto-select.


R-018: IaaC Validation Sequence

  1. Validate Syntax — terraform validate or bicep build
  2. Regional Capacity Test — for constrained services (see R-019)
  3. Final Validation — terraform plan or deployment preview

Terraform:

```
Use-AzProfile Lab
Test-Path terraform.tfvars
terraform init
terraform validate
terraform fmt
# Capacity tests here (R-019)
terraform plan
```

Bicep:

```
Use-AzProfile Lab
.\bicep.ps1 validate
# Capacity tests here (R-019)
.\bicep.ps1 plan
```

R-019: Capacity-Constrained Services

Services requiring regional capacity validation before deployment:

  • Cosmos DB (Microsoft.DocumentDB)
  • AI Search (Microsoft.Search)
  • OpenAI / Cognitive Services (Microsoft.CognitiveServices)

Validation commands:

```powershell
az provider show --namespace Microsoft.DocumentDB `
    --query "resourceTypes[?resourceType=='databaseAccounts'].locations[]"

az provider show --namespace Microsoft.Search `
    --query "resourceTypes[?resourceType=='searchServices'].locations[]"

az provider show --namespace Microsoft.CognitiveServices `
    --query "resourceTypes[?resourceType=='accounts'].locations[]"
```

If unavailable, use fallback regions per R-006.


R-020: Lab Subscription

```
e091f6e7-031a-4924-97bb-8c983ca5d21a
```

Must appear in:

  • terraform.tfvars → lab_subscription_id
  • Bicep → subscription context validation
  • Validation scripts → subscription check

R-021: Language Style Conventions

| Tool | Style |
|---|---|
| Terraform | snake_case |
| Bicep | camelCase params |
| Azure Names | Prefix standards per R-002 / R-003 |

R-022: Module Rule

Use modules when 2+ related resource types are deployed.

  • Domain grouping (one concern per module)
  • Self-contained with clear inputs/outputs
  • Pass common_tags (TF) / commonTags (Bicep) to all modules
  • Pass identity references (e.g., principal_id) as explicit inputs for RBAC
  • Thin orchestration in root main.tf / main.bicep
  • Anti-pattern: consolidating unrelated resource types into a single module
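The following is an added example, not code from shared-contract or any lab, of the module shape R-022 asks for: a thin root that passes common_tags and an explicit identity reference into a single-concern module, with the module granting that identity both a control-plane and a data-plane role as the R-025 AI Agent RBAC guardrail requires. Three files are concatenated here with path comments. The root is assumed to already define var.topic, azurerm_resource_group.lab and local.common_tags (the R-023 pattern); the module name, variable names and resource names are assumptions for illustration.

```hcl
# Added example (not part of shared-contract): R-022 module shape with the
# R-025 two-plane RBAC rule. Three files concatenated with path comments.
# The root is assumed to define var.topic, azurerm_resource_group.lab and
# local.common_tags; all other names are assumptions for illustration.

# ---------- root main.tf: thin orchestration ----------
resource "azurerm_user_assigned_identity" "agent" {
  name                = "id-${var.topic}-agent"
  location            = azurerm_resource_group.lab.location
  resource_group_name = azurerm_resource_group.lab.name
  tags                = local.common_tags
}

module "search" {
  source = "./modules/search" # one concern per module (R-022)

  topic               = var.topic
  location            = azurerm_resource_group.lab.location
  resource_group_name = azurerm_resource_group.lab.name
  principal_id        = azurerm_user_assigned_identity.agent.principal_id # explicit identity input
  common_tags         = local.common_tags                                  # R-023
}

# ---------- modules/search/variables.tf ----------
variable "topic"               { type = string }
variable "location"            { type = string }
variable "resource_group_name" { type = string }
variable "principal_id"        { type = string }      # identity receiving RBAC; passed in, never looked up
variable "common_tags"         { type = map(string) }

# ---------- modules/search/main.tf ----------
resource "azurerm_search_service" "this" {
  name                = "srch-${var.topic}" # R-003 prefix
  location            = var.location
  resource_group_name = var.resource_group_name
  sku                 = "free"              # R-008: start on the free tier
  tags                = var.common_tags
}

# Control-plane role: lets the identity manage the service resource itself
resource "azurerm_role_assignment" "search_control_plane" {
  scope                = azurerm_search_service.this.id
  role_definition_name = "Search Service Contributor"
  principal_id         = var.principal_id
}

# Data-plane role: lets the identity read index content at query time
resource "azurerm_role_assignment" "search_data_plane" {
  scope                = azurerm_search_service.this.id
  role_definition_name = "Search Index Data Reader"
  principal_id         = var.principal_id
}

# ---------- modules/search/outputs.tf ----------
output "search_service_id" {
  value = azurerm_search_service.this.id
}

output "search_primary_key" {
  value     = azurerm_search_service.this.primary_key
  sensitive = true # R-025: keys leave the module only as sensitive outputs
}
```

Scoping both role assignments to the single search service, rather than the resource group, keeps the agent identity at least privilege; if a later lab adds a second service to the same module, that is the signal to split it rather than widen the scope.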

R-023: Common Tags Variable Pattern

Terraform:

```hcl
locals {
  common_tags = {
    Environment      = "Lab"
    Project          = "<EXAM>"
    Domain           = "<Domain>"
    Purpose          = "<Purpose>"
    Owner            = var.owner
    DateCreated      = var.date_created
    DeploymentMethod = "Terraform"
  }
}
```

Bicep:

```bicep
var commonTags = {
  Environment: 'Lab'
  Project: '<EXAM>'
  Domain: '<Domain>'
  Purpose: '<Purpose>'
  Owner: owner
  DateCreated: dateCreated
  DeploymentMethod: 'Bicep'
}
```

R-024: Password Generation

Must meet Azure complexity requirements. Never define the password as an input variable. Output it as sensitive.

Terraform: Use hashicorp/random.

```hcl
resource "random_password" "admin" {
  length           = 16
  special          = true
  override_special = "!@#$%"
  # Guarantee at least one character from each class so the result always
  # satisfies Azure's complexity rule rather than only meeting it by chance
  min_lower        = 1
  min_upper        = 1
  min_numeric      = 1
  min_special      = 1
}
```

Bicep: Use uniqueString() or static pattern. Mark @secure().

Target pattern: AzureLab2026!


R-025: Azure Configuration Guardrails

  • Load Balancer SNAT: Set disableOutboundSnat = true when the frontend is used for both inbound and outbound
  • NIC + Public IP: A NIC with an instance-level public IP cannot join an outbound backend pool
  • Storage Containers (TF): Use storage_account_id not storage_account_name
  • AI Services: Enable public network access for labs; validate model availability per region; start minimal capacity; output keys as sensitive
  • AI Agent RBAC: Requires both data plane + control plane roles (e.g., Cosmos DB Operator)

For full details, see Governance-Lab.md at the workspace root.