Import Infrastructure as Code (Azure -> Terraform with AVM)
Convert existing Azure infrastructure into maintainable Terraform code using discovery data and Azure Verified Modules.
When to Use This Skill
Use this skill when the user asks to:
- Import existing Azure resources into Terraform
- Generate IaC from live Azure environments
- Handle any Azure resource type supported by AVM (and document justified non-AVM fallbacks)
- Recreate infrastructure from a subscription or resource group
- Map dependencies between discovered Azure resources
- Use AVM modules instead of handwritten
azurerm_* resources
Prerequisites
- Azure CLI installed and authenticated (
az login)
- Access to the target subscription or resource group
- Terraform CLI installed
- Network access to Terraform Registry and AVM index sources
Inputs
| Parameter |
Required |
Default |
Description |
subscription-id |
No |
Active CLI context |
Azure subscription used for subscription-scope discovery and context setting |
resource-group-name |
No |
None |
Azure resource group used for resource-group-scope discovery |
resource-id |
No |
None |
One or more Azure ARM resource IDs used for specific-resource-scope discovery |
At least one of subscription-id, resource-group-name, or resource-id is required.
Step-by-Step Workflows
1) Collect Required Scope (Mandatory)
Request one of these scopes before running discovery commands:
- Subscription scope:
<subscription-id>
- Resource group scope:
<resource-group-name>
- Specific resources scope: one or more
<resource-id> values
Scope handling rules:
- Treat Azure ARM resource IDs (for example
/subscriptions/.../providers/...) as cloud resource identifiers, not local file system paths.
- Use resource IDs only with Azure CLI
--ids arguments (for example az resource show --ids <resource-id>).
- Never pass resource IDs to file-reading commands (
cat, ls, read_file, glob searches) unless the user explicitly says they are local file paths.
- If the user already provided one valid scope, do not ask for additional scope inputs unless required by a failing command.
- Do not ask follow-up questions that can be answered from already-provided scope values.
If scope is missing, ask for it explicitly and stop.
2) Authenticate and Set Context
Run only the commands required for the selected scope.
For subscription scope:
az login
az account set --subscription <subscription-id>
az account show --query "{subscriptionId:id, name:name, tenantId:tenantId}" -o json
Expected output: JSON object with subscriptionId, name, and tenantId.
For resource group or specific resource scope, az login is still required but az account set is optional if the active context is already correct.
When using specific resource scope, prefer direct --ids-based commands first and avoid extra discovery prompts for subscription or resource group unless needed for a concrete command.
3) Run Discovery Commands
Discover resources using the selected scopes. Ensure to fetch all necessary information for accurate Terraform generation.
az resource list --subscription <subscription-id> -o json
az resource list --resource-group <resource-group-name> -o json
az resource show --ids <resource-id-1> <resource-id-2> ... -o json
Expected output: JSON object or array containing Azure resource metadata (id, type, name, location, tags, properties).
4) Resolve Dependencies Before Code Generation
Parse exported JSON and map:
- Parent-child relationships (for example: NIC -> Subnet -> VNet)
- Cross-resource references in
properties
- Ordering for Terraform creation
IMPORTANT: Generate the following documentation and save it to a docs folder in the root of the project.
exported-resources.json with all discovered resources and their metadata, including dependencies and references.EXPORTED-ARCHITECTURE.MD file with a human-readable architecture overview based on the discovered resources and their relationships.
5) Select Azure Verified Modules (Required)
Use the latest AVM version for each resource type.
Terraform Registry
- Search for "avm" + resource name
- Filter by "Partner" tag to find official AVM modules
- Example: Search "avm storage account" β filter by Partner
Official AVM Index
Note: The following links always point to the latest version of the CSV files on the main branch. As intended, this means the files may change over time. If you require a point-in-time version, consider using a specific release tag in the URL.
- Terraform Resource Modules:
https://raw.githubusercontent.com/Azure/Azure-Verified-Modules/refs/heads/main/docs/static/module-indexes/TerraformResourceModules.csv
- Terraform Pattern Modules:
https://raw.githubusercontent.com/Azure/Azure-Verified-Modules/refs/heads/main/docs/static/module-indexes/TerraformPatternModules.csv
- Terraform Utility Modules:
https://raw.githubusercontent.com/Azure/Azure-Verified-Modules/refs/heads/main/docs/static/module-indexes/TerraformUtilityModules.csv
Individual Module information
Use the web tool or another suitable MCP method to get module information if not available locally in the .terraform folder.
Use AVM sources:
- Registry:
https://registry.terraform.io/modules/Azure/<module>/azurerm/latest
- GitHub:
https://github.com/Azure/terraform-azurerm-avm-res-<service>-<resource>
Prefer AVM modules over handwritten azurerm_* resources when an AVM module exists.
When fetching module information from GitHub repositories, the README.md file in the root of the repository typically contains all detailed information about the module, for example: https://raw.githubusercontent.com/Azure/terraform-azurerm-avm-res--/refs/heads/main/README.md
5a) Read the Module README Before Writing Any Code (Mandatory)
This step is not optional. Before writing a single line of HCL for a module, fetch and
read the full README for that module. Do not rely on knowledge of the raw azurerm provider
or prior experience with other AVM modules.
For each selected AVM module, fetch its README:
https://raw.githubusercontent.com/Azure/terraform-azurerm-avm-res-<service>-<resource>/refs/heads/main/README.md
Or if the module is already downloaded after terraform init:
cat .terraform/modules/<module_key>/README.md
From the README, extract and record before writing code:
- Required Inputs β every input the module requires. Any child resource listed here
(NICs, extensions, subnets, public IPs) is managed inside the module. Do not
create standalone module blocks for those resources.
- Optional Inputs β the exact Terraform variable names and their declared
type.
Do not assume they match the raw azurerm provider argument names or block shapes.
- Usage examples β check what resource group identifier is used (
parent_id vs
resource_group_name), how child resources are expressed (inline map vs separate module),
and what syntax each input expects.
Apply module rules as patterns, not assumptions
Use the lessons below as examples of the type of mismatch that often causes imports to fail.
Do not assume these exact names apply to every AVM module. Always verify each selected module's
README and variables.tf.
avm-res-compute-virtualmachine (any version)
network_interfaces is a Required Input. NICs are owned by the VM module. Never
create standalone avm-res-network-networkinterface modules alongside a VM module β
define every NIC inline under network_interfaces.- TrustedLaunch is expressed through the top-level booleans
secure_boot_enabled = true
and vtpm_enabled = true. The security_type argument exists only under os_disk for
Confidential VM disk encryption and must not be used for TrustedLaunch.
boot_diagnostics is a bool, not an object. Use boot_diagnostics = true; use the
separate boot_diagnostics_storage_account_uri variable if a storage URI is needed.- Extensions are managed inside the module via the
extensions map. Do not create
standalone extension resources.
avm-res-network-virtualnetwork (any version)
- This module is backed by the AzAPI provider, not
azurerm. Use parent_id (the full
resource group resource ID string) to specify the resource group, not resource_group_name.
- Every example in the README shows
parent_id; none show resource_group_name.
Generalized takeaway for all AVM modules:
- Determine child resource ownership from Required Inputs before creating sibling modules.
- Determine accepted variable names and types from Optional Inputs and
variables.tf.
- Determine identifier style and input shape from README usage examples.
- Do not infer argument names from raw
azurerm_* resources.
6) Generate Terraform Files
Before Writing Import Blocks β Inspect Module Source (Mandatory)
After terraform init downloads the modules, inspect each module's source files to determine
the exact Terraform resource addresses before writing any import {} blocks. Never write
import addresses from memory.
Step A β Identify the provider and resource label
grep "^resource" .terraform/modules/<module_key>/main*.tf
This reveals whether the module uses azurerm_* or azapi_resource labels. For example,
avm-res-network-virtualnetwork exposes azapi_resource "vnet", not
azurerm_virtual_network "this".
Step B β Identify child modules and nested paths
grep "^module" .terraform/modules/<module_key>/main*.tf
If child resources are managed in a sub-module (subnets, extensions, etc.), the import
address must include every intermediate module label:
module.<root_module_key>.module.<child_module_key>["<map_key>"].<resource_type>.<label>[<index>]
Step C β Check for count vs for_each
grep -n "count\|for_each" .terraform/modules/<module_key>/main*.tf
Any resource using count requires an index in the import address. When count = 1 (e.g.,
conditional Linux vs Windows selection), the address must end with [0]. Resources using
for_each use string keys, not numeric indexes.
Known import address patterns (examples from lessons learned)
These are examples only. Use them as templates for reasoning, then derive the exact addresses
from the downloaded source code for the modules in your current import.
| Resource |
Correct import to address pattern |
| AzAPI-backed VNet |
module.<vnet_key>.azapi_resource.vnet |
| Subnet (nested, count-based) |
module.<vnet_key>.module.subnet["<subnet_name>"].azapi_resource.subnet[0] |
| Linux VM (count-based) |
module.<vm_key>.azurerm_linux_virtual_machine.this[0] |
| VM NIC |
module.<vm_key>.azurerm_network_interface.virtualmachine_network_interfaces["<nic_key>"] |
| VM extension (default deploy_sequence=5) |
module.<vm_key>.module.extension["<ext_name>"].azurerm_virtual_machine_extension.this |
| VM extension (deploy_sequence=1β4) |
module.<vm_key>.module.extension_<n>["<ext_name>"].azurerm_virtual_machine_extension.this |
| NSG-NIC association |
module.<vm_key>.azurerm_network_interface_security_group_association.this["<nic_key>-<nsg_key>"] |
Produce:
providers.tf with azurerm provider and required version constraintsmain.tf with AVM module blocks and explicit dependenciesvariables.tf for environment-specific valuesoutputs.tf for key IDs and endpointsterraform.tfvars.example with placeholder values
Diff Live Properties Against Module Defaults (Mandatory)
After writing the initial configuration, compare every non-zero property of each discovered
live resource against the default value declared in the corresponding AVM module's
variables.tf. Any property where the live value differs from the module default must be
set explicitly in the Terraform configuration.
Pay particular attention to the following property categories, which are common sources
of silent configuration drift:
- Timeout values (e.g., Public IP
idle_timeout_in_minutes defaults to 4; live
deployments often use 30)
- Network policy flags (e.g., subnet
private_endpoint_network_policies defaults to
"Enabled"; existing subnets often have "Disabled")
- SKU and allocation (e.g., Public IP
sku, allocation_method)
- Availability zones (e.g., VM zone, Public IP zone)
- Redundancy and replication settings on storage and database resources
Retrieve full live properties with explicit az commands, for example:
az network public-ip show --ids <resource_id> --query "{idleTimeout:idleTimeoutInMinutes, sku:sku.name, zones:zones}" -o json
az network vnet subnet show --ids <resource_id> --query "{privateEndpointPolicies:privateEndpointNetworkPolicies, delegation:delegations}" -o json
Do not rely solely on az resource list output, which may omit nested or computed properties.
Pin module versions explicitly:
module "example" {
source = "Azure/<module>/azurerm"
version = "<latest-compatible-version>"
}
7) Validate Generated Code
Run:
terraform init
terraform fmt -recursive
terraform validate
terraform plan
Expected output: no syntax errors, no validation errors, and a plan that matches discovered infrastructure intent.
Troubleshooting
| Problem |
Likely Cause |
Action |
az command fails with authorization errors |
Wrong tenant/subscription or missing RBAC role |
Re-run az login, verify subscription context, confirm required permissions |
| Discovery output is empty |
Incorrect scope or no resources in scope |
Re-check scope input and run scoped list/show command again |
| No AVM module found for a resource type |
Resource type not yet covered by AVM |
Use native azurerm_* resource for that type and document the gap |
terraform validate fails |
Missing variables or unresolved dependencies |
Add required variables and explicit dependencies, then re-run validation |
| Unknown argument or variable not found in module |
AVM variable name differs from azurerm provider argument name |
Read the module README variables.tf or Optional Inputs section for the correct name |
| Import block fails β resource not found at address |
Wrong provider label (azurerm_ vs azapi_), missing sub-module path, or missing [0] index |
Run grep "^resource" .terraform/modules/<key>/main*.tf and grep "^module" to find exact address |
terraform plan shows unexpected ~ update on imported resource |
Live value differs from AVM module default |
Fetch live property with az <resource> show, compare to module default, add explicit value |
| Child-resource module gives "provider configuration not present" |
Child resources declared as standalone modules even though parent module owns them |
Check Required Inputs in README, remove incorrect standalone modules, and model child resources using the parent module's documented input structure |
| Nested child resource import fails with "resource not found" |
Missing intermediate module path, wrong map key, or missing index |
Inspect module blocks and count/for_each in source; build full nested import address including all module segments and required key/index |
| Tool tries to read ARM resource ID as file path or asks repeated scope questions |
Resource ID not treated as --ids input, or agent did not trust already-provided scope |
Treat ARM IDs strictly as cloud identifiers, use az ... --ids ..., and stop re-prompting once one valid scope is present |
Response Contract
When returning results, provide:
- Scope used (subscription, resource group, or resource IDs)
- Discovery files created
- Resource types detected
- AVM modules selected with versions
- Terraform files generated or updated
- Validation command results
- Open gaps requiring user input (if any)
Execution Rules for the Agent
