Azd Deployment for Azure

by thegovind · GitHub ↗ · v0.1.0
cross-platform ⚠ suspicious
Downloads: 2098 · Stars: 0 · Active Installs: 1 · Versions: 1
Install in OpenClaw
/install azd-deployment
Description
Deploy containerized applications to Azure Container Apps using Azure Developer CLI (azd). Use when setting up azd projects, writing azure.yaml configuration, creating Bicep infrastructure for Container Apps, configuring remote builds with ACR, implementing idempotent deployments, managing environment variables across local/.azure/Bicep, or troubleshooting azd up failures. Triggers on requests for azd configuration, Container Apps deployment, multi-service deployments, and infrastructure-as-code with Bicep.
README (SKILL.md)

Azure Developer CLI (azd) Container Apps Deployment

Deploy containerized frontend + backend applications to Azure Container Apps with remote builds, managed identity, and idempotent infrastructure.

Quick Start

# Initialize and deploy
azd auth login
azd init                    # Creates azure.yaml and .azure/ folder
azd env new <env-name>      # Create environment (dev, staging, prod)
azd up                      # Provision infra + build + deploy

Core File Structure

project/
├── azure.yaml              # azd service definitions + hooks
├── infra/
│   ├── main.bicep          # Root infrastructure module
│   ├── main.parameters.json # Parameter injection from env vars
│   └── modules/
│       ├── container-apps-environment.bicep
│       └── container-app.bicep
├── .azure/
│   ├── config.json         # Default environment pointer
│   └── <env-name>/
│       ├── .env            # Environment-specific values (azd-managed)
│       └── config.json     # Environment metadata
└── src/
    ├── frontend/Dockerfile
    └── backend/Dockerfile

azure.yaml Configuration

Minimal Configuration

name: azd-deployment
services:
  backend:
    project: ./src/backend
    language: python
    host: containerapp
    docker:
      path: ./Dockerfile
      remoteBuild: true

Full Configuration with Hooks

name: azd-deployment
metadata:
  template: [email protected]

infra:
  provider: bicep
  path: ./infra

azure:
  location: eastus2

services:
  frontend:
    project: ./src/frontend
    language: ts
    host: containerapp
    docker:
      path: ./Dockerfile
      context: .
      remoteBuild: true

  backend:
    project: ./src/backend
    language: python
    host: containerapp
    docker:
      path: ./Dockerfile
      context: .
      remoteBuild: true

hooks:
  preprovision:
    shell: sh
    run: |
      echo "Before provisioning..."
      
  postprovision:
    shell: sh
    run: |
      echo "After provisioning - set up RBAC, etc."
      
  postdeploy:
    shell: sh
    run: |
      echo "Frontend: ${SERVICE_FRONTEND_URI}"
      echo "Backend: ${SERVICE_BACKEND_URI}"

Key azure.yaml Options

Option                  Description
remoteBuild: true       Build images in Azure Container Registry (recommended)
context: .              Docker build context relative to project path
host: containerapp      Deploy to Azure Container Apps
infra.provider: bicep   Use Bicep for infrastructure

Environment Variables Flow

Three-Level Configuration

  1. Local .env - For local development only
  2. .azure/<env>/.env - azd-managed, auto-populated from Bicep outputs
  3. main.parameters.json - Maps env vars to Bicep parameters

Parameter Injection Pattern

// infra/main.parameters.json
{
  "parameters": {
    "environmentName": { "value": "${AZURE_ENV_NAME}" },
    "location": { "value": "${AZURE_LOCATION=eastus2}" },
    "azureOpenAiEndpoint": { "value": "${AZURE_OPENAI_ENDPOINT}" }
  }
}

Syntax: ${VAR_NAME} or ${VAR_NAME=default_value}

Setting Environment Variables

# Set for current environment
azd env set AZURE_OPENAI_ENDPOINT "https://my-openai.openai.azure.com"
azd env set AZURE_SEARCH_ENDPOINT "https://my-search.search.windows.net"

# Set during init
azd env new prod
azd env set AZURE_OPENAI_ENDPOINT "..." 

Bicep Output → Environment Variable

// In main.bicep - outputs auto-populate .azure/<env>/.env
output SERVICE_FRONTEND_URI string = frontend.outputs.uri
output SERVICE_BACKEND_URI string = backend.outputs.uri
output BACKEND_PRINCIPAL_ID string = backend.outputs.principalId

Idempotent Deployments

Why azd up is Idempotent

  1. Bicep is declarative - Resources reconcile to desired state
  2. Remote builds tag uniquely - Image tags include deployment timestamp
  3. ACR reuses layers - Only changed layers upload

Preserving Manual Changes

Custom domains added via Portal can be lost on redeploy. Preserve with hooks:

hooks:
  preprovision:
    shell: sh
    run: |
      # Save custom domains before provision
      # (POSIX redirection: "&>" is a bashism and misbehaves under shell: sh)
      if az containerapp show --name "$FRONTEND_NAME" -g "$RG" >/dev/null 2>&1; then
        az containerapp show --name "$FRONTEND_NAME" -g "$RG" \
          --query "properties.configuration.ingress.customDomains" \
          -o json > /tmp/domains.json
      fi

  postprovision:
    shell: sh
    run: |
      # Verify/restore custom domains
      if [ -f /tmp/domains.json ]; then
        echo "Saved domains: $(cat /tmp/domains.json)"
      fi

Handling Existing Resources

// Reference existing ACR (don't recreate)
resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-07-01' existing = {
  name: containerRegistryName
}

// Set customDomains to null to preserve Portal-added domains
customDomains: empty(customDomainsParam) ? null : customDomainsParam

Container App Service Discovery

Internal HTTP routing between Container Apps in same environment:

// Backend reference in frontend env vars
env: [
  {
    name: 'BACKEND_URL'
    value: 'http://ca-backend-${resourceToken}'  // Internal DNS
  }
]

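Frontend nginx proxies to the internal URL. nginx does not expand environment variables in its configuration, so $BACKEND_URL has to be substituted into the file when the container starts (for example with envsubst):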

location /api {
    proxy_pass $BACKEND_URL;
}

Managed Identity & RBAC

Enable System-Assigned Identity

resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
  identity: {
    type: 'SystemAssigned'
  }
}

output principalId string = containerApp.identity.principalId

Post-Provision RBAC Assignment

hooks:
  postprovision:
    shell: sh
    run: |
      PRINCIPAL_ID="${BACKEND_PRINCIPAL_ID}"
      
      # Azure OpenAI access
      az role assignment create \
        --assignee-object-id "$PRINCIPAL_ID" \
        --assignee-principal-type ServicePrincipal \
        --role "Cognitive Services OpenAI User" \
        --scope "$OPENAI_RESOURCE_ID" 2>/dev/null || true
      
      # Azure AI Search access
      az role assignment create \
        --assignee-object-id "$PRINCIPAL_ID" \
        --assignee-principal-type ServicePrincipal \
        --role "Search Index Data Reader" \
        --scope "$SEARCH_RESOURCE_ID" 2>/dev/null || true
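
An idempotent variant of the hook above that does not discard errors, as an added example that is not part of the skill. `ensure_role` is a hypothetical helper name; it treats only an existing assignment as a no-op, so a failed lookup or a failed assignment (for instance, missing permission on the scope) fails the hook.

```shell
#!/bin/sh
# Added example (not from the skill). ensure_role is an illustrative name.
# ensure_role <principal-object-id> <role-name> <scope>
#   0 = assignment exists or was created, 1 = az failed, 2 = bad input
ensure_role() {
  principal_id=$1
  role=$2
  scope=$3
  # An empty Bicep output or unset variable must not turn into a silent no-op.
  if [ -z "$principal_id" ] || [ -z "$scope" ]; then
    echo "ensure_role: empty principal id or scope for '$role'" >&2
    return 2
  fi
  # Look first: an existing assignment is the only case treated as success
  # without creating anything. A failed lookup is reported, not ignored.
  existing=$(az role assignment list \
    --assignee "$principal_id" --role "$role" --scope "$scope" \
    --query "[0].id" -o tsv) || return 1
  if [ -n "$existing" ]; then
    echo "unchanged: $role on $scope"
    return 0
  fi
  # stderr is left alone so authorization errors show up in the azd output.
  az role assignment create \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "$role" --scope "$scope" >/dev/null || return 1
  echo "created: $role on $scope"
}

# In the postprovision hook, with the function inlined above these calls:
#   ensure_role "$BACKEND_PRINCIPAL_ID" "Cognitive Services OpenAI User" "$OPENAI_RESOURCE_ID" || exit 1
#   ensure_role "$BACKEND_PRINCIPAL_ID" "Search Index Data Reader" "$SEARCH_RESOURCE_ID" || exit 1
```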

Common Commands

# Environment management
azd env list                        # List environments
azd env select <name>               # Switch environment
azd env get-values                  # Show all env vars
azd env set KEY value               # Set variable

# Deployment
azd up                              # Full provision + deploy
azd provision                       # Infrastructure only
azd deploy                          # Code deployment only
azd deploy --service backend        # Deploy single service

# Debugging
azd show                            # Show project status
az containerapp logs show -n <app> -g <rg> --follow  # Stream logs

Reference Files

Critical Reminders

  1. Always use remoteBuild: true - Local builds fail on M1/ARM Macs deploying to AMD64
  2. Bicep outputs auto-populate .azure/<env>/.env - Don't manually edit
  3. Use azd env set for secrets - Not main.parameters.json defaults
  4. Service tags (azd-service-name) - Required for azd to find Container Apps
  5. || true in hooks - Prevent RBAC "already exists" errors from failing deploy; it also hides real failures such as a missing permission, so confirm the assignment afterwards
Usage Guidance
Before installing or using this skill, be aware: (1) It assumes azd and az are available and that you have an authenticated Azure session — the manifest doesn't declare those requirements. Install/run only where you control the Azure subscription and tooling. (2) Review all hook scripts and Bicep templates yourself — hooks run arbitrary az commands and can assign roles; ensure they don't grant more privileges than you intend. (3) The Bicep examples include a pattern that enables ACR admin credentials and injects registry credentials into container secrets — avoid this in production; prefer managed identity or Key Vault secret references. (4) Because the skill's source/homepage is unknown, exercise extra caution: run initial deployments in a sandbox subscription, inspect the generated .azure/<env>/.env files and Bicep output, and confirm RBAC changes before applying them. If you want to proceed, require explicit confirmation before running any hook that performs role assignments or prints credential values.
Capability Analysis
Type: OpenClaw Skill
Name: azd-deployment
Version: 0.1.0
This skill is classified as suspicious due to its inherent high-risk capabilities, specifically the allowance of arbitrary shell command execution via `azd` hooks (demonstrated in `SKILL.md` and detailed in `references/azure-yaml-schema.md`). These hooks have access to sensitive Azure environment variables like `AZURE_SUBSCRIPTION_ID` and `AZURE_RESOURCE_GROUP`. Additionally, Bicep patterns described in `references/bicep-patterns.md` show direct handling of container registry credentials. While all examples provided are for legitimate Azure deployment and configuration, these broad permissions and execution capabilities, without clear malicious intent, elevate the classification to suspicious.
Capability Assessment
Purpose & Capability
The name/description match the SKILL.md content (azd, azure.yaml, Bicep, Container Apps). However the manifest declares no required binaries or credentials even though the runtime instructions depend on azd and az and on an authenticated Azure context. The skill also has no public source/homepage which reduces transparency.
Instruction Scope
The SKILL.md instructions stay within deployment / infra territory: init, env management, provision/deploy, Bicep patterns, and hook scripts. Hooks run arbitrary shell/az commands (creating role assignments, listing resources); this is expected for postprovision tasks but grants the hook scripts broad ability to alter Azure resources.
Install Mechanism
This is an instruction-only skill (no install spec, no code files to execute). That lowers disk/execution risk — the security surface is the instructions themselves and the environment where the agent runs them.
Credentials
The skill does not declare required env vars/credentials but uses many Azure-related variables (AZURE_OPENAI_ENDPOINT, AZURE_SEARCH_ENDPOINT, AZURE_SUBSCRIPTION_ID, AZURE_RESOURCE_GROUP, outputs like BACKEND_PRINCIPAL_ID). More importantly, some included Bicep patterns enable ACR admin credentials and call containerRegistry.listCredentials()/listCredentials().passwords[0].value to place registry credentials into secrets — this is inconsistent with other parts of the docs that recommend managed identity and is a sensitive, high-privilege pattern. Hooks that run az role assignment create require privileges and can grant rights to deployed identities.
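One way to pull out the lines this assessment points at before azd runs a project, as an added example that is not part of the skill or of the scanner. `audit_azd_project`, `tag` and `make_sample` are hypothetical names, the sample project is constructed, and `adminUserEnabled` is the ACR property assumed to be what "ACR admin credentials" refers to.

```shell
#!/bin/sh
# Added example, not part of the skill: list the lines to read before azd
# runs a project. Labels and function names are illustrative.

# tag <label>: prefix each "file:line:text" match with a finding label.
tag() { sed "s|^|$1 |"; }

# audit_azd_project <dir>: print findings, return 1 when there are any.
audit_azd_project() {
  dir=$1
  findings=$(
    {
      grep -nE 'az +role +assignment +create' /dev/null "$dir/azure.yaml" |
        tag ROLE_ASSIGNMENT
      grep -nE '2> */dev/null|\|\| *true' /dev/null "$dir/azure.yaml" |
        tag ERRORS_HIDDEN
      find "$dir/infra" -name '*.bicep' -exec \
        grep -nE 'listCredentials\(' /dev/null {} + | tag REGISTRY_CREDENTIALS
      find "$dir/infra" -name '*.bicep' -exec \
        grep -nE 'adminUserEnabled: *true' /dev/null {} + | tag ACR_ADMIN_ENABLED
    } 2>/dev/null
  )
  [ -n "$findings" ] || return 0
  printf '%s\n' "$findings"
  return 1
}

# make_sample <dir>: constructed project that trips every check.
make_sample() {
  mkdir -p "$1/infra/modules"
  cat > "$1/azure.yaml" <<'EOF'
hooks:
  postprovision:
    shell: sh
    run: |
      az role assignment create --assignee-object-id "$PRINCIPAL_ID" \
        --role "Search Index Data Reader" --scope "$SCOPE" 2>/dev/null || true
EOF
  cat > "$1/infra/modules/container-app.bicep" <<'EOF'
// constructed sample, not the skill's reference file
resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
  name: registryName
  properties: {
    adminUserEnabled: true
  }
}
var registryPassword = acr.listCredentials().passwords[0].value
EOF
}
```

Each finding is a pointer for manual review, not a verdict: a role assignment in a hook can be exactly what the deployment needs, but its role and scope should be read before it runs.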
Persistence & Privilege
The skill does not request persistent platform-level privileges (always:false) and does not modify other skills' config. Its operations are limited to creating/modifying Azure resources in the user's subscription (expected for a deployment skill).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install azd-deployment
  3. After installation, invoke the skill by name or use /azd-deployment
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release of azd-deployment skill for Azure Container Apps.
- Deploy containerized frontend and backend apps using Azure Developer CLI (azd) with remote ACR builds and Bicep infrastructure-as-code.
- Provides full sample file structure, azure.yaml service configuration, and Bicep module patterns.
- Documents three-level environment variable management connecting local dev, azd-managed settings, and deployment parameters.
- Details idempotent deployment patterns and how to preserve Portal-applied customizations on redeploy.
- Includes RBAC assignment via deployment hooks and best practices for managed identities.
- Offers built-in troubleshooting references, common azd commands, and key reminders for remote builds and environment management.
Metadata
Slug azd-deployment
Version 0.1.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Azd Deployment for Azure?

It is an AI Agent Skill for Claude Code / OpenClaw, with 2098 downloads so far.

How do I install Azd Deployment for Azure?

Run "/install azd-deployment" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Azd Deployment for Azure free?

Yes, Azd Deployment for Azure is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Azd Deployment for Azure support?

Azd Deployment for Azure is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Azd Deployment for Azure?

It is built and maintained by thegovind (@thegovind); the current version is v0.1.0.
