Step 3.5 — Governance

Discover effective Azure Policy assignments (including management-group-inherited ones), classify their effects, and emit the 04-governance-constraints.{md,json} artifacts that gate downstream IaC planning and deployment.

04g-Governance — uses the azure-governance-discovery skill.

Invoke: Ctrl+Shift+A → 04g-Governance
Output: agent-output/{project}/04-governance-constraints.md and agent-output/{project}/04-governance-constraints.json
  • Policy assignments at subscription + management-group scope.
  • Policy definitions and exemptions referenced by assignments.
  • Effect classification (Deny, Audit, Modify, DeployIfNotExists).
  • Dual-track property mapping — bicepPropertyPath + azurePropertyPath — so both IaC tracks can self-validate.
  • SKU allowlist projection via derive-sku-allowlist.mjs, written into sku-manifest.sku_allowlist_snapshot.
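
An added example, not the skill's own code: resolving each assignment's effective effect before grouping by the effects listed above. Effects are often parameterised in the definition and overridden at assignment time, so reading the definition alone can misclassify a Deny as Audit. The function names, sample IDs and flattened input shape are assumptions.

```javascript
// Added example: resolve the effective effect per policy assignment, then group.
// Field names follow Azure Policy JSON (policyRule.then.effect, parameter
// defaultValue, assignment parameters.<name>.value); flattened shape is assumed.
const EFFECTS = ["Deny", "Audit", "Modify", "DeployIfNotExists"];

function resolveEffect(assignment, definition) {
  let effect = definition.policyRule.then.effect;
  // Effects are commonly parameterised: "[parameters('effect')]".
  const ref = /^\[parameters\('([^']+)'\)\]$/i.exec(effect);
  if (ref) {
    const assigned = ((assignment.parameters || {})[ref[1]] || {}).value;
    const fallback = ((definition.parameters || {})[ref[1]] || {}).defaultValue;
    // The value set on the assignment wins over the definition's default.
    effect = assigned !== undefined ? assigned : fallback;
  }
  if (typeof effect !== "string") return "Unresolved";
  // Built-in definitions spell effects with mixed case ("deny", "Deny").
  const known = EFFECTS.find((e) => e.toLowerCase() === effect.toLowerCase());
  return known || `Other:${effect}`;
}

function classifyAssignments(assignments, definitions) {
  const byEffect = {};
  for (const a of assignments) {
    const def = definitions[a.policyDefinitionId];
    // Initiative (policy set) assignments are not expanded here.
    const effect = def ? resolveEffect(a, def) : "Unresolved";
    byEffect[effect] = byEffect[effect] || [];
    byEffect[effect].push(a.name);
  }
  return byEffect;
}

// Constructed sample data; IDs and names are placeholders, not real resources.
const param = "[parameters('effect')]";
const sampleDefinitions = {
  "def/allowed-locations": { policyRule: { then: { effect: "deny" } } },
  "def/storage-https": { parameters: { effect: { defaultValue: "Audit" } },
    policyRule: { then: { effect: param } } },
  "def/diag-settings": { parameters: { effect: { defaultValue: "DeployIfNotExists" } },
    policyRule: { then: { effect: param } } },
};
const sampleAssignments = [
  { name: "mg-allowed-locations", policyDefinitionId: "def/allowed-locations" },
  { name: "sub-storage-https", policyDefinitionId: "def/storage-https",
    parameters: { effect: { value: "Deny" } } }, // overrides the Audit default
  { name: "mg-diag-settings", policyDefinitionId: "def/diag-settings" },
];
console.log(classifyAssignments(sampleAssignments, sampleDefinitions));
```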

1 × governance-reconciliation adversarial pass (mandatory when constraints exist; skipped when the policy array is empty).

The Orchestrator routes context to Step 4 — IaC Plan.