Add Azure Functions TypeScript deployment guidance for Event Hubs and enterprise policies

plugin/skills/azure-deploy/references/recipes/azd/errors.md

@@ -1,5 +1,7 @@
 # AZD Errors
 
+## Common Errors
+
 | Error | Resolution |
 |-------|------------|
 | Not authenticated | `azd auth login` |
@@ -9,6 +11,84 @@
 | Package failed | Verify Dockerfile and dependencies |
 | Quota exceeded | Request increase or change region |
 
+## TypeScript Functions Deployment Errors
+
+### Error: "sh: 1: tsc: Permission denied"
+
+**Root Cause:** Local `node_modules/` uploaded with wrong permissions OR TypeScript source excluded.
+
+**Solution:**
+
+1. Ensure `.funcignore` includes `node_modules/` and does NOT exclude `*.ts` or `tsconfig.json`
+2. Ensure `azure.yaml` uses `language: ts` for remote build
+3. Redeploy: `azd deploy --no-prompt`
+
+**For detailed .funcignore configuration**, see [azure-prepare skill typescript-funcignore.md](../../../../azure-prepare/references/recipes/azd/typescript-funcignore.md)
+
+### Alternative: Switch to Local Build
+
+Update `azure.yaml` to use `language: js` with a `prepackage` hook to run `npm run build`.
+
+## Application Insights Errors
+
+### Error: No Traces in Application Insights
+
+**Symptom:** Function App running but no telemetry in Application Insights.
+
+**Common Causes:**
+1. Missing `APPLICATIONINSIGHTS_AUTHENTICATION_STRING` app setting (when `DisableLocalAuth: true`)
+2. Missing `Monitoring Metrics Publisher` RBAC role
+3. Incorrect client ID for user-assigned identity
+4. Managed identity not enabled
+
+**Quick Fix - Add Required Bicep:**
+```bicep
+// App setting
+APPLICATIONINSIGHTS_AUTHENTICATION_STRING: 'Authorization=AAD'
+
+// Role assignment
+resource appInsightsRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(functionApp.id, appInsights.id)
+  scope: appInsights
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+    principalId: functionApp.identity.principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+```
+
+**Verify:**
+```bash
+az functionapp identity show -g <rg> -n <app>
+az functionapp config appsettings list -g <rg> -n <app> --query "[?name=='APPLICATIONINSIGHTS_AUTHENTICATION_STRING']"
+```
+
+Wait 5-10 minutes for propagation.
+
+**For complete setup**, see [azure-prepare skill appinsights-auth.md](../../../../azure-prepare/references/recipes/azd/appinsights-auth.md)
+
+## Policy Compliance Errors
+
+### Error: RequestDisallowedByPolicy - Local Auth Not Allowed
+
+**Error Message:**
+```
+RequestDisallowedByPolicy: Resource 'evhns-xxx' was disallowed by policy.
+Reasons: 'Local authentication methods are not allowed.'
+```
+
+**Affected Services:** Event Hubs, Service Bus, Storage, Application Insights
+
+**Solution - Add to Bicep:**
+- Event Hubs/Service Bus: `disableLocalAuth: true`
+- Storage: `allowSharedKeyAccess: false`
+- Application Insights: `DisableLocalAuth: true`
+
+Then reprovision: `azd provision --no-prompt`
+
+**For complete examples**, see [azure-prepare skill enterprise-policy.md](../../../../azure-prepare/references/recipes/azd/enterprise-policy.md)
+
 ## Retry
 
 ```bash

plugin/skills/azure-prepare/SKILL.md

@@ -31,6 +31,7 @@ Activate this skill when user wants to:
 4. Follow linked references for best practices and guidance
 5. Update `.azure/preparation-manifest.md` after each phase
 6. Invoke **azure-validate** before any deployment
+7. **ALWAYS use `azd init -t <template>`** when a matching template exists in the decision tree
 
 > **⛔ MANDATORY USER CONFIRMATION REQUIRED**
 >

plugin/skills/azure-prepare/references/recipes/azd/appinsights-auth.md

@@ -0,0 +1,75 @@
+# Application Insights Identity-Based Authentication
+
+When `DisableLocalAuth: true` is set on Application Insights (required by enterprise policies), you must configure identity-based authentication.
+
+## Requirements
+
+1. **Managed Identity**: Function App must have managed identity enabled
+2. **RBAC Role**: `Monitoring Metrics Publisher` role on Application Insights
+3. **App Setting**: `APPLICATIONINSIGHTS_AUTHENTICATION_STRING`
+
+## Bicep Configuration
+
+### System-Assigned Identity
+
+```bicep
+// 1. Enable managed identity
+resource functionApp 'Microsoft.Web/sites@2023-01-01' = {
+  name: functionAppName
+  identity: { type: 'SystemAssigned' }
+}
+
+// 2. Assign role
+resource appInsightsRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(functionApp.id, appInsights.id)
+  scope: appInsights
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+    principalId: functionApp.identity.principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+
+// 3. Add app setting
+resource functionAppSettings 'Microsoft.Web/sites/config@2023-01-01' = {
+  name: 'appsettings'
+  parent: functionApp
+  properties: {
+    APPLICATIONINSIGHTS_AUTHENTICATION_STRING: 'Authorization=AAD'
+    APPLICATIONINSIGHTS_CONNECTION_STRING: appInsights.properties.ConnectionString
+  }
+}
+```
+
+### User-Assigned Identity
+
+For user-assigned identity, include client ID in authentication string:
+
+```bicep
+APPLICATIONINSIGHTS_AUTHENTICATION_STRING: 'ClientId=${userIdentity.properties.clientId};Authorization=AAD'
+```
+
+## Troubleshooting
+
+**Symptom:** No traces in Application Insights
+
+**Verify:**
+```bash
+# Check identity
+az functionapp identity show -g <rg> -n <app>
+
+# Check app setting
+az functionapp config appsettings list -g <rg> -n <app> \
+  --query "[?name=='APPLICATIONINSIGHTS_AUTHENTICATION_STRING']"
+
+# Check role
+az role assignment list --scope <app-insights-resource-id> \
+  --query "[?roleDefinitionName=='Monitoring Metrics Publisher']"
+```
+
+Wait 5-10 minutes for propagation after deployment.
+
+## See Also
+
+- [enterprise-policy.md](enterprise-policy.md) - Policy compliance requirements
+- [iac-rules.md](iac-rules.md) - IAC security rules

plugin/skills/azure-prepare/references/recipes/azd/azure-yaml.md

@@ -50,6 +50,70 @@ services:
     host: function
 ```
 
+### Azure Functions - TypeScript
+
+TypeScript Functions support **two deployment approaches**:
+
+#### Remote Build (Recommended)
+```yaml
+services:
+  functions:
+    project: ./src/functions
+    language: ts  # Use 'ts' for remote build
+    host: function
+```
+
+**How it works:**
+1. Uploads TypeScript source (`.ts` files) and `tsconfig.json`
+2. Azure's Oryx build system compiles TypeScript remotely
+3. No local build step needed
+
+**Required `.funcignore`:**
+```gitignore
+node_modules/     # MUST exclude to avoid permission errors
+*.js.map
+.git*
+.vscode
+local.settings.json
+test
+```
+
+**Common error if misconfigured:**
+```
+Error: sh: 1: tsc: Permission denied
+```
+
+**Fix:** Ensure `.funcignore` excludes `node_modules/` and does NOT exclude `*.ts` or `tsconfig.json`.
+
+#### Local Build (Alternative)
+```yaml
+services:
+  functions:
+    project: ./src/functions
+    language: js  # Use 'js' for local build
+    host: function
+    hooks:
+      prepackage:
+        shell: sh
+        run: npm run build
+```
+
+**How it works:**
+1. `npm run build` compiles TypeScript locally before packaging
+2. Uploads compiled JavaScript files only
+3. Faster deployment, but requires local Node.js setup
+
+**Required `.funcignore`:**
+```gitignore
+*.ts              # Exclude source files
+tsconfig.json     # Exclude config
+node_modules/
+.git*
+.vscode
+local.settings.json
+test
+```
+
 ### Static Web App
 
 ```yaml

plugin/skills/azure-prepare/references/recipes/azd/enterprise-policy.md

@@ -0,0 +1,79 @@
+# Enterprise Policy Compliance
+
+Many Azure enterprise environments enforce security policies that require disabling local authentication methods. When generating infrastructure, **always include** these security properties to comply with common enterprise policies.
+
+## Event Hubs Namespace
+
+```bicep
+resource eventHubNamespace 'Microsoft.EventHub/namespaces@2024-01-01' = {
+  name: eventHubNamespaceName
+  location: location
+  sku: {
+    name: 'Standard'
+    tier: 'Standard'
+  }
+  properties: {
+    disableLocalAuth: true  // REQUIRED for enterprise policy compliance
+  }
+}
+```
+
+## Storage Account
+
+```bicep
+resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
+  name: storageAccountName
+  location: location
+  sku: {
+    name: 'Standard_LRS'
+  }
+  kind: 'StorageV2'
+  properties: {
+    allowSharedKeyAccess: false  // REQUIRED for enterprise policy compliance
+  }
+}
+```
+
+## Application Insights
+
+```bicep
+resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
+  name: appInsightsName
+  location: location
+  kind: 'web'
+  properties: {
+    Application_Type: 'web'
+    DisableLocalAuth: true  // REQUIRED for enterprise policy compliance
+  }
+}
+```
+
+## Service Bus Namespace
+
+```bicep
+resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {
+  name: serviceBusNamespaceName
+  location: location
+  sku: {
+    name: 'Standard'
+  }
+  properties: {
+    disableLocalAuth: true  // REQUIRED for enterprise policy compliance
+  }
+}
+```
+
+## Common Policy Errors
+
+**Error:**
+```
+RequestDisallowedByPolicy: Resource 'evhns-xxx' was disallowed by policy.
+Reasons: 'Local authentication methods are not allowed.'
+```
+
+**Solution:** Add `disableLocalAuth: true` (or `allowSharedKeyAccess: false` for Storage) to the resource properties in Bicep.
+
+## See Also
+
+- [iac-rules.md](iac-rules.md) - Complete IAC rules including security requirements
+- [appinsights-auth.md](appinsights-auth.md) - Application Insights identity-based authentication

plugin/skills/azure-prepare/references/recipes/azd/functions-templates.md

@@ -54,7 +54,12 @@ Cross-reference with [top Azure Functions scenarios](https://learn.microsoft.com
 
 8. Does it use Event Hubs for streaming?
    Indicators: EventHubTrigger, @app.event_hub, event_hub_output, streaming
-   └─► YES → Use Event Hubs Template: https://learn.microsoft.com/en-us/samples/azure-samples/azure-functions-flex-consumption-samples/
+   └─► YES → Use Event Hubs Template:
+       | Runtime | Template Command |
+       |---------|-----------------|
+       | .NET | `azd init -t Azure-Samples/functions-quickstart-dotnet-azd-eventhub` |
+       | Python | `azd init -t Azure-Samples/functions-quickstart-python-azd-eventhub` |
+       | TypeScript/JS | No template yet. Use .NET or Python template infra, adapt azure.yaml for Node.js |
 
 9. Does it use Event Grid for pub/sub?
    Indicators: EventGridTrigger, @app.event_grid, event_grid_output, external events
@@ -168,6 +173,18 @@ When using azd templates, the following resources are created:
 | Cosmos DB | Change feed processing |
 | Service Bus | Enterprise messaging |
 
+## TypeScript Functions
+
+For TypeScript Functions deployment, see:
+- **[typescript-funcignore.md](typescript-funcignore.md)** - `.funcignore` configuration for remote and local builds
+- **[azure-yaml.md](azure-yaml.md)** - Azure.yaml configuration with TypeScript examples
+
+## Enterprise Policy Compliance
+
+For enterprise environments with security policies requiring identity-based authentication:
+- **[enterprise-policy.md](enterprise-policy.md)** - Required Bicep properties (disableLocalAuth, etc.)
+- **[appinsights-auth.md](appinsights-auth.md)** - Application Insights identity-based authentication setup
+
 ## Next Steps
 
 After selecting and initializing a template:

plugin/skills/azure-prepare/references/recipes/azd/iac-rules.md

@@ -45,6 +45,20 @@ All modules must accept:
 | Diagnostics | Enable logging |
 | API versions | Use latest |
 
+## Enterprise Policy Compliance
+
+Many organizations enforce Azure policies requiring identity-based authentication. **Always include** `disableLocalAuth: true` or `allowSharedKeyAccess: false` in generated Bicep to ensure compliance.
+
+**Required properties:**
+- Event Hubs: `disableLocalAuth: true`
+- Service Bus: `disableLocalAuth: true`
+- Storage Account: `allowSharedKeyAccess: false`
+- Application Insights: `DisableLocalAuth: true` (note capital D)
+
+**For detailed examples and Application Insights authentication setup**, see:
+- [enterprise-policy.md](enterprise-policy.md) - Full Bicep examples for all services
+- [appinsights-auth.md](appinsights-auth.md) - Application Insights identity-based authentication with RBAC
+
 ## Container Resources
 
 ```bicep