Prompting Best Practices

Choose the Right Interface

Interface	Best For
Inline suggestions (Tab)	Completing code snippets, variable names, repetitive blocks
Copilot Chat	Questions, generating larger sections, debugging
Agentic InfraOps Agents	Multi-step workflows, end-to-end projects

Break Down Complex Tasks

Do not ask for an entire landing zone in one prompt. Start small and iterate.

❌ Create a complete Azure landing zone with networking, identity, security,
   and governance

✅ Create a hub VNet with:
   - Address space: 10.0.0.0/16
   - Subnets: GatewaySubnet, AzureFirewallSubnet, SharedServicesSubnet
   - NSG on SharedServicesSubnet with deny-all default

Be Specific About Requirements

❌ Create a storage account

✅ Create a Bicep module for Azure Storage with:
   - SKU: Standard_ZRS
   - HTTPS only, TLS 1.2 minimum
   - No public blob access
   - Soft delete: 30 days

✅ Create a Terraform module for Azure Storage with:
   - SKU: Standard_ZRS
   - HTTPS only, TLS 1.2 minimum
   - No public blob access
   - Soft delete: 30 days

Provide Context in Your Prompts

Include target environment, compliance requirements, naming conventions, and region in every prompt:

Create a Bicep module for Azure SQL Database.

Context:
- Environment: production
- Compliance: HIPAA (audit logging required)
- Region: swedencentral
- Naming: sql-{projectName}-{environment}-{uniqueSuffix}
- Authentication: Azure AD only (no SQL auth)

Requirements:
- Zone redundant
- Geo-replication to germanywestcentral
- 35-day backup retention

Use Chat Variables

Variable	Purpose	Example
`@workspace`	Search entire workspace	`@workspace Find all Key Vault references`
`#file`	Reference specific file	`#file:main.bicep Explain this module`
`#selection`	Current selection	Select code, then ask about it
`#terminalLastCommand`	Last terminal output	`#terminalLastCommand Why did this fail?`

Prompt Patterns

Explain Then Generate:

First, explain best practices for App Service networking with private endpoints.
Then, create a Bicep module that implements these practices.

Review Then Fix:

Review this Bicep template for:
1. Security issues
2. Well-Architected Framework alignment
3. Missing outputs

Then provide a corrected version.

Compare Approaches:

Show two approaches for deploying Azure Container Apps:
1. Using native Bicep resources
2. Using Azure Verified Modules (AVM)

Compare pros/cons for a production HIPAA workload.

Incremental Refinement:

Prompt 1: Create a basic VNet module
Prompt 2: Add NSGs to each subnet with deny-all default
Prompt 3: Add diagnostic settings for all NSG flow logs
Prompt 4: Make the address space configurable via parameters

Anti-Patterns to Avoid

Anti-Pattern	Problem	Better Approach
”Generate everything”	Output too broad	Break into one module per prompt: VNet, then NSGs, then diagnostics
Accepting without review	Bugs, security issues	Always run `bicep lint` / `terraform validate` and review for hardcoded secrets
Ignoring context	Generic suggestions	Open relevant files first, use `@workspace` and `#file:` references
One-shot complex prompts	Incomplete output	Iterate: start with skeleton, add security, add monitoring, add parameters
Not providing examples	Inconsistent formatting	Show the naming pattern or module structure you want the agent to follow

Always Validate AI Output

Check	Why
API versions are recent (2023+)	Older versions lack features
`supportsHttpsTrafficOnly: true`	Security baseline
`minimumTlsVersion: 'TLS1_2'`	Compliance requirement
Unique names use `uniqueString()` / `random_string`	Avoid naming collisions
Outputs include both ID and name	Downstream modules need both

# Validate Bicep syntax
bicep build main.bicep

# Lint for best practices
bicep lint main.bicep

# Preview Bicep deployment
az deployment group what-if \
  --resource-group myRG \
  --template-file main.bicep

# Validate Terraform syntax
terraform fmt -check
terraform validate

# Lint Terraform with TFLint
tflint --init && tflint

# Preview Terraform deployment
terraform plan -out=tfplan