// Compare Bicep templates against a Draw.io Azure architecture diagram to detect resource-level divergence. Reports differences and offers resolution — update Bicep to match the diagram, update the diagram to match Bicep, or selectively resolve per resource.
Reverse-engineer a live Azure scope (resource group or filtered subscription) into a professional Draw.io architecture diagram. Discovers resources via Azure MCP, infers relationships from resource properties, filters infrastructure-only resources, and generates a diagram following established AzVerify conventions.
Reverse-engineer a live Azure scope (resource group or filtered subscription) into deployment-ready Bicep templates. Discovers resources via Azure MCP, extracts full configurations, generates modular Bicep with parameter files, and documents out-of-scope dependencies that require separate changes.
Check a Bicep template against the Azure Policy assignments in the target Azure environment to determine whether the resources would be compliant before deployment. Uses the checkPolicyRestrictions REST API for fast server-side evaluation, with a legacy CLI fallback. Produces a per-resource compliance report with remediation guidance.
Compare Bicep templates against a live Azure environment by querying Azure directly and parsing the Bicep template. Presents categorized change results (Create, Modify, Delete, No Change) without deploying anything. Does NOT use ARM what-if.
Deep-compare a Draw.io Azure architecture diagram against a live Azure environment — checks both resource existence AND every tracked configuration property (SKU, size, settings, etc.) against expected values. Reports existence drift and property-level drift with severity classification, and offers per-property resolution.
Compare a Draw.io Azure architecture diagram against a live Azure environment to detect drift. Supports quick mode (existence check) and deep mode (full property-level comparison). Reports differences and offers resolution — update the diagram, update Azure, or selectively resolve per resource.
| name | azv-bicep-diagram-sync |
| description | Compare Bicep templates against a Draw.io Azure architecture diagram to detect resource-level divergence. Reports differences and offers resolution — update Bicep to match the diagram, update the diagram to match Bicep, or selectively resolve per resource. |
| license | MIT |
| metadata | {"author":"AzVerify","version":"1.0","project":"AzVerify"} |
Compare Bicep templates in a solution folder against their source Draw.io diagram and resolve divergence.
Input: A solution folder containing Bicep templates (main.bicep, modules/*.bicep) and a Draw.io diagram file (.drawio or .drawio.xml). The user can specify the folder and diagram file, or the skill will auto-discover them.
Tools required: File system tools (read/write files), Draw.io MCP (mcp_drawio_create_diagram or mcp_draw_io_create_diagram), Bicep MCP server (for best-practice validation when regenerating Bicep)
Reference files:
.github/skills/shared/azure-resource-model.md — Shared resource metadata model definition.github/skills/shared/azure-stencil-mapping.json — Azure resource type to Draw.io stencil mapping (used for reverse-lookup and diagram generation).github/skills/shared/azure-resource-configs.md — Per-resource-type configuration schemas with defaults.github/skills/shared/azure-deployment-verification.md — Pre-deployment verification rules (MUST run before generating Bicep updates)Shared procedures (MUST follow):
.github/skills/shared/procedures/diagram-parsing.md — Diagram-to-resource-model parsing procedure.github/skills/shared/procedures/bicep-parsing.md — Bicep template parsing procedure.github/skills/shared/procedures/resource-matching.md — Resource matching algorithmIdentify the solution folder, the Bicep templates, and the Draw.io diagram to compare.
If the user specifies a folder path:
If no folder is specified:
.drawio file and a main.bicep fileIf the user specifies a diagram file:
.drawio or .drawio.xml fileIf no diagram file is specified:
.drawio files## No Diagram Found
No `.drawio` files found in the solution folder `<folder-path>`.
This skill requires a Draw.io diagram to compare against the Bicep templates.
main.bicepmodules/*.bicep filesmain.bicep is not found, report an error:## No Bicep Templates Found
No `main.bicep` file found in the solution folder `<folder-path>`.
This skill requires Bicep templates to compare against the diagram.
Follow the procedure in .github/skills/shared/procedures/diagram-parsing.md to parse the Draw.io XML into a structured resource model.
Display the parsed resource model as a table with columns: #, Resource, Type, Container.
Follow the procedure in .github/skills/shared/procedures/bicep-parsing.md to parse all .bicep files in the solution folder.
Display the parsed Bicep resource model as a table with columns: #, Resource, Type, Source File, Notes.
Follow the matching procedure in .github/skills/shared/procedures/resource-matching.md to compare the diagram resource model (Step 2) against the Bicep resource model (Step 3).
Additional classifications for this skill:
Bicep-specific rules:
Microsoft.Network/virtualNetworks in Bicepif conditions are classified normally but noted as "conditional"Display a clear drift report summarizing all differences.
Report format:
## Bicep-Diagram Sync Report: <diagram-name>
### Summary
- **In Sync:** N resources
- **Bicep Only:** N resources (in Bicep, not in diagram)
- **Diagram Only:** N resources (in diagram, not in Bicep)
### Details
| Resource | Type | Status | Notes |
|----------|------|--------|-------|
| my-vnet | VNet | ✅ In Sync | |
| my-vm | Virtual Machine | ✅ In Sync | |
| redis-cache | Redis Cache | ⬜ Bicep Only | In modules/data.bicep |
| cosmos-db | Cosmos DB | 🔷 Diagram Only | Not in Bicep templates |
| my-subnet | Subnet | ✅ In Sync (name differs) | Diagram: "default", Bicep: "snet-default" |
If fully in sync:
## Bicep-Diagram Sync Report: <diagram-name>
✅ **Fully in sync!** All N resources in the diagram match the Bicep templates.
No action needed.
If drift is detected, proceed to Step 6.
When drift is detected, present resolution options to the user.
### Resolution Options
Drift detected — how would you like to resolve it?
1. **Update Bicep** — Add diagram-only resources to Bicep templates, remove Bicep-only resources
2. **Update Diagram** — Add Bicep-only resources to diagram, remove diagram-only resources
3. **Selective** — Choose per-resource which direction to resolve
4. **No action** — Keep the report for reference, don't change anything
Which option? (1/2/3/4)
Wait for the user's choice before proceeding.
If the user chooses to update Bicep to match the diagram:
7a. Confirm changes
## Confirm Bicep Changes
The following changes will be made to the Bicep templates:
**Add to Bicep** (Diagram-only resources):
- cosmos-db (Microsoft.DocumentDB/databaseAccounts)
**Remove from Bicep** (Bicep-only resources):
- redis-cache (Microsoft.Cache/redis) — in modules/data.bicep
⚠️ Removing resources from Bicep templates means they will no longer be part of deployments.
Proceed? (yes/no)
Wait for explicit confirmation. If the user says no, return to Step 6.
7b. Run deployment verification
Before generating Bicep, read and run the verification rules from .github/skills/shared/azure-deployment-verification.md:
@secure() decorators7c. Apply Bicep changes
For Diagram-only resources (add to Bicep):
modules/networking.bicepmodules/compute.bicepmodules/data.bicep.github/skills/shared/bicep-best-practices.md.github/skills/shared/azure-resource-configs.mdmain.bicep and the .bicepparam file with descriptive commentsparent: for child resources, @secure(), @description(), symbolic referencesFor Bicep-only resources (remove from Bicep):
resource block from the module filemain.bicep and the .bicepparam filemain.bicep if the module file is now empty7d. Present result
## Bicep Updated ✓
**Added:** 1 resource (cosmos-db)
**Removed:** 1 resource (redis-cache)
The Bicep templates now match the diagram.
| File | Changes |
|------|---------|
| main.bicep | Added cosmos-db module reference; removed redis-cache reference |
| modules/data.bicep | Added Cosmos DB resource; removed Redis Cache resource |
| <name>.bicepparam | Added cosmos-db parameters; removed redis-cache parameters |
⚠️ Review the updated `.bicepparam` file — new parameters use defaults that you may want to customize.
If the user chooses to update the diagram to match Bicep:
8a. Confirm changes
## Confirm Diagram Changes
The following changes will be made to the diagram:
**Add to diagram** (Bicep-only resources):
- redis-cache (Redis Cache)
**Remove from diagram** (Diagram-only resources):
- cosmos-db (Cosmos DB)
⚠️ Removing resources from the diagram is irreversible unless you have a backup.
Proceed? (yes/no)
Wait for explicit confirmation. If the user says no, return to Step 6.
8b. Generate updated diagram
.github/skills/shared/azure-stencil-mapping.json for the correct icon and stylemxCell elements with proper Azure iconsmxCell elements from the XMLid ending in -icon)8c. Present result
## Diagram Updated ✓
**Added:** 1 resource (redis-cache)
**Removed:** 1 resource (cosmos-db)
The diagram now matches the Bicep templates.
Saved to `<diagram-path>`.
If the user chooses selective resolution:
For each drifted resource, present the options:
### Resource: cosmos-db (Cosmos DB) — Diagram Only
This resource exists in the diagram but not in the Bicep templates.
1. **Add to Bicep** — Generate a Cosmos DB resource block in modules/data.bicep
2. **Remove from Diagram** — Remove this resource from the diagram
3. **Skip** — Leave this resource unresolved
Choice? (1/2/3)
Apply the user's choice for each resource following the same logic as Steps 7 and 8.
After all resources are resolved, present a summary:
## Selective Resolution Complete ✓
| Resource | Type | Action |
|----------|------|--------|
| cosmos-db | Cosmos DB | Added to Bicep |
| redis-cache | Redis Cache | Removed from Bicep |
| old-function | Function App | Skipped |
Remaining drift: 1 resource (old-function)