# AI review and gates for Azure infra-as-code

> A practical Cloudeval AI workflow for reviewing, explaining, and gating Azure infrastructure-as-code before production.

<Tip>
  **Review the Azure change, not just the template.** A merge-ready PR should show
  the decision, the evidence behind it, and the configured gate that tells
  Cloudeval whether to comment or block.
</Tip>

Most infrastructure pull requests answer the easiest question first: did the
template change look reasonable? That is not enough. The production question is:
**what evidence says this cloud change is safe enough to ship?**

<Frame caption="The PR review comment is the first review surface: source provenance, report links, policy status, and evidence live next to the code change.">
  <img src="https://mintcdn.com/ganakailabs-db727e50/BrRYz9nGRkigfTsV/assets/images/cli/github-action-pr-comment.png?fit=max&auto=format&n=BrRYz9nGRkigfTsV&q=85&s=02b6dcb15d459924ffde9cd9c40743cf" alt="Cloudeval pull request review comment with source provenance, review status, report links, and workflow run" width="824" height="360" data-path="assets/images/cli/github-action-pr-comment.png" />
</Frame>

## See the review evidence in motion

These short videos show the review surfaces that are hard to reconstruct from a
raw template diff: blast radius in the architecture graph and grounded AI
context tied back to the same project evidence.

<Tabs>
  <Tab title="Blast-radius diagram" icon="network">
    <Frame caption="Video: Cloudeval visualizes impacted resources and dependency paths so reviewers can check blast radius before approval.">
      <video controls autoPlay muted loop playsInline preload="auto" poster="/assets/images/diagrams/architecture-view.png" className="w-full rounded-lg">
        <source src="https://mintcdn.com/ganakailabs-db727e50/CAMN2JypR83-BnI3/assets/videos/automated-diagrams.webm?fit=max&auto=format&n=CAMN2JypR83-BnI3&q=85&s=e2724c55c225f6ac298ae5787bcd61e2" type="video/webm" data-path="assets/videos/automated-diagrams.webm" />
      </video>
    </Frame>
  </Tab>

  <Tab title="Grounded AI context" icon="bot">
    <Frame caption="Video: Cloudeval keeps AI answers tied to project evidence, reports, and selected resources instead of detached prose.">
      <video controls autoPlay muted loop playsInline preload="auto" poster="/assets/images/workspace/workspace-chat-insights.png" className="w-full rounded-lg">
        <source src="https://mintcdn.com/ganakailabs-db727e50/CAMN2JypR83-BnI3/assets/videos/chat-with-your-cloud.webm?fit=max&auto=format&n=CAMN2JypR83-BnI3&q=85&s=f0e253990ba6c1ff50f9b1a02b0009d3" type="video/webm" data-path="assets/videos/chat-with-your-cloud.webm" />
      </video>
    </Frame>
  </Tab>
</Tabs>

## Why cloud review fragments

Azure infrastructure review usually spans more than the pull request. The diff
shows intent; the decision needs current cloud state, cost, validation output,
security posture, architecture dependencies, and the team policy that decides
whether a warning should block release.

```mermaid theme={null}
%%{init: {"flowchart": {"nodeSpacing": 46, "rankSpacing": 52, "curve": "basis"}, "themeVariables": {"fontSize": "18px"}}}%%
flowchart LR
  inputs["Review inputs<br/>PR diff, Azure state,<br/>CI, cost, policy"]
  manual["Manual path<br/>Switch tools,<br/>copy signals,<br/>weak audit trail"]
  cloudeval["Cloudeval review<br/>Evaluate, collate evidence,<br/>ground AI in context"]
  gate["One PR flow<br/>Comment, drilldowns,<br/>reviewer decision, gate"]

  inputs --> cloudeval --> gate
  inputs -. "without Cloudeval" .-> manual -. "hard to defend" .-> gate

  classDef inputNode fill:#064e3b,stroke:#6ee7b7,color:#ecfdf5;
  classDef manualNode fill:#2a160b,stroke:#f59e0b,color:#fffbeb;
  classDef evalNode fill:#082f49,stroke:#7dd3fc,color:#eff6ff;
  classDef gateNode fill:#1e1b4b,stroke:#a78bfa,color:#f5f3ff;
  class inputs inputNode;
  class manual manualNode;
  class cloudeval evalNode;
  class gate gateNode;
```

Cloudeval solves the problem by making the review object shared. Source
provenance, Azure and IaC evidence, reports, diagrams, PR comments, and gates all
hang from the same project context instead of forcing reviewers to reconcile
separate tools by hand.

<div className="not-prose my-6 grid gap-3 md:grid-cols-3">
  <div className="rounded-lg border border-emerald-300/60 bg-emerald-50 p-4 dark:border-emerald-400/40 dark:bg-emerald-950/30">
    <div className="mb-3 text-emerald-800 dark:text-emerald-200">
      <svg aria-hidden="true" className="h-6 w-6" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round">
        <path d="M20 13c0 5-3.5 7.5-7.66 8.95a1 1 0 0 1-.68 0C7.5 20.5 4 18 4 13V6a1 1 0 0 1 1-1c2 0 4.5-1.2 6.24-2.72a1.17 1.17 0 0 1 1.52 0C14.5 3.8 17 5 19 5a1 1 0 0 1 1 1z" />

        <path d="m9 12 2 2 4-4" />
      </svg>
    </div>

    <p className="m-0 text-sm font-semibold text-emerald-800 dark:text-emerald-200">Decision</p>
    <p className="m-0 mt-2 text-sm leading-6 text-slate-700 dark:text-slate-300">Can this PR merge, or should it stay in review?</p>
  </div>

  <div className="rounded-lg border border-sky-300/60 bg-sky-50 p-4 dark:border-sky-400/40 dark:bg-sky-950/30">
    <div className="mb-3 text-sky-800 dark:text-sky-200">
      <svg aria-hidden="true" className="h-6 w-6" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round">
        <path d="M15 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V7z" />

        <path d="M14 2v4a2 2 0 0 0 2 2h4" />

        <path d="m9 15 2 2 4-4" />
      </svg>
    </div>

    <p className="m-0 text-sm font-semibold text-sky-800 dark:text-sky-200">Evidence</p>
    <p className="m-0 mt-2 text-sm leading-6 text-slate-700 dark:text-slate-300">Which report, resource, file, commit, and workflow run supports the answer?</p>
  </div>

  <div className="rounded-lg border border-amber-300/70 bg-amber-50 p-4 dark:border-amber-300/50 dark:bg-amber-950/30">
    <div className="mb-3 text-amber-800 dark:text-amber-200">
      <svg aria-hidden="true" className="h-6 w-6" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round">
        <rect width="18" height="11" x="3" y="11" rx="2" />

        <path d="M7 11V7a5 5 0 0 1 10 0v4" />

        <path d="M12 15v2" />
      </svg>
    </div>

    <p className="m-0 text-sm font-semibold text-amber-800 dark:text-amber-200">Gate</p>
    <p className="m-0 mt-2 text-sm leading-6 text-slate-700 dark:text-slate-300">Should Cloudeval only comment, or should it block the merge?</p>
  </div>
</div>

## Evidence a reviewer should see

Before approval, the pull request should answer four evidence questions: what
source was evaluated, what architecture changed, what it costs, and which policy
decides whether the change can merge.

<Columns cols={2}>
  <Card title="Source provenance" icon="git-branch">
    Repository, branch, commit, template entry point, parameters, and workflow run.
  </Card>

  <Card title="Architecture impact" icon="network">
    Posture, affected resources, dependency paths, exposure, and blast radius.
  </Card>

  <Card title="Cost impact" icon="circle-dollar-sign">
    Monthly run rate, budget status, top services, and savings opportunities.
  </Card>

  <Card title="Merge policy" icon="shield-check">
    Well-Architected thresholds, validation failures, high-risk findings, and team gates.
  </Card>
</Columns>

<Frame caption="Cloudeval reports put posture, critical issues, run rate, savings, maturity, priority decisions, and evidence freshness in one review surface.">
  <img src="https://mintcdn.com/ganakailabs-db727e50/Q5sxR4Wz8SD3FHrz/assets/images/reports/cloud-evaluation-overview.jpeg?fit=max&auto=format&n=Q5sxR4Wz8SD3FHrz&q=85&s=b2da84c0917e83b39811b47b9a9fbb3b" alt="Cloudeval report overview showing posture score, critical issue count, monthly run rate, savings, priority decisions, maturity, and freshness context" width="2048" height="1172" data-path="assets/images/reports/cloud-evaluation-overview.jpeg" />
</Frame>

## How to review before approving

Use this sequence when the PR needs an approval decision, not just a passing CI
check.

<Steps>
  <Step title="Start with the PR comment">
    Read the Cloudeval result, source section, workflow run, report links, and artifacts
    before approving the infrastructure diff.
  </Step>

  <Step title="Separate posture from policy">
    The posture explains what Cloudeval observed. The gate explains what your team
    configured as merge-blocking.
  </Step>

  <Step title="Open the highest-risk evidence">
    Inspect security, reliability, validation, and dependency findings before lower
    severity recommendations.
  </Step>

  <Step title="Check cost before approving">
    Review monthly estimate, budget threshold, expensive services, and savings signals.
  </Step>

  <Step title="Use the diagram for blast radius">
    Confirm the impacted resources and dependency paths match the intended change.
  </Step>

  <Step title="Leave the proof trail">
    Link the PR comment, Cloudeval report, workflow artifact, or exported report when
    asking for changes.
  </Step>
</Steps>

<Frame caption="The PR review comment keeps source provenance, report links, AI summary, and deterministic drilldowns close to the code review.">
  <img src="https://mintcdn.com/ganakailabs-db727e50/BrRYz9nGRkigfTsV/assets/images/cli/github-action-pr-comment.png?fit=max&auto=format&n=BrRYz9nGRkigfTsV&q=85&s=02b6dcb15d459924ffde9cd9c40743cf" alt="GitHub pull request comment from Cloudeval showing overall review result, source provenance, AI summary, and collapsible drilldowns" width="824" height="360" data-path="assets/images/cli/github-action-pr-comment.png" />
</Frame>

## Inspect the public Azure sample PRs

The public [Cloudeval Azure ARM review example](https://github.com/ganakailabs/cloudeval-azure-arm-review-example)
is the fastest way to inspect the workflow without connecting a private repo. It
includes nested ARM templates, `.cloudeval/config.yaml`, a ready-to-copy GitHub
Actions workflow, and long-lived demo pull requests.

<Columns cols={2}>
  <Card title="Passing baseline gates" icon="circle-check" href="https://github.com/ganakailabs/cloudeval-azure-arm-review-example/pull/6">
    A green workflow that still exposes posture, validation, cost, source, and report evidence.
  </Card>

  <Card title="Risk regression" icon="triangle-alert" href="https://github.com/ganakailabs/cloudeval-azure-arm-review-example/pull/1">
    A risky infrastructure change with blocking gate failures and high-risk posture signals.
  </Card>

  <Card title="Cost regression" icon="circle-dollar-sign" href="https://github.com/ganakailabs/cloudeval-azure-arm-review-example/pull/2">
    A cost-heavy change with monthly estimate, cost drivers, and a failing budget gate.
  </Card>

  <Card title="Security hardening" icon="lock-keyhole" href="https://github.com/ganakailabs/cloudeval-azure-arm-review-example/pull/3">
    Remediation work that still has to satisfy configured thresholds before it is ready.
  </Card>
</Columns>

## Make the review auditable

<AccordionGroup>
  <Accordion title="Source provenance" icon="git-branch">
    A useful review states exactly which Cloudeval project, repository, ref, commit,
    and workflow run were evaluated.
  </Accordion>

  <Accordion title="Deterministic drilldowns" icon="list-checks">
    Cloudeval review output can include Well-Architected scores, cost threshold
    status, service-cost details, validation failures, and report links.
  </Accordion>

  <Accordion title="Report-backed findings" icon="file-check">
    Architecture and cost findings should point back to reports, diagrams, workflow
    artifacts, and downloadable review output.
  </Accordion>

  <Accordion title="AI summary" icon="bot">
    AI text is useful for triage, but the merge decision should still be grounded in
    the deterministic evidence and configured gates.
  </Accordion>
</AccordionGroup>

<Frame caption="Review drilldowns expand from the PR comment so reviewers can inspect Well-Architected scores, cost signals, and validation context without leaving GitHub.">
  <img src="https://mintcdn.com/ganakailabs-db727e50/BrRYz9nGRkigfTsV/assets/images/cli/github-action-review-drilldowns.png?fit=max&auto=format&n=BrRYz9nGRkigfTsV&q=85&s=a0474ed29de97bc2d9cfa06b535ad489" alt="Expanded Cloudeval PR comment showing Well-Architected pillar ratings and monthly cost drilldowns" width="824" height="980" data-path="assets/images/cli/github-action-review-drilldowns.png" />
</Frame>

## Configure gates to match risk

Cloudeval can start as a non-blocking reviewer and later become a required merge
gate. Keep the policy next to the infrastructure source in `.cloudeval/config.yaml`.

<CodeGroup>
  ```yaml comment-only.yml theme={null}
  name: Cloudeval review
  on:
    pull_request:

  permissions:
    contents: read
    pull-requests: write
    issues: write

  jobs:
    review:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
        - uses: ganakailabs/cloudeval-action@v1
          with:
            access_key: ${{ secrets.CLOUDEVAL_ACCESS_KEY }}
            project_id: ${{ secrets.CLOUDEVAL_PROJECT_ID }}
            mode: review
            post_pr_comment: true
            upload_artifacts: true
            ai_summary: "false"
  ```

  ```yaml .cloudeval/config.yaml theme={null}
  version: 1

  stacks:
    - id: primary-architecture
      entry: azuredeploy.json
      parameters: azuredeploy.parameters.json

  resolve:
    linked_templates: true

  ci:
    gates:
      enforcement: comment_only
      minimum_well_architected_score: 85
      minimum_pillar_score: 80
      pillars:
        security: 90
        reliability: 85
      fail_when_high_risk_findings_exist: true
      fail_when_validation_fails: true
      max_monthly_cost_usd: 500
  ```

  ```yaml block-production.yml theme={null}
  ci:
    gates:
      enforcement: block_pull_request
      minimum_well_architected_score: 85
      fail_when_high_risk_findings_exist: true
      fail_when_validation_fails: true
      max_monthly_cost_usd: 500
  ```
</CodeGroup>

<Warning>
  Do not block production on a threshold your team has not reviewed. Start with
  comments and artifacts, tune the policy, then switch to `block_pull_request`.
</Warning>
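As an added walk-through (not Cloudeval's own gate engine), the following Python evaluates a constructed review result against the `ci.gates` keys from the `.cloudeval/config.yaml` above and shows how `enforcement` turns the same failures into either a comment or a blocked merge. The `ReviewResult` shape and the rule that a per-pillar threshold overrides `minimum_pillar_score` are assumptions.

```python
from dataclasses import dataclass

# Constructed copy of the ci.gates section from the page's .cloudeval/config.yaml.
GATES = {
    "enforcement": "comment_only",
    "minimum_well_architected_score": 85,
    "minimum_pillar_score": 80,
    "pillars": {"security": 90, "reliability": 85},
    "fail_when_high_risk_findings_exist": True,
    "fail_when_validation_fails": True,
    "max_monthly_cost_usd": 500,
}

@dataclass
class ReviewResult:
    """Assumed shape of the deterministic evidence behind one PR review."""
    well_architected_score: int
    pillar_scores: dict          # pillar name -> score
    high_risk_findings: int
    validation_passed: bool
    monthly_cost_usd: float

def failed_gates(result: ReviewResult, gates: dict) -> list:
    """Return the config keys of every gate this review result violates."""
    failures = []
    if result.well_architected_score < gates["minimum_well_architected_score"]:
        failures.append("minimum_well_architected_score")
    for pillar, score in result.pillar_scores.items():
        # Assumption: a per-pillar threshold overrides the global minimum_pillar_score.
        floor = gates.get("pillars", {}).get(pillar, gates["minimum_pillar_score"])
        if score < floor:
            failures.append(f"pillars.{pillar}")
    if gates["fail_when_high_risk_findings_exist"] and result.high_risk_findings > 0:
        failures.append("fail_when_high_risk_findings_exist")
    if gates["fail_when_validation_fails"] and not result.validation_passed:
        failures.append("fail_when_validation_fails")
    if result.monthly_cost_usd > gates["max_monthly_cost_usd"]:
        failures.append("max_monthly_cost_usd")
    return failures

def decide(result: ReviewResult, gates: dict) -> str:
    """Map gate failures to the PR outcome: pass, comment (surface only) or block."""
    if not failed_gates(result, gates):
        return "pass"
    return "block" if gates["enforcement"] == "block_pull_request" else "comment"

if __name__ == "__main__":
    # Constructed cost-regression PR: clean posture, but $612/month against a $500 budget.
    costly = ReviewResult(90, {"security": 95, "reliability": 90}, 0, True, 612.0)
    print(failed_gates(costly, GATES), decide(costly, GATES))
```

Switching `enforcement` to `block_pull_request` changes only the outcome, not which gates fail, which is why the page recommends tuning thresholds in comment mode first.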

## What changes for the team

<Columns cols={3}>
  <Card title="Reviewers move faster" icon="timer">
    The evidence is already attached to the pull request.
  </Card>

  <Card title="Platform teams tune policy" icon="sliders-horizontal">
    Gates can reflect team budgets, reliability goals, and validation standards.
  </Card>

  <Card title="Agents stay grounded" icon="plug">
    CLI and MCP workflows can reuse the same project evidence.
  </Card>
</Columns>

Cloudeval turns Azure infrastructure review into a decision workflow: source,
impact, evidence, and policy in the same loop.

## Put it into practice

<Columns cols={2}>
  <Card title="Inspect the public sample" icon="github" href="/reference/github-repository-sync#public-example-repository">
    Review the public Azure ARM project and demo pull requests.
  </Card>

  <Card title="Add GitHub Actions review" icon="git-pull-request" href="/workflows/github-actions">
    Post Cloudeval comments, artifacts, and configurable merge gates.
  </Card>

  <Card title="Tune CI gates" icon="sliders-horizontal" href="/reference/iac-project-config">
    Set thresholds, budgets, linked templates, and enforcement behavior.
  </Card>

  <Card title="Give agents context" icon="plug" href="/reference/mcp-client-setup">
    Expose Cloudeval project evidence to MCP-compatible assistants.
  </Card>
</Columns>
