docs(azure): replace ARM template deployment with pure az CLI commands

[johnsonshi]

Summary

• Problem: The Azure install guide referenced ARM templates in infra/azure/templates/ which have been removed upstream. The guide was broken (404 template URIs).
• Why it matters: Users following the Azure install guide could not complete the deployment.
• What changed: Rewrote docs/install/azure.md to use pure az CLI commands instead of ARM templates. Added cost considerations and cleanup sections. Removed stale redirect from docs.json.
• What did NOT change (scope boundary): No Gateway/runtime code, auth logic, provider behavior, or installer execution behavior changed. Security posture (Bastion-only SSH, no public IP, NSG hardening) is identical.

Change Type (select all)

• Docs

Scope (select all touched areas)

• UI / DX

Linked Issue/PR

• Follow-up to docs: add Azure VM deployment guide with in-repo ARM templates and bootstrap script #47898 (addresses review feedback from @BradGroux)

User-visible / Behavior Changes

• Azure install guide now uses 13 explicit az CLI steps instead of a single ARM template deployment
• New "Cost considerations" section documents Bastion ($140/mo) and VM ($55/mo) pricing with cost-saving tips
• New "Cleanup" section with az group delete for easy teardown
• Removed stale /install/azure/azure redirect from docs.json
• Removed all references to infra/azure/templates/ (directory no longer exists)

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: macOS
• Runtime/container: N/A (docs-only)

Steps

1. Review the diff for docs/install/azure.md — all ARM template references replaced with az CLI commands
2. Verify docs.json is valid JSON with stale redirect removed
3. Confirm no remaining references to infra/azure/templates/ in the docs directory
4. Verify the az CLI commands match the resources previously created by the ARM template (NSG with 3 rules, VNet with 2 subnets, VM with no public IP, Bastion Standard with tunneling)

Expected

• Azure guide is self-contained with pure az CLI commands
• No broken references to removed ARM templates
• Cost and cleanup sections present
• Security posture unchanged (Bastion-only SSH, NSG rules, no public IP)

Actual

• All above checks passed

Evidence

• Prior PR screenshots from docs: add Azure VM deployment guide with in-repo ARM templates and bootstrap script #47898 show the same infrastructure deployed end-to-end
• CLI commands verified against Azure CLI documentation

Human Verification (required)

• Verified scenarios:
  • Reviewed full diff (docs/install/azure.md, docs/docs.json)
  • Confirmed az CLI commands create identical resources to the removed ARM template
  • Validated docs.json remains valid JSON
  • Grep confirmed zero remaining references to infra/azure/templates/ in docs
• Edge cases checked:
  • NSG rule priority ordering preserved (100 Allow Bastion → 110 Deny Internet → 120 Deny VNet)
  • --public-ip-address "" and --nsg "" flags verified for VM creation
  • Bastion Standard SKU with --enable-tunneling true for CLI SSH support
• What you did not verify:
  • Full end-to-end Azure deployment with these exact commands (ARM template version was verified in docs: add Azure VM deployment guide with in-repo ARM templates and bootstrap script #47898)

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: Revert this PR/commit
• Files/config to restore: docs/install/azure.md, docs/docs.json
• Known bad symptoms reviewers should watch for: N/A

Risks and Mitigations

None — docs-only change with no runtime impact.

[greptile-apps]

Greptile Summary

This PR rewrites docs/install/azure.md to replace a broken ARM template deployment (referencing infra/azure/templates/ which no longer exists) with 13 explicit az CLI steps, and removes a stale redirect from docs.json. The new guide is well-structured, technically accurate, and adds valuable "Cost considerations" and "Cleanup" sections.

Key observations:

• NSG rule priority ordering is correct (100 Allow Bastion → 110 Deny Internet → 120 Deny VNet)
• --public-ip-address "" and --nsg "" flags are used correctly to prevent public IP assignment and per-NIC NSG creation
• AzureBastionSubnet naming requirement is correctly documented
• Standard SKU with --enable-tunneling true is correctly required for CLI-based az network bastion ssh
• The "Cost considerations" and "Cleanup" sections use hardcoded resource names (rg-openclaw, vm-openclaw) instead of the ${RG} and ${VM_NAME} variables defined in Step 3 — users who customized their deployment names will get errors running those snippets

Confidence Score: 4/5

• Safe to merge — docs-only change fixing a broken guide; one minor variable consistency issue in out-of-steps sections.
• The core deployment steps are technically accurate and well-organized. The only issue is a minor inconsistency where the Cost considerations and Cleanup sections use hardcoded resource names instead of the shell variables defined earlier, which could trip up users who customized their deployment.
• docs/install/azure.md — review the hardcoded resource names in the Cost considerations and Cleanup sections.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: docs/install/azure.md
Line: 277-281

Comment:
**Hardcoded resource names instead of variables**

The guide explicitly encourages users to "Adjust names and CIDR ranges to fit your environment" in Step 3, but these commands use hardcoded `rg-openclaw` and `vm-openclaw` instead of the `${RG}` and `${VM_NAME}` variables defined earlier. A user who customized their resource names will copy these snippets and get a "resource not found" error.

The same issue appears in the Cleanup section at line 290 (`az group delete -n rg-openclaw`).

```suggestion
- **Deallocate the VM** when not in use (stops compute billing; disk charges remain):
  ```bash
  az vm deallocate -g "${RG}" -n "${VM_NAME}"
  az vm start -g "${RG}" -n "${VM_NAME}"   # restart later
  ```
```

And for the Cleanup section:
```bash
az group delete -n "${RG}" --yes --no-wait
```

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: "docs(azure): replace..."}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0db332562f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ec1862fb79

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[johnsonshi]

@BradGroux / @fabianwilliams here are the changes:

Docs Changes Rendered

AZ CLI Install Commands Validated

OpenClaw Install and Onboarding Validated after Bastion SSH

[johnsonshi]

@BradGroux removed the redundant redirect as you mentioned in the prior PR #47898

[johnsonshi]

@BradGroux I've converted the Azure Linux VM installation scripts to use az CLI instead of ARM templates to avoid external ARM template dependencies, as well as to align with other platform docs that use CLI commands when deploying OpenClaw on cloud instances.

I have also addressed all of the comments in my prior PR: #47898

[BradGroux]

Clean improvement over the ARM template approach, pure az CLI is much easier to follow and debug. Each resource creation step is explicit, the NSG rule priority explanations are helpful, and the cost considerations section is a great addition (Bastion at ~$140/month catches people off guard).

One thing to flag: the ARM templates in infra/azure/templates/ from #47898 are now orphaned since nothing references them. Worth a follow-up PR to remove them or add a note that they're kept as an alternative.

Good job.