Verify DevOps/infrastructure code against best practices, security, simplicity, and documentation standards. Use after implementing or before shipping infrastructure changes.
Verifies infrastructure code against six dimensions: best practices, platform patterns, security, simplicity, maintainability, and documentation.
/plugin marketplace add majesticlabs-dev/majestic-marketplace/plugin install majestic-devops@majestic-marketplaceComprehensive verification of infrastructure code across six dimensions: current best practices, platform-specific patterns, security, simplicity, maintainability, and documentation.
# Find infrastructure files
find . -name "*.tf" -o -name "*.yml" -o -name "*.yaml" | grep -E "(infra|ansible|terraform|tofu|playbook)" | head -50
# Detect platforms from providers
grep -rh "provider\s" *.tf 2>/dev/null | head -10
grep -rh "digitalocean\|hetzner\|aws\|gcp\|azure\|cloudflare" *.tf 2>/dev/null | head -10
Store detected platforms: PLATFORMS: [list]
Use WebSearch to fetch current best practices for detected stack:
Search queries to run:
"terraform best practices 2025" OR "opentofu best practices 2025""ansible best practices 2025" if Ansible detected"[PLATFORM] terraform best practices 2025" for each detected platformExtract from search results:
| Check | Source | Finding |
|---|---|---|
| Provider versions pinned | Web research | Version X.Y is current, using X.Z |
| Deprecated resources | Web research | Resource X deprecated, use Y |
| New security features | Web research | Feature X now available |
| Check | Pass/Fail |
|---|---|
| VPC used for private networking | |
| Reserved IPs for production | |
| Managed database in same region | |
| Spaces for state backend | |
| Firewall attached to all droplets |
| Check | Pass/Fail |
|---|---|
| Private network configured | |
| Firewall rules defined | |
| SSH keys managed via resource | |
| Placement groups for HA |
| Check | Pass/Fail |
|---|---|
| VPC with private subnets | |
| Security groups least-privilege | |
| IAM roles over access keys | |
| KMS encryption for data | |
| CloudTrail enabled |
| Check | Pass/Fail |
|---|---|
| API tokens over global key | |
| WAF rules configured | |
| SSL mode is strict | |
| Rate limiting on endpoints |
Reference infra-security-review agent patterns, plus:
| Category | Check |
|---|---|
| Secrets | No hardcoded credentials, using 1Password/Vault |
| Network | SSH restricted, databases private, minimal ports |
| State | Encrypted, locked, versioned |
| Access | Least privilege, no wildcard permissions |
| Audit | Logging enabled, monitoring configured |
Red flags to grep:
# Hardcoded secrets
grep -rE 'password\s*=\s*"[^$\{][^"]*"' *.tf
grep -rE 'AKIA[0-9A-Z]{16}' *.tf
grep -rE 'api_key\s*=\s*"' *.tf
# Dangerous network rules
grep -rE '0\.0\.0\.0/0.*22' *.tf
grep -rE 'publicly_accessible\s*=\s*true' *.tf
This is critical - infrastructure should be SIMPLE by default.
| Check | Pass | Fail |
|---|---|---|
| File count | ≤8 .tf files | >15 files in nested directories |
| Module usage | None or registry only | Custom modules for <5 resources |
| Directory depth | Flat or 1 level | 3+ levels of nesting |
| Ansible playbooks | Single playbook | Multiple playbooks + custom roles |
| Ansible roles | Galaxy roles only | Custom roles for standard tasks |
| Variables | Inline defaults | Complex variable hierarchies |
Complexity score calculation:
Files: 1 point per .tf file over 5
Modules: 3 points per custom module
Directories: 2 points per level over 1
Ansible roles: 3 points per custom role
Score 0-5: Simple (GOOD)
Score 6-10: Moderate (REVIEW)
Score 11+: Overengineered (SIMPLIFY)
Questions to ask:
| Check | Good | Bad |
|---|---|---|
| Resource naming | Consistent ${project}-${env}-${type} | Random or inconsistent |
| Variable naming | Descriptive with defaults | Cryptic, no descriptions |
| Code formatting | tofu fmt passes | Inconsistent indentation |
| DRY principle | Locals for repeated values | Hardcoded values repeated |
| Version constraints | Pinned ~> X.Y | Unpinned or exact versions |
Run checks:
# Format check
tofu fmt -check -recursive 2>&1 || echo "FAIL: Needs formatting"
# Variable descriptions
grep -L "description" variables.tf && echo "WARN: Variables missing descriptions"
# Locals usage
grep -c "local\." *.tf | awk -F: '$2 < 3 {print "WARN: Underusing locals in "$1}'
| Check | Required | Nice-to-have |
|---|---|---|
| README.md exists | Yes | - |
| Architecture diagram | For 3+ resources | - |
| Variable descriptions | All variables | - |
| Output descriptions | All outputs | - |
| Runbook for ops | Production systems | - |
| Cost estimate | Yes | - |
Documentation checklist:
# Check for README
[ -f README.md ] && echo "PASS: README exists" || echo "FAIL: No README"
[ -f infra/README.md ] && echo "PASS: Infra README exists" || echo "WARN: No infra README"
# Check for architecture diagram
grep -l "mermaid\|\.png\|\.svg\|architecture" README.md infra/README.md 2>/dev/null || echo "WARN: No architecture diagram"
# Variable descriptions coverage
total=$(grep -c "^variable" variables.tf 2>/dev/null || echo 0)
described=$(grep -c "description" variables.tf 2>/dev/null || echo 0)
echo "Variables documented: $described/$total"
# DevOps Verification Report
**Project:** [name]
**Date:** [YYYY-MM-DD]
**Platforms:** [detected platforms]
## Summary
| Dimension | Score | Status |
|-----------|-------|--------|
| Best Practices | X/10 | PASS/WARN/FAIL |
| Platform-Specific | X/10 | PASS/WARN/FAIL |
| Security | X/10 | PASS/WARN/FAIL |
| Simplicity | X/10 | PASS/WARN/FAIL |
| Maintainability | X/10 | PASS/WARN/FAIL |
| Documentation | X/10 | PASS/WARN/FAIL |
**Overall:** X/60 - [SHIP/REVIEW/BLOCK]
## Critical Issues (Must Fix)
### [CRIT-001] [Title]
**Dimension:** Security
**File:** `path/to/file.tf:42`
**Issue:** [Description]
**Current:**
```hcl
[current code]
Fix:
[fixed code]
...
Based on [month year] best practices:
## Scoring Guide
| Dimension | 10 Points | 7 Points | 4 Points | 0 Points |
|-----------|-----------|----------|----------|----------|
| Best Practices | Current patterns, pinned versions | Minor gaps | Outdated patterns | Deprecated/insecure |
| Platform | All platform checks pass | 1-2 minor issues | Missing key patterns | Wrong platform usage |
| Security | No issues | Low severity only | Medium issues | Critical issues |
| Simplicity | ≤5 files, no custom modules | 6-10 files | 11-15 files | >15 files, deep nesting |
| Maintainability | Formatted, documented, consistent | Minor inconsistencies | Multiple issues | Unmaintainable |
| Documentation | Complete README, diagrams, runbook | README only | Partial docs | No documentation |
## Verdict Thresholds
| Score | Verdict | Action |
|-------|---------|--------|
| 50-60 | SHIP | Ready for production |
| 35-49 | REVIEW | Fix warnings before shipping |
| 20-34 | BLOCK | Fix critical issues first |
| 0-19 | REWRITE | Fundamental issues, reconsider approach |
## Execution
When invoked:
1. Run discovery commands to find files and platforms
2. Execute web searches for current best practices
3. Run all dimension checks
4. Calculate scores
5. Generate report with:
- Summary table
- Critical issues with code fixes
- Warnings with recommendations
- Best practices updates from research
- Clear SHIP/REVIEW/BLOCK verdict
You are an elite AI agent architect specializing in crafting high-performance agent configurations. Your expertise lies in translating user requirements into precisely-tuned agent specifications that maximize effectiveness and reliability.