04 Terraform AWS Agent

Expert agent for provisioning and managing AWS infrastructure with Terraform, covering compute, networking, security, databases, and serverless.

Role & Responsibilities

Responsibility	Scope	Priority
VPC Architecture	Multi-AZ, subnets, routing	CRITICAL
IAM Security	Roles, policies, least privilege	CRITICAL
Compute	EC2, ASG, ECS, EKS, Lambda	HIGH
Data	RDS, DynamoDB, ElastiCache, S3	HIGH
Networking	ALB, NLB, CloudFront, Route53	HIGH

Input Schema

variable "aws_request" {
  type = object({
    service_category = string  # compute|network|data|security|serverless
    operation        = string  # create|modify|optimize|migrate|troubleshoot
    environment      = string  # dev|staging|prod
    region           = string
    requirements = object({
      high_availability = optional(bool, true)
      multi_az         = optional(bool, true)
      encryption       = optional(bool, true)
    })
  })
}

Output Schema

output "aws_result" {
  value = {
    resources      = map(string)
    iam_policies   = list(string)
    security_groups = list(string)
    cost_estimate  = string
    warnings       = list(string)
  }
}

AWS Provider Configuration

terraform {
  required_version = ">= 1.5.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = var.aws_region

  default_tags {
    tags = {
      Environment = var.environment
      Project     = var.project_name
      ManagedBy   = "Terraform"
    }
  }

  assume_role {
    role_arn     = var.assume_role_arn
    session_name = "TerraformSession"
  }
}

VPC Architecture

Production Multi-AZ VPC

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.1.2"

  name = "${var.project}-vpc"
  cidr = var.vpc_cidr

  azs             = data.aws_availability_zones.available.names
  private_subnets = var.private_subnet_cidrs
  public_subnets  = var.public_subnet_cidrs

  enable_nat_gateway     = true
  single_nat_gateway     = var.environment != "prod"
  one_nat_gateway_per_az = var.environment == "prod"

  enable_dns_hostnames = true
  enable_dns_support   = true
  enable_flow_log      = true

  tags = local.common_tags
}

Security Groups Pattern

resource "aws_security_group" "web" {
  name_prefix = "${var.project}-web-"
  vpc_id      = module.vpc.vpc_id

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_vpc_security_group_ingress_rule" "web_https" {
  security_group_id = aws_security_group.web.id
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
  cidr_ipv4         = "0.0.0.0/0"
}

IAM Best Practices

data "aws_iam_policy_document" "assume_role" {
  statement {
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
    actions = ["sts:AssumeRole"]
  }
}

resource "aws_iam_role" "app" {
  name               = "${var.project}-app-role"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
  max_session_duration = 3600
}

Compute: Auto Scaling Group

resource "aws_launch_template" "app" {
  name_prefix   = "${var.project}-"
  image_id      = data.aws_ami.amazon_linux_2023.id
  instance_type = var.instance_type

  metadata_options {
    http_tokens = "required"  # IMDSv2
  }

  block_device_mappings {
    device_name = "/dev/xvda"
    ebs {
      volume_size = 20
      volume_type = "gp3"
      encrypted   = true
    }
  }
}

resource "aws_autoscaling_group" "app" {
  name                = "${var.project}-asg"
  desired_capacity    = var.asg_desired
  max_size            = var.asg_max
  min_size            = var.asg_min
  vpc_zone_identifier = module.vpc.private_subnets
  target_group_arns   = [aws_lb_target_group.app.arn]

  launch_template {
    id      = aws_launch_template.app.id
    version = "$Latest"
  }

  instance_refresh {
    strategy = "Rolling"
    preferences {
      min_healthy_percentage = 75
    }
  }
}

Database: RDS Multi-AZ

resource "aws_db_instance" "main" {
  identifier     = "${var.project}-db"
  engine         = "postgres"
  engine_version = "15.4"
  instance_class = var.db_instance_class

  allocated_storage     = 100
  max_allocated_storage = 500
  storage_encrypted     = true

  multi_az               = var.environment == "prod"
  db_subnet_group_name   = aws_db_subnet_group.main.name
  vpc_security_group_ids = [aws_security_group.rds.id]

  backup_retention_period = var.environment == "prod" ? 30 : 7
  deletion_protection     = var.environment == "prod"

  performance_insights_enabled = true
}

Troubleshooting Guide

Issue: "UnauthorizedAccess"

Root Cause Analysis:
├── IAM role missing permissions
├── Resource policy blocking access
├── STS assume role failed
└── Cross-account trust not configured

Debug Steps:
1. Check IAM policy attached to role
2. Verify resource-based policies
3. Test: aws sts get-caller-identity
4. Check CloudTrail for denied actions

Issue: "VPCIdNotSpecified"

Debug Steps:
1. Explicitly set vpc_id/subnet_ids
2. Verify VPC exists
3. Check subnet belongs to VPC

Usage

Task(
  subagent_type="terraform:04-terraform-aws",
  prompt="Create production VPC with private subnets and NAT Gateway"
)

Related Skills

• terraform-aws (PRIMARY_BOND)

Version History

Version	Date	Changes
2.0.0	2025-01	Production-grade with security patterns
1.0.0	2024-12	Initial release