By oborchers
Research-backed, opinionated guidance for building cloud infrastructure that doesn't rot — multi-account governance, naming conventions, IaC organization, security, deployment pipelines, and operational hygiene, distilled from production experience across multiple cloud migrations
npx claudepluginhub oborchers/fractional-cto --plugin cloud-foundation-principles
This skill should be used when the user is making significant infrastructure decisions, documenting architectural choices, creating decision records, tracking exemptions from IaC, establishing decision-making processes, or onboarding new team members to existing infrastructure. Covers ADR format, numbering, status lifecycle, exemption tracking, and decision governance.
This skill should be used when the user is building Docker images, configuring container registries, designing image tagging strategies, setting up registry lifecycle policies, debugging production incidents that require tracing running code, or discussing OCI labels and build metadata. Covers git SHA tagging, the traceability chain from container to source code, registry retention policies, OCI build labels, and why date-based or environment-based tags fail.
This skill should be used when the user is choosing between managed and self-hosted services, deciding whether to run Kubernetes or use managed containers, evaluating self-hosted databases vs managed databases, considering self-hosted monitoring or caches, designing for a small team (under 50 engineers), or justifying a self-hosted exception. Covers the operations tax of self-hosting, managed container orchestration over Kubernetes for small teams, managed workflow engines, managed caches and databases, managed monitoring, and the decision framework for when self-hosting is genuinely justified.
This skill should be used when the user is setting up a new cloud project, designing account or project structure, creating environment isolation, configuring organization units or management groups, implementing landing zones, or deciding how to separate dev and prod workloads. Covers multi-account strategy, blast radius isolation, landing zone setup, and organizational governance.
This skill should be used when the user is designing resource naming conventions, implementing tagging or labeling strategies, building a labels module, setting up cost center attribution, creating naming standards for cloud resources, or reviewing tag compliance. Covers naming patterns, labels modules, cost center validation, tag enforcement, and naming across resource types.
This skill should be used when the user is designing VPC or virtual network topology, planning subnet tiers, configuring NAT gateways, setting up DNS zones, creating private connectivity endpoints, designing API gateway routing, or planning CIDR ranges. Covers subnet tiers (baseline and optional), availability zone distribution, cost-optimized NAT, private service endpoints, DNS strategy, and API gateway patterns.
This skill should be used when the user is addressing cloud resource sprawl, implementing cost attribution and tagging enforcement, setting up monitoring and alerting defaults, configuring drift detection for Terraform, designing lifecycle policies for storage and artifacts, or cleaning up after migrations. Covers resource cleanup discipline, cost center enforcement, monitoring with sensible defaults, scheduled drift detection, and lifecycle automation.
This skill should be used when the user is structuring Terraform repositories, deciding between mono-repo and multi-repo strategies, organizing infrastructure into layers, designing state management architecture, setting up cross-layer dependencies, or evaluating blast radius of infrastructure changes. Covers multi-repository strategy, numbered layer architecture, state-per-layer-per-environment isolation, cross-layer remote state references, and deployment ordering.
This skill should be used when the user is storing credentials, managing API keys, setting up secret rotation, designing secret naming conventions, creating database users, managing environment-specific configuration, or deciding how applications should access secrets at runtime. Covers the one-secret-per-service pattern, account-based environment isolation, KMS encryption, role-based database users, and the infrastructure wiring exception for parameter stores.
This skill should be used when the user is setting up security monitoring, enabling threat detection, configuring compliance scanning, deploying vulnerability scanners, creating a security account, centralizing security findings, choosing between detective and preventive controls, or deciding when to enable security services. Covers the four security pillars (threat detection, compliance scanning, vulnerability scanning, configuration auditing), centralized security accounts with delegated admin, detective-before-preventive strategy, and managed security services over custom SIEM.
This skill should be used when the user is deciding where infrastructure code should live, structuring service repositories with Terraform, separating shared vs service-owned resources, designing module consumption patterns, or eliminating centralized deployment bottlenecks. Covers service-owned IaC directories, remote state consumption, shared module guardrails, and the boundary between platform and service infrastructure.
This skill should be used when the user is designing CI/CD pipelines, configuring deployment triggers, setting up production release processes, implementing approval gates, configuring pre-commit hooks for Terraform, or distinguishing between development and production deployment strategies. Covers the environment/trigger matrix, git tag naming conventions, manual approval gates, pre-commit validation, the full pipeline flow from commit to production, and why branch-based production deploys are dangerous.
This skill should be used when the user is designing Terraform modules, wrapping community modules, implementing conditional resource creation, structuring module variables and outputs, setting up pre-commit quality gates, versioning custom modules, building reusable infrastructure components, or reviewing module code for maintainability. Covers ten production-proven module design patterns, quality gate configuration, and version pinning strategies.
This skill should be used when the user is choosing a CI/CD platform, migrating between CI/CD providers, consolidating build and deployment pipelines, designing pipeline architecture across application and infrastructure code, setting up drift detection, configuring OIDC authentication for pipelines, or discussing the operational cost of multiple CI/CD systems. Covers platform selection, the cost of multi-platform CI/CD, what 'everything on one platform' means, OIDC pipeline authentication, Jenkins migration, and scheduled pipeline jobs like drift detection.
This skill should be used when the user asks "which cloud foundation skill should I use", "show me all cloud principles", "help me pick an infrastructure pattern", or at the start of any cloud infrastructure, Terraform, or IaC conversation. Provides the index of all fifteen principle skills and ensures the right ones are invoked before any cloud infrastructure work begins.
This skill should be used when the user is configuring SSO, setting up CI/CD authentication, designing OIDC federation, eliminating SSH keys or VPN, managing human or machine identity, or discussing credential lifecycle. Covers core access patterns (human SSO, pipeline OIDC, operator session-based), federated identity, workload identity federation, and the elimination of static API keys, SSH keys, and VPN files.
Comprehensive skill pack with 66 specialized skills for full-stack developers: 12 language experts (Python, TypeScript, Go, Rust, C++, Swift, Kotlin, C#, PHP, Java, SQL, JavaScript), 10 backend frameworks, 6 frontend/mobile, plus infrastructure, DevOps, security, and testing. Features progressive disclosure architecture for 50% faster loading.
Uses power tools
Uses Bash, Write, or Edit tools
No model invocation
Executes directly as bash, bypassing the AI model
Team-oriented workflow plugin with role agents, 27 specialist agents, ECC-inspired commands, layered rules, and hooks skeleton.
Access thousands of AI prompts and skills directly in your AI coding assistant. Search prompts, discover skills, save your own, and improve prompts with AI.
Upstash Context7 MCP server for up-to-date documentation lookup. Pull version-specific documentation and code examples directly from source repositories into your LLM context.
Orchestrate multi-agent teams for parallel code review, hypothesis-driven debugging, and coordinated feature development using Claude Code's Agent Teams
Comprehensive startup business analysis with market sizing (TAM/SAM/SOM), financial modeling, team planning, and strategic research