Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
Provides Terraform HCL snippets for AWS compute (ECS/Fargate, EKS, Lambda) and storage (S3) with security-first and production-ready patterns. Useful for infrastructure automation.
npx claudepluginhub fortiumpartners/ensemble --plugin ensemble-infrastructureHow this skill is triggered — by the user, by Claude, or both
Slash command
/ensemble-infrastructure:aws-cloudThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
**Quick reference for AWS infrastructure automation with Terraform, security-first design, and production-ready patterns.**
Provides AWS cloud infrastructure patterns and best practices for EC2, Lambda, S3, RDS, ECS/EKS, including Well-Architected Framework, security, cost optimization, and Terraform IaC examples.
Provides deep AWS expertise for IAM policies, VPC networking, EKS/ECS/Lambda compute, RDS/DynamoDB/S3 storage, security hardening, monitoring, and multi-account production strategies.
Provides AWS production patterns for ECS Fargate with Terraform, 3-tier VPC architecture, IAM least privilege via OIDC, Multi-AZ RDS/ElastiCache, S3 lifecycle, CloudWatch alarms, Secrets Manager rotation. Use for designing architectures, writing Terraform, reviewing IAM.
Share bugs, ideas, or general feedback.
Quick reference for AWS infrastructure automation with Terraform, security-first design, and production-ready patterns.
ECS/Fargate (Managed Containers):
resource "aws_ecs_cluster" "app" {
name = "app-cluster"
setting {
name = "containerInsights"
value = "enabled"
}
}
resource "aws_ecs_task_definition" "app" {
family = "app"
network_mode = "awsvpc"
requires_compatibilities = ["FARGATE"]
cpu = "256"
memory = "512"
execution_role_arn = aws_iam_role.ecs_execution.arn
task_role_arn = aws_iam_role.ecs_task.arn
container_definitions = jsonencode([{
name = "app"
image = "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:latest"
portMappings = [{
containerPort = 8080
protocol = "tcp"
}]
logConfiguration = {
logDriver = "awslogs"
options = {
"awslogs-group" = "/ecs/app"
"awslogs-region" = "us-east-1"
"awslogs-stream-prefix" = "app"
}
}
}])
}
EKS (Managed Kubernetes):
resource "aws_eks_cluster" "main" {
name = "production-cluster"
role_arn = aws_iam_role.eks_cluster.arn
version = "1.28"
vpc_config {
subnet_ids = aws_subnet.private[*].id
endpoint_private_access = true
endpoint_public_access = false
security_group_ids = [aws_security_group.eks_cluster.id]
}
encryption_config {
provider {
key_arn = aws_kms_key.eks.arn
}
resources = ["secrets"]
}
}
resource "aws_eks_node_group" "main" {
cluster_name = aws_eks_cluster.main.name
node_group_name = "main-node-group"
node_role_arn = aws_iam_role.eks_nodes.arn
subnet_ids = aws_subnet.private[*].id
scaling_config {
desired_size = 3
max_size = 10
min_size = 2
}
instance_types = ["t3.large"]
labels = {
Environment = "production"
}
}
Lambda (Serverless Functions):
resource "aws_lambda_function" "api" {
filename = "lambda.zip"
function_name = "api-handler"
role = aws_iam_role.lambda_execution.arn
handler = "index.handler"
runtime = "nodejs18.x"
timeout = 30
memory_size = 512
environment {
variables = {
DB_HOST = aws_db_instance.main.endpoint
BUCKET = aws_s3_bucket.data.id
}
}
vpc_config {
subnet_ids = aws_subnet.private[*].id
security_group_ids = [aws_security_group.lambda.id]
}
}
S3 (Object Storage):
resource "aws_s3_bucket" "data" {
bucket = "company-data-bucket"
}
resource "aws_s3_bucket_versioning" "data" {
bucket = aws_s3_bucket.data.id
versioning_configuration {
status = "Enabled"
}
}
resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
bucket = aws_s3_bucket.data.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
resource "aws_s3_bucket_public_access_block" "data" {
bucket = aws_s3_bucket.data.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
RDS (Managed Databases):
resource "aws_db_instance" "postgres" {
identifier = "app-postgres"
engine = "postgres"
engine_version = "15.4"
instance_class = "db.t3.medium"
allocated_storage = 100
storage_type = "gp3"
storage_encrypted = true
kms_key_id = aws_kms_key.rds.arn
db_name = "app"
username = "admin"
password = random_password.db_password.result
multi_az = true
db_subnet_group_name = aws_db_subnet_group.main.name
vpc_security_group_ids = [aws_security_group.rds.id]
backup_retention_period = 7
backup_window = "03:00-04:00"
maintenance_window = "mon:04:00-mon:05:00"
enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
deletion_protection = true
skip_final_snapshot = false
final_snapshot_identifier = "app-postgres-final-snapshot"
}
VPC (Virtual Private Cloud):
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
enable_dns_hostnames = true
enable_dns_support = true
tags = {
Name = "production-vpc"
}
}
resource "aws_subnet" "public" {
count = 3
vpc_id = aws_vpc.main.id
cidr_block = "10.0.${count.index}.0/24"
availability_zone = data.aws_availability_zones.available.names[count.index]
map_public_ip_on_launch = true
tags = {
Name = "public-subnet-${count.index + 1}"
Type = "public"
}
}
resource "aws_subnet" "private" {
count = 3
vpc_id = aws_vpc.main.id
cidr_block = "10.0.${count.index + 10}.0/24"
availability_zone = data.aws_availability_zones.available.names[count.index]
tags = {
Name = "private-subnet-${count.index + 1}"
Type = "private"
}
}
resource "aws_internet_gateway" "main" {
vpc_id = aws_vpc.main.id
}
resource "aws_nat_gateway" "main" {
count = 3
allocation_id = aws_eip.nat[count.index].id
subnet_id = aws_subnet.public[count.index].id
}
Security Groups:
resource "aws_security_group" "alb" {
name = "alb-security-group"
vpc_id = aws_vpc.main.id
description = "Security group for Application Load Balancer"
ingress {
description = "HTTPS from internet"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
description = "Allow all outbound"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_security_group" "app" {
name = "app-security-group"
vpc_id = aws_vpc.main.id
description = "Security group for application containers"
ingress {
description = "HTTP from ALB"
from_port = 8080
to_port = 8080
protocol = "tcp"
security_groups = [aws_security_group.alb.id]
}
egress {
description = "Allow all outbound"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
CloudFront (CDN):
resource "aws_cloudfront_distribution" "cdn" {
enabled = true
is_ipv6_enabled = true
http_version = "http2and3"
price_class = "PriceClass_100"
origin {
domain_name = aws_s3_bucket.static.bucket_regional_domain_name
origin_id = "S3-static-content"
s3_origin_config {
origin_access_identity = aws_cloudfront_origin_access_identity.main.cloudfront_access_identity_path
}
}
default_cache_behavior {
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD"]
target_origin_id = "S3-static-content"
viewer_protocol_policy = "redirect-to-https"
compress = true
forwarded_values {
query_string = false
cookies {
forward = "none"
}
}
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
}
viewer_certificate {
acm_certificate_arn = aws_acm_certificate.main.arn
ssl_support_method = "sni-only"
minimum_protocol_version = "TLSv1.2_2021"
}
}
Route53 (DNS):
resource "aws_route53_zone" "main" {
name = "example.com"
}
resource "aws_route53_record" "www" {
zone_id = aws_route53_zone.main.zone_id
name = "www.example.com"
type = "A"
alias {
name = aws_cloudfront_distribution.cdn.domain_name
zone_id = aws_cloudfront_distribution.cdn.hosted_zone_id
evaluate_target_health = false
}
}
Least Privilege Principle:
resource "aws_iam_role" "ecs_task" {
name = "ecs-task-role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "ecs-tasks.amazonaws.com"
}
}]
})
}
resource "aws_iam_role_policy" "ecs_task_s3" {
name = "ecs-task-s3-access"
role = aws_iam_role.ecs_task.id
policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Effect = "Allow"
Action = [
"s3:GetObject",
"s3:PutObject"
]
Resource = [
"${aws_s3_bucket.data.arn}/*"
]
}]
})
}
KMS Keys:
resource "aws_kms_key" "main" {
description = "Main encryption key"
deletion_window_in_days = 30
enable_key_rotation = true
policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Sid = "Enable IAM User Permissions"
Effect = "Allow"
Principal = {
AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
}
Action = "kms:*"
Resource = "*"
}]
})
}
resource "aws_kms_alias" "main" {
name = "alias/main-key"
target_key_id = aws_kms_key.main.key_id
}
terraform {
backend "s3" {
bucket = "company-terraform-state"
key = "production/terraform.tfstate"
region = "us-east-1"
encrypt = true
dynamodb_table = "terraform-state-lock"
}
}
variable "environment" {
description = "Environment name"
type = string
validation {
condition = contains(["dev", "staging", "production"], var.environment)
error_message = "Environment must be dev, staging, or production."
}
}
variable "allowed_cidr_blocks" {
description = "CIDR blocks allowed to access resources"
type = list(string)
sensitive = true
}
infrastructure/
├── modules/
│ ├── networking/
│ ├── compute/
│ ├── database/
│ └── security/
├── environments/
│ ├── dev/
│ ├── staging/
│ └── production/
└── terraform.tfvars.example
When to use ECS vs EKS vs Lambda?
Database Selection:
Storage Selection: