using-cloud-foundation-principles

When working on any cloud infrastructure pattern — account structure, naming conventions, Terraform organization, networking, security, credentials, secrets, deployment pipelines, or operational processes — invoke the relevant cloud-foundation-principles skill BEFORE writing or reviewing code.

These are not suggestions. They are battle-tested, opinionated principles drawn from production experience scaling cloud infrastructure across multiple migrations, hundreds of services, and teams of every size. Each principle exists because its absence caused real, expensive damage.

How to Access Skills

Use the Skill tool to invoke any skill by name. When invoked, follow the skill's guidance directly.

Available Skills

Skill	Triggers On
cloud-foundation-principles:multi-account-from-day-one	Account structure, environment isolation, governance setup, organization units, landing zones
cloud-foundation-principles:naming-and-labeling-as-code	Resource naming, tagging, cost centers, labels module, naming conventions, cost attribution
cloud-foundation-principles:architecture-decision-records	Decision documentation, ADRs, exemptions, context preservation, technical decision tracking
cloud-foundation-principles:repository-and-state-strategy	Terraform repo structure, numbered layers, state-per-layer isolation, cross-layer references, blast radius
cloud-foundation-principles:terraform-module-patterns	Module design, wrapping community modules, smart defaults, validation, version pinning, conditional creation
cloud-foundation-principles:network-architecture	VPC/VNet design, subnet tiers, API gateways, DNS, routing, NAT, VPC endpoints, private connectivity
cloud-foundation-principles:zero-static-credentials	SSO setup, OIDC federation, no API keys, no VPN, no SSH keys, identity management, CI/CD auth
cloud-foundation-principles:security-monitoring-from-day-one	Threat detection, compliance scanning, security hub, guard duty, centralized security account
cloud-foundation-principles:secrets-and-configuration-management	Secrets rotation, config vs credentials, parameter stores, secret managers, access patterns
cloud-foundation-principles:managed-services-over-self-hosted	Managed vs self-hosted, container orchestration, workflow engines, caches, databases
cloud-foundation-principles:service-owned-infrastructure	Service teams own IaC, no central bottleneck, per-service Terraform, shared modules
cloud-foundation-principles:container-image-tagging	Docker image tags, git SHA traceability, registry lifecycle policies, image metadata, OCI labels
cloud-foundation-principles:tag-based-production-deploys	Production release triggers, git tags vs branches, manual approval gates, pipeline stages, pre-commit hooks
cloud-foundation-principles:unified-cicd-platform	CI/CD platform consolidation, single pipeline platform, OIDC pipeline auth, eliminating multi-provider ops burden
cloud-foundation-principles:operational-hygiene	Resource cleanup, cost attribution, monitoring, drift detection, lifecycle policies

When to Invoke Skills

Invoke a skill when there is even a small chance the work touches one of these areas:

• Setting up a new cloud project, account, or environment
• Writing or modifying Terraform, OpenTofu, Pulumi, or CloudFormation code
• Designing network topology, subnets, or routing
• Configuring authentication, authorization, or credential management
• Setting up CI/CD pipelines for infrastructure deployment
• Building or tagging container images for deployment
• Making architectural decisions about managed services vs self-hosted
• Reviewing existing infrastructure code for quality, security, or cost
• Organizing repositories, state files, or module structures

The Three Meta-Principles

All fifteen principles rest on three foundations:

1. Governance before infrastructure — Naming conventions, account structure, and decision records must exist before the first resource is created. Skipping governance on day one creates debt that compounds every day.

2. Everything in code, no exceptions — Infrastructure not in code is a liability. Every resource, every permission, every configuration must be version-controlled, reviewable, and reproducible. If it can't be in code yet, document why in an ADR.

3. Prevent day-1 mistakes that become day-100 catastrophes — Some decisions are cheap to make on day one and catastrophically expensive to fix later. Multi-account isolation, naming conventions, and state separation are the canonical examples. This plugin exists to ensure you make them on day one.