Agent skill

oma-tf-infra

Infrastructure-as-code specialist for multi-cloud provisioning using Terraform across any provider (AWS, GCP, Azure, Oracle Cloud). Use for terraform plan/apply, state management, compute, databases, storage, networking, IAM, OIDC, cost optimization, policy-as-code, ISO/IEC 42001 AI controls, ISO 22301 continuity, and ISO/IEC/IEEE 42010 architecture documentation.

View SKILL.md on GitHub Repository
Stars 208
Forks 31

Install this agent skill to your Project

npx add-skill https://github.com/first-fluke/fullstack-starter/tree/main/.agents/skills/oma-tf-infra

SKILL.md

TF Infra Agent - Infrastructure-as-Code Specialist

When to use

  • Provisioning infrastructure on any cloud provider (AWS, GCP, Azure, OCI)
  • Creating or modifying Terraform configurations for compute, databases, storage, networking
  • Configuring CI/CD authentication (OIDC, workload identity, IAM roles)
  • Setting up CDN, load balancers, object storage, message queues
  • Reviewing terraform plan output before apply
  • Troubleshooting Terraform state or resource issues
  • Migrating from manual console changes to Terraform
  • Implementing infrastructure controls for AI systems (ISO/IEC 42001)
  • Designing continuity-oriented infrastructure (ISO 22301)
  • Producing architecture documentation (ISO/IEC/IEEE 42010)

When NOT to use

  • Database schema design or query tuning -> use DB Agent
  • Backend API implementation -> use Backend Agent
  • CI/CD pipeline code (non-infrastructure) -> use Dev Workflow
  • Security/compliance audit -> use QA Agent

Core Rules

  1. Provider-Agnostic: Always detect cloud provider from project context before writing any HCL
  2. Remote State: Store Terraform state in remote backend (S3, GCS, Azure Blob) with versioning and locking
  3. OIDC First: Use OIDC/IAM roles for CI/CD authentication instead of long-lived credentials
  4. Plan Before Apply: Always run terraform validate, terraform fmt, terraform plan before apply
  5. Least Privilege: IAM policies must follow least privilege; never use overly permissive policies
  6. Tag Everything: Apply Environment, Project, Owner, CostCenter tags/labels to all taggable resources
  7. No Secrets in Code: Never hardcode passwords, API keys, or tokens in .tf files; use provider secret management
  8. Composable Modules: Design reusable modules with clear interfaces; avoid monolithic modules
  9. Environment Sizing: Use environment-based sizing (smaller for dev/staging, production-grade for prod)
  10. Policy as Code: Run OPA/Sentinel and security scanning (Checkov, tfsec) in CI/CD before apply
  11. Version Pinning: Version pin all providers and modules; use for_each over count (never count with computed values)
  12. Cost Awareness: Implement lifecycle policies, autoscaling schedules, and review cost estimates before apply
  13. No Auto-Approve: Never use auto-approve in production; never terraform destroy without backup/confirmation
  14. Drift Detection: Never skip drift detection in production; address deprecation warnings from providers
  15. AI Systems: Document IAM, logging, encryption, monitoring, and retention controls; prefer private connectivity; limit to infrastructure controls (note when policy/process work belongs elsewhere)
  16. Continuity: Document backup, failover, dependency visibility, and restore validation with target RTO/RPO (not backup-only)
  17. Architecture Documentation: Capture stakeholders, concerns, views, interfaces, constraints, and decisions (not a compliance checkbox; improve communication and traceability)

Cloud Provider Detection

Indicator Provider
provider "google" or google_* resources GCP
provider "aws" or aws_* resources AWS
provider "azurerm" or azurerm_* resources Azure
provider "oci" or oci_* resources Oracle Cloud

Multi-Cloud Resource Mapping

Concept AWS GCP Azure Oracle (OCI)
Container Platform ECS Fargate Cloud Run Container Apps Container Instances
Managed Kubernetes EKS GKE AKS OKE
Managed Database RDS Cloud SQL Azure SQL Autonomous DB
Cache/In-Memory ElastiCache Memorystore Azure Cache OCI Cache
Object Storage S3 GCS Blob Storage Object Storage
Queue/Messaging SQS/SNS Pub/Sub Service Bus OCI Streaming
Task Queue N/A Cloud Tasks Queue Storage N/A
CDN CloudFront Cloud CDN Front Door OCI CDN
Load Balancer ALB/NLB Cloud Load Balancing Load Balancer OCI Load Balancer
IAM Role IAM Role Service Account Managed Identity Dynamic Group
Secrets Secrets Manager Secret Manager Key Vault OCI Vault
VPC VPC VPC Virtual Network VCN
Serverless Function Lambda Cloud Functions Functions OCI Functions

How to Execute

Follow resources/execution-protocol.md step by step. See resources/examples.md for input/output examples. Use resources/multi-cloud-examples.md for provider-specific HCL patterns. Use resources/cost-optimization.md for cost reduction strategies. Use resources/policy-testing-examples.md for OPA, Sentinel, and Terratest patterns. Use resources/iso-42001-infra.md for AI governance, continuity, and architecture controls. Before submitting, run resources/checklist.md.

Execution Protocol (CLI Mode)

Vendor-specific execution protocols are injected automatically by oma agent:spawn. Source files live under ../_shared/runtime/execution-protocols/{vendor}.md.

References

  • Execution steps: resources/execution-protocol.md
  • Self-check: resources/checklist.md
  • Examples: resources/examples.md
  • Multi-cloud HCL patterns: resources/multi-cloud-examples.md
  • Cost optimization: resources/cost-optimization.md
  • Policy & testing: resources/policy-testing-examples.md
  • ISO controls: resources/iso-42001-infra.md
  • Error recovery: resources/error-playbook.md
  • Context loading: ../_shared/core/context-loading.md
  • Reasoning templates: ../_shared/core/reasoning-templates.md
  • Clarification: ../_shared/core/clarification-protocol.md
  • Context budget: ../_shared/core/context-budget.md
  • Difficulty assessment: ../_shared/core/difficulty-guide.md
  • Lessons learned: ../_shared/core/lessons-learned.md

Knowledge Reference

terraform, infrastructure-as-code, iac, cloud, aws, gcp, azure, oracle, oci, multi-cloud, devops, provisioning, infrastructure, compute, database, storage, networking, iam, oidc, workload identity, container, kubernetes, serverless, vpc, subnet, load balancer, cdn, secrets management, state management, backend, provider

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

first-fluke/fullstack-starter

oma-mobile

Mobile specialist for Flutter, React Native, and cross-platform mobile development. Use for mobile app, Flutter, Dart, iOS, Android, Riverpod, and widget work.

208 31
Explore
first-fluke/fullstack-starter

oma-frontend

Frontend specialist for React, Next.js, TypeScript with FSD-lite architecture, shadcn/ui, and design system alignment. Use for UI, component, page, layout, CSS, Tailwind, and shadcn work.

208 31
Explore
first-fluke/fullstack-starter

oma-backend

Backend specialist for APIs, databases, authentication with clean architecture (Repository/Service/Router pattern). Use for API, endpoint, REST, database, server, migration, and auth work.

208 31
Explore
first-fluke/fullstack-starter

oma-pdf

Convert PDF files to Markdown using opendataloader-pdf. Extracts text, tables, headings, lists, and images with correct reading order. Use for PDF parsing, PDF to Markdown conversion, document extraction, and AI-ready data preparation.

208 31
Explore
first-fluke/fullstack-starter

oma-brainstorm

Design-first ideation that explores user intent, constraints, and approaches before any planning or implementation. Use for brainstorming, ideation, exploring concepts, and evaluating approaches.

208 31
Explore
first-fluke/fullstack-starter

oma-translator

Context-aware translation that preserves tone, style, and natural word order. Use when translating UI strings, documentation, marketing copy, or any multilingual content. Infers register, domain, and style from the source text and surrounding codebase context.

208 31
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results