---
name: iac
description: Best practices for Infrastructure as Code, GitOps, minimizing configuration drift, and avoiding imperative infrastructure operations.
category: infra
impact: high
---

# Infrastructure as Code (IaC)

## 🎯 Purpose

Ensures that all infrastructure modifications are handled strictly through code (`.tf`, `.bicep`, `.yaml`, Helm charts, kustomize) and never via imperative command-line actions or UI clicks.

**🚨 CRITICAL: Before discussing infrastructure changes or trying to manage cloud resources / Kubernetes state, YOU MUST use the `read_file` tool to read `.ai/skills/iac/REFERENCE.md`.**

## 🚨 Prohibitions (Thou Shalt Not)

- **NEVER mutate state via imperative CLI commands.** No `az resource create`, `aws ec2 run-instances`, `kubectl create/edit/apply`, `gcloud compute`.
- **NEVER resolve a bug "temporarily" in production by patching live infrastructure.** Every fix must be tracked in version control.
- **NEVER use mutable, non-deterministic references (e.g., `latest` image tags).** IaC depends on deterministic state and immutable tags.

## Workflows (IaC Lifecycle)

1. **State Inspection (Read-Only OK):**
   - You may use CLI tools (`aws`, `az`, `kubectl`) to *read* the current state (e.g., `az network vnet show`) to debug issues.
2. **Developing Fixes:**
   - Locate the source of truth (e.g., the Terraform module or the Helm `values.yaml`).
   - Write the fix directly in the IaC configuration file.
   - Explain *why* the configuration change resolves the live issue.
3. **Validation:**
   - Use linting and planning commands (`terraform plan`, `helm template`, `bicep build`) to validate changes before committing.
   - Do NOT run `apply` unless the user explicitly commands it in a throwaway/development environment.

## 🔗 Related Skills

Depending on the specific IaC tool you are interacting with, you **MUST** also activate and follow these skills:

- **Clean Code (`.ai/skills/clean-code/SKILL.md`):** Infrastructure as Code is still CODE. Apply clean architecture, DRY principles, and proper naming conventions to IaC files.
- **Helm (`.ai/skills/helm/SKILL.md`):** If the IaC involves Kubernetes Helm charts, strictly adhere to the Helm-specific structure and templating rules.
- **Kubernetes Access (`.ai/skills/kubernetes-access/SKILL.md`):** Governs how you interact with the live cluster to inspect the state before/after IaC changes.