---
name: iac
description: Best practices for Infrastructure as Code, GitOps, minimizing configuration drift, and avoiding imperative infrastructure operations.
category: infra
impact: high
---

# Infrastructure as Code (IaC)

## 🎯 Purpose

Ensures that all infrastructure modifications are made strictly through code (.tf, .bicep, .yaml, charts, kustomize) and never through imperative command-line actions or UI clicks.

**🚨 CRITICAL: Before discussing infrastructure changes or trying to manage cloud resources / Kubernetes state, YOU MUST use the `read_file` tool to read `.ai/skills/iac/REFERENCE.md`.**

## 🚨 Prohibitions (Thou Shalt Not)

- **NEVER mutate state via imperative CLI commands.** No `az resource create`, `aws ec2 run-instances`, `kubectl create`/`kubectl edit`/`kubectl apply`, `gcloud compute`.
- **NEVER resolve a bug "temporarily" in production by patching live infrastructure.** Every fix must be tracked in version control.
- **NEVER use mutable, non-deterministic references (e.g., `latest` tags).** IaC depends on deterministic state and immutable tags.

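A check for the immutable-tag rule, added here as an example and not part of this skill file: it scans a Kubernetes manifest or Helm values file for `image:` references and flags the ones that are floating (`latest`, or no tag at all), optionally also flagging plain tags so that only digest-pinned images pass. The sample manifest and the set of floating tag names are constructed assumptions.

```python
"""Flag mutable container image references in IaC files (added example)."""
import re

# Matches `image: <ref>` lines in YAML, quoted or bare, including list items.
IMAGE_LINE = re.compile(r'^\s*-?\s*image:\s*["\']?([^"\'\s#]+)')

# Assumption: tag names commonly used as moving targets.
FLOATING_TAGS = {"latest", "stable", "main", "master"}


def classify_image(ref: str) -> str:
    """Return 'digest', 'tag' or 'floating' for one image reference."""
    # Look only at the last path component so a registry port
    # (registry.example.com:5000/app) is not mistaken for a tag.
    name = ref.rsplit("/", 1)[-1]
    if "@sha256:" in name:
        return "digest"            # content-addressed, immutable
    if ":" in name:
        tag = name.split(":", 1)[1]
        return "floating" if tag in FLOATING_TAGS else "tag"
    return "floating"              # no tag resolves to :latest at pull time


def find_violations(manifest: str, allow_tags: bool = True) -> list:
    """Return (line_no, ref, kind) for references that are not pinned.

    With allow_tags=False, only digest-pinned images are accepted."""
    violations = []
    for line_no, line in enumerate(manifest.splitlines(), 1):
        match = IMAGE_LINE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if "{{" in ref:
            continue               # Helm template; check the `helm template` output instead
        kind = classify_image(ref)
        if kind == "floating" or (kind == "tag" and not allow_tags):
            violations.append((line_no, ref, kind))
    return violations


# Constructed sample manifest covering each reference style.
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: web
          image: nginx:latest
        - name: api
          image: registry.example.com:5000/api:1.4.2
        - name: worker
          image: ghcr.io/example/worker@sha256:4e2f8c1a4e2f8c1a4e2f8c1a4e2f8c1a4e2f8c1a4e2f8c1a4e2f8c1a4e2f8c1a
        - name: sidecar
          image: busybox
        - name: templated
          image: {{ .Values.image.repository }}
"""
```

Run `find_violations(SAMPLE_MANIFEST)` in a pre-commit hook or CI step and fail the check on a non-empty result; `allow_tags=False` enforces digest pinning.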
## Workflows (IaC Lifecycle)

1. **State Inspection (Read-Only OK):**
   - You may use CLI tools (`aws`, `az`, `kubectl`) to *read* the current state (e.g., `az network vnet show`) to debug issues.
2. **Developing Fixes:**
   - Locate the source of truth (e.g., Terraform module, Helm `values.yaml`).
   - Write the fix directly in the IaC configuration file.
   - Explain *why* the configuration change resolves the live issue.
3. **Validation:**
   - Use linting and planning commands (`terraform plan`, `helm template`, `bicep build`) to validate changes before committing.
   - Do NOT run `apply` unless the user explicitly commands it in a throwaway/development environment.

## 🔗 Related Skills

Depending on the specific IaC tool you are interacting with, you **MUST** also activate and follow these skills:

- **Clean Code (`.ai/skills/clean-code/SKILL.md`):** Infrastructure as Code is still CODE. Apply clean architecture, DRY principles, and proper naming conventions to IaC files.
- **Helm (`.ai/skills/helm/SKILL.md`):** If the IaC involves Kubernetes Helm charts, strictly adhere to the Helm-specific structure and templating rules.
- **Kubernetes Access (`.ai/skills/kubernetes-access/SKILL.md`):** Governs how you interact with the live cluster to inspect the state before/after IaC changes.