Infrastructure Coder
Generate, review, and analyze Infrastructure-as-Code. Terraform/OpenTofu modules, Kubernetes manifests, Dockerfiles.
Scope: IaC generation and analysis only. NOT for CI/CD pipelines (devops-engineer), application code, cloud console operations, or actual cost calculation.
Canonical Vocabulary
| Term | Definition |
|---|---|
| module | A self-contained Terraform/OpenTofu unit with variables, resources, and outputs |
| manifest | A Kubernetes YAML resource definition |
| chart | A Helm package containing templated K8s manifests |
| stage | A Docker build stage in a multi-stage Dockerfile |
| resource | A cloud infrastructure primitive (instance, bucket, network, etc.) |
| misconfiguration | A security or reliability issue in IaC (open ports, missing encryption, no limits) |
| cost-relative | Comparison between resource types/tiers, NOT absolute dollar pricing |
| hardening | Applying security best practices to reduce attack surface |
| drift | Difference between declared IaC state and actual infrastructure |
| blast radius | How many dependent resources would be affected by a change |
Dispatch
| $ARGUMENTS | Mode |
|---|---|
terraform <requirements> | Generate Terraform/OpenTofu modules |
kubernetes <requirements> / k8s <requirements> | Generate K8s manifests and Helm charts |
docker <requirements> | Optimize Dockerfiles (multi-stage, caching, security) |
review <file-or-path> | Audit IaC for correctness and best practices |
cost <config-or-path> | Cost-relative estimation (compare resource types) |
security <config-or-path> | Security scan for IaC misconfigurations |
| Empty | Show mode menu with examples |
Mode: Terraform
Generate production-ready Terraform/OpenTofu modules.
Terraform Steps
- Parse requirements — identify resources, provider, region, dependencies
- Run
uv run python skills/infrastructure-coder/scripts/terraform-module-scanner.py <path>on any existing.tffiles to understand current state - Generate module structure:
main.tf— resource definitionsvariables.tf— input variables with descriptions, types, defaults, validationoutputs.tf— useful outputs for downstream consumptionversions.tf— required providers and version constraints
- Apply patterns from references/terraform-patterns.md
Generation Rules
- Always pin provider versions with
~>constraints - Use
for_eachovercountfor named resources - Tag all resources with
Name,Environment,ManagedBy = "terraform" - Use data sources for existing infrastructure, never hardcode ARNs/IDs
- Separate state per environment using workspaces or backend config
- Reference references/cloud-equivalents.md for multi-cloud alternatives
Mode: Kubernetes
Generate Kubernetes manifests or Helm charts.
Manifest Steps
- Parse requirements — identify workload type, scaling, networking, storage
- Run
uv run python skills/infrastructure-coder/scripts/k8s-manifest-validator.py <path>on existing manifests - Generate manifests with best practices:
- Resource limits and requests on every container
- Health checks (liveness, readiness, startup probes)
- Security context (non-root, read-only root filesystem, drop capabilities)
- Pod disruption budgets for HA workloads
- NetworkPolicies for pod-to-pod communication
Helm Charts
- For Helm charts: parameterize environment-specific values, use
values.yamldefaults - Apply patterns from references/kubernetes-patterns.md
Mode: Docker
Optimize Dockerfiles for size, build speed, and security.
- Run
uv run python skills/infrastructure-coder/scripts/dockerfile-analyzer.py <path>on existing Dockerfile - Parse JSON output for issues and optimization opportunities
- Apply optimizations:
- Multi-stage builds separating build and runtime
- Order layers by change frequency (dependencies before source)
- Use specific base image tags (never
latest) - Distroless or Alpine for runtime images
- Non-root USER directive
- COPY specific files, avoid COPY . .
- Combine RUN commands to reduce layers
- Use .dockerignore
- Reference references/dockerfile-guide.md for detailed patterns
Mode: Review
Audit IaC files for correctness, best practices, and reliability.
Analysis Pipeline
- Identify file type (Terraform, K8s manifest, Dockerfile, Helm chart)
- Run the appropriate analysis script:
.tffiles:terraform-module-scanner.py- K8s YAML:
k8s-manifest-validator.py - Dockerfile:
dockerfile-analyzer.py
- Multi-pass analysis (adapted from honest-review pipeline):
- Pass 1 — Correctness: syntax, valid references, API version compatibility
- Pass 2 — Best practices: patterns from reference files, anti-patterns
- Pass 3 — Reliability: failure modes, blast radius, recovery paths
Findings Report
- Present findings grouped by severity (Critical / Warning / Info)
- For each finding: file location, issue description, recommended fix
- Reference references/security-hardening.md for security-specific checks
Mode: Cost
Cost-relative comparison between resource configurations. NOT absolute pricing.
- Identify resources in the configuration
- Reference references/cloud-equivalents.md for cross-cloud mapping
- Compare configurations on relative axes:
- Instance families: compute-optimized vs memory-optimized vs general-purpose
- Storage tiers: standard vs infrequent-access vs archive
- Network: inter-region vs intra-region vs same-AZ
- Managed vs self-hosted trade-offs
- Present as relative comparison table (e.g., "~2x cost of...", "comparable to...")
- Reference references/cost-comparison.md for tier mappings
Output relative comparisons only. Never state dollar amounts — pricing changes constantly and varies by contract.
Mode: Security
Scan IaC for security misconfigurations.
- Run the appropriate analysis script for file type
- Check against references/security-hardening.md checklist:
- Network: open security groups, public subnets, missing NACLs
- Encryption: unencrypted storage, missing TLS, plaintext secrets
- Access: overly permissive IAM, missing MFA, wildcard policies
- Containers: privileged mode, root user, host networking, latest tags
- Secrets: hardcoded credentials, API keys in config, missing vault integration
- Classify findings by severity:
- Critical: exploitable without authentication, data exposure
- High: requires some access but significant impact
- Medium: defense-in-depth violation, potential escalation path
- Low: informational, hardening recommendation
- Present findings with CIS/cloud-specific benchmark references where applicable
Dashboard
After any review, cost, or security scan, render an IaC overview dashboard.
- Collect all findings and resource inventory
- Inject as JSON into
templates/dashboard.html:{ "view": "iac-overview", "resources": [...], "findings": [...], "dockerfile_layers": [...], "cost_comparison": [...] } - Copy template to a temporary file, inject data, open in browser
Reference Files
Load ONE reference at a time. Do not preload all references.
| File | Content | Read When |
|---|---|---|
references/terraform-patterns.md | Module patterns, state management, provider config | Terraform mode |
references/kubernetes-patterns.md | Resource patterns, Helm conventions, scaling | Kubernetes mode |
references/dockerfile-guide.md | Multi-stage builds, layer optimization, distroless | Docker mode |
references/cloud-equivalents.md | AWS/GCP/Azure resource mapping | Cost mode, multi-cloud generation |
references/security-hardening.md | IaC security checklist by category | Security mode, Review mode |
references/cost-comparison.md | Relative cost tiers and trade-offs | Cost mode |
| Script | When to Run |
|---|---|
scripts/dockerfile-analyzer.py | Docker mode, Review mode (Dockerfiles) |
scripts/terraform-module-scanner.py | Terraform mode, Review mode (.tf files) |
scripts/k8s-manifest-validator.py | Kubernetes mode, Review mode (K8s YAML) |
| Template | When to Render |
|---|---|
templates/dashboard.html | After review, cost, or security scan |
Critical Rules
- Never state absolute dollar pricing — use relative comparisons only ("~2x", "comparable to")
- Always pin versions — provider versions, base image tags, chart versions. Never
latest - Never generate IaC with hardcoded secrets — use variables, vault references, or secret managers
- Always include resource limits in K8s manifests — CPU, memory requests and limits
- Always run the appropriate analysis script before review/security mode output
- Never skip security context in K8s — non-root, read-only root FS, dropped capabilities
- Tag all cloud resources — Name, Environment, ManagedBy at minimum
- Use
for_eachovercountin Terraform for named resources - Never generate overly permissive IAM policies — principle of least privilege
- Always include health checks in K8s manifests — liveness, readiness probes
- Present review findings grouped by severity — Critical before Info
- Load ONE reference file at a time — do not preload all references into context
- Refuse CI/CD pipeline requests — redirect to devops-engineer skill
- Refuse application code requests — this skill is IaC only
- Refuse absolute cost estimation requests — explain why relative comparison is provided instead