refactor(migration-to-aws): tf-best-practices owns AWS authoring posture; gcp-to-aws consumes it as a black box#145
Merged
icarthick merged 1 commit intoJul 15, 2026
Conversation
…authoring posture; gcp-to-aws consumes it as a black box Moves "what good AWS Terraform looks like" out of gcp-to-aws's generate phase and into the tf-best-practices skill, so the posture evolves independently of any one caller and both current/future callers (gcp-to-aws now, heroku-to-aws later) share one source of truth. tf-best-practices (the "what"): - SKILL.md gains a routing contract: callers enter by NAME and state their context (authoring/pre-generation vs post-writing validation); the skill routes to its own reference files. Scope broadened to three tiers (gate-enforced / authoring-only / compliance-conditional). - security-posture-rules.md becomes the single source of AWS authoring truth: source-cloud-agnostic framing, a Caller-context signals contract (compliance, aws_config), the migrated authoring-only rules (deletion_protection, master- password-via-Secrets-Manager, S3 hardening, Fargate/EKS/ECR, subnet/NAT, monitoring), and a compliance-conditional section (rule lives in the skill; the compliance trigger is a caller-supplied signal). gcp-to-aws (the "wiring"): - Step 3.0 (new): before writing terraform, INVOKE tf-best-practices by name for the authoring context and pass caller context (compliance from preferences, aws_config values). Follow the posture it returns. - Step 3.1 + domain table: keep only GCP-source glue (authorized_networks warning, success_metrics alarms, resource wiring); posture removed. - Step 5 self-check + Step 6: reference the skill as a black box — invoke by name for validation, no internal file paths, no rule enumeration, no Part 1/Part 2 structure. Black-box boundary: gcp-to-aws no longer references any tf-best-practices internal file, its part structure, or its rule list — only invokes by name and passes context. Verified end-to-end: a live gcp-to-aws run invoked the skill at both touchpoints; the Step 3.0 posture landed in the generated .tf (storage_encrypted/publicly_accessible= false/deletion_protection, Secrets-Manager master-password recipe, scoped SG + IAM), compliance-conditionals correctly suppressed for empty compliance, and Step 6 returned POLICY_OK. mise build green.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Makes the tf-best-practices skill the single source of truth for "what good AWS Terraform looks like," and has gcp-to-aws consume it as a black box — invoking it by name and passing context, with no knowledge of its internal files, part structure, or rule list. This lets the posture evolve independently of any one caller and prepares it for reuse by future callers (heroku-to-aws).
Builds on #142 (which introduced the tf-best-practices policy gate).
What moved
tf-best-practices — the "what":
SKILL.mdgains a routing contract: callers enter by name and state their context (authoring/pre-generation vs post-writing validation); the skill routes to its own reference files. Scope broadened to three tiers: gate-enforced / authoring-only / compliance-conditional.security-posture-rules.mdbecomes the single source of AWS authoring truth — source-cloud-agnostic framing, a Caller-context signals contract (compliance,aws_config), the migrated authoring-only rules (deletion_protection, master-password-via-Secrets-Manager, S3 hardening, Fargate/EKS/ECR, subnet/NAT, monitoring), and a compliance-conditional section (the rule lives in the skill; the compliance trigger is a caller-supplied signal).gcp-to-aws — the "wiring":
compliancefrom preferences,aws_configvalues); follow the returned posture.authorized_networkswarning,success_metricsalarms, resource wiring); posture removed.Black-box boundary
gcp-to-aws no longer references any tf-best-practices internal file, its part structure, or its rule list — it only invokes by name and passes context. The skill can reorganize files, rename parts, or add rules without touching the caller.
Verification
Verified end-to-end with a live gcp-to-aws run (not just build-green):
.tf:storage_encrypted=true,publicly_accessible=false,deletion_protection=true, the Secrets-Manager master-password recipe, scoped SG + least-privilege IAM.mise buildgreen.Not covered (follow-up)
The compliance-conditional branch was verified only in the suppressed direction (empty compliance). Emitting flow logs / rotation / KMS for a declared
pci/hipaastack uses the same delegation mechanism but was not exercised in this run.