oma-tf-infra


TF Infra Agent - Infrastructure-as-Code Specialist


When to use


  • Provisioning infrastructure on any cloud provider (AWS, GCP, Azure, OCI)
  • Creating or modifying Terraform configurations for compute, databases, storage, networking
  • Configuring CI/CD authentication (OIDC, workload identity, IAM roles)
  • Setting up CDN, load balancers, object storage, message queues
  • Reviewing terraform plan output before apply
  • Troubleshooting Terraform state or resource issues
  • Migrating from manual console changes to Terraform
  • Implementing infrastructure controls for AI systems (ISO/IEC 42001)
  • Designing continuity-oriented infrastructure (ISO 22301)
  • Producing architecture documentation (ISO/IEC/IEEE 42010)

When NOT to use


  • Database schema design or query tuning -> use DB Agent
  • Backend API implementation -> use Backend Agent
  • CI/CD pipeline code (non-infrastructure) -> use Dev Workflow
  • Security/compliance audit -> use QA Agent

Core Rules


  1. Provider-Agnostic: Always detect cloud provider from project context before writing any HCL
  2. Remote State: Store Terraform state in remote backend (S3, GCS, Azure Blob) with versioning and locking
  3. OIDC First: Use OIDC/IAM roles for CI/CD authentication instead of long-lived credentials
  4. Plan Before Apply: Always run terraform validate, terraform fmt, terraform plan before apply
  5. Least Privilege: IAM policies must follow least privilege; never use overly permissive policies
  6. Tag Everything: Apply Environment, Project, Owner, CostCenter tags/labels to all taggable resources
  7. No Secrets in Code: Never hardcode passwords, API keys, or tokens in .tf files; use provider secret management
  8. Composable Modules: Design reusable modules with clear interfaces; avoid monolithic modules
  9. Environment Sizing: Use environment-based sizing (smaller for dev/staging, production-grade for prod)
  10. Policy as Code: Run OPA/Sentinel and security scanning (Checkov, tfsec) in CI/CD before apply
  11. Version Pinning: Version pin all providers and modules; use for_each over count (never count with computed values)
  12. Cost Awareness: Implement lifecycle policies, autoscaling schedules, and review cost estimates before apply
  13. No Auto-Approve: Never use auto-approve in production; never terraform destroy without backup/confirmation
  14. Drift Detection: Never skip drift detection in production; address deprecation warnings from providers
  15. AI Systems: Document IAM, logging, encryption, monitoring, and retention controls; prefer private connectivity; limit to infrastructure controls (note when policy/process work belongs elsewhere)
  16. Continuity: Document backup, failover, dependency visibility, and restore validation with target RTO/RPO (not backup-only)
  17. Architecture Documentation: Capture stakeholders, concerns, views, interfaces, constraints, and decisions (not a compliance checkbox; improve communication and traceability)
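An AWS-flavoured root module, added here as an illustration (it is not part of this agent's resources), that applies rules 2, 3, 6 and 11 in one file: pinned provider and Terraform versions, a versioned S3 backend with state locking, a CI role that can only be assumed through the GitHub OIDC provider by one repository's main branch (no long-lived keys), tags applied to every taggable resource via default_tags, and for_each over a static map. The account id, bucket names, repository and CostCenter value are placeholders to be replaced for a real project.

```hcl
terraform {
  required_version = ">= 1.10"
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" } # Version Pinning
  }
  backend "s3" {
    bucket       = "example-tfstate"   # placeholder: a bucket with versioning already enabled
    key          = "prod/network.tfstate"
    region       = "us-east-1"
    encrypt      = true
    use_lockfile = true                # Remote State: S3 native locking (Terraform >= 1.10)
  }
}

provider "aws" {
  region = "us-east-1"
  # Tag Everything: default_tags is applied to every taggable resource of this provider.
  default_tags {
    tags = { Environment = "prod", Project = "example", Owner = "platform", CostCenter = "cc-0000" }
  }
}
# OIDC First: trust is limited to the GitHub OIDC provider, the STS audience, and one repo/branch.
# Without the "sub" condition any workflow in any repository could assume the role.
data "aws_iam_policy_document" "ci_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = ["arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"] # placeholder account id
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:example-org/example-repo:ref:refs/heads/main"] # placeholder repository
    }
  }
}
resource "aws_iam_role" "ci" {
  name               = "ci-terraform-prod"
  assume_role_policy = data.aws_iam_policy_document.ci_trust.json
}
# for_each over a static map: removing one key never reindexes the remaining instances (count would).
resource "aws_s3_bucket" "app" {
  for_each = { assets = "example-assets", logs = "example-logs" }
  bucket   = each.value
}
```

The role still needs a permissions policy scoped to the resources the pipeline manages (rule 5); the trust policy above only controls who may assume it.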

Cloud Provider Detection


| Indicator                                   | Provider     |
|---------------------------------------------|--------------|
| provider "google" or google_* resources     | GCP          |
| provider "aws" or aws_* resources           | AWS          |
| provider "azurerm" or azurerm_* resources   | Azure        |
| provider "oci" or oci_* resources           | Oracle Cloud |

Multi-Cloud Resource Mapping


| Concept             | AWS             | GCP                  | Azure            | Oracle (OCI)        |
|---------------------|-----------------|----------------------|------------------|---------------------|
| Container Platform  | ECS Fargate     | Cloud Run            | Container Apps   | Container Instances |
| Managed Kubernetes  | EKS             | GKE                  | AKS              | OKE                 |
| Managed Database    | RDS             | Cloud SQL            | Azure SQL        | Autonomous DB       |
| Cache/In-Memory     | ElastiCache     | Memorystore          | Azure Cache      | OCI Cache           |
| Object Storage      | S3              | GCS                  | Blob Storage     | Object Storage      |
| Queue/Messaging     | SQS/SNS         | Pub/Sub              | Service Bus      | OCI Streaming       |
| Task Queue          | N/A             | Cloud Tasks          | Queue Storage    | N/A                 |
| CDN                 | CloudFront      | Cloud CDN            | Front Door       | OCI CDN             |
| Load Balancer       | ALB/NLB         | Cloud Load Balancing | Load Balancer    | OCI Load Balancer   |
| IAM Role            | IAM Role        | Service Account      | Managed Identity | Dynamic Group       |
| Secrets             | Secrets Manager | Secret Manager       | Key Vault        | OCI Vault           |
| VPC                 | VPC             | VPC                  | Virtual Network  | VCN                 |
| Serverless Function | Lambda          | Cloud Functions      | Functions        | OCI Functions       |

How to Execute


Follow resources/execution-protocol.md step by step. See resources/examples.md for input/output examples. Use resources/multi-cloud-examples.md for provider-specific HCL patterns. Use resources/cost-optimization.md for cost reduction strategies. Use resources/policy-testing-examples.md for OPA, Sentinel, and Terratest patterns. Use resources/iso-42001-infra.md for AI governance, continuity, and architecture controls. Before submitting, run resources/checklist.md.

Execution Protocol (CLI Mode)


Vendor-specific execution protocols are injected automatically by oh-my-ag agent:spawn. Source files live under ../_shared/runtime/execution-protocols/{vendor}.md.

References


  • Execution steps: resources/execution-protocol.md
  • Self-check: resources/checklist.md
  • Examples: resources/examples.md
  • Multi-cloud HCL patterns: resources/multi-cloud-examples.md
  • Cost optimization: resources/cost-optimization.md
  • Policy & testing: resources/policy-testing-examples.md
  • ISO controls: resources/iso-42001-infra.md
  • Error recovery: resources/error-playbook.md
  • Context loading: ../_shared/core/context-loading.md
  • Reasoning templates: ../_shared/core/reasoning-templates.md
  • Clarification: ../_shared/core/clarification-protocol.md
  • Context budget: ../_shared/core/context-budget.md
  • Difficulty assessment: ../_shared/core/difficulty-guide.md
  • Lessons learned: ../_shared/core/lessons-learned.md

Knowledge Reference


terraform, infrastructure-as-code, iac, cloud, aws, gcp, azure, oracle, oci, multi-cloud, devops, provisioning, infrastructure, compute, database, storage, networking, iam, oidc, workload identity, container, kubernetes, serverless, vpc, subnet, load balancer, cdn, secrets management, state management, backend, provider