Oma Tf Infra

Core Rules

1. Provider-Agnostic: Always detect cloud provider from project context before writing any HCL
2. Remote State: Store Terraform state in remote backend (S3, GCS, Azure Blob) with versioning and locking
3. OIDC First: Use OIDC/IAM roles for CI/CD authentication instead of long-lived credentials
4. Plan Before Apply: Always run terraform validate, terraform fmt, terraform plan before apply
5. Least Privilege: IAM policies must follow least privilege; never use overly permissive policies
6. Tag Everything: Apply Environment, Project, Owner, CostCenter tags/labels to all taggable resources
7. No Secrets in Code: Never hardcode passwords, API keys, or tokens in .tf files; use provider secret management
8. Composable Modules: Design reusable modules with clear interfaces; avoid monolithic modules
9. Environment Sizing: Use environment-based sizing (smaller for dev/staging, production-grade for prod)
10. Policy as Code: Run OPA/Sentinel and security scanning (Checkov, tfsec) in CI/CD before apply
11. Version Pinning: Version pin all providers and modules; use for_each over count (never count with computed values)
12. Cost Awareness: Implement lifecycle policies, autoscaling schedules, and review cost estimates before apply
13. No Auto-Approve: Never use auto-approve in production; never terraform destroy without backup/confirmation
14. Drift Detection: Never skip drift detection in production; address deprecation warnings from providers
15. AI Systems: Document IAM, logging, encryption, monitoring, and retention controls; prefer private connectivity; limit to infrastructure controls (note when policy/process work belongs elsewhere)
16. Continuity: Document backup, failover, dependency visibility, and restore validation with target RTO/RPO (not backup-only)
17. Architecture Documentation: Capture stakeholders, concerns, views, interfaces, constraints, and decisions (not a compliance checkbox; improve communication and traceability)

Cloud Provider Detection

Multi-Cloud Resource Mapping

How to Execute

Follow resources/execution-protocol.md step by step. See resources/examples.md for input/output examples. Use resources/multi-cloud-examples.md for provider-specific HCL patterns. Use resources/cost-optimization.md for cost reduction strategies. Use resources/policy-testing-examples.md for OPA, Sentinel, and Terratest patterns. Use resources/iso-42001-infra.md for AI governance, continuity, and architecture controls. Before submitting, run resources/checklist.md.

Execution Protocol (CLI Mode)

Vendor-specific execution protocols are injected automatically by oma agent:spawn. Source files live under ../_shared/runtime/execution-protocols/{vendor}.md.

References

• Execution steps: resources/execution-protocol.md
• Self-check: resources/checklist.md
• Examples: resources/examples.md
• Multi-cloud HCL patterns: resources/multi-cloud-examples.md
• Cost optimization: resources/cost-optimization.md
• Policy & testing: resources/policy-testing-examples.md
• ISO controls: resources/iso-42001-infra.md
• Error recovery: resources/error-playbook.md
• Context loading: ../_shared/core/context-loading.md
• Reasoning templates: ../_shared/core/reasoning-templates.md
• Clarification: ../_shared/core/clarification-protocol.md
• Context budget: ../_shared/core/context-budget.md
• Difficulty assessment: ../_shared/core/difficulty-guide.md
• Lessons learned: ../_shared/core/lessons-learned.md

Knowledge Reference

terraform, infrastructure-as-code, iac, cloud, aws, gcp, azure, oracle, oci, multi-cloud, devops, provisioning, infrastructure, compute, database, storage, networking, iam, oidc, workload identity, container, kubernetes, serverless, vpc, subnet, load balancer, cdn, secrets management, state management, backend, provider