IaC Architecture - Cross-Cutting Concerns Skill
Skill Description
This skill provides comprehensive guidance on infrastructure as code architecture patterns, focusing on cross-cutting concerns that span all cloud providers and IaC tools. The Dredgen uses this skill to architect secure, compliant, cost-optimized, and maintainable infrastructure at enterprise scale.
Trigger Phrases
This skill activates when discussions involve:
- "iac best practices"
- "infrastructure architecture"
- "soc2" or "compliance"
- "security patterns"
- "cost optimization"
- "multi-cloud architecture"
- "enterprise infrastructure"
- "tagging strategy"
- "repository structure"
- "iac security"
- "infrastructure compliance"
- "cloud governance"
Core Competencies
1. Security Patterns
Encryption Standards
- Encryption at rest: AES-256 for all storage resources
- Encryption in transit: TLS 1.2+ for all network communications
- Key management: cloud-native KMS or HashiCorp Vault
- Certificate rotation: automated, with short-lived certificates
IAM Best Practices
- Principle of least privilege
- Role-based access control (RBAC)
- Service accounts for automation
- MFA enforcement for human access
- Regular access reviews and audits
- Assume-role patterns for cross-account access
Network Segmentation
- VPC/VNet isolation per environment
- Private subnets for data and compute
- Public subnets only for load balancers
- Network ACLs and security groups
- Bastion hosts or VPN for administrative access
- Zero-trust network principles
Secrets Management
- Never commit secrets to version control
- Use cloud-native secrets managers
- Dynamic secrets generation
- Secrets rotation policies
- Audit logging for secret access
- Encryption in transit and at rest
Security Scanning Integration
- tfsec: Terraform security scanning
- checkov: multi-IaC policy scanning
- trivy: container and IaC vulnerability scanning
- terrascan: compliance scanning
- Integration in CI/CD pipelines
- Fail builds on critical findings
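As an added example (not part of this skill, its reference files, or any of the scanners named above), the following Python script applies the encryption-at-rest, TLS 1.2+, network-segmentation and no-secrets-in-git rules from this section to a Terraform plan rendered as JSON (`terraform show -json tfplan`) and refuses the build when any CRITICAL finding is present, which is the behaviour the CI gate above asks for. The plan fixture, the rule names, the severities and the `build_passes` helper are constructed here; the field names (`planned_values`, `child_modules`, `ingress`, `ssl_policy`) follow Terraform's JSON output format.

```python
"""Security gate over a Terraform plan (terraform show -json tfplan).
Added example: not the skill's own tooling. Checks the encryption, network
segmentation and secrets rules and fails the build on CRITICAL findings."""
import json
import sys
from dataclasses import dataclass

# Ports a security group may expose to the whole internet (load balancers only).
PUBLIC_OK_PORTS = {80, 443}
WORLD = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    severity: str   # CRITICAL | HIGH
    address: str    # Terraform resource address
    rule: str       # short rule id (constructed names, not tfsec/checkov ids)
    message: str


def _resources(plan: dict):
    """Yield every planned resource, descending into child modules."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        mod = stack.pop()
        yield from mod.get("resources", [])
        stack.extend(mod.get("child_modules", []))


def check_plan(plan: dict) -> list:
    findings = []
    for r in _resources(plan):
        addr, rtype, v = r["address"], r["type"], r.get("values") or {}

        if rtype == "aws_db_instance":
            # Encryption at rest (CC6.1) and no public database access (CC7.1).
            if not v.get("storage_encrypted"):
                findings.append(Finding("CRITICAL", addr, "encrypt-at-rest",
                                        "storage_encrypted must be true"))
            if v.get("publicly_accessible"):
                findings.append(Finding("CRITICAL", addr, "no-public-db",
                                        "publicly_accessible must be false"))

        if rtype == "aws_security_group":
            # Minimal ingress: only 80/443 may be reachable from the world.
            for rule in v.get("ingress") or []:
                cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
                if not cidrs & WORLD:
                    continue
                lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
                if not all(p in PUBLIC_OK_PORTS for p in range(lo, hi + 1)):
                    findings.append(Finding("CRITICAL", addr, "world-open-ingress",
                                            f"internet may reach ports {lo}-{hi}"))

        if rtype == "aws_lb_listener" and v.get("protocol") == "HTTPS":
            # Encryption in transit: the listener policy must be TLS 1.2 or newer.
            policy = v.get("ssl_policy") or ""
            if "TLS-1-2" not in policy and "TLS13" not in policy:
                findings.append(Finding("HIGH", addr, "tls-1-2-minimum",
                                        f"ssl_policy {policy!r} permits TLS below 1.2"))

        # Secrets: a literal in a credential-looking attribute is a secret in git.
        for key, val in v.items():
            if isinstance(val, str) and val and any(
                    s in key.lower() for s in ("password", "secret", "token")):
                findings.append(Finding("CRITICAL", addr, "hardcoded-secret",
                                        f"literal value in {key!r}; use a secrets manager"))
    return findings


def build_passes(findings) -> bool:
    """CI policy from the skill: fail the build on any critical finding."""
    return not any(f.severity == "CRITICAL" for f in findings)


# Constructed fixture mimicking `terraform show -json` output (not a real plan).
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_db_instance.app", "type": "aws_db_instance",
         "values": {"storage_encrypted": False, "publicly_accessible": False,
                    "password": "literal-in-git"}},
        {"address": "aws_security_group.alb", "type": "aws_security_group",
         "values": {"ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                                 "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_lb_listener.https", "type": "aws_lb_listener",
         "values": {"protocol": "HTTPS", "ssl_policy": "ELBSecurityPolicy-2016-08"}},
    ],
    "child_modules": [{"address": "module.bastion", "resources": [
        {"address": "module.bastion.aws_security_group.ssh", "type": "aws_security_group",
         "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                 "cidr_blocks": ["0.0.0.0/0"]}]}}]}],
}}}


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    results = check_plan(plan)
    for f in results:
        print(f"{f.severity:8} {f.address}: {f.rule} ({f.message})")
    sys.exit(0 if build_passes(results) else 1)
```

On the constructed fixture the gate reports four findings: the unencrypted database and its literal password, the bastion security group open to the world on port 22 (all CRITICAL), and the listener policy that still permits TLS 1.0/1.1 (HIGH). The ALB group exposing only 443 passes, so the script exits non-zero only because of the critical items.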
2. SOC2 Compliance
CC6.1 - Logical and Physical Access Controls
- Encryption at rest (customer data)
- Encryption in transit (all communications)
- Key rotation policies
- Access logging
CC6.6 - Logical Access Security Measures
- Comprehensive logging (CloudTrail, Activity Logs, Audit Logs)
- Log retention (minimum 90 days)
- Log integrity protection
- SIEM integration
- Real-time alerting
CC6.7 - Restriction of Logical Access
- IAM policies with least privilege
- MFA enforcement
- Session timeout policies
- Access reviews
- Privileged access management
CC7.1 - Network Security
- Network segmentation
- Security groups/NSGs with minimal rules
- No public database access
- Private endpoints for services
- DDoS protection
CC7.2 - Detection and Monitoring
- Change management tracking
- Infrastructure drift detection
- Automated remediation
- Version control for all IaC
- Approval workflows for production changes
Audit Trail Requirements
- Immutable audit logs
- Centralized log aggregation
- Log analysis and alerting
- Compliance reporting
- Evidence collection automation
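To show what "evidence collection automation" can look like for two of the controls above, here is an added Python example (not the skill's soc2-controls.md mapping or any project tooling) that reads a Terraform plan in JSON form and produces evidence records for CC6.6 (every CloudWatch log group retains logs for at least 90 days) and CC7.2 (drift detection). The plan fixture, the record shape and the `soc2_evidence` function are constructed; `resource_changes` and `resource_drift` are fields of Terraform's plan JSON format, and the drift check assumes it runs from a scheduled job against the already-applied main branch, so any change Terraform proposes counts as drift.

```python
"""SOC2 evidence from a Terraform plan: CC6.6 log retention and CC7.2 drift.
Added example, not the skill's reference tooling; the plan fixture is constructed."""
import json
import sys

MIN_RETENTION_DAYS = 90   # minimum stated under CC6.6 above


def check_log_retention(plan: dict) -> list:
    """CC6.6: every planned CloudWatch log group keeps logs >= 90 days.
    In the AWS provider retention_in_days 0 (or unset) means 'never expire',
    which satisfies the minimum; groups being deleted are ignored."""
    failures = []
    for rc in plan.get("resource_changes", []):
        if rc["type"] != "aws_cloudwatch_log_group" or "delete" in rc["change"]["actions"]:
            continue
        days = (rc["change"].get("after") or {}).get("retention_in_days") or 0
        if days != 0 and days < MIN_RETENTION_DAYS:
            failures.append((rc["address"], days))
    return failures


def detect_drift(plan: dict) -> list:
    """CC7.2: run by a scheduled job against the already-applied main branch,
    so anything Terraform wants to change is drift. Combines the plan's
    resource_drift list (changes made outside Terraform) with every non-no-op
    entry in resource_changes (configuration that was never applied)."""
    outside = {d["address"] for d in plan.get("resource_drift", [])}
    pending = {rc["address"] for rc in plan.get("resource_changes", [])
               if rc["change"]["actions"] != ["no-op"]}
    return sorted(outside | pending)


def soc2_evidence(plan: dict) -> list:
    """Evidence records in a shape a collection job can archive alongside the plan."""
    retention = check_log_retention(plan)
    drift = detect_drift(plan)
    return [
        {"control": "CC6.6", "check": "log-retention-90d",
         "status": "FAIL" if retention else "PASS",
         "details": [f"{addr}: retention_in_days={days}" for addr, days in retention]},
        {"control": "CC7.2", "check": "drift-detection",
         "status": "FAIL" if drift else "PASS", "details": drift},
    ]


# Constructed fixture (not a real plan): one log group lowered to 30 days, one
# kept forever, and a security group that was edited outside Terraform.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_cloudwatch_log_group.app", "type": "aws_cloudwatch_log_group",
         "change": {"actions": ["update"],
                    "before": {"retention_in_days": 90}, "after": {"retention_in_days": 30}}},
        {"address": "aws_cloudwatch_log_group.audit", "type": "aws_cloudwatch_log_group",
         "change": {"actions": ["no-op"],
                    "before": {"retention_in_days": 0}, "after": {"retention_in_days": 0}}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"],
                    "before": {"ingress": [{"from_port": 22}]}, "after": {"ingress": []}}},
    ],
    "resource_drift": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"],
                    "before": {"ingress": []}, "after": {"ingress": [{"from_port": 22}]}}},
    ],
}


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    evidence = soc2_evidence(plan)
    print(json.dumps(evidence, indent=2))
    sys.exit(1 if any(e["status"] == "FAIL" for e in evidence) else 0)
```

A scheduled pipeline would run `terraform plan -out tfplan && terraform show -json tfplan`, feed the file to this script, and store the JSON it prints as the control evidence for that day; the non-zero exit is what turns a drift or retention failure into the real-time alert the CC6.6 list asks for.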
3. Cost Optimization
Tagging Strategies
- Environment tags (dev, staging, prod)
- Owner/team tags
- Cost center allocation
- Application/service tags
- Automation tags (terraform-managed)
- Data classification tags
- Compliance tags (soc2, hipaa)
Right-Sizing Patterns
- Start small, scale up based on metrics
- Use auto-scaling groups
- Implement scheduled scaling
- Leverage spot/preemptible instances
- Monitor and adjust continuously
Reserved Capacity
- Reserved instances for stable workloads
- Savings plans for flexible workloads
- Commitment-based discounts
- Regular utilization reviews
Spot/Preemptible Instances
- Batch processing workloads
- Stateless applications
- Development environments
- Mixed instance groups
- Fault-tolerant architectures
Cost Allocation
- Tag-based cost allocation
- Budget alerts and limits
- Showback/chargeback reports
- Cost anomaly detection
- FinOps integration
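The tagging strategy above only allocates cost if every taggable resource actually carries the required keys, so here is an added Python example (not the skill's tagging-module.tf or cost-tags.tf) that measures tag compliance over the planned resources of a Terraform plan and builds the tag map a module should hand to the provider's `default_tags`, refusing invalid input before it reaches a plan. The required keys follow the list above (Environment, Owner, CostCenter, Application, ManagedBy, DataClassification, Compliance); the allowed values for DataClassification and the resource fixture are assumptions made for the example. Reading `tags_all` before `tags` matches the AWS provider, where `tags_all` includes the merged `default_tags`.

```python
"""Tag-compliance report and common-tag builder for the tagging strategy above.
Added example, not the skill's tagging-module.tf; DataClassification levels
and the resource fixture are assumptions."""
import json
import sys

# Required keys: a set restricts the value, None means any non-empty string.
REQUIRED_TAGS = {
    "Environment": {"dev", "staging", "prod"},
    "Owner": None,
    "CostCenter": None,
    "Application": None,
    "ManagedBy": {"terraform"},            # the "terraform-managed" automation tag
    "DataClassification": {"public", "internal", "confidential", "restricted"},  # assumed levels
    "Compliance": None,                    # e.g. "soc2" or "soc2,hipaa"
}


def tag_violations(tags: dict) -> list:
    """Every missing key or disallowed value for one resource's tag map."""
    problems = []
    for key, allowed in REQUIRED_TAGS.items():
        val = (tags or {}).get(key)
        if not val:
            problems.append(f"missing {key}")
        elif allowed is not None and val not in allowed:
            problems.append(f"{key}={val!r} not in {sorted(allowed)}")
    return problems


def tag_compliance(resources: list) -> tuple:
    """Returns (percent compliant, {address: problems}) over taggable resources.
    Uses tags_all (provider default_tags merged in) and falls back to tags;
    resources whose type has no tags attribute (e.g. IAM policies) are skipped."""
    report = {}
    taggable = 0
    for r in resources:
        v = r.get("values") or {}
        if "tags_all" not in v and "tags" not in v:
            continue
        taggable += 1
        problems = tag_violations(v.get("tags_all") or v.get("tags") or {})
        if problems:
            report[r["address"]] = problems
    pct = 100.0 if taggable == 0 else round(100 * (taggable - len(report)) / taggable, 1)
    return pct, report


def common_tags(environment, owner, cost_center, application,
                data_classification, compliance=("soc2",)) -> dict:
    """Tag map for a module to pass to provider default_tags; raises on bad
    input so a misspelled environment never produces an unallocated resource."""
    tags = {
        "Environment": environment, "Owner": owner, "CostCenter": cost_center,
        "Application": application, "ManagedBy": "terraform",
        "DataClassification": data_classification, "Compliance": ",".join(compliance),
    }
    problems = tag_violations(tags)
    if problems:
        raise ValueError("; ".join(problems))
    return tags


# Constructed fixture in the shape of planned_values.root_module.resources.
SAMPLE_RESOURCES = [
    {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
     "values": {"tags_all": common_tags("prod", "data-platform", "CC-1234", "ingest",
                                        "confidential", ("soc2", "hipaa"))}},
    {"address": "aws_instance.worker", "type": "aws_instance",
     "values": {"tags": {"Environment": "production", "Application": "ingest"},
                "tags_all": None}},
    {"address": "aws_iam_role_policy.worker", "type": "aws_iam_role_policy",
     "values": {"policy": "{}"}},
]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        resources = json.load(open(sys.argv[1]))["planned_values"]["root_module"]["resources"]
    else:
        resources = SAMPLE_RESOURCES
    pct, report = tag_compliance(resources)
    print(f"tag compliance: {pct}%")
    for address, problems in report.items():
        print(f"  {address}: {', '.join(problems)}")
    sys.exit(0 if pct == 100.0 else 1)
```

The worker instance in the fixture is flagged for an Environment value outside dev/staging/prod and five missing keys, so the report lands at 50% and the exit code is what a budget or FinOps pipeline would use to block the merge until the "100% compliant" success criterion holds.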
4. Multi-Cloud Patterns
Abstraction Layers
- Provider-agnostic modules
- Standardized interfaces
- Common tagging schemas
- Unified naming conventions
- Shared variable structures
Provider-Agnostic Modules
- Abstract compute, storage, networking
- Use Terragrunt for DRY configurations
- Implement factory patterns
- Version and document modules
- Test across providers
Cross-Cloud Networking
- VPN connections between clouds
- SD-WAN for multi-cloud
- Direct Connect/ExpressRoute/Interconnect
- Consistent CIDR planning
- DNS strategy for multi-cloud
Disaster Recovery
- RTO/RPO requirements
- Active-passive configurations
- Active-active for critical systems
- Automated failover
- Regular DR testing
5. Repository Structure
Monorepo vs Polyrepo
Monorepo Benefits:
- Single source of truth
- Atomic changes across modules
- Shared tooling and standards
- Easier code reuse
- Simplified dependency management
Polyrepo Benefits:
- Independent versioning
- Team autonomy
- Smaller blast radius
- Easier access control
- Focused CI/CD pipelines
Module Organization
terraform/
├── modules/          # Reusable modules
│   ├── compute/
│   ├── database/
│   ├── networking/
│   └── security/
├── environments/     # Environment configurations
│   ├── dev/
│   ├── staging/
│   └── prod/
├── shared/           # Shared resources
│   ├── dns/
│   ├── monitoring/
│   └── logging/
└── policies/         # Security policies
    ├── tfsec/
    ├── checkov/
    └── sentinel/
Environment Separation
- Separate AWS accounts/Azure subscriptions/GCP projects
- Isolated state files per environment
- Environment-specific variables
- Promotion workflows (dev → staging → prod)
- Immutable infrastructure
CI/CD Integration
- Automated validation (fmt, validate, lint)
- Security scanning in pipelines
- Plan on pull requests
- Apply on merge to main
- Scheduled drift-detection jobs
- Rollback capabilities
Reference Files
- soc2-controls.md - Complete SOC2 control mapping
- security-scanning.md - Security scanner configurations
- tagging-strategy.md - Enterprise tagging standards
- repository-patterns.md - Repository organization patterns
- cost-optimization.md - Cost control strategies
Example Files
- soc2-compliant-vpc.tf - SOC2-compliant VPC configuration
- tagging-module.tf - Reusable tagging module
- security-group-patterns.tf - Secure security group patterns
- cost-tags.tf - Cost allocation tagging examples
Skill Activation
When The Dredgen detects architectural discussions involving security, compliance, cost, or governance, this skill provides:
- Best practice recommendations
- Compliance control mappings
- Security patterns and examples
- Cost optimization strategies
- Repository structure guidance
- Multi-cloud architecture patterns
Integration with Other Skills
- terraform-enterprise: state management and workspace patterns
- harness-cd: pipeline integration for compliance
- vault-operations: secrets management implementation
- terraformer: import existing infrastructure with compliance
Success Criteria
Infrastructure architecture is successful when:
- Security scanners pass with zero critical findings
- SOC2 controls are fully implemented and documented
- Cost allocation tags are 100% compliant
- Multi-cloud patterns enable provider portability
- Repository structure supports team collaboration
- CI/CD pipelines enforce all policies
- Audit trails are complete and immutable