---
name: cloud-infra-review-router
description: Automates Infrastructure as Code (IaC) reviews for Terraform and Cloud configurations. Prioritizes GitHub Copilot CLI for security and architecture analysis, falling back to Gemini CLI for explanations and best practices.
---

# Cloud Infra Review Router

Routes IaC reviews for Terraform, Kubernetes, and Cloud configurations. It prioritizes **GitHub Copilot CLI** for its strength in code logic and security patterns, using **Gemini** as a robust fallback or for natural language explanations.

## When NOT to Use This Skill

- For application source code (JS, Python, Go) logic reviews
- For reviewing state files (`.tfstate`); they are JSON, not code, and routinely hold secret values in plaintext, so they must not be sent to a review tool
- When you need to `apply` changes (this skill only analyzes diffs/code)
- For verifying active cloud credentials

## Step 0: Environment Check

Verify the current directory is a valid git repository:

```bash
git rev-parse --git-dir 2>/dev/null || echo "NOT_A_GIT_REPO"
```
If not a git repository: Stop and inform the user: "This directory is not a git repository. Initialize with git init or navigate to a repo."
## Step 1: Prerequisites Check

Verify the Primary (Copilot) and Secondary (Gemini) CLIs are available:

```bash
# Check for Primary: GitHub Copilot CLI
copilot --version 2>/dev/null || echo "COPILOT_NOT_FOUND"

# Check for Fallback: Gemini CLI
command -v gemini >/dev/null 2>&1 || echo "GEMINI_NOT_FOUND"
```

If Copilot is missing: Warn the user that the primary tool is unavailable, but proceed if Gemini is found (using Gemini as primary). If both are missing: Stop and inform the user they need to install at least one CLI tool.
## Step 2: Analyze Git Diff

Run these commands to gather diff statistics and identify cloud resources:

```bash
# Get diff stats (the fallback covers a fresh repo with no HEAD commit yet)
git --no-pager diff --stat HEAD 2>/dev/null || git --no-pager diff --stat

# Count changed files
git --no-pager diff --name-only HEAD 2>/dev/null | wc -l

# Identify changed providers/resources (simple grep analysis)
git --no-pager diff HEAD | grep -E "resource|module|provider|apiVersion" | head -n 20
```

`git diff HEAD` covers staged and unstaged edits to tracked files only. A brand-new `.tf` or manifest file is untracked and therefore invisible to the review until it is added (`git add -N <file>` is enough to make it appear in the diff).

If no changes are detected: Report "Nothing to review - no uncommitted changes found." and stop.
## Step 3: Calculate Blast Radius Score

Initialize `blast_radius_score = 0`, then add the points for every condition that matches. The conditions are cumulative (the table sums to 17), so cap the total at 10 to match the `[Score]/10` reported in Step 6.

| Condition | Points | Detection Method |
|---|---|---|
| IAM/Policy Changes | +3 | Files: `*iam*`, `*policy*`, `*role*` |
| Network Security | +3 | Files: `*sg*`, `*firewall*`, `*vpc*` |
| Stateful Resources | +3 | Resources: `aws_db_instance`, `aws_s3_bucket`, `google_sql*` |
| Deletion Risk | +4 | Diff removes `prevent_destroy` or adds `force_destroy = true` |
| Secrets/Vars | +2 | Files: `*.tfvars`, `secrets.yaml` |
| Large Change | +2 | Total lines changed > 300 |
## Step 4: Detect Stack

Analyze file extensions:

- **Terraform/OpenTofu:** `.tf`, `.hcl`
- **Kubernetes:** `.yaml`, `.yml` (with `apiVersion`)
- **Docker:** `Dockerfile`
- **CloudFormation/SAM:** `template.yaml`, `template.json`
## Step 5: Apply Routing Decision Tree

**Primary Rule:** Default to GitHub Copilot for almost all code-centric reviews.

### Priority 1: Copilot (Primary)

Assign to GitHub Copilot if:

- Blast Radius Score > 0 (any security/state/IAM risk)
- Syntax or logic changes in `.tf` or `.yaml` files
- Module refactoring
- New resource creation

### Priority 2: Gemini (Specialized Cases)

Assign to Gemini ONLY if:

- Changes are purely documentation (`README.md`, comments)
- The user specifically requests an "Explanation" or "Why" rather than a code review
- Copilot CLI is not installed or fails
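The following script is an added example, not part of the skill as shipped: it implements Steps 3, 4 and 5 (blast radius score, stack detection, routing) as shell functions over a unified diff held in a variable, so the scoring can be checked without a repository or either CLI. `SAMPLE_DIFF` and `DOCS_DIFF` are constructed inputs; the function names, the `COPILOT_AVAILABLE` variable, and the decision to match `sg` as a whole path token rather than the table's `*sg*` glob are this example's choices.

```bash
#!/usr/bin/env bash
# Added example (not the skill's own code): Steps 3-5 over a unified diff.
# SAMPLE_DIFF / DOCS_DIFF are constructed inputs, not real changes.
set -eu

# Paths touched by the diff, taken from the "+++ b/<path>" headers.
changed_files() {
  printf '%s\n' "$1" | sed -n 's#^+++ b/##p'
}

# Step 3: sum the table's points, then cap at 10 so "[Score]/10" holds.
blast_radius_score() {
  local diff="$1" files score=0 changed
  files=$(changed_files "$diff")
  # IAM/Policy Changes +3: file names matching *iam*, *policy*, *role*
  if printf '%s\n' "$files" | grep -qiE 'iam|policy|role'; then score=$((score + 3)); fi
  # Network Security +3: "sg" matched as a path token (tighter than the table's
  # *sg* glob, which would also fire on a name such as "messaging.tf")
  if printf '%s\n' "$files" | grep -qiE '(^|[/_.-])sg([/_.-]|$)|firewall|vpc'; then score=$((score + 3)); fi
  # Stateful Resources +3: any hunk touching one of these resource types
  if printf '%s\n' "$diff" | grep -qE 'aws_db_instance|aws_s3_bucket|google_sql'; then score=$((score + 3)); fi
  # Deletion Risk +4: a removed prevent_destroy line, or force_destroy = true added
  if printf '%s\n' "$diff" | grep -qE '^-[[:space:]]*prevent_destroy|^[+][[:space:]]*force_destroy[[:space:]]*=[[:space:]]*true'; then score=$((score + 4)); fi
  # Secrets/Vars +2
  if printf '%s\n' "$files" | grep -qE '\.tfvars$|(^|/)secrets\.ya?ml$'; then score=$((score + 2)); fi
  # Large Change +2: added plus removed lines, excluding the ---/+++ file headers
  changed=$(printf '%s\n' "$diff" | grep -E '^[+-]' | grep -vcE '^([+][+][+]|---) ' || true)
  if [ "$changed" -gt 300 ]; then score=$((score + 2)); fi
  if [ "$score" -gt 10 ]; then score=10; fi
  echo "$score"
}

# Step 4: first matching stack wins; YAML counts as Kubernetes only with apiVersion.
detect_stack() {
  local diff="$1" files
  files=$(changed_files "$diff")
  if printf '%s\n' "$files" | grep -qE '\.(tf|hcl)$'; then echo "Terraform"
  elif printf '%s\n' "$files" | grep -qE '(^|/)template\.(yaml|json)$'; then echo "CloudFormation"
  elif printf '%s\n' "$files" | grep -qE '\.ya?ml$' && printf '%s\n' "$diff" | grep -q 'apiVersion'; then echo "Kubernetes"
  elif printf '%s\n' "$files" | grep -qE '(^|/)Dockerfile$'; then echo "Docker"
  else echo "Unknown"
  fi
}

# Step 5: Copilot unless the change is documentation-only or Copilot is unavailable.
# pick_reviewer SCORE DIFF yes|no
pick_reviewer() {
  local score="$1" diff="$2" copilot_available="$3" files
  if [ "$copilot_available" != "yes" ]; then echo "gemini"; return; fi
  files=$(changed_files "$diff")
  # docs-only: score 0 and no changed file outside *.md
  if [ "$score" -eq 0 ] && ! printf '%s\n' "$files" | grep -qvE '\.md$'; then
    echo "gemini"; return
  fi
  echo "copilot"
}

# Constructed diff: a DB instance losing prevent_destroy, a wildcard IAM policy,
# and a tfvars edit. Raw score 3+3+4+2 = 12, capped to 10.
SAMPLE_DIFF=$(cat <<'EOF'
diff --git a/modules/db/main.tf b/modules/db/main.tf
--- a/modules/db/main.tf
+++ b/modules/db/main.tf
@@ -1,6 +1,4 @@
 resource "aws_db_instance" "app" {
   identifier = "app-db"
-  lifecycle {
-    prevent_destroy = true
-  }
+  skip_final_snapshot = true
 }
diff --git a/iam_policy.tf b/iam_policy.tf
--- a/iam_policy.tf
+++ b/iam_policy.tf
@@ -1,3 +1,5 @@
 resource "aws_iam_policy" "ci" {
-  policy = data.aws_iam_policy_document.ci.json
+  policy = jsonencode({
+    Statement = [{ Effect = "Allow", Action = "*", Resource = "*" }]
+  })
 }
diff --git a/prod.tfvars b/prod.tfvars
--- a/prod.tfvars
+++ b/prod.tfvars
@@ -1 +1,2 @@
 region = "eu-west-1"
+db_password = "hunter2"
EOF
)

# Constructed docs-only diff: nothing in the table matches, so Gemini gets it.
DOCS_DIFF=$(cat <<'EOF'
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # Platform
+Explains how the VPC is laid out.
EOF
)

# The same fields the Step 6 summary prints, on one line.
route_summary() {
  local diff="$1" score stack reviewer
  score=$(blast_radius_score "$diff")
  stack=$(detect_stack "$diff")
  reviewer=$(pick_reviewer "$score" "$diff" "${COPILOT_AVAILABLE:-yes}")
  printf 'Target Stack: %s | Blast Radius Score: %s/10 | Reviewer: %s\n' "$stack" "$score" "$reviewer"
}

route_summary "$SAMPLE_DIFF"   # Target Stack: Terraform | Blast Radius Score: 10/10 | Reviewer: copilot
route_summary "$DOCS_DIFF"     # Target Stack: Unknown | Blast Radius Score: 0/10 | Reviewer: gemini
# Against the working tree: route_summary "$(git --no-pager diff HEAD)"
```

Note that the deletion-risk pattern is anchored on the diff marker: a removed `prevent_destroy` line starts with `-`, while a file header starts with `--- `, so headers cannot trigger it. The stateful-resource check greps context lines as well as changed ones, so an edit inside an existing `aws_db_instance` block scores even if the resource line itself did not change.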
## Step 6: Execute Review

Explain the routing and output the decision summary:

```markdown
## Cloud Infra Review
**Target Stack:** [Terraform/K8s/AWS/etc]
**Blast Radius Score:** [Score]/10
**Primary Reviewer:** GitHub Copilot
**Fallback:** Gemini
**Executing review...**
```

### CLI Commands

**Primary: GitHub Copilot CLI.** Use specific prompts to target infrastructure risks.

```bash
# Option 1: Interactive (best for deep dives)
copilot -i "Review this IaC diff for 1) Security risks (IAM/SG), 2) Data loss risks (deletion protection), and 3) Syntax correctness: $(git --no-pager diff HEAD)"

# Option 2: Piped (faster)
git --no-pager diff HEAD | copilot -p "You are a Cloud Security Engineer. Review this diff for misconfigurations, overly permissive IAM roles, and security group violations."
```

Prefer Option 2 for anything beyond a small diff: Option 1 expands the entire diff into a command-line argument, which is visible to other users in the process list and can exceed the argument-length limit on large changes. Either option sends the diff to an external model, so if the change touches `.tfvars` or `secrets.yaml` files with real values, exclude them from the diff (for example with the git pathspec `':!*.tfvars'`) or redact them before the review runs.
## Step 7: Handle Failures with Fallback

If GitHub Copilot fails (returns an error or empty output). Treat empty output as a failure, never as a clean review; otherwise Step 8 would report "Pass" for a diff nobody reviewed.

- **Report Failure:**

  ```
  ⚠️ GitHub Copilot CLI failed to complete the review. [Error details if available]
  ```

- **Execute Fallback (Gemini):**

  ```
  🔄 Switching to fallback: Gemini CLI...
  ```

  ```bash
  git --no-pager diff HEAD | gemini -p "Act as a DevOps Engineer. Review this Infrastructure as Code diff for security flaws, best practice violations, and potential bugs."
  ```

- **Critical Failure:** If Gemini also fails:

  ```
  ❌ Both review tools failed. Please check your CLI authentication (`gh auth login` for Copilot; `gcloud auth login` or the Gemini CLI's own sign-in for Gemini).
  ```
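The fallback flow above, as an added example that is not part of the skill as shipped. The reviewer commands are passed to the function as shell strings and receive the diff on stdin, which lets the constructed stand-in commands at the bottom exercise the empty-output case offline; `COPILOT_CMD` and `GEMINI_CMD` hold the skill's own invocations for a real run. The function name and its argument order are this example's choices.

```bash
#!/usr/bin/env bash
# Added example (not the skill's own code): Step 7 fallback as one function.
# Reviewer commands are shell strings run with the diff on stdin.
set -u

COPILOT_CMD='copilot -p "You are a Cloud Security Engineer. Review this diff for misconfigurations, overly permissive IAM roles, and security group violations."'
GEMINI_CMD='gemini -p "Act as a DevOps Engineer. Review this Infrastructure as Code diff for security flaws, best practice violations, and potential bugs."'

# review_with_fallback DIFF PRIMARY_CMD FALLBACK_CMD
# Falls back when the primary exits non-zero *or* prints nothing: an empty
# review must never be reported as a pass. Review text goes to stdout,
# progress messages to stderr; returns 2 when both tools fail.
review_with_fallback() {
  local diff="$1" primary="$2" fallback="$3" out rc
  # The assignment sits in an if so a failing command does not trip set -e.
  if out=$(printf '%s' "$diff" | sh -c "$primary" 2>/dev/null); then rc=0; else rc=$?; fi
  if [ "$rc" -eq 0 ] && [ -n "$out" ]; then
    printf 'Reviewer: GitHub Copilot\n%s\n' "$out"; return 0
  fi
  printf '⚠️ GitHub Copilot CLI failed to complete the review (exit %s, %s chars of output).\n' "$rc" "${#out}" >&2
  printf '🔄 Switching to fallback: Gemini CLI...\n' >&2
  if out=$(printf '%s' "$diff" | sh -c "$fallback" 2>/dev/null); then rc=0; else rc=$?; fi
  if [ "$rc" -eq 0 ] && [ -n "$out" ]; then
    printf 'Reviewer: Gemini\n%s\n' "$out"; return 0
  fi
  printf '❌ Both review tools failed. Please check your CLI authentication.\n' >&2
  return 2
}

# Constructed stand-ins (no CLI needed): the "primary" exits 0 but prints
# nothing, which the skill treats as a failure, so the fallback produces the review.
review_with_fallback 'resource "aws_s3_bucket" "logs" { force_destroy = true }' \
  'cat >/dev/null; true' \
  'cat >/dev/null; echo "Risk: force_destroy = true on a bucket."'
# Real run: review_with_fallback "$(git --no-pager diff HEAD)" "$COPILOT_CMD" "$GEMINI_CMD"
```

Routing the commands through `sh -c` keeps the prompt text out of the function, so the same fallback logic serves whichever CLI is primary after Step 1 (if Copilot is missing, pass `"$GEMINI_CMD"` as the primary and a no-op as the fallback).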
## Step 8: Format Output

Present the review results clearly:

```markdown
## ☁️ Infrastructure Review Results
**Reviewer:** [GitHub Copilot / Gemini]
**Status:** [Pass/Risks Detected]
---
[CLI Output Here]
---
**Next Steps:**
- [ ] Verify critical security warnings manually
- [ ] Run `terraform plan` to validate state impact
```