AgentSkillsCN

Cloud Infra Review Router

Cloud Infrastructure Review Router

SKILL.md
---
name: cloud-infra-review-router
description: Automates Infrastructure as Code (IaC) reviews for Terraform and Cloud configurations. Prioritizes GitHub Copilot CLI for security and architecture analysis, falling back to Gemini CLI for explanations and best practices.
---

# Cloud Infra Review Router

Routes IaC reviews for Terraform, Kubernetes, and Cloud configurations. It prioritizes **GitHub Copilot CLI** for its strength in code logic and security patterns, using **Gemini** as a robust fallback or for natural language explanations.

## When NOT to Use This Skill

- For application source code (JS, Python, Go) logic reviews
- For reviewing binary state files (`.tfstate`)
- When you need to `apply` changes (this skill only analyzes diffs/code)
- For verifying active cloud credentials

## Step 0: Environment Check

Verify the current directory is a valid git repository:

```bash
git rev-parse --git-dir 2>/dev/null || echo "NOT_A_GIT_REPO"
```

If not a git repository, stop and inform the user: "This directory is not a git repository. Initialize with `git init` or navigate to a repo."

## Step 1: Prerequisites Check

Verify the Primary (Copilot) and Secondary (Gemini) CLIs are available:

```bash
# Check for Primary: GitHub Copilot CLI
copilot --version 2>/dev/null || echo "COPILOT_NOT_FOUND"

# Check for Fallback: Gemini CLI (command -v is POSIX; which is not guaranteed to be)
command -v gemini >/dev/null 2>&1 || echo "GEMINI_NOT_FOUND"
```

If Copilot is missing: warn the user that the primary tool is unavailable, but proceed if Gemini is found (using Gemini as primary). If both are missing: stop and inform the user that at least one of the two CLI tools must be installed.

## Step 2: Analyze Git Diff

Run these commands to gather diff statistics and identify cloud resources:

```bash
# Get diff stats (falls back to the index-less form in a repo with no commits yet)
git --no-pager diff --stat HEAD 2>/dev/null || git --no-pager diff --stat

# Count changed files
git --no-pager diff --name-only HEAD 2>/dev/null | wc -l

# Identify changed providers/resources (simple grep analysis)
git --no-pager diff HEAD | grep -E "resource|module|provider|apiVersion" | head -n 20
```

If no changes detected: Report "Nothing to review - no uncommitted changes found." and stop.

## Step 3: Calculate Blast Radius Score

Initialize `blast_radius_score = 0`, then add the points for every condition that matches:

| Condition | Points | Detection Method |
|---|---|---|
| IAM/Policy Changes | +3 | Files: `*iam*`, `*policy*`, `*role*` |
| Network Security | +3 | Files: `*sg*`, `*firewall*`, `*vpc*` |
| Stateful Resources | +3 | Resources: `aws_db_instance`, `aws_s3_bucket`, `google_sql` |
| Deletion Risk | +4 | Diff contains a `prevent_destroy` removal or `force_destroy = true` |
| Secrets/Vars | +2 | Files: `*.tfvars`, `secrets.yaml` |
| Large Change | +2 | Total lines changed > 300 |

The maximum score is 17. The file globs are deliberately broad (`*sg*` also matches names such as `messages.tf`), so the score is a triage signal for routing, not a verdict; the reviewer's output decides.

## Step 4: Detect Stack

Analyze file extensions:

- Terraform/OpenTofu: `.tf`, `.hcl`
- Kubernetes: `.yaml`, `.yml` (with `apiVersion`)
- Docker: `Dockerfile`
- CloudFormation/SAM: `template.yaml`, `template.json`

## Step 5: Apply Routing Decision Tree

Primary Rule: Default to GitHub Copilot for almost all code-centric reviews.

### Priority 1: Copilot (Primary)

Assign to GitHub Copilot if:

- Blast Radius Score > 0 (any security/state/IAM risk)
- Syntax or logic changes in `.tf` or `.yaml` files
- Module refactoring
- New resource creation

### Priority 2: Gemini (Specialized Cases)

Assign to Gemini ONLY if:

- Changes are purely documentation (`README.md`, comments)
- The user specifically requests an "Explanation" or "Why" rather than a code review
- Copilot CLI is not installed or fails
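The scoring, stack detection and routing rules of Steps 3 to 5, as an added shell example that is not part of the original skill. The function names, the sample file list and the sample diff are constructed for a local dry run; in a real checkout the two inputs are the output of `git --no-pager diff --name-only HEAD` and `git --no-pager diff HEAD`.

```shell
#!/usr/bin/env bash
# Added example, not part of the original skill: Steps 3-5 of the router as
# shell functions. Inputs are a newline-separated list of changed paths and
# the unified diff text; in a real repo these come from
#   git --no-pager diff --name-only HEAD   and   git --no-pager diff HEAD
# The sample data at the bottom is constructed for a local dry run.

# Step 3: blast radius score. $1 = changed paths, $2 = diff text.
blast_radius_score() {
  local files="$1" diff="$2" score=0 changed
  # IAM/Policy changes (+3): file names containing iam, policy or role
  if printf '%s\n' "$files" | grep -qiE 'iam|policy|role'; then score=$((score + 3)); fi
  # Network security (+3): *sg*, *firewall*, *vpc*. "sg" is a loose substring
  # match (it also hits e.g. messages.tf), so the score is a triage signal only.
  if printf '%s\n' "$files" | grep -qiE 'sg|firewall|vpc'; then score=$((score + 3)); fi
  # Stateful resources (+3): the diff touches a DB instance, S3 bucket or Cloud SQL block
  if printf '%s\n' "$diff" | grep -qE 'resource "(aws_db_instance|aws_s3_bucket|google_sql)'; then
    score=$((score + 3))
  fi
  # Deletion risk (+4): a prevent_destroy line removed, or force_destroy = true added
  if printf '%s\n' "$diff" | grep -qE '^-.*prevent_destroy|^[+].*force_destroy[[:space:]]*=[[:space:]]*true'; then
    score=$((score + 4))
  fi
  # Secrets/vars (+2): *.tfvars or secrets.yaml
  if printf '%s\n' "$files" | grep -qE '\.tfvars$|(^|/)secrets\.ya?ml$'; then score=$((score + 2)); fi
  # Large change (+2): more than 300 added+removed lines, file headers excluded
  changed=$(printf '%s\n' "$diff" | grep -vE '^([+][+][+]|---) ' | grep -cE '^[+-]') || true
  if [ "${changed:-0}" -gt 300 ]; then score=$((score + 2)); fi
  echo "$score"
}

# Step 4: stack detection from file names. $1 = changed paths, $2 = diff text.
detect_stack() {
  local files="$1" diff="$2" stacks=""
  if printf '%s\n' "$files" | grep -qE '\.(tf|hcl)$'; then stacks="$stacks Terraform"; fi
  # Kubernetes: a YAML file whose diff carries apiVersion
  if printf '%s\n' "$files" | grep -qE '\.ya?ml$' && printf '%s\n' "$diff" | grep -q 'apiVersion:'; then
    stacks="$stacks Kubernetes"
  fi
  if printf '%s\n' "$files" | grep -qiE '(^|/)dockerfile$'; then stacks="$stacks Docker"; fi
  if printf '%s\n' "$files" | grep -qE '(^|/)template\.(ya?ml|json)$'; then stacks="$stacks CloudFormation"; fi
  echo "${stacks# }"
}

# Step 5: routing. $1 = changed paths, $2 = score, $3 = "yes" if the copilot CLI is installed.
route_reviewer() {
  local files="$1" score="$2" copilot_available="$3"
  if [ "$copilot_available" != "yes" ]; then echo gemini; return 0; fi
  if [ "$score" -gt 0 ]; then echo copilot; return 0; fi
  # Documentation-only change (every path ends in .md) goes to Gemini
  if ! printf '%s\n' "$files" | grep -vE '\.md$' | grep -q .; then echo gemini; return 0; fi
  echo copilot
}

# Constructed sample: an IAM role rename plus an S3 bucket that loses
# prevent_destroy and gains force_destroy.
SAMPLE_FILES='modules/iam/role.tf
storage/main.tf'
SAMPLE_DIFF='--- a/modules/iam/role.tf
+++ b/modules/iam/role.tf
@@ -1,3 +1,3 @@
 resource "aws_iam_role" "app" {
-  name = "app-role"
+  name = "app-role-v2"
 }
--- a/storage/main.tf
+++ b/storage/main.tf
@@ -1,6 +1,4 @@
 resource "aws_s3_bucket" "logs" {
   bucket = "example-logs"
-  lifecycle {
-    prevent_destroy = true
-  }
+  force_destroy = true
 }'

SAMPLE_SCORE=$(blast_radius_score "$SAMPLE_FILES" "$SAMPLE_DIFF")
echo "stack=$(detect_stack "$SAMPLE_FILES" "$SAMPLE_DIFF") score=$SAMPLE_SCORE/17 reviewer=$(route_reviewer "$SAMPLE_FILES" "$SAMPLE_SCORE" yes)"
```

The sample scores IAM (+3), stateful resource (+3) and deletion risk (+4) for a total of 10, so it routes to Copilot; a `README.md`-only change scores 0 and routes to Gemini. Note that a documentation file named after a policy (say `iam-policy.md`) still scores on the IAM glob and is sent to Copilot, which is the Priority 1 rule taking precedence.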

## Step 6: Execute Review

Explain the routing and output the decision summary:

```markdown
## Cloud Infra Review

**Target Stack:** [Terraform/K8s/AWS/etc]
**Blast Radius Score:** [Score]/17

**Primary Reviewer:** GitHub Copilot
**Fallback:** Gemini

**Executing review...**
```

### CLI Commands

**Primary: GitHub Copilot CLI.** Use specific prompts to target infrastructure risks. Both forms send the whole diff to a hosted model, so if the change touches `*.tfvars` or `secrets.yaml` (the Secrets/Vars condition in Step 3), strip or mask the values before piping. The piped form is the default: the interactive form expands the diff into a single command-line argument, which fails for large diffs once the OS argument-length limit is exceeded.

```bash
# Option 1: Interactive (best for deep dives on small diffs)
copilot -i "Review this IaC diff for 1) Security risks (IAM/SG), 2) Data loss risks (deletion protection), and 3) Syntax correctness: $(git --no-pager diff HEAD)"

# Option 2: Piped (faster, handles large diffs)
git --no-pager diff HEAD | copilot -p "You are a Cloud Security Engineer. Review this diff for misconfigurations, overly permissive IAM roles, and security group violations."
```

## Step 7: Handle Failures with Fallback

If GitHub Copilot fails (returns an error or empty output):

  1. Report the failure:

    ⚠️ GitHub Copilot CLI failed to complete the review. [Error details if available]

  2. Execute the fallback (Gemini):

    🔄 Switching to fallback: Gemini CLI...

    ```bash
    git --no-pager diff HEAD | gemini -p "Act as a DevOps Engineer. Review this Infrastructure as Code diff for security flaws, best practice violations, and potential bugs."
    ```

  3. Critical failure: if Gemini also fails:

    ❌ Both review tools failed. Please check your CLI authentication (gh auth login / gcloud auth login).
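The Step 6 and Step 7 execution chain as an added shell example, not part of the original skill: the diff is masked for obvious credential values before it leaves the machine, then each reviewer is tried in order and a reviewer that exits non-zero or prints nothing triggers the fallback. The `copilot_review` and `gemini_review` wrappers reuse the skill's own prompts; `redact_diff`, `run_review` and the `stub_*` reviewers are names and stand-ins constructed for this example so the chain can be dry-run without either CLI.

```shell
#!/usr/bin/env bash
# Added example, not part of the original skill: the Step 6/7 execution chain
# as shell functions. Reviewers are passed as function names that read the
# diff on stdin; the stub_* functions at the bottom are constructed stand-ins
# so the chain can be exercised locally without calling a real CLI.

# Mask the value on added lines whose key looks like a credential (.tfvars,
# secrets.yaml). Keyword based: use a real secret scanner for anything stricter.
redact_diff() {
  sed -E 's/^([+][[:space:]]*[A-Za-z0-9_."-]*([Pp]assword|[Ss]ecret|[Tt]oken|[Aa]pi_?[Kk]ey|[Aa]ccess_?[Kk]ey|[Pp]rivate_?[Kk]ey)[A-Za-z0-9_."-]*[[:space:]]*[:=][[:space:]]*).*$/\1<REDACTED>/'
}

# Real reviewer wrappers, same prompts as the skill's piped commands.
copilot_review() { copilot -p "You are a Cloud Security Engineer. Review this diff for misconfigurations, overly permissive IAM roles, and security group violations."; }
gemini_review()  { gemini -p "Act as a DevOps Engineer. Review this Infrastructure as Code diff for security flaws, best practice violations, and potential bugs."; }

# Run the review. $1 = diff text; remaining args = reviewer function names in
# priority order, e.g. run_review "$(git --no-pager diff HEAD)" copilot_review gemini_review
run_review() {
  local diff="$1" out cmd
  shift
  for cmd in "$@"; do
    # Step 7 failure rule: non-zero exit or empty output means "try the next tool"
    if out=$(printf '%s\n' "$diff" | redact_diff | "$cmd" 2>/dev/null) && [ -n "$out" ]; then
      printf 'reviewer=%s\n%s\n' "$cmd" "$out"
      return 0
    fi
    echo "⚠️ $cmd failed to complete the review, switching to fallback" >&2
  done
  echo "❌ Both review tools failed. Check your CLI authentication." >&2
  return 1
}

# Constructed stand-ins for a dry run; no real CLI is called.
stub_failing_reviewer() { cat >/dev/null; return 1; }   # primary crashes
stub_silent_reviewer()  { cat >/dev/null; }              # succeeds with empty output
stub_ok_reviewer()      { printf 'Risks Detected: %s added line(s) reviewed\n' "$(grep -c '^[+]' || true)"; }

# Dry run: the primary fails, the fallback answers, and the masked diff is what
# the reviewer receives, so the password value never reaches either tool.
run_review "$(printf '+db_password = "hunter2"\n+region = "us-east-1"\n')" stub_failing_reviewer stub_ok_reviewer
```

In real use the call is `run_review "$(git --no-pager diff HEAD)" copilot_review gemini_review`; the exit status is 1 only when every reviewer in the list has failed, which is the Step 7 critical-failure case.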

## Step 8: Format Output

Present the review results clearly:

```markdown
## ☁️ Infrastructure Review Results

**Reviewer:** [GitHub Copilot / Gemini]
**Status:** [Pass/Risks Detected]

---

[CLI Output Here]

---

**Next Steps:**
- [ ] Verify critical security warnings manually
- [ ] Run `terraform plan` to validate state impact
```