IaC Feature (iac)
Intent
Provide a single Infrastructure-as-Code (IaC) shape per project:
- `ros` (Alibaba Cloud ROS templates)
- `terraform`

and publish a non-secret IaC overview into the Context-Awareness layer (`docs/context/iac/*`).
What gets enabled (Stage C materialization)
When enabled (via blueprint `iac.tool`):
- `ops/iac/<tool>/` (SSOT: IaC definitions)
- `ops/iac/handbook/` (runbooks/decisions/logs)
- `docs/context/iac/overview.json` (generated, no secrets)
- `docs/context/project.registry.json` entry: `iac.overview` (generated artifact registration)

Controller script:
- `node .ai/skills/features/iac/scripts/ctl-iac.mjs`
How to enable (Init Stage B/C)
In `init/_work/project-blueprint.json`:

```json
{
  "iac": { "tool": "terraform" }
}
```

Valid values: `none` | `ros` | `terraform` (case-insensitive).
When omitted or `none`, the IaC feature is not enabled.
Operating rules
- No dual SSOT: do not keep both `ops/iac/ros/` and `ops/iac/terraform/`.
- IaC `plan/apply` is human/CI executed. The `iac` feature does not auto-apply infrastructure.
- Never store secret values in IaC code or context artifacts.
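
The rules above can be checked mechanically before a commit or in CI. The following is an added example, not the project's `ctl-iac.mjs`: the function names, the `overview.json` layout and the secret-matching heuristics are all assumptions made for illustration.

```javascript
// Added example: not the project's ctl-iac.mjs. Inputs are plain data so it runs offline.
const VALID_TOOLS = ["none", "ros", "terraform"];

// Blueprint rule from the page: none | ros | terraform, case-insensitive; omitted means none.
function resolveTool(blueprint) {
  const raw = blueprint && blueprint.iac && blueprint.iac.tool;
  if (raw === undefined || raw === null) return "none";
  const tool = String(raw).toLowerCase();
  if (!VALID_TOOLS.includes(tool)) throw new Error(`invalid iac.tool: ${raw}`);
  return tool;
}

// "No dual SSOT": `dirs` lists repo directories that exist (no trailing slash, assumed).
function checkSsot(tool, dirs) {
  const present = ["ros", "terraform"].filter((t) => dirs.includes(`ops/iac/${t}`));
  const findings = [];
  if (present.length > 1) findings.push("dual SSOT: ops/iac/ros and ops/iac/terraform");
  if (tool !== "none" && !present.includes(tool)) findings.push(`missing ops/iac/${tool}`);
  return findings;
}

// Heuristics (assumptions): key names and value shapes that suggest a secret value.
const SECRET_KEY = /(secret|password|passwd|token|private_?key|access_?key)/i;
const SECRET_VALUE = /-----BEGIN [A-Z ]*PRIVATE KEY-----|^LTAI[0-9A-Za-z]{12,}$/;

// Walk a parsed JSON document and return the JSON paths of suspicious entries.
function findSecrets(node, path = "$") {
  if (typeof node === "string") return SECRET_VALUE.test(node) ? [path] : [];
  if (node === null || typeof node !== "object") return [];
  return Object.entries(node).flatMap(([k, v]) => {
    const p = Array.isArray(node) ? `${path}[${k}]` : `${path}.${k}`;
    const keyHit = SECRET_KEY.test(k) && typeof v === "string" && v.length > 0;
    return keyHit ? [p] : findSecrets(v, p);
  });
}

// Constructed sample inputs; the overview.json layout here is hypothetical.
const sampleBlueprint = { iac: { tool: "Terraform" } };
const sampleDirs = ["ops/iac/terraform", "ops/iac/handbook", "ops/iac/ros"];
const sampleOverview = {
  tool: "terraform",
  modules: [
    { name: "network", outputs: { vpc_id: "vpc-constructed" } },
    { name: "db", outputs: { db_password: "constructed-not-real" } },
  ],
  notes: ["LTAIexampleexample00"],
};
const tool = resolveTool(sampleBlueprint);
console.log(tool, checkSsot(tool, sampleDirs), findSecrets(sampleOverview));
```

A non-empty result from `checkSsot` or `findSecrets` should fail the check; the key-name match will also flag non-secret references such as a secret's name, so treat hits as items to review.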
Verification
```bash
node .ai/skills/features/iac/scripts/ctl-iac.mjs verify --repo-root .
```
Boundaries
- The `iac` feature does not execute IaC apply. `terraform`/`ros` plan/apply is human/CI executed.
- The `iac` feature does not configure IAM/identity; treat identity as IaC-owned.
- Never write secret values into `ops/iac/**` templates or `docs/context/iac/*`.