infra-as-code-review
# infra-as-code-review This Claude Code skill analyzes infrastructure-as-code files (Terraform, CloudFormation, Pulumi, Ansible, or CDK) against security, reliability, and operational standards. Use it to review IaC code before deployment, audit existing cloud configurations, assess security posture, or generate reusable review checklists for your team. It produces a structured report with findings categorized by severity, specific remediation steps, and a template checklist for future reviews.
git clone --depth 1 https://github.com/mohitagw15856/pm-claude-skills /tmp/infra-as-code-review && cp -r /tmp/infra-as-code-review/plugins/pm-engineering/skills/infra-as-code-review ~/.claude/skills/infra-as-code-reviewSKILL.md
# Infrastructure-as-Code Review
Produce a structured infrastructure-as-code review that applies security, reliability, and operational quality standards to a specific body of IaC code. The output serves two purposes: an actionable review report for the code at hand (with findings by severity and specific remediation steps), and a reusable checklist the team can apply to every future IaC change. If the user provides actual code, analyze it and populate the findings table with real issues. If no code is provided, produce the checklist and a template findings report.
## Required Inputs
Ask for these if not already provided:
- **IaC tool** — Terraform, CloudFormation, Pulumi, Ansible, or CDK
- **Cloud provider** — AWS, GCP, Azure, or multi-cloud
- **What the code provisions** — a brief description (e.g., "VPC, EKS cluster, and RDS instance for the payments service")
- **Security policies or naming standards in use** — any existing org standards to check against; if none, use sensible defaults
- **The IaC code itself** — paste or describe it; if not provided, produce the checklist template only and note findings require code
## Output Format
---
# IaC Review Report: [What Is Being Provisioned]
**Reviewer:** [Name / Claude]
**IaC Tool:** [Terraform / CloudFormation / Pulumi / Ansible / CDK]
**Cloud Provider:** [AWS / GCP / Azure]
**Code Location:** [Repo path or PR link]
**Review Date:** [Date]
**Overall Risk:** [Critical / High / Medium / Low]
---
## Executive Summary
| Severity | Finding Count | Resolved in This Review | Carry-Over Risk |
|----------|---------------|------------------------|-----------------|
| Critical | [n] | [n] | [Yes/No — explain] |
| High | [n] | [n] | [Yes/No — explain] |
| Medium | [n] | [n] | [Yes/No — explain] |
| Low | [n] | [n] | [Yes/No — explain] |
| **Total** | **[n]** | **[n]** | |
**Recommendation:** [Approve / Approve with Required Changes / Block — one sentence rationale]
---
## Findings
### Critical Findings
#### CRIT-01: [Finding Title]
| Field | Detail |
|-------|--------|
| **Severity** | Critical |
| **Category** | [IAM / Secrets / Encryption / Network / State / Naming / Cost] |
| **Resource** | `[resource_type.resource_name]` |
| **File / Line** | `[path/to/file.tf:42]` |
| **Risk** | [What can go wrong — be specific about the attack vector or failure mode] |
**Current code:**
```hcl
# [paste the problematic snippet]
resource "aws_s3_bucket" "data" {
bucket = "my-bucket"
acl = "public-read" # PROBLEM: public read access
}
```
**Remediation:**
```hcl
resource "aws_s3_bucket" "data" {
bucket = "my-bucket"
}
resource "aws_s3_bucket_public_access_block" "data" {
bucket = aws_s3_bucket.data.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
```
**Why this matters:** [One sentence linking the specific risk to business impact — data exposure, compliance violation, etc.]
---
#### CRIT-02: [Next Critical Finding — repeat structure]
---
### High Findings
#### HIGH-01: [Finding Title]
| Field | Detail |
|-------|--------|
| **Severity** | High |
| **Category** | [Category] |
| **Resource** | `[resource_type.resource_name]` |
| **File / Line** | `[path/to/file.tf:line]` |
| **Risk** | [Specific risk description] |
**Current code:**
```hcl
# [problematic snippet]
```
**Remediation:**
```hcl
# [fixed snippet]
```
---
### Medium Findings
#### MED-01: [Finding Title]
| Field | Detail |
|-------|--------|
| **Severity** | Medium |
| **Category** | [Category] |
| **Resource** | `[resource_type.resource_name]` |
| **File / Line** | `[path/to/file.tf:line]` |
| **Risk** | [Specific risk description] |
**Remediation:** [Prose or code snippet — choose whichever is clearer for this finding]
---
### Low Findings
#### LOW-01: [Finding Title]
| Field | Detail |
|-------|--------|
| **Severity** | Low |
| **Category** | [Category] |
| **Resource** | `[resource_type.resource_name]` |
| **File / Line** | `[path/to/file.tf:line]` |
| **Suggestion** | [What to improve and why] |
---
## Reusable IaC Review Checklist
Use this checklist on every IaC pull request. Check every item; mark N/A only when the item genuinely does not apply to the resources being provisioned.
### 1. IAM and Access Control
- [ ] No wildcard actions (`"*"`) in IAM policies — policies follow least-privilege
- [ ] No wildcard resource (`"*"`) in IAM policies unless explicitly justified with a comment
- [ ] IAM roles use condition keys to restrict scope (e.g., `aws:RequestedRegion`, `sts:ExternalId`)
- [ ] No IAM access keys or credentials hardcoded or in plaintext variables
- [ ] EC2 / compute instances use instance profiles, not hardcoded credentials
- [ ] S3 bucket policies do not allow public access unless the bucket is explicitly a public asset bucket
- [ ] Cross-account trust policies name specific account IDs, not `"*"`
- [ ] Service accounts (GCP) / managed identities (Azure) follow naming conventions and have documented purpose
### 2. Secrets Management
- [ ] No secrets, passwords, tokens, or API keys in plaintext in any `.tf`, `.yaml`, or `.json` file
- [ ] No secrets in variable default values
- [ ] Secrets sourced from Secrets Manager / Parameter Store / Vault — not from environment variables passed at plan time
- [ ] `sensitive = true` is set on all output values and variables that contain secrets (Terraform)
- [ ] State backend is encrypted — no unencrypted state files contain sensitive data
- [ ] `.gitignore` or equivalent excludes `*.tfvars`, `terraform.tfstate`, and any file that may contain resolved secrets
### 3. Encryption at Rest
- [ ] Storage resources (S3, EBS, RDS, DynamoDB, GCS, Azure Blob) have encryption at rest enabled
- [ ] Customer-managed keys (CMK/KMS) are used where required by policy — not solely AWS/GCP/Azure managed keys
- [ ] KMS key rotation is enabled for all CMKs
- [ ] Database snapshots have encryption enabled
-Conduct a structured ethical review of an AI or ML feature, model, or product. Use when preparing to deploy an AI system, assessing algorithmic risk, auditing a model for bias, or producing a responsible AI impact assessment. Produces a structured ethics review covering fairness, transparency, privacy, safety, accountability, and societal impact with a risk tier score, pre-deployment checklist, and prioritised mitigations.
Structure AI and ML product decisions with the rigour of any product decision. Use when building AI-powered features, evaluating LLM integrations, designing AI products, or assessing AI readiness. Produces a complete AI product canvas covering problem definition, model approach, data requirements, evaluation framework, UX design, responsible AI checklist, and launch monitoring plan.
Transform feature briefs into structured design briefs that give designers the context they need before opening Figma. Use when asked to write a design brief, create a design handoff, brief a designer on a new feature, or translate a PRD into design requirements. Produces a brief with user goal, emotional context, success criteria, constraints, edge cases, and out-of-scope boundaries.
Design statistically rigorous A/B tests and interpret experiment results. Use when asked to design an experiment, run an A/B test, calculate sample size, interpret test results, or assess whether an experiment was successful. Produces a complete experiment design with hypothesis, sample size, run time, success criteria, and risk flags — or a results interpretation with ship/iterate/kill recommendation.
Synthesises user signals from multiple research sources into a unified, weighted insight brief. Use when you have data from interviews, support tickets, NPS verbatims, app reviews, or sales calls and need to reconcile contradictions, surface the underlying need behind requests, or answer 'what are users really telling us'. Produces ranked insights with confidence ratings, source weighting rationale, divergent signal analysis by user segment, and a research gap identification section.
Structure a product data analysis, metric deep-dive, funnel analysis, or cohort study. Use when asked to analyse product metrics, investigate a drop in conversion, explain a data change to stakeholders, or find the root cause of a metric movement. Produces a structured analysis with question, root cause, confidence level, and recommended action.
Interpret product metrics against goals and surface actionable signals. Use when asked to analyse product health, review key metrics, investigate a performance issue, produce a health report, or assess product-market fit signals. Produces a structured health report with RAG status, trend analysis, root cause hypotheses, and prioritised actions.
Structure a retention analysis, churn investigation, or engagement deep-dive for any product team. Use when asked to analyse user retention, investigate churn, measure DAU/MAU, or build a retention improvement plan. Produces a retention snapshot with root cause hypotheses, aha-moment correlation, and prioritised interventions.