One Command to Rule Them All: The terraform-aws Team Bundle
TL;DR — adlc --team terraform-aws installs 7 agents, 8 commands, 7 skills, 3 hooks, and 2 MCPs in a single command. A new engineer goes from zero to a production-grade Terraform-on-AWS environment in ~10 minutes instead of half a day.
The Press Release
ADLC Framework Launches terraform-aws Team Bundle — First Multi-Component Bundle Reduces Terraform Onboarding from Hours to Minutes
Melbourne, February 2026 — The ADLC (Agent Development Lifecycle) Framework today announced the terraform-aws team bundle, the first bundle that installs not just AI agents but also slash commands, reusable skills, safety hooks, and MCP server integrations in a single command. Enterprise teams building AWS infrastructure with Terraform can now bootstrap a complete, governance-compliant AI development environment by running:
adlc --team terraform-aws
The Problem We Solved
Every Terraform-on-AWS project needs the same foundational components: an architect agent that understands multi-account patterns, a testing framework that catches drift before it reaches production, cost estimation that runs before terraform apply, and safety hooks that prevent credentials from leaking into version control.
Before today, engineers assembled this stack manually. 15+ individual install commands. Discovery by word-of-mouth. Inconsistent configurations across teams. The median onboarding time for a new engineer on an existing Terraform project was 4+ hours — and that assumes someone wrote a setup guide.
The Solution
The terraform-aws bundle packages 27 components that a Terraform-on-AWS engineer actually needs into a single, governance-ordered installation:
| Component Type | Count | What It Does |
|---|---|---|
| Agents | 7 | AI specialists from product-owner to observability-engineer |
| Commands | 8 | Slash commands for testing, deploying, diffing, and costing |
| Skills | 7 | Reusable knowledge: Terraform patterns, LocalStack testing, AWS profile routing |
| Hooks | 3 | Safety rails: block dangerous commands, protect credentials, enforce evidence |
| MCPs | 2 | Terraform Registry integration and AWS compliance scanning |
| | 27 | Total components installed |
"We used to tell new engineers to read the wiki, find the right agents, and hope they didn't miss the profile-router skill. Now we tell them to run one command." — Cloud Platform Team Lead, ANZ FSI
Why This Matters: The 80/20 Problem
Previous team bundles in ADLC installed only agents — roughly 20% of what an engineer actually needs. The remaining 80% (commands, skills, hooks, MCPs) required manual discovery through documentation, Slack threads, or trial and error.
The terraform-aws bundle closes this gap entirely. It is the first multi-component bundle — a pattern that will extend to cdk-aws, kubernetes, and finops bundles in future releases.
What's Inside: The 27 Components
Agents: The AI Team
Every bundle starts with the constitutional authority chain. The first two agents are non-negotiable — they enforce business validation and architectural review before any specialist touches infrastructure.
| # | Agent | Role | Why It's Included |
|---|---|---|---|
| 1 | product-owner | Requirements, prioritization, acceptance | ADLC Principle I — business validation gate |
| 2 | cloud-architect | Architecture, security, infrastructure design | ADLC Principle IV — technical design gate |
| 3 | infrastructure-engineer | Core Terraform execution | Writes and refactors HCL modules |
| 4 | qa-engineer | 3-tier test orchestration | Orchestrates snapshot/LocalStack/AWS testing |
| 5 | security-compliance-engineer | APRA CPS 234, IAM review | FSI regulatory compliance checks |
| 6 | terraform-specialist | HCL patterns, drift detection | Deep Terraform expertise from marketplace |
| 7 | observability-engineer | CloudWatch, cost dashboards | Monitoring and FinOps visibility |
Commands: The Workflow
Eight slash commands that map to the daily workflow of a Terraform engineer. The testing commands follow a progressive gating pattern — each tier must pass before the next tier runs.
| Command | What It Does | Cost | Duration |
|---|---|---|---|
| /terraform:test | Master 3-tier orchestrator — runs all tiers in sequence | $0-10 | 2s-10m |
| /terraform:test-functional | Tier 1: Snapshot tests, static analysis | $0 | 2-3s |
| /terraform:test-integration | Tier 2: LocalStack functional tests | $0 | 30-60s |
| /terraform:test-e2e | Tier 3: Real AWS Sandbox integration | ~$5-10/mo | 5-10m |
| /terraform:deploy | Constitutional deployment with 35 checkpoints | Varies | Varies |
| /terraform:diff | Breaking change detection across stacks | $0 | 5-10s |
| /terraform:cost | Infracost estimation with FOCUS 1.3 FinOps tags | $0 | 10-15s |
| /terraform:release | Full release workflow with HITL approval | $0 | 1-2m |
Skills: The Knowledge Base
Skills are reusable knowledge packages that load into the AI agent's context on demand. They follow a progressive disclosure architecture — the agent loads only what it needs, when it needs it, keeping the token budget lean.
| Skill | Size | What It Teaches the Agent |
|---|---|---|
| terraform-patterns | 24KB | Module hierarchy, state management, naming conventions |
| localstack-testing | 13KB | Tier 2 service compatibility matrix, mock patterns |
| aws-sandbox-testing | 17KB | Tier 3 cost guardrails, account isolation, cleanup |
| progressive-gating | 15KB | BLOCKING gates between test tiers |
| autonomous-testing | 12KB | PDCA loops, context forking for parallel test runs |
| cross-validation-mcp-api | 10KB | 4-way validation: MCP vs CLI vs SDK vs Console |
| profile-router | 6KB | 44-account AWS profile routing for multi-account orgs |
The profile-router skill is the single most important safety component in the bundle. In a multi-account AWS organization (common in FSI), targeting the wrong account with terraform apply is a compliance incident. This skill teaches the agent to resolve the correct AWS profile for every operation based on account purpose, region, and environment.
Without it, an agent might apply a development change to a production account.
Hooks: The Safety Rails
Hooks execute automatically before or after tool calls. They are invisible to the engineer but prevent the three most common infrastructure disasters.
| Hook | Trigger | What It Blocks |
|---|---|---|
| validate-bash | Before every Bash command | rm -rf, terraform destroy without approval, unscoped aws CLI calls |
| block-sensitive-files | Before file writes/commits | .env, .tfvars with secrets, credential files, private keys |
| detect-nato-violation | Before completion claims | "Done" or "Complete" without evidence in tmp/ directory |
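
The kind of decision a hook like block-sensitive-files has to make, as an added example rather than the ADLC hook's own code: some files are blocked by name, while a .tfvars file is blocked only when its content carries a secret. The rule set, the `checkWrite` name, and the sample inputs are assumptions; how the hook receives the path and content is not shown.

```javascript
// Added example: an assumed rule set, not the ADLC hook's own code.

// File names blocked regardless of content (.env.example / .env.sample stay allowed).
const BLOCKED_NAMES = [
  /^\.env(\.(?!example$|sample$).+)?$/,
  /^credentials$/,
  /\.(pem|key|p12|pfx)$/i,
  /^id_(rsa|dsa|ecdsa|ed25519)$/,
];

// Content that marks any file, including .tfvars, as carrying a secret.
const SECRET_PATTERNS = [
  { name: 'private key block', re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  { name: 'AWS access key ID', re: /\b(AKIA|ASIA)[0-9A-Z]{16}\b/ },
  // Quoted literal assigned to a password/secret/token name; variable references pass.
  { name: 'hard-coded secret', re: /^\s*\w*(password|secret|token)\w*\s*=\s*"[^"$]{8,}"/im },
];

// Returns { blocked, reason } for a pending write of `content` to `filePath`.
function checkWrite(filePath, content = '') {
  const base = filePath.split(/[\\/]/).pop();
  if (BLOCKED_NAMES.some((re) => re.test(base))) {
    return { blocked: true, reason: `sensitive file name: ${base}` };
  }
  const hit = SECRET_PATTERNS.find((p) => p.re.test(content));
  if (hit) return { blocked: true, reason: `${hit.name} in ${base}` };
  return { blocked: false, reason: null };
}

// Constructed samples (the access key is the AWS documentation example value).
const samples = [
  ['.env', 'DB_URL=postgres://localhost/app'],
  ['envs/dev.tfvars', 'instance_type = "t3.micro"\nregion = "ap-southeast-2"'],
  ['envs/prod.tfvars', 'db_password = "Sup3rS3cretValue"'],
  ['rds.tf', 'password = var.db_password'],
  ['providers.tf', 'access_key = "AKIAIOSFODNN7EXAMPLE"'],
];
for (const [file, body] of samples) {
  const r = checkWrite(file, body);
  console.log(`${file}: ${r.blocked ? 'BLOCK (' + r.reason + ')' : 'allow'}`);
}
```
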
MCPs: The External Integrations
MCP (Model Context Protocol) servers connect the AI agents to external services. These two MCPs are merged into the project's .mcp.json file.
| MCP Server | Purpose |
|---|---|
| hashicorp-terraform | Terraform Registry lookup, provider docs, AI-assisted HCL generation |
| awslabs-terraform | AWS-specific security scanning, compliance validation, best-practice checks |
The 3-Tier Testing Strategy
The bundle's testing architecture is designed around a simple principle: catch bugs at the cheapest tier possible.
| Tier | Environment | Cost | Speed | Coverage | When to Use |
|---|---|---|---|---|---|
| 1 | Local (no infra) | $0 | 2-3 seconds | 70-80% | Every code change |
| 2 | LocalStack (Docker) | $0 | 30-60 seconds | +15-20% | Before pull request |
| 3 | AWS Sandbox (real) | ~$5-10/month | 5-10 minutes | +5-10% | Before release |
The progressive gating skill enforces a hard gate between tiers: Tier 2 cannot start until Tier 1 passes at 100%. Tier 3 cannot start until Tier 2 passes at 100%. This prevents wasting cloud spend on code that fails basic validation.
How It Works: From Install to First Deploy
Step 1: Install — Run adlc --team terraform-aws in your project root. The CLI validates constitutional governance, installs all 27 components in dependency order, and merges MCP configurations.
Step 2: Develop — Write Terraform modules. The terraform-specialist agent and terraform-patterns skill provide real-time guidance on module structure, naming conventions, and state management.
Step 3: Test — Run /terraform:test. The master orchestrator drives your code through all three tiers. Failures at any tier block progression to the next.
Step 4: Estimate — Run /terraform:cost to get Infracost estimates tagged with FOCUS 1.3 FinOps metadata before any infrastructure is provisioned.
Step 5: Deploy — Run /terraform:deploy. The 35-checkpoint constitutional deployment validates security, compliance, cost, and architecture before requesting HITL (Human-In-The-Loop) approval.
What We Deliberately Excluded
Knowing what to leave out is as important as knowing what to include. Every exclusion has a reason.
| Component | Excluded Because |
|---|---|
| kubernetes-engineer agent | Not relevant for pure Terraform-on-AWS (separate K8s bundle planned) |
| meta-engineering-expert agent | Framework development, not infrastructure consumption |
| terraform/deploy-baseline command | Specialized for initial baseline setup, install individually |
| terraform/serverless command | Lambda/SAM niche, not core Terraform workflow |
| awslabs-iam MCP | Write operations too dangerous for automatic installation |
| finops/* skills (15+) | FinOps is a separate discipline; dedicated bundle planned |
| Settings merge | Complex conflict resolution; deferred to v2 |
Frequently Asked Questions
Customer FAQ
Q: Does this work with existing projects that already have some agents installed?
Yes. The CLI installs components that don't exist and skips components that are already present. MCP configurations are merged into your project's .mcp.json using a deep merge on the mcpServers key — existing entries are preserved, and only new server definitions are added. If a key already exists, the existing configuration takes precedence (no overwrite).
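
The merge rule described in this answer, as an added example that is not ADLC's installer code. Because an existing entry always wins, the sketch also reports kept entries that differ from what the bundle ships, so a reviewer can see which server definitions were left untouched. The function name, the report fields, and the sample server definitions are assumptions.

```javascript
// Added example, not ADLC's installer. Names and sample data are assumptions.

// Merge bundle MCP servers into an existing .mcp.json object without overwriting.
function mergeMcpConfig(existing, bundle) {
  const servers = { ...((existing && existing.mcpServers) || {}) };
  const report = { added: [], kept: [], conflicts: [] };
  for (const [name, def] of Object.entries(bundle.mcpServers || {})) {
    if (!Object.hasOwn(servers, name)) {
      servers[name] = JSON.parse(JSON.stringify(def)); // copy, do not alias bundle data
      report.added.push(name);
    } else {
      report.kept.push(name);
      // Existing entry takes precedence; flag it when it differs from the bundle's
      // (string comparison, so key order matters).
      if (JSON.stringify(servers[name]) !== JSON.stringify(def)) {
        report.conflicts.push(name);
      }
    }
  }
  return { config: { ...existing, mcpServers: servers }, report };
}

// Constructed sample data: commands and args are placeholders, not the bundle's values.
const existingConfig = {
  mcpServers: {
    'hashicorp-terraform': { command: 'docker', args: ['run', 'example/pinned-image:1.0'] },
    'team-internal': { command: 'node', args: ['tools/mcp.js'] },
  },
};
const bundleConfig = {
  mcpServers: {
    'hashicorp-terraform': { command: 'npx', args: ['example-terraform-mcp'] },
    'awslabs-terraform': { command: 'npx', args: ['example-aws-terraform-mcp'] },
  },
};

const result = mergeMcpConfig(existingConfig, bundleConfig);
console.log(JSON.stringify(result.report));
console.log(Object.keys(result.config.mcpServers).join(', '));
```
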
Q: Do I need all 27 components? Can I install a subset?
The bundle is designed as a cohesive unit — the components work together. However, you can always install individual components with adlc --agent, adlc --command, or adlc --skill flags. The bundle is a convenience, not a lock-in.
Q: What AWS account setup does this assume?
The bundle works with single-account and multi-account AWS Organizations. The profile-router skill supports up to 44+ accounts with role-based profile resolution. For single-account setups, the skill gracefully defaults to the active profile.
Q: How does this handle FSI (Financial Services) compliance?
The security-compliance-engineer agent is trained on APRA CPS 234 (Information Security), CPS 231 (Outsourcing), and the AWS Well-Architected FSI Lens. The 35-checkpoint deployment command includes specific FSI gates for encryption, network isolation, IAM least-privilege, and audit logging.
Q: What's the cost of running the 3-tier tests?
Tier 1 and Tier 2 are completely free ($0). Tier 3 uses a real AWS Sandbox account and costs approximately $5-10/month depending on the resources your modules create. The aws-sandbox-testing skill includes automatic cleanup to minimize costs.
Q: Can I preview what will be installed before running the command?
Yes. Run adlc --team-info terraform-aws to see the full component list with descriptions before installing anything.
Technical FAQ
Q: How is the installation order determined?
Agents are installed in constitutional governance order: product-owner first, cloud-architect second, then specialists. Commands, skills, hooks, and MCPs are installed in the order they appear in the bundle definition. Hooks are merged into the project's .claude/settings.json via the existing hook installation mechanism.
Q: How does progressive gating work technically?
The progressive-gating skill teaches agents to check for evidence files in tmp/test-results/ before proceeding to the next tier. Tier 2 requires tmp/test-results/tier1-static/ to contain passing results. Tier 3 requires tmp/test-results/tier2-unit/ to contain passing results. This is enforced at the skill level, not at the CLI level — meaning agents cannot be tricked into skipping tiers.
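
The evidence check described in this answer, written as a deterministic function that a script or CI job could run; this is an added example, not part of the progressive-gating skill. The directory names come from the page. The JSON result shape (`total`, `passed`) and the function names are assumptions. The check fails closed: a missing directory, an empty directory, or an unreadable result blocks the next tier.

```javascript
// Added example, not the skill's own logic. Result file shape is an assumption.
const fs = require('node:fs');
const path = require('node:path');

// Evidence each tier needs before it may start (directory names from the page).
const REQUIRED_EVIDENCE = { 1: [], 2: ['tier1-static'], 3: ['tier2-unit'] };

// A directory passes only if it holds at least one result and every result is 100%.
function evidencePasses(dir) {
  let files;
  try {
    files = fs.readdirSync(dir).filter((f) => f.endsWith('.json'));
  } catch {
    return { ok: false, reason: `missing evidence directory ${dir}` };
  }
  if (files.length === 0) return { ok: false, reason: `no results in ${dir}` };
  for (const f of files) {
    let r;
    try {
      r = JSON.parse(fs.readFileSync(path.join(dir, f), 'utf8'));
    } catch {
      return { ok: false, reason: `unreadable result ${f}` };
    }
    if (!(r && r.total > 0 && r.passed === r.total)) {
      return { ok: false, reason: `${f}: ${r && r.passed}/${r && r.total} passed` };
    }
  }
  return { ok: true, reason: null };
}

// Returns { allowed, reason } for starting the given tier.
function canRunTier(tier, root = 'tmp/test-results') {
  if (!Object.hasOwn(REQUIRED_EVIDENCE, tier)) {
    return { allowed: false, reason: `unknown tier ${tier}` };
  }
  for (const name of REQUIRED_EVIDENCE[tier]) {
    const res = evidencePasses(path.join(root, name));
    if (!res.ok) return { allowed: false, reason: res.reason };
  }
  return { allowed: true, reason: null };
}

console.log(canRunTier(2)); // result depends on the evidence present in tmp/test-results
```
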
Q: What happens if a component fails to install?
The CLI continues with remaining components and reports a summary at the end. Each component type tracks its own success count independently:
```
Agents: 7/7 installed
Commands: 8/8 installed
Skills: 7/7 installed
Hooks: 3/3 installed
MCPs: 2/2 merged
```
If any component fails, the bundle reports as "partially installed" with the specific failure details. You can re-run the command to retry failed components.
Q: Is this backwards-compatible with existing agent-only bundles?
Yes. The multi-component extension uses optional arrays (bundle.commands || [], bundle.skills || []). Existing bundles like enterprise-devops have no commands, skills, hooks, or mcps properties — the installer gracefully skips those phases. Zero changes to existing bundle behavior.
Q: How does the 4-way cross-validation skill work?
The cross-validation-mcp-api skill teaches agents to verify infrastructure state through four independent channels:
All four sources must agree. Any discrepancy triggers investigation before the agent can claim the operation is complete.
Q: Can I build my own multi-component bundle?
Yes. The terraform-aws bundle establishes the pattern. Add a new entry to framework/cli/src/config/team-bundles.js with agents, commands, skills, hooks, and mcps arrays. The install mechanism handles all five component types automatically.
What's Next
The terraform-aws bundle is the first multi-component bundle. The pattern is now proven and extensible. On the roadmap:
| Bundle | Components | Target |
|---|---|---|
| cdk-aws | ~25 | AWS CDK TypeScript development with 3-tier testing |
| kubernetes | ~20 | K3D/K3S cluster management and GitOps |
| finops | ~18 | Multi-cloud cost optimization and reporting |
| security-audit | ~15 | Comprehensive security scanning and compliance |
Future enhancements for the bundle mechanism itself:
- --dry-run flag — Preview all file changes before installation
- Bundle uninstall — adlc --team-remove terraform-aws
- Bundle versioning — Pin to a specific framework version
- Settings merge — Intelligent conflict resolution for .claude/settings.json
Try It Now
```bash
# Preview what will be installed
adlc --team-info terraform-aws

# Install the complete bundle
adlc --team terraform-aws

# Verify governance compliance
adlc --team terraform-aws --governance-check
```
Browse Individual Components
Every component in this bundle is available in the ADLC Component Marketplace. Install them individually or build your own custom stack:
| Component | Browse in Marketplace | Install Command |
|---|---|---|
| infrastructure-engineer | Browse | npx adlc@latest install infrastructure-engineer |
| terraform-patterns | Browse | npx adlc@latest install terraform-patterns |
| profile-router | Browse | npx adlc@latest install profile-router |
| localstack-testing | Browse | npx adlc@latest install localstack-testing |
| aws-sandbox-testing | Browse | npx adlc@latest install aws-sandbox-testing |
Or build a custom stack with the Stack Builder.
27 components. One command. ~10 minutes to a production-grade environment.
