This page is generated from skills/eks-operation-review/references/infrastructure-as-code.md. Edit the source, not this page.
This skill is sourced from eks-operation-review, also maintained by the APEX team.
Infrastructure as Code & GitOps
Purpose
Assess whether cluster infrastructure and workload deployments are reproducible, auditable, and version-controlled.
Automation Note
This section is only partially automatable. The skill can detect tool presence (ArgoCD, Flux, CloudFormation stacks, cluster tags) but cannot assess process maturity (PR reviews, pipeline enforcement). Process-dependent items are marked UNKNOWN.
Checks to Execute
2.1 — Cluster Provisioned via IaC
What to check:
- Cluster tags for IaC provenance (terraform, eksctl, cdk, aws:cloudformation:stack-name)
- CloudFormation stacks with "eks" or "EKS" in the name
How to check:
- Describe cluster → inspect `tags` for IaC indicators (tags were already retrieved in Step 0 pre-flight — reuse that data, do NOT call `manage_eks_stacks`)
- Look for tags: `terraform`, `managed-by`, `aws:cloudformation:stack-name`, `eksctl.cluster.k8s.io/*`, `aws:cdk:*`
Rating:
- 🟢 GREEN: Clear IaC provenance in tags (CloudFormation stack, Terraform tags, eksctl tags)
- 🟡 AMBER: IaC tags present but unclear if current, or eksctl-created (basic IaC)
- 🔴 RED: No IaC tags — cluster appears console/CLI-created
- ⬜ UNKNOWN: Tags alone cannot confirm if IaC is pipeline-driven or manually applied — suggest user verify
Investigate manually: Is IaC applied via CI/CD pipeline or manually? Could you recreate this cluster from code?
2.2 — Workload Deployment via GitOps or CI/CD
What to check:
- ArgoCD namespace and Application resources
- Flux namespace and Kustomization resources
- Other CD tools (Spinnaker, Tekton namespaces)
How to check:
- List namespaces → check for `argocd`, `flux-system`, `spinnaker`, `tekton-pipelines`
- If `argocd` namespace exists → list `applications.argoproj.io` resources, check sync status
- If `flux-system` exists → list `kustomizations.kustomize.toolkit.fluxcd.io` resources
Rating:
- 🟢 GREEN: GitOps tool active with apps in-sync
- 🟡 AMBER: GitOps tool installed but apps out-of-sync, or CI/CD present but no GitOps
- 🔴 RED: No GitOps or CI/CD tools detected
- ⬜ UNKNOWN: No GitOps tools found — could still have external CI/CD. Suggest user verify: how do teams deploy workloads?
2.3 — Configuration Drift Detection & Remediation
What to check:
- ArgoCD auto-sync and self-heal settings
- Flux reconciliation status
How to check:
- If ArgoCD present → read Application resources, check `spec.syncPolicy.automated` for `selfHeal: true`
- If Flux present → check kustomization ready status
Rating:
- 🟢 GREEN: GitOps with self-heal enabled, all apps in-sync
- 🟡 AMBER: GitOps present but no self-heal, or some apps out-of-sync
- 🔴 RED: No drift detection mechanism
- ⬜ UNKNOWN: No GitOps tools found
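The rating logic for checks 2.1 and 2.3, as an added example that is not part of the eks-operation-review skill itself: it scores a cluster tag map and a list of ArgoCD Application objects (the shapes returned by `aws eks describe-cluster` tags and `kubectl get applications.argoproj.io -o json`, trimmed to the fields the checks read) against the GREEN/AMBER/RED tables above. The tag prefixes and sample Application objects are constructed for the example.

```python
from typing import Dict, List, Optional

# Tag keys/prefixes the 2.1 check treats as IaC provenance (taken from the check list above).
IAC_TAG_PREFIXES = ("terraform", "managed-by", "aws:cloudformation:stack-name",
                    "eksctl.cluster.k8s.io/", "aws:cdk:")


def rate_cluster_iac(tags: Dict[str, str]) -> str:
    """2.1: classify IaC provenance from the cluster's tag map (keys compared case-insensitively)."""
    matched = [k for k in (key.lower() for key in tags) if k.startswith(IAC_TAG_PREFIXES)]
    if not matched:
        return "RED"  # no IaC tags: cluster looks console/CLI-created
    if all(k.startswith("eksctl.cluster.k8s.io/") for k in matched):
        return "AMBER"  # eksctl-only provenance counts as basic IaC
    return "GREEN"


def _self_heal_and_synced(app: dict) -> bool:
    """True when an Application has selfHeal enabled and reports Synced."""
    automated = (app.get("spec", {}).get("syncPolicy") or {}).get("automated") or {}
    synced = (app.get("status", {}).get("sync") or {}).get("status") == "Synced"
    return automated.get("selfHeal") is True and synced


def rate_argocd_drift(apps: Optional[List[dict]]) -> str:
    """2.3: GREEN needs selfHeal on every Application and every app Synced; None means ArgoCD absent."""
    if apps is None:
        return "RED"  # no ArgoCD: no drift-remediation mechanism to assess
    if not apps:
        return "UNKNOWN"  # ArgoCD installed but nothing is deployed through it
    return "GREEN" if all(_self_heal_and_synced(a) for a in apps) else "AMBER"


def apps_needing_attention(apps: List[dict]) -> List[str]:
    """Names of Applications that pull 2.3 below GREEN, for the report's investigate line."""
    return [a["metadata"]["name"] for a in apps if not _self_heal_and_synced(a)]


# Constructed sample: two ArgoCD Application objects, trimmed to the fields the check reads.
SAMPLE_APPS = [
    {"metadata": {"name": "payments"},
     "spec": {"syncPolicy": {"automated": {"prune": True, "selfHeal": True}}},
     "status": {"sync": {"status": "Synced"}}},
    {"metadata": {"name": "ingress"},
     "spec": {"syncPolicy": {"automated": {}}},  # auto-sync on, selfHeal left off
     "status": {"sync": {"status": "OutOfSync"}}},
]

if __name__ == "__main__":
    print(rate_cluster_iac({"aws:cloudformation:stack-name": "eks-prod"}))  # GREEN
    print(rate_argocd_drift(SAMPLE_APPS), apps_needing_attention(SAMPLE_APPS))  # AMBER ['ingress']
```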
2.4 — Access Control & RBAC Defined in Code
What to check:
- Authentication mode (API, CONFIG_MAP, API_AND_CONFIG_MAP)
- EKS Access Entries
- ClusterRoleBindings to cluster-admin
- Whether RBAC resources have GitOps labels
How to check:
- Describe cluster → `accessConfig.authenticationMode`
- List access entries
- List ClusterRoleBindings → filter for `roleRef.name == "cluster-admin"`
- Check ClusterRoles/ClusterRoleBindings for labels indicating Helm/ArgoCD management
Rating:
- 🟢 GREEN: API mode with Access Entries, RBAC managed by GitOps, cluster-admin limited
- 🟡 AMBER: API_AND_CONFIG_MAP (transitional), or RBAC partially in code
- 🔴 RED: CONFIG_MAP only with manual edits, broad cluster-admin access
- ⬜ UNKNOWN: Cannot determine if RBAC changes go through PR review — suggest user verify