iac on MD/Blog https://www.ducea.com/tag/iac/ Recent content in iac on MD/Blog Hugo -- gohugo.io en Sun, 12 Oct 2025 10:20:55 +0000 HowTo use Kiro hooks to enforce IaC standards https://www.ducea.com/2025/10/12/howto-use-kiro-hooks-to-enforce-iac-standards/ Sun, 12 Oct 2025 10:20:55 +0000 https://www.ducea.com/2025/10/12/howto-use-kiro-hooks-to-enforce-iac-standards/ <p><a href="https://kiro.dev/docs/cli/hooks/">Kiro hooks</a> are actions that trigger at specific points in the agent&rsquo;s lifecycle: before or after a tool call, when a file is saved, when the agent stops, or when you manually fire them. A hook can either run a shell command or send a prompt back to the agent. They&rsquo;re how you get the agent to actually follow your team&rsquo;s rules, not just write code that compiles.</p> <p>When Kiro writes Terraform, the default loop is: agent writes the .tf, you eyeball it, you push, CI complains, you go back to the agent. Hooks shorten that loop by running validators during the agent&rsquo;s own turn. Bad code never makes it to the PR.</p> <p>This post shows how to wire up four checks for Terraform work and back them with a steering document. The setup assumes apply happens in CI (Atlantis or similar). Hooks are about the local feedback loop, not gating production.</p> <p>The four checks:</p> <ul> <li><strong>terraform validate</strong> — catches invalid HCL and schema errors</li> <li><strong>terraform fmt</strong> — small formatting issues, auto-fix</li> <li><strong>tflint</strong> — bigger linter issues (provider-specific best practices, deprecations)</li> <li><strong>trivy</strong> — security misconfigurations (which absorbed tfsec)</li> </ul> <h3 id="step-1-where-things-live">Step 1: Where things live</h3> <p>Kiro hooks are <code>.kiro.hook</code> files that live in <code>.kiro/hooks/</code> inside your workspace (or <code>~/.kiro/hooks/</code> for user-level hooks that apply everywhere). Each hook is its own file with a <code>when</code>/<code>then</code> structure — what event triggers it, and what action to take.</p> <p>There are two action types: <code>runCommand</code> executes a shell command, and <code>askAgent</code> sends a prompt back to the agent so it can act on the result. Some checks work better as agent prompts than shell scripts — more on that below.</p> <p>Steering documents go in <code>.kiro/steering/</code>. We&rsquo;ll create one of those too.</p> <p>Here&rsquo;s what we&rsquo;re building:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">.kiro/ </span></span><span class="line"><span class="cl">├── hooks/ </span></span><span class="line"><span class="cl">│ ├── terraform-fmt-validate.kiro.hook </span></span><span class="line"><span class="cl">│ ├── terraform-lint-scan.kiro.hook </span></span><span class="line"><span class="cl">│ ├── terraform-lint-scan.sh </span></span><span class="line"><span class="cl">│ └── block-terraform-apply.kiro.hook </span></span><span class="line"><span class="cl">└── steering/ </span></span><span class="line"><span class="cl"> └── terraform.md </span></span></code></pre></div><h3 id="step-2-auto-format-and-validate-on-save">Step 2: Auto-format and validate on save</h3> <p>The first hook fires whenever you save a <code>.tf</code> file. It uses <code>askAgent</code> to tell the agent to run <code>terraform fmt</code> and <code>terraform validate</code> and surface any errors.</p> <p><code>.kiro/hooks/terraform-fmt-validate.kiro.hook</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;enabled&#34;</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;Validate&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;description&#34;</span><span class="p">:</span> <span class="s2">&#34;Runs terraform fmt to format and terraform validate to check syntax whenever a .tf file is saved.&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;version&#34;</span><span class="p">:</span> <span class="s2">&#34;1&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;when&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;fileEdited&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;patterns&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;**/*.tf&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;then&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;askAgent&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;prompt&#34;</span><span class="p">:</span> <span class="s2">&#34;A .tf file was saved. Run &#39;terraform fmt&#39; on the saved file, then run &#39;terraform validate&#39; in its parent directory. Surface any errors.&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>Why <code>askAgent</code> and not <code>runCommand</code>? A shell script would just print errors. I like using <code>askAgent</code> here because the agent can read the output and fix issues in the same turn, which is the whole point. The <code>enabled</code> flag also lets you toggle hooks on and off without deleting them.</p> <h3 id="step-3-lint-and-security-scan-at-end-of-turn">Step 3: Lint and security scan at end of turn</h3> <p>Running <strong>tflint</strong> and <strong>trivy</strong> after every single file save is overkill — they&rsquo;re slower and the agent often writes multiple files in a turn. Better to run them once when the agent finishes using the <code>agentStop</code> event, which fires at the end of every agent response.</p> <p>This hook uses <code>askAgent</code> to check whether any <code>.tf</code> files were touched, and if so, calls a shell script that runs both linters. The script lives alongside the hook files.</p> <p><code>.kiro/hooks/terraform-lint-scan.sh</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="cp">#!/usr/bin/env bash </span></span></span><span class="line"><span class="cl"><span class="cp"></span><span class="nb">set</span> -euo pipefail </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Find all directories containing .tf files</span> </span></span><span class="line"><span class="cl"><span class="nv">tf_dirs</span><span class="o">=</span><span class="k">$(</span>find . -name <span class="s1">&#39;*.tf&#39;</span> -not -path <span class="s1">&#39;*/.terraform/*&#39;</span> -exec dirname <span class="o">{}</span> <span class="se">\;</span> <span class="p">|</span> sort -u<span class="k">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[</span> -z <span class="s2">&#34;</span><span class="nv">$tf_dirs</span><span class="s2">&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;No .tf files found, skipping.&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">for</span> dir in <span class="nv">$tf_dirs</span><span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;==&gt; Running tflint in </span><span class="nv">$dir</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> tflint --chdir<span class="o">=</span><span class="s2">&#34;</span><span class="nv">$dir</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;==&gt; Running trivy config scan on </span><span class="nv">$dir</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> trivy config <span class="s2">&#34;</span><span class="nv">$dir</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span></code></pre></div><p>And the hook definition at <code>.kiro/hooks/terraform-lint-scan.kiro.hook</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;enabled&#34;</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;Terraform Lint &amp; Scan&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;description&#34;</span><span class="p">:</span> <span class="s2">&#34;Runs tflint and trivy config scan on all directories containing .tf files once the agent finishes its turn.&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;version&#34;</span><span class="p">:</span> <span class="s2">&#34;1&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;when&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;agentStop&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;then&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;askAgent&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;prompt&#34;</span><span class="p">:</span> <span class="s2">&#34;Check if any .tf files were created or modified during this session. If yes, run: bash .kiro/hooks/terraform-lint-scan.sh and surface the findings. If no .tf files were touched, do nothing and skip silently.&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>If either linter finds something, the agent surfaces the findings and can fix them in the same turn.</p> <p><em>Very handy.</em></p> <p>I tested this with tflint v0.55+ and trivy v0.58+. Both have to be installed locally. On macOS: <code>brew install tflint trivy</code>.</p> <h3 id="step-4-discourage-local-apply">Step 4: Discourage local apply</h3> <p>Local apply skips CI, skips review, skips state locking conventions. This hook is advisory, not a hard block — see the note at the end — but it catches the common case.</p> <p>It uses <code>preToolUse</code> on shell commands with an <code>askAgent</code> prompt. The agent checks the command before it runs and refuses if it&rsquo;s an apply or destroy.</p> <p><code>.kiro/hooks/block-terraform-apply.kiro.hook</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;enabled&#34;</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;Block Terraform Apply&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;description&#34;</span><span class="p">:</span> <span class="s2">&#34;Prevents terraform apply and terraform destroy from being run locally. Push the PR and let CI handle it.&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;version&#34;</span><span class="p">:</span> <span class="s2">&#34;1&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;when&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;preToolUse&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;toolTypes&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;shell&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;then&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;askAgent&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;prompt&#34;</span><span class="p">:</span> <span class="s2">&#34;Check if the command being executed contains &#39;terraform apply&#39; or &#39;terraform destroy&#39;. If it does, STOP and do NOT run the command. Instead, tell the user: &#39;terraform apply/destroy is blocked locally. Push the PR and let CI handle it.&#39; If the command does not contain terraform apply or destroy, proceed normally.&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p><code>terraform plan</code> still works, so the agent can preview changes. Hopefully Kiro will add a proper <code>denyCommand</code> action at some point so we don&rsquo;t have to rely on the agent being well-behaved for this.</p> <h3 id="step-5-a-steering-document-with-your-teams-iac-standards">Step 5: A steering document with your team&rsquo;s IaC standards</h3> <p>Hooks catch mechanical errors. The steering document is where you encode the things linters can&rsquo;t catch — your team&rsquo;s conventions, naming patterns, what modules to use. Put it at <code>.kiro/steering/terraform.md</code> in your workspace.</p> <p>A starting point for what to put in there. Adjust to your team&rsquo;s actual standards:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-mysql" data-lang="mysql"><span class="line"><span class="cl"><span class="c1"># Terraform standards </span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c1">## File and resource conventions </span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="o">-</span><span class="w"> </span><span class="n">One</span><span class="w"> </span><span class="n">resource</span><span class="w"> </span><span class="n">per</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="k">when</span><span class="w"> </span><span class="n">possible</span><span class="p">.</span><span class="w"> </span><span class="k">Group</span><span class="w"> </span><span class="n">tightly</span><span class="o">-</span><span class="n">related</span><span class="w"> </span><span class="nf">resources</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">(</span><span class="n">e</span><span class="p">.</span><span class="n">g</span><span class="p">.,</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">Lambda</span><span class="w"> </span><span class="n">function</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="n">its</span><span class="w"> </span><span class="n">IAM</span><span class="w"> </span><span class="n">role</span><span class="p">)</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">same</span><span class="w"> </span><span class="n">file</span><span class="p">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="o">-</span><span class="w"> </span><span class="n">Resource</span><span class="w"> </span><span class="n">names</span><span class="w"> </span><span class="k">use</span><span class="w"> </span><span class="n">snake_case</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="n">start</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">noun</span><span class="w"> </span><span class="n">describing</span><span class="w"> </span><span class="n">what</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">resource</span><span class="w"> </span><span class="k">is</span><span class="p">,</span><span class="w"> </span><span class="k">not</span><span class="w"> </span><span class="n">what</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="n">does</span><span class="p">.</span><span class="w"> </span><span class="o">`</span><span class="n">vpc_main</span><span class="o">`</span><span class="p">,</span><span class="w"> </span><span class="k">not</span><span class="w"> </span><span class="o">`</span><span class="n">main_vpc</span><span class="o">`</span><span class="p">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="o">-</span><span class="w"> </span><span class="k">All</span><span class="w"> </span><span class="n">variables</span><span class="w"> </span><span class="n">have</span><span class="w"> </span><span class="o">`</span><span class="n">type</span><span class="o">`</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="o">`</span><span class="n">description</span><span class="o">`</span><span class="p">.</span><span class="w"> </span><span class="k">Sensitive</span><span class="w"> </span><span class="n">variables</span><span class="w"> </span><span class="n">have</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="o">`</span><span class="k">sensitive</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="no">true</span><span class="o">`</span><span class="p">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="o">-</span><span class="w"> </span><span class="n">Provider</span><span class="w"> </span><span class="n">versions</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">pinned</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="o">`~&gt;`</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="o">`</span><span class="n">versions</span><span class="p">.</span><span class="n">tf</span><span class="o">`</span><span class="p">.</span><span class="w"> </span><span class="n">Never</span><span class="w"> </span><span class="o">`&gt;=`</span><span class="p">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c1">## Modules </span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="o">-</span><span class="w"> </span><span class="k">Use</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">company</span><span class="w"> </span><span class="o">`</span><span class="n">terraform</span><span class="o">-</span><span class="n">aws</span><span class="o">-</span><span class="n">eks</span><span class="o">`</span><span class="w"> </span><span class="n">module</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">EKS</span><span class="p">,</span><span class="w"> </span><span class="n">do</span><span class="w"> </span><span class="k">not</span><span class="w"> </span><span class="k">declare</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">raw</span><span class="w"> </span><span class="o">`</span><span class="n">aws_eks_cluster</span><span class="o">`</span><span class="w"> </span><span class="n">resources</span><span class="p">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="o">-</span><span class="w"> </span><span class="k">Use</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">company</span><span class="w"> </span><span class="o">`</span><span class="n">terraform</span><span class="o">-</span><span class="n">aws</span><span class="o">-</span><span class="n">s3</span><span class="o">-</span><span class="n">secure</span><span class="o">`</span><span class="w"> </span><span class="n">module</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">S3</span><span class="w"> </span><span class="n">bucket</span><span class="p">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="o">-</span><span class="w"> </span><span class="n">Modules</span><span class="w"> </span><span class="n">sourced</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">internal</span><span class="w"> </span><span class="n">registry</span><span class="p">,</span><span class="w"> </span><span class="n">never</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="o">`</span><span class="n">github</span><span class="p">.</span><span class="n">com</span><span class="o">`</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">directly</span><span class="p">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c1">## Required tags </span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="o">-</span><span class="w"> </span><span class="n">Every</span><span class="w"> </span><span class="n">resource</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="n">supports</span><span class="w"> </span><span class="n">tags</span><span class="w"> </span><span class="n">must</span><span class="w"> </span><span class="n">have</span><span class="p">:</span><span class="w"> </span><span class="o">`</span><span class="n">Owner</span><span class="o">`</span><span class="p">,</span><span class="w"> </span><span class="o">`</span><span class="n">Environment</span><span class="o">`</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="o">`</span><span class="n">ManagedBy</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;terraform&#34;</span><span class="o">`</span><span class="p">,</span><span class="w"> </span><span class="o">`</span><span class="n">CostCenter</span><span class="o">`</span><span class="p">,</span><span class="w"> </span><span class="o">`</span><span class="n">Repository</span><span class="o">`</span><span class="p">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="o">-</span><span class="w"> </span><span class="k">Use</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="o">`</span><span class="n">default_tags</span><span class="o">`</span><span class="w"> </span><span class="n">block</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">provider</span><span class="w"> </span><span class="k">when</span><span class="w"> </span><span class="n">possible</span><span class="p">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c1">## Things to never do </span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="o">-</span><span class="w"> </span><span class="n">No</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="n">ACLs</span><span class="w"> </span><span class="k">on</span><span class="w"> </span><span class="n">S3</span><span class="w"> </span><span class="nf">buckets</span><span class="w"> </span><span class="p">(</span><span class="o">`</span><span class="n">acl</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;public-read&#34;</span><span class="o">`</span><span class="w"> </span><span class="n">etc</span><span class="p">.).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="o">-</span><span class="w"> </span><span class="n">No</span><span class="w"> </span><span class="o">`</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="o">`</span><span class="w"> </span><span class="n">ingress</span><span class="w"> </span><span class="k">on</span><span class="w"> </span><span class="n">security</span><span class="w"> </span><span class="n">groups</span><span class="w"> </span><span class="n">except</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">resources</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">explicitly</span><span class="w"> </span><span class="n">tagged</span><span class="w"> </span><span class="o">`</span><span class="n">Public</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="o">`</span><span class="p">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="o">-</span><span class="w"> </span><span class="n">No</span><span class="w"> </span><span class="n">hardcoded</span><span class="w"> </span><span class="n">AWS</span><span class="w"> </span><span class="n">account</span><span class="w"> </span><span class="n">IDs</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="n">ARNs</span><span class="p">.</span><span class="w"> </span><span class="k">Use</span><span class="w"> </span><span class="o">`</span><span class="n">data</span><span class="w"> </span><span class="s2">&#34;aws_caller_identity&#34;</span><span class="o">`</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="o">`</span><span class="n">data</span><span class="o">`</span><span class="w"> </span><span class="n">sources</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">ARNs</span><span class="p">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="o">-</span><span class="w"> </span><span class="n">No</span><span class="w"> </span><span class="o">`</span><span class="n">aws_iam_policy</span><span class="o">`</span><span class="w"> </span><span class="n">declared</span><span class="w"> </span><span class="n">inline</span><span class="w"> </span><span class="n">outside</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">approved</span><span class="w"> </span><span class="n">modules</span><span class="p">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c1">## Workflow </span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="o">-</span><span class="w"> </span><span class="n">After</span><span class="w"> </span><span class="n">modifying</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="p">.</span><span class="n">tf</span><span class="w"> </span><span class="n">file</span><span class="p">,</span><span class="w"> </span><span class="n">validate</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="o">`</span><span class="n">terraform</span><span class="w"> </span><span class="n">validate</span><span class="o">`</span><span class="p">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">If</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="n">fails</span><span class="p">,</span><span class="w"> </span><span class="n">fix</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="k">before</span><span class="w"> </span><span class="n">reporting</span><span class="w"> </span><span class="n">back</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="k">user</span><span class="p">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="o">-</span><span class="w"> </span><span class="n">After</span><span class="w"> </span><span class="n">making</span><span class="w"> </span><span class="n">meaningful</span><span class="w"> </span><span class="n">changes</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">directory</span><span class="p">,</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="o">`</span><span class="n">tflint</span><span class="o">`</span><span class="w"> </span><span class="k">and</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="o">`</span><span class="n">trivy</span><span class="o">`</span><span class="w"> </span><span class="k">on</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="n">surface</span><span class="w"> </span><span class="n">findings</span><span class="p">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="o">-</span><span class="w"> </span><span class="n">Never</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="o">`</span><span class="n">terraform</span><span class="w"> </span><span class="n">apply</span><span class="o">`</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="o">`</span><span class="n">terraform</span><span class="w"> </span><span class="n">destroy</span><span class="o">`</span><span class="w"> </span><span class="n">locally</span><span class="p">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">Apply</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">handled</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">CI</span><span class="p">.</span><span class="w"> </span></span></span></code></pre></div><p>Without a steering doc the agent writes generic Terraform. With one it writes like someone who actually read your wiki.</p> <h3 id="a-note-on-ci">A note on CI</h3> <p>Run <code>terraform fmt</code>, <code>tflint</code>, and <code>trivy</code> in CI as a backstop. Hooks can be bypassed: they can be disabled with the <code>enabled</code> flag, they only fire when changes go through Kiro&rsquo;s tools or editor saves, and an agent following <code>askAgent</code> prompts is ultimately advisory — it&rsquo;s an LLM, not a hard gate. CI is the boundary that actually has to hold.</p> <p>The point of hooks isn&rsquo;t to replace CI. It&rsquo;s faster feedback. Catch the issue during the agent&rsquo;s turn while it&rsquo;s still in context, not 20 minutes later in PR review when you&rsquo;ve moved on to something else.</p> <p>That&rsquo;s it.</p>