Platform Engineering — IaC with Terraform and Kubernetes
Infrastructure as code with specialized Terraform agents, verified and with provenance tracking.
[Architecture diagram]
Context
Platform team managing infrastructure as code with Terraform and Kubernetes via ArgoCD GitOps. SOC 2 auditors ask who authorized each IAM policy.
Flow with 4 tools
◻ Phase 01 — intake
IaC spec
Normalizes infra requirements from Jira, Slack, and RFCs.
◻ intake
intake init "New RDS Aurora Cluster" \
--source jira://PLATFORM/PLAT-892 \
--source slack://platform-team/thread-rds \
--source docs/rfc-aurora-migration.md \
--format architect

△ Phase 02 — architect
Custom infra agents
Loop with a specialized Terraform agent and infra validations.
△ architect
architect loop "Create Terraform module for Aurora per spec" \
--agent terraform \
--check "terraform -chdir=modules/aurora validate" \
--check "tflint --chdir=modules/aurora" \
--check "vigil scan modules/aurora/" \
--max-iterations 15

◇ Phase 03 — vigil
Infrastructure security
Scans infrastructure modules for vulnerabilities.
◇ vigil
vigil scan modules/ --format sarif --output vigil-infra.sarif

⬡ Phase 04 — licit
AI-generated IaC provenance
Documents which Terraform modules were generated by agents for SOC 2 audits.
⬡ licit
licit trace
licit connect vigil --sarif vigil-infra.sarif
licit report --format markdown
licit changelog

Why licit is critical here
In SOC 2 audits, auditors ask who authorized a given IAM policy. If an AI agent generated it, licit records that with provenance tracking. The config changelog detects whether anyone changed the terraform agent's system prompt.
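To make the provenance and changelog ideas from phases 03 and 04 concrete, here is an added example of the kind of record an auditor would want and the check that flags a changed agent prompt. This is illustrative code written for this page, not licit's or vigil's own implementation: the function names (build_record, prompt_changed, release_allowed), the module source, the agent configuration and the scanner output are all constructed here, and the only external assumption is that the scanner writes standard SARIF 2.1.0 (runs → tool.driver.name, results → ruleId, level, locations).

```python
"""Provenance ledger for AI-generated Terraform modules.

Added example, not licit's or vigil's own code. It shows the kind of record
a SOC 2 auditor asks for (which module, which agent and prompt, who
authorized it, what the scanner found) and a check that flags a change to
the agent's system prompt after the module was generated. Every input below
is a constructed sample; the SARIF document follows the SARIF 2.1.0 layout.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: Terraform source the terraform agent is assumed to have written.
SAMPLE_MODULE_SOURCE = '''resource "aws_rds_cluster" "aurora" {
  cluster_identifier = "platform-aurora"
  engine             = "aurora-postgresql"
  storage_encrypted  = true
}
'''

# Constructed sample: the agent configuration in force when the module was generated.
AGENT_CONFIG = {
    "agent": "terraform",
    "system_prompt": "You write Terraform modules. Never disable encryption at rest.",
}

# Constructed sample: a SARIF document in the shape vigil-infra.sarif would have.
# The rule id is a placeholder, not a real scanner rule.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "vigil"}},
        "results": [
            {"ruleId": "EXAMPLE-RDS-001", "level": "warning",
             "message": {"text": "backup retention below policy minimum"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "modules/aurora/main.tf"}}}]},
        ],
    }],
}


def sha256_hex(text: str) -> str:
    """Content hash that ties a record to the exact file and prompt bytes."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def sarif_findings(sarif: dict) -> list[dict]:
    """Flatten SARIF runs/results into (tool, rule, level, file) rows."""
    rows = []
    for run in sarif.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            locs = result.get("locations", [])
            uri = (locs[0]["physicalLocation"]["artifactLocation"]["uri"]
                   if locs else "")
            rows.append({"tool": tool, "rule": result.get("ruleId", ""),
                         "level": result.get("level", "none"), "file": uri})
    return rows


def build_record(module_path: str, module_source: str, agent_config: dict,
                 authorized_by: str, sarif: dict) -> dict:
    """One provenance record: what was generated, by which agent and prompt,
    who approved it, and what the scanner reported against that module."""
    findings = [f for f in sarif_findings(sarif)
                if f["file"].startswith(module_path)]
    return {
        "module": module_path,
        "module_sha256": sha256_hex(module_source),
        "generated_by": {
            "agent": agent_config["agent"],
            "prompt_sha256": sha256_hex(agent_config["system_prompt"]),
        },
        "authorized_by": authorized_by,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "scan": {"findings": findings,
                 "errors": sum(1 for f in findings if f["level"] == "error")},
    }


def prompt_changed(record: dict, current_config: dict) -> bool:
    """The changelog check: has the agent's system prompt changed since this
    module was generated? If so, the record no longer describes how the
    agent behaves today and the change itself needs an owner."""
    return record["generated_by"]["prompt_sha256"] != sha256_hex(
        current_config["system_prompt"])


def release_allowed(record: dict) -> bool:
    """Gate: a module with error-level scanner findings is not released."""
    return record["scan"]["errors"] == 0


if __name__ == "__main__":
    rec = build_record("modules/aurora", SAMPLE_MODULE_SOURCE, AGENT_CONFIG,
                       authorized_by="platform-lead@example.com", sarif=SAMPLE_SARIF)
    print(json.dumps(rec, indent=2))
    edited = dict(AGENT_CONFIG,
                  system_prompt=AGENT_CONFIG["system_prompt"] + " Keep modules short.")
    print("prompt changed since generation:", prompt_changed(rec, edited))
```

The record stores hashes rather than the prompt or module text, so it can sit in the repository next to the module and be diffed by reviewers; the authorizer field is what answers the auditor's "who approved this" question, and the prompt hash is what lets a later changelog run prove whether the agent that produced a module was still configured the same way.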