
Claude Code Skills for Infrastructure

Infrastructure work is where small decisions have outsized consequences. A misconfigured Terraform module or an under-provisioned database doesn't just cause a bug — it causes an outage. These skills help you review infrastructure code, plan migrations, optimize cloud costs, design network topologies, and manage the Kubernetes manifests and backup strategies that keep production running.

Published by ClaudeVault. 7 skills.

Key takeaway

ClaudeVault's infrastructure skills give Claude Code structured workflows for the Terraform modules, Kubernetes manifests, network topologies, cloud cost reviews, backup strategies, and database migrations that keep production stable. They cover Terraform and OpenTofu review, Kubernetes 4C security hardening, FinOps-driven cost optimization, expand-contract schema migrations, and the 3-2-1-1-0 backup rule — turning Claude into an infrastructure reviewer that catches misconfigurations before they become outages.

At a glance

  • 7 skills spanning Terraform review, Kubernetes manifest hardening, network security design, backup strategy, cloud cost optimization, migration planning, and general infrastructure review
  • Covers the Terraform and OpenTofu ecosystem, which holds roughly 32.8 percent IaC market share with 4,800-plus providers and 26 million weekly downloads
  • Applies the Kubernetes 4C security model — Cloud, Cluster, Container, Code — with CIS Benchmark and Pod Security Standards enforcement
  • Uses FinOps principles to target the 30 to 40 percent of cloud spend that most organizations waste, with structured right-sizing, reserved instance, and scheduling recommendations
  • Implements the 3-2-1-1-0 backup rule: three copies, two media types, one offsite, one immutable, zero errors in recovery testing

When you reach for these skills

  • When Terraform modules were written once, deployed, and never reviewed for drift, deprecated providers, or over-permissive resource policies

  • When Kubernetes manifests run containers as root with no resource limits, network policies, or Pod Security Standards enforcement

  • When the monthly cloud bill keeps climbing but nobody can explain which workloads are over-provisioned or which reserved instances expired

  • When a database schema change needs to roll out across services without downtime and the team has no expand-contract migration playbook

How these skills work together

A Claude Code infrastructure pass moves from broad configuration review down to cost-specific and migration-specific concerns, catching the misconfigurations that monitoring alone cannot surface.

  1. Review the infrastructure codebase for misconfigurations

     Start with the infra reviewer. Claude scans Terraform files, Dockerfiles, Kubernetes manifests, and CI configuration for common misconfigurations — public S3 buckets, missing encryption at rest, permissive security group rules — and reports findings with severity and fix suggestions.

  2. Harden Terraform modules against drift and deprecation

     The Terraform reviewer checks HCL files specifically: pinned provider versions, state locking, module composition, and the HashiCorp BSL versus OpenTofu licensing question. Claude flags deprecated resources and suggests refactored module structures that scale without copy-paste drift.

  3. Lock down Kubernetes manifests with the 4C security model

     Use the Kubernetes manifest reviewer to enforce Pod Security Standards, resource limits, RBAC scoping, and network policies. Claude applies the 4C model — Cloud, Cluster, Container, Code — and references the CIS Kubernetes Benchmark for each finding.

  4. Identify cloud cost waste and right-size workloads

     The cost optimization advisor audits cloud spend against FinOps benchmarks. Claude identifies idle resources, recommends reserved instance or savings plan commitments, flags GPU workloads that should run on spot instances, and produces a prioritized savings roadmap.

  5. Plan the database migration with expand-contract safety

     Finally, the migration writer generates expand-contract migration scripts — additive schema changes first, consumer migration second, old column removal last — so the rollout is reversible at every stage and no service sees a broken schema during the transition.

Outcome

Infrastructure code reviewed for security and configuration drift, Terraform modules hardened against deprecation, Kubernetes manifests locked to CIS benchmarks, cloud costs mapped to a savings roadmap, and database migrations planned with reversible stages.

Compare the skills

Skill | Best for | Complexity | Primary use case
Infra Reviewer | Broad infrastructure configuration audits | Intermediate | Cross-tool scan of Terraform, Docker, Kubernetes, and CI files
Terraform Reviewer | HCL-specific review and module health | Advanced | Provider pinning, state locking, module refactoring, license compliance
Kubernetes Manifest Reviewer | Cluster security and resource governance | Advanced | Pod Security Standards, RBAC, CIS Benchmark enforcement
Cost Optimization Advisor | Cloud spend reduction | Intermediate | FinOps audit, right-sizing, reserved instances, and idle resource cleanup
Migration Writer | Zero-downtime schema evolution | Advanced | Expand-contract migration scripts with rollback checkpoints
Backup Strategy Designer | Data protection and disaster readiness | Intermediate | 3-2-1-1-0 backup plans with recovery testing schedules
Network Security Designer | Network topology and perimeter design | Advanced | VPC layout, subnet segmentation, firewall rules, and zero-trust architecture

Skills in this topic

Migration Writer

Generates safe, reversible migration scripts with rollback plans and lock-time estimates. Use when writing schema changes, data transformations, or infrastructure transitions. Expand-contract, idempotent, batched backfill, pg_repack.

Write migration scripts as the engineer who has been paged at 2 AM because a migration dropped a column with live traffic.

Backup Strategy Designer

Designs backup systems with verification, retention schedules, and cross-region replication. Use when setting up backups, planning recovery testing, or implementing the 3-2-1 rule. RPO, snapshots, WAL archiving, restore drills.

Design backup systems assuming you will need to restore at the worst possible moment — during a cascading failure, with the senior DBA on vacation, at 2 AM.

Cost Optimization Advisor

Analyzes cloud spend to identify waste and right-size resources. Use when reviewing AWS/GCP/Azure bills, evaluating reserved instances vs spot, or finding idle infrastructure. FinOps, right-sizing, savings plans.

Analyze cloud spending to find the 20% of resources that account for 80% of waste.

Infra Reviewer

Reviews infrastructure-as-code for security, correctness, reliability, cost, and maintainability. Use when auditing Terraform, Kubernetes manifests, CloudFormation, or Helm charts. Public S3 buckets, IAM wildcards, missing health checks.

Audit IaC configurations to catch the S3 bucket with public ACLs before it reaches production.

Kubernetes Manifest Reviewer

Reviews Kubernetes manifests for production readiness. Use when auditing resource limits, health checks, security contexts, rolling update configs, or PodDisruptionBudgets. K8s YAML, Helm charts, Kustomize overlays.

Review K8s manifests assuming every missing configuration will eventually cause an outage.

Terraform Reviewer

Reviews Terraform code for security misconfigurations, state management risks, and module design anti-patterns. Use when auditing IAM policies, verifying remote state locking, or checking for drift-prone patterns. S3 backend, prevent_destroy, permission boundaries, provider pinning.

Review Terraform code as if a misconfiguration will cost the team a weekend of incident response.

Network Security Designer

Designs defense-in-depth network topologies with VPC segmentation, firewall rules, and zero-trust controls. Use when laying out subnet tiers, restricting east-west traffic, or hardening developer access paths. Security groups, mTLS, microsegmentation, VPC flow logs.

Design networks as if every internal service is one misconfiguration away from the internet.

Frequently asked questions

Can Claude Code review Terraform configurations?

Yes. The Terraform reviewer skill checks HCL files for pinned provider versions, state locking, deprecated resources, and module composition issues. Claude flags security misconfigurations, suggests refactored structures, and notes the Terraform BSL versus OpenTofu licensing distinction when it affects toolchain choices.

How does Claude Code handle Kubernetes security?

The Kubernetes manifest reviewer applies the 4C security model — Cloud, Cluster, Container, Code — and checks manifests against the CIS Kubernetes Benchmark. Claude enforces Pod Security Standards, flags containers running as root, verifies resource limits and network policies, and scopes RBAC to least privilege.

What is the difference between Terraform, OpenTofu, and Pulumi?

Terraform has the largest ecosystem at roughly 32.8 percent IaC market share and 4,800-plus providers. OpenTofu is a Linux Foundation fork under MPL 2.0, created after Terraform's 2023 BSL license change. Pulumi uses general-purpose programming languages like TypeScript and Python instead of HCL. The infrastructure skills work with all three.

How do I reduce cloud costs with Claude Code?

The cost optimization advisor runs a FinOps audit that identifies idle resources, recommends reserved instance commitments for 40 to 72 percent savings, right-sizes over-provisioned workloads for 15 to 25 percent savings, and schedules non-production environments to shut down outside business hours.

What is the 3-2-1-1-0 backup rule?

It extends the classic 3-2-1 rule with two additions: one immutable copy that ransomware cannot encrypt or delete, and zero errors verified through regular recovery testing. The backup strategy designer uses this framework to generate backup plans with explicit recovery time and recovery point objectives.

What is an expand-contract database migration?

A pattern that makes schema changes reversible. First, add the new column or table alongside the old one. Then migrate consumers one by one to use the new schema. Finally, remove the old column once all services have migrated. The migration writer generates scripts for each phase with explicit rollback steps.
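The three phases above, as an added example that is not part of the ClaudeVault skill or this page: a Python walkthrough on an in-memory SQLite database that renames a hypothetical users.email column to email_address, keeps a write from a not-yet-migrated consumer in sync during the transition, and shows that the expand phase can be rolled back without losing data. It assumes SQLite 3.35 or newer for ALTER TABLE DROP COLUMN and falls back to a table rebuild on older builds.

```python
import sqlite3

OLD, NEW = "email", "email_address"  # hypothetical column rename

def make_db():
    # Constructed sample: a users table with live rows on the old schema.
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE users (id INTEGER PRIMARY KEY, {OLD} TEXT NOT NULL)")
    con.executemany(f"INSERT INTO users ({OLD}) VALUES (?)", [("a@x.test",), ("b@x.test",), ("c@x.test",)])
    return con

def columns(con):
    return [row[1] for row in con.execute("PRAGMA table_info(users)")]

def drop_column(con, col):
    # DROP COLUMN needs SQLite 3.35+; older builds get a rebuild (assumes no index/FK on the table).
    if sqlite3.sqlite_version_info >= (3, 35, 0):
        con.execute(f"ALTER TABLE users DROP COLUMN {col}")
    else:
        keep = ", ".join(c for c in columns(con) if c != col)
        con.executescript(f"CREATE TABLE users_new AS SELECT {keep} FROM users; "
                          "DROP TABLE users; ALTER TABLE users_new RENAME TO users;")

def expand(con, batch=2):
    """Phase 1, additive only: add the column, backfill in short batches so no
    statement holds a long lock, then a trigger keeps old-schema writers in sync."""
    con.execute(f"ALTER TABLE users ADD COLUMN {NEW} TEXT")
    while con.execute(f"UPDATE users SET {NEW} = {OLD} WHERE id IN (SELECT id FROM users "
                      f"WHERE {NEW} IS NULL LIMIT ?)", (batch,)).rowcount:
        con.commit()
    con.execute(f"CREATE TRIGGER users_sync AFTER INSERT ON users WHEN NEW.{NEW} IS NULL "
                f"BEGIN UPDATE users SET {NEW} = NEW.{OLD} WHERE id = NEW.id; END")
    con.commit()

def contract(con, col=OLD):
    """Phase 3: drop the old column once every consumer reads the new one. Called
    with col=NEW it is instead the rollback for phase 1, which loses nothing because
    consumers still use the old column. The trigger names both columns, so it goes first."""
    con.execute("DROP TRIGGER users_sync")
    drop_column(con, col)
    con.commit()

def run():
    """Expand, take one old-schema write, verify a new-schema reader, then contract."""
    con = make_db()
    expand(con)
    con.execute(f"INSERT INTO users ({OLD}) VALUES ('d@x.test')")  # not-yet-migrated service
    in_sync = all(o == n for o, n in con.execute(f"SELECT {OLD}, {NEW} FROM users"))
    contract(con)
    return in_sync, columns(con)
```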