Use when working with Terraform (.tf, .tfvars), Ansible (playbooks, roles, inventory), Docker (Dockerfile, docker-compose.yml), CloudFormation, or any infrastructure-as-code files — provides validation workflows, tool chains, and common mistake prevention
npx add-skill https://github.com/lgbarn/shipyard/blob/main/skills/infrastructure-validation/SKILL.md -a claude-code --skill infrastructure-validation

Installation paths:
.claude/skills/infrastructure-validation/

<!-- TOKEN BUDGET: 130 lines / ~390 tokens -->

# Infrastructure Validation

## Activation Triggers

- Files matching: `*.tf`, `*.tfvars`, `Dockerfile`, `docker-compose.yml`, `playbook*.yml`, `roles/`, `inventory/`
- Config: `.shipyard/config.json` has `iac_validation` set to `"auto"` or `true`

## Overview

IaC mistakes don't cause test failures — they cause outages, breaches, and cost overruns. Validate before every change.

**Core principle:** Never apply without plan review. Just as TDD requires tests before code, IaC requires validation before apply.

## File Detection

| Files Present | Workflow |
|--------------|----------|
| `*.tf` | Terraform |
| `playbook*.yml`, `roles/`, `inventory/` | Ansible |
| `Dockerfile`, `docker-compose.yml` | Docker |
| Templates with `AWSTemplateFormatVersion` | CloudFormation |
| YAML with `apiVersion:` | Kubernetes |

## Terraform Workflow

Run in order. Each step must pass before proceeding.

```
terraform fmt -check          # 1. Format (auto-fix with fmt if needed)
terraform validate            # 2. Syntax validation
terraform plan -out=tfplan    # 3. Review every change — NEVER skip
tflint --recursive            # 4. Lint (if installed)
tfsec .                       # 5. Security scan (if installed)
checkov -d .                  #    (or checkov instead of tfsec)
```

**Drift detection:** `terraform plan -detailed-exitcode` — exit code 2 means drift. Document what drifted and why before overwriting.

## Ansible Workflow

```
yamllint .                             # 1. YAML syntax
ansible-lint                           # 2. Best practices
ansible-playbook --syntax-check *.yml  # 3. Playbook syntax
ansible-playbook --check *.yml         # 4. Dry run (where supported)
molecule test                          # 5. Role tests (if configured)
```

## Docker Workflow

```
hadolint Dockerfile           # 1. Lint (if installed)
docker build -t test-build .  # 2. Build
trivy image test-build        # 3. Security scan (if installed)
docker compose config
```
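
The Terraform workflow and drift-detection rule above, written as an ordered gate script. This is an added example, not part of the skill itself; the function names `plan_status`, `run_step` and `terraform_gate` are illustrative, and it assumes steps 3 and the drift check are combined into one `terraform plan -detailed-exitcode -out=tfplan` call.

```shell
#!/bin/sh
# Added example: runs the Terraform steps above as ordered gates.
# Function names (plan_status, run_step, terraform_gate) are illustrative.

# Interpret `terraform plan -detailed-exitcode`:
#   0 = no changes, 1 = error, 2 = changes present (drift if none were expected)
plan_status() {
  case "$1" in
    0) echo clean ;;
    2) echo drift ;;
    *) echo error ;;
  esac
}

# run_step MODE CMD [ARGS...]
# MODE=required: a missing tool fails the gate.
# MODE=optional: a missing tool is skipped ("if installed"), but findings still fail.
run_step() {
  step_mode=$1; shift
  if ! command -v "$1" >/dev/null 2>&1; then
    if [ "$step_mode" = optional ]; then echo "SKIP $1 (not installed)"; return 0; fi
    echo "FAIL $1 (not installed)"; return 1
  fi
  if "$@"; then echo "PASS $*"; else echo "FAIL $*"; return 1; fi
}

# Returns 0 = every step passed and the plan shows no changes,
#         2 = every step passed but the plan has changes to review and document,
#         1 = a step failed; later steps are not run.
terraform_gate() {
  run_step required terraform fmt -check || return 1
  run_step required terraform validate   || return 1
  plan_rc=0
  terraform plan -detailed-exitcode -out=tfplan || plan_rc=$?
  verdict=$(plan_status "$plan_rc")
  echo "PLAN $verdict (exit $plan_rc)"
  if [ "$verdict" = error ]; then return 1; fi
  run_step optional tflint --recursive   || return 1
  # The page lists tfsec OR checkov: use tfsec when present, else try checkov.
  if command -v tfsec >/dev/null 2>&1; then
    run_step optional tfsec .            || return 1
  else
    run_step optional checkov -d .       || return 1
  fi
  if [ "$verdict" = drift ]; then return 2; fi
  return 0
}

# Run the gate only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then terraform_gate; exit $?; fi
```

A return value of 2 is not a pass: it means the saved `tfplan` must be read and the drift explained before anything is applied.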