// Deploy one-time prerequisite infrastructure from scripts/prepare.mk. Use when the user says 'prepare', 'deploy prerequisites', 'create ECR', or invokes /ipa-prepare.
Compose a deployment from stack skills and generate executable artifacts (Makefiles, security disposition). Use when the user says 'compose', 'generate deployment', or invokes /ipa-compose.
Deploy a CodePipeline CI/CD pipeline with CodeBuild for automated build/test/deploy.
Provision or update centralized security infrastructure (IAM roles) for an IPA project. Use when the user says 'security', 'set up security', 'IAM roles', or invokes /ipa-security.
Deploy a frontend tier stack: S3 static hosting + CloudFront distribution + OAC.
Deploy a centralized S3 log bucket for CloudFront, S3 access, and VPC flow logs.
[DEPRECATED] Use /ipa-compose codepipeline + /ipa-prepare instead.
| name | ipa-prepare |
| description | Deploy one-time prerequisite infrastructure from scripts/prepare.mk. Use when the user says 'prepare', 'deploy prerequisites', 'create ECR', or invokes /ipa-prepare. |
| model | opus |
This skill deploys one-time prerequisite infrastructure by executing
scripts/prepare.mk. Prepare stacks (ECR repositories, etc.) must exist
before build and deploy scripts can run.
Lifecycle: /ipa-init → /ipa-compose → /ipa-prepare → /ipa-deploy
make -n -f scripts/prepare.mk preparemake -f scripts/prepare.mk prepare*_COMPLETE status.env (if Cognito is a prepare stack)/ipa-compose's job/ipa-security's job/ipa-deployprepare target| Stack | Skill | Description |
|---|---|---|
{ns}-{env}-logs | ipa-stack-logs | Centralized S3 log bucket (CloudFront, S3 access, VPC flow logs) |
{ns}-{env}-cognito | ipa-stack-cognito | Cognito User Pool with OIDC |
{ns}-{env}-ecr | ipa-stack-ecr | ECR container repository |
{ns}-{env}-codecommit | ipa-stack-codecommit | CodeCommit source repository |
{ns}-{env}-codepipeline | ipa-stack-codepipeline | CI/CD pipeline |
Log bucket teardown: CloudFormation cannot delete non-empty S3 buckets. If teardown-logs fails, empty the bucket manually (aws s3 rm s3://{bucket} --recursive) and re-run.
This skill is always invoked manually by the builder. /ipa-deploy does NOT auto-invoke
/ipa-prepare — it gates with an error message directing the builder here.
Full flow: pre-flight → plan display → confirmation → execute → verify → report.
/ipa-compose on a new project/ipa-compose that adds new prepare stacks| Source | What Prepare Reads | When |
|---|---|---|
.env | APP_NAMESPACE, APP_ENV, AWS_REGION, AWS_PROFILE | Pre-flight validation |
scripts/prepare.mk | Target names, stack names | Plan display + execution |
make -n | Dry-run output | Plan display |
source .env 2>/dev/null; aws cloudformation describe-stacks | Stack status | Post-execution verification |
AWS credential resolution: All
awsCLI commands must be prefixed withsource .env 2>/dev/null;to load credentials. Do NOT pass--profileor--regionexplicitly.
Run all checks and report all failures at once.
Check .env exists at project root and is non-empty.
If missing: ".env not found. Run /ipa-init to initialize project configuration."
| Variable | Written By | Error If Missing |
|---|---|---|
APP_NAMESPACE | /ipa-init | "Missing APP_NAMESPACE. Run /ipa-init." |
APP_ENV | /ipa-init | "Missing APP_ENV. Run /ipa-init." |
AWS_REGION | /ipa-init | "Missing AWS_REGION. Run /ipa-init." |
AWS_PROFILE | /ipa-init | "Missing AWS_PROFILE. Run /ipa-init." |
Check scripts/prepare.mk exists and contains a prepare target.
If missing: "A solution must be composed before prepare stacks can be deployed. Run /ipa-compose to generate deployment artifacts."
If empty/no target: "A solution must be composed before prepare stacks can be deployed. Run /ipa-compose with stacks that have prepare prerequisites."
Run: source .env 2>/dev/null; aws sts get-caller-identity
If fails: "AWS credentials are invalid or expired for profile {AWS_PROFILE}."
Check which make.
If any fail, display all failures and STOP. If all pass: "Pre-flight validation passed."
Run: make -n -f scripts/prepare.mk prepare
Display:
Prepare Plan: {APP_NAMESPACE}-{APP_ENV}
Stack Action
--------------------------------- ------
{APP_NAMESPACE}-{APP_ENV}-cognito create/update
.env write OIDC configuration
{APP_NAMESPACE}-{APP_ENV}-ecr create/update
These are one-time prerequisite stacks. They must exist before
build and deploy can run.
Ask: "Proceed? (yes/no):" If declined: "Prepare cancelled. No changes were made."
Run: make -f scripts/prepare.mk prepare
Display Make output as it runs.
If fails: Read stack events via source .env 2>/dev/null; aws cloudformation describe-stack-events --stack-name {failed-stack}, diagnose, and propose fix. Same error classification as /ipa-deploy.
For each prepare stack, run:
source .env 2>/dev/null; aws cloudformation describe-stacks --stack-name {stack-name} --query 'Stacks[0].StackStatus' --output text
Confirm all report CREATE_COMPLETE or UPDATE_COMPLETE.
Prepare Complete: {APP_NAMESPACE}-{APP_ENV}
Stack Status
--------------------------------- ---------------
{APP_NAMESPACE}-{APP_ENV}-cognito CREATE_COMPLETE
{APP_NAMESPACE}-{APP_ENV}-ecr CREATE_COMPLETE
.env OIDC vars written
Next steps:
- Run `/ipa-deploy` to build and deploy the application
- Re-run `/ipa-prepare` if prepare stacks change
- Prepare stacks are NOT auto-deleted by /ipa-destroy — manual teardown:
make -f scripts/prepare.mk teardown-prepare