Execute qualquer Skill no Manus
com um clique

Execute qualquer Skill no Manus com um clique

$pwd:

google-cicd-terraform

Name: Google Cicd Terraform
Author: gemini-cli-extensions

// Architect, provision, and troubleshoot infrastructure on Google Cloud using Terraform. This skill ensures best practices like GCS backend usage and least-privilege IAM are followed. Enforces Google’s Cloud Foundation Fabric patterns and rigorous validation protocols to ensure secure, idempotent, and scalable deployments across environments. Activate when the user requests infrastructure changes, pipeline design involving Terraform, or debugging Terraform issues.

Executar no Manus

$ git log --oneline --stat

stars:44

forks:8

updated:27 de abril de 2026 às 20:18

Explorador de arquivos

7 arquivos

SKILL.md

readonly

name

google-cicd-terraform

description

Architect, provision, and troubleshoot infrastructure on Google Cloud using Terraform. This skill ensures best practices like GCS backend usage and least-privilege IAM are followed. Enforces Google’s Cloud Foundation Fabric patterns and rigorous validation protocols to ensure secure, idempotent, and scalable deployments across environments. Activate when the user requests infrastructure changes, pipeline design involving Terraform, or debugging Terraform issues.

Terraform GCP Skill

This skill provides expert-level guidance for architecting, deploying, and managing GCP infrastructure using Terraform.

🎯 When to Use This Skill

Designing GCP Landing Zones (Projects, Folders, Shared VPCs).
Provisioning Google Cloud resources (GKE, Cloud Run, Cloud SQL, Spanner).
Setting up remote state management via GCS Backend.
Implementing IAM least-privilege via Terraform.
Troubleshooting terraform plan discrepancies in GCP.

🏗️ Core Architecture: GCS Backend & State

Always use a GCS backend for state. Local state is strictly for local prototyping and must never be committed. If local state direcotry is used, add it to .gitignore.

Standard Backend Configuration

terraform {
  backend "gcs" {
    bucket  = "tf-state-${var.project_id}"
    prefix  = "terraform/state/${var.environment}"
  }
}

Note: The GCS bucket must have Object Versioning enabled to allow recovery from accidental state corruption or overlapping writes.

Required Provider Version

Use the Google Cloud Terraform provider version 7.20.0 or higher. This skill utilizes features (e.g., Developer Connect) introduced in Google Provider v7.20.0.

terraform {
  required_version = ">= 1.6.0"

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 7.20.0" 
    }
  }
}

To retrieve the latest version of the Google provider, use the following command:

curl -s https://registry.terraform.io/v1/providers/hashicorp/google | jq -r .version

🛠️ Execution Protocol (Safety First)

The Agent must follow this lifecycle for every infrastructure change to ensure idempotency and prevent production outages:

Initialize (terraform init):
- Verify backend connectivity.
- Ensure provider plugins are downloaded and versions are locked in .terraform.lock.hcl.
Validate (terraform validate & tflint):
- Check for internal HCL consistency.
- Run tflint with the Google plugin to catch cloud-specific deprecated fields or non-optimal configurations.
Plan (terraform plan -out=tfplan):
- Generate a speculative execution plan.
- Mandatory Step: The Agent must summarize the plan for the user, specifically highlighting any Destroy actions.
Apply (terraform apply tfplan):
- Strict Constraint: Only execute the application after the user provides explicit manual confirmation.

🔍 Live Provider Documentation Lookup

To prevent hallucinations regarding new fields or deprecated attributes, the Agent must verify the grounded truth of the provider schema.

Schema Inspection via CLI The primary command for retrieving the machine-readable schema of the currently initialized providers is:

$ terraform providers schema -json

🛡️ GCP-Specific Standards

Resource Naming & "Main" Pattern To maintain a clean module interface, use the main identifier for singleton resources (the primary resource the module is named after). Use underscores for identifiers and hyphens for names.
```
resource "google_compute_network" "main" {
  name                    = "${var.prefix}-vpc"
  auto_create_subnetworks = false
}
```
IAM Management
- Never use google_project_iam_policy: This resource is authoritative and replaces the entire IAM policy for the project. It is the #1 cause of accidental lockouts.
- Avoid google_project_iam_policy: This resource is authoritative for the entire project and is a common cause of accidental lockouts.
- Prefer google_project_iam_member or google_project_iam_binding:
  - google_project_iam_member is additive and safely grants a role to a single member.
  - google_project_iam_binding is authoritative for a single role. It's useful for managing all members of a role, but be aware it overwrites existing members for that role.
- Shared VPC: Always distinguish between Host projects (where the network lives) and Service projects (where resources consume the network).
- Private Google Access: Subnets should always have private_ip_google_access = true.
- Workload Identity: Prefer GKE Workload Identity over static Service Account JSON keys.
Cloud Build Triggers with Developer Connect When using Developer Connect git repository links, use developer_connect_event_config — NOT repository_event_config. The repository_event_config block is for Cloud Build v2 repository connections and will not work with Developer Connect resources. An example block to create a Cloud Build trigger with Developer Connect git repository link is as follows:
```
resource "google_cloudbuild_trigger" "main" {
  developer_connect_event_config {
    git_repository_link = google_developer_connect_git_repository_link.main.id
    push {
      branch = var.trigger_branch
    }
  }
}
```

Developer Connect Connection When configuring google_developer_connect_connection, always set github_app to "DEVELOPER_CONNECT". Using "FIREBASE" is incorrect and will cause triggers to fail.

resource "google_developer_connect_connection" "main" {
  location      = var.region
  connection_id = var.connection_id
  project       = var.project_id

  github_config {
    github_app = "DEVELOPER_CONNECT" # CORRECT
    authorizer_credential {
      oauth_token_secret_version = "" # Populated after manual authorization
    }
  }

  depends_on = [google_project_service.main["developerconnect.googleapis.com"]]

  lifecycle {
    ignore_changes = [github_config[0].authorizer_credential]
  }
}

Developer Connect Git Repository Link When configuring google_developer_connect_git_repository_link, use parent_connection and git_repository_link_id as required arguments.

resource "google_developer_connect_git_repository_link" "main" {
  location                = var.region
  parent_connection       = google_developer_connect_connection.main.connection_id
  git_repository_link_id  = "my-repo-link"
  clone_uri               = var.github_repo_uri
}

📂 Directory Structure

Follow this standard to ensure compatibility with Antigravity (AGY) discovery and Google best practices:

.
└── terraform/
    ├── main.tf              # Entry point / Resource definitions
    ├── variables.tf         # Typed variables with units and descriptions
    ├── outputs.tf           # Resource ID outputs (no direct input pass-through)
    ├── versions.tf          # Provider version pinning
    ├── network.tf           # (Optional) Grouped networking resources
    ├── examples/            # Example usage for modules
    ├── files/               # Static files (startup scripts, etc.)
    ├── templates/           # .tftpl templates
    ├── scripts/             # Scripts called by Terraform
    └── helpers/             # Scripts NOT called by Terraform

⚠️ Anti-Patterns (Do NOT do these)

❌ Legacy GitHub Triggers: Do not use the legacy github block in google_cloudbuild_trigger. Always use developer_connect_event_config.
❌ Hardcoded IDs: Never hardcode Project IDs. Use variables or data "google_project" sources.
❌ Service Account Keys: Never generate or store .json keys. Use Workload Identity Federation or the default metadata server.
❌ Hardcoded IDs: Never hardcode Project IDs. Use variables or a data "google_project" source.
❌ Broad Scopes: Avoid cloud-platform scopes for GKE nodes; use fine-grained IAM roles instead.
❌ Uppercase Types: Terraform variable types must be lowercase (e.g., type = string not type = STRING).

🧪 Testing Strategy

Static Analysis: Use checkov, trivy, or terrascan to catch insecure GCP configurations (e.g., public GCS buckets).
Integration Testing: Use terraform test (v1.6+) to assert that GCP labels and network tags are correctly applied to resources before full deployment.

related-skills.json

mesmo repositório

google-cicd-deploy.md

from "gemini-cli-extensions/cicd"

Use this skill when requested to deploy an application to Google Cloud (GCS, Cloud Run, GKE) or when analyzing an application to determine the best deployment target. **Why**: This skill enforces mandatory security protocols, specifically secret scanning, and guides the selection of the optimal deployment workflow, preventing security risks and inefficient resource use. Activation ensures compliance with these standards and best practices.

2026-04-2744

google-cicd-pipeline-design.md

from "gemini-cli-extensions/cicd"

Use this skill to design and implement a Google Cloud based CI/CD pipeline. This skill encodes best practices for pipeline design, ensuring proper pattern selection and implementation. You MUST activate this skill when tasked with building a pipeline, designing architecture on GCP, or migrating pipelines.

2026-04-2744

google-cicd-release-orchestration.md

from "gemini-cli-extensions/cicd"

Use this skill when you need to design Cloud Deploy delivery pipelines or manage releases for applications deploying to Cloud Run or Google Kubernetes Engine (GKE). This skill encodes best practices for multi-environment deployment, deployment strategies (like canary), and release management (including rollbacks and automations). Always activate this skill for these tasks to ensure robust and consistent configuration.

2026-04-2744

package.json

"author": "gemini-cli-extensions"

"repository": "gemini-cli-extensions/cicd"

Abrir repositório GitHub Ver repositórios do creator

$ install --global

$ download --local

Executar no Manus

$ useful --forSOC

Desenvolvedores de softwareInformática e Matemática15-1252L4

name

google-cicd-terraform

description

Terraform GCP Skill

This skill provides expert-level guidance for architecting, deploying, and managing GCP infrastructure using Terraform.

🎯 When to Use This Skill

Designing GCP Landing Zones (Projects, Folders, Shared VPCs).
Provisioning Google Cloud resources (GKE, Cloud Run, Cloud SQL, Spanner).
Setting up remote state management via GCS Backend.
Implementing IAM least-privilege via Terraform.
Troubleshooting terraform plan discrepancies in GCP.

🏗️ Core Architecture: GCS Backend & State

Always use a GCS backend for state. Local state is strictly for local prototyping and must never be committed. If local state direcotry is used, add it to .gitignore.

Standard Backend Configuration

terraform {
  backend "gcs" {
    bucket  = "tf-state-${var.project_id}"
    prefix  = "terraform/state/${var.environment}"
  }
}

Note: The GCS bucket must have Object Versioning enabled to allow recovery from accidental state corruption or overlapping writes.

Required Provider Version

Use the Google Cloud Terraform provider version 7.20.0 or higher. This skill utilizes features (e.g., Developer Connect) introduced in Google Provider v7.20.0.

terraform {
  required_version = ">= 1.6.0"

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 7.20.0" 
    }
  }
}

To retrieve the latest version of the Google provider, use the following command:

curl -s https://registry.terraform.io/v1/providers/hashicorp/google | jq -r .version

🛠️ Execution Protocol (Safety First)

The Agent must follow this lifecycle for every infrastructure change to ensure idempotency and prevent production outages:

Initialize (terraform init):
- Verify backend connectivity.
- Ensure provider plugins are downloaded and versions are locked in .terraform.lock.hcl.
Validate (terraform validate & tflint):
- Check for internal HCL consistency.
- Run tflint with the Google plugin to catch cloud-specific deprecated fields or non-optimal configurations.
Plan (terraform plan -out=tfplan):
- Generate a speculative execution plan.
- Mandatory Step: The Agent must summarize the plan for the user, specifically highlighting any Destroy actions.
Apply (terraform apply tfplan):
- Strict Constraint: Only execute the application after the user provides explicit manual confirmation.

🔍 Live Provider Documentation Lookup

To prevent hallucinations regarding new fields or deprecated attributes, the Agent must verify the grounded truth of the provider schema.

Schema Inspection via CLI The primary command for retrieving the machine-readable schema of the currently initialized providers is:

$ terraform providers schema -json

🛡️ GCP-Specific Standards

Resource Naming & "Main" Pattern To maintain a clean module interface, use the main identifier for singleton resources (the primary resource the module is named after). Use underscores for identifiers and hyphens for names.
```
resource "google_compute_network" "main" {
  name                    = "${var.prefix}-vpc"
  auto_create_subnetworks = false
}
```
IAM Management
- Never use google_project_iam_policy: This resource is authoritative and replaces the entire IAM policy for the project. It is the #1 cause of accidental lockouts.
- Avoid google_project_iam_policy: This resource is authoritative for the entire project and is a common cause of accidental lockouts.
- Prefer google_project_iam_member or google_project_iam_binding:
  - google_project_iam_member is additive and safely grants a role to a single member.
  - google_project_iam_binding is authoritative for a single role. It's useful for managing all members of a role, but be aware it overwrites existing members for that role.
- Shared VPC: Always distinguish between Host projects (where the network lives) and Service projects (where resources consume the network).
- Private Google Access: Subnets should always have private_ip_google_access = true.
- Workload Identity: Prefer GKE Workload Identity over static Service Account JSON keys.
Cloud Build Triggers with Developer Connect When using Developer Connect git repository links, use developer_connect_event_config — NOT repository_event_config. The repository_event_config block is for Cloud Build v2 repository connections and will not work with Developer Connect resources. An example block to create a Cloud Build trigger with Developer Connect git repository link is as follows:
```
resource "google_cloudbuild_trigger" "main" {
  developer_connect_event_config {
    git_repository_link = google_developer_connect_git_repository_link.main.id
    push {
      branch = var.trigger_branch
    }
  }
}
```

Developer Connect Connection When configuring google_developer_connect_connection, always set github_app to "DEVELOPER_CONNECT". Using "FIREBASE" is incorrect and will cause triggers to fail.

resource "google_developer_connect_connection" "main" {
  location      = var.region
  connection_id = var.connection_id
  project       = var.project_id

  github_config {
    github_app = "DEVELOPER_CONNECT" # CORRECT
    authorizer_credential {
      oauth_token_secret_version = "" # Populated after manual authorization
    }
  }

  depends_on = [google_project_service.main["developerconnect.googleapis.com"]]

  lifecycle {
    ignore_changes = [github_config[0].authorizer_credential]
  }
}

Developer Connect Git Repository Link When configuring google_developer_connect_git_repository_link, use parent_connection and git_repository_link_id as required arguments.

resource "google_developer_connect_git_repository_link" "main" {
  location                = var.region
  parent_connection       = google_developer_connect_connection.main.connection_id
  git_repository_link_id  = "my-repo-link"
  clone_uri               = var.github_repo_uri
}

📂 Directory Structure

Follow this standard to ensure compatibility with Antigravity (AGY) discovery and Google best practices:

.
└── terraform/
    ├── main.tf              # Entry point / Resource definitions
    ├── variables.tf         # Typed variables with units and descriptions
    ├── outputs.tf           # Resource ID outputs (no direct input pass-through)
    ├── versions.tf          # Provider version pinning
    ├── network.tf           # (Optional) Grouped networking resources
    ├── examples/            # Example usage for modules
    ├── files/               # Static files (startup scripts, etc.)
    ├── templates/           # .tftpl templates
    ├── scripts/             # Scripts called by Terraform
    └── helpers/             # Scripts NOT called by Terraform

⚠️ Anti-Patterns (Do NOT do these)

❌ Legacy GitHub Triggers: Do not use the legacy github block in google_cloudbuild_trigger. Always use developer_connect_event_config.
❌ Hardcoded IDs: Never hardcode Project IDs. Use variables or data "google_project" sources.
❌ Service Account Keys: Never generate or store .json keys. Use Workload Identity Federation or the default metadata server.
❌ Hardcoded IDs: Never hardcode Project IDs. Use variables or a data "google_project" source.
❌ Broad Scopes: Avoid cloud-platform scopes for GKE nodes; use fine-grained IAM roles instead.
❌ Uppercase Types: Terraform variable types must be lowercase (e.g., type = string not type = STRING).

🧪 Testing Strategy

Static Analysis: Use checkov, trivy, or terrascan to catch insecure GCP configurations (e.g., public GCS buckets).
Integration Testing: Use terraform test (v1.6+) to assert that GCP labels and network tags are correctly applied to resources before full deployment.

google-cicd-terraform

Terraform GCP Skill

🎯 When to Use This Skill

🏗️ Core Architecture: GCS Backend & State

Standard Backend Configuration

Required Provider Version

🛠️ Execution Protocol (Safety First)

🔍 Live Provider Documentation Lookup

🛡️ GCP-Specific Standards

📂 Directory Structure

⚠️ Anti-Patterns (Do NOT do these)

🧪 Testing Strategy

Mais deste repositório

Mais deste repositório

Terraform GCP Skill

🎯 When to Use This Skill

🏗️ Core Architecture: GCS Backend & State

Standard Backend Configuration

Required Provider Version

🛠️ Execution Protocol (Safety First)

🔍 Live Provider Documentation Lookup

🛡️ GCP-Specific Standards

📂 Directory Structure

⚠️ Anti-Patterns (Do NOT do these)

🧪 Testing Strategy