AWS Orchestrator Capabilities
This page details the specific capabilities of the AWS Orchestrator Agent, including supported output specifications and built-in rules enforced by the validation evaluation loop.
What It Generates
A standard run of the `tf-generator` produces a fixed, production-grade file set. The AWS Orchestrator Agent produces complete, production-ready Terraform modules with all required files:
| Output File | Contents |
|---|---|
| `main.tf` | Resource definitions dynamically built upon evaluated boolean gates |
| `variables.tf` | Strict schemas and abstracted ARNs, Regions, and IPs |
| `outputs.tf` | Safe return values enveloped in `try()` blocks |
| `versions.tf` | Locked constraints to prevent breaking API updates |
| `README.md` | Self-documenting tables and complete usage examples |
Generation Quality & Built-in Rules
The agent produces complex yet deterministic states because it constrains the LLM instead of letting it emit free-form text. The Orchestrator subagents carry hardcoded prompt rules (defined in `subagents.py`):
| Practice | Implementation |
|---|---|
| Never Hardcode Values | ARNs, Regions, and IPs must be abstracted into `variables.tf`. |
| Merge Tagging | Every resource enforces tag mapping via `tags = merge({"Name" = var.name}, var.tags, var.<svc>_tags)`. |
| Version Pinning | Always emit `required_providers` blocks so that breaking API updates do not destroy infrastructure. |
| Conditional Guarding | Use `count` or `for_each` dynamically based on boolean gates. |
| Strict Security Enforcement | `sec-n-best-practices` injects standards (Least-Privilege, VPC flow logs, SSE with KMS) natively. |
Internal Evaluation Loop
How We End Up at the Desired State
The framework reaches the desired state by running an internal evaluation loop. The `tf-validator` acts as an un-bribeable judge, eliminating the hallucination problems common with text-only LLMs.
- The generated code is flushed to disk via `sync_workspace_to_disk()`.
- The `tf-validator` runs `terraform validate` in a sandbox.
- If errors appear (e.g., invalid arguments or missing providers), the raw `stderr` is injected back into the Graph State.
- The Supervisor routes back to the `tf-generator`, forcing a rewrite until validation passes 100%.
Input Flexibility
The agent understands natural language requests at various levels of specificity and operates reliably when given a defined operational scope:
High-Level Needs
"Create an S3 bucket for storing application logs"
The agent will infer and orchestrate: versioning, lifecycle policies, encryption, access controls.
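Taken together, the built-in rules in the table above and the inferred S3 controls described here produce a module shaped like the following. This is an added illustration written for this page, not output captured from the agent; the section comments mark which generated file each block would land in, and the `kms_key_arn` input is assumed to be supplied by the caller.

```hcl
# versions.tf: pinned constraints so a breaking provider release cannot change the plan
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }
}
# variables.tf: nothing hardcoded; the KMS key ARN, name and tags are inputs
variable "name" { type = string }
variable "kms_key_arn" { type = string } # abstracted ARN, never a literal
variable "create_bucket" {
  type    = bool
  default = true # boolean gate consumed by every count below
}
variable "tags" {
  type    = map(string)
  default = {}
}
variable "s3_tags" {
  type    = map(string)
  default = {}
}
# main.tf: each resource sits behind the gate and merges the three tag sources
resource "aws_s3_bucket" "logs" {
  count  = var.create_bucket ? 1 : 0
  bucket = var.name
  tags   = merge({ "Name" = var.name }, var.tags, var.s3_tags)
}
resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
  count  = var.create_bucket ? 1 : 0
  bucket = aws_s3_bucket.logs[0].id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms" # SSE with KMS per sec-n-best-practices
      kms_master_key_id = var.kms_key_arn
    }
  }
}
resource "aws_s3_bucket_public_access_block" "logs" {
  count                   = var.create_bucket ? 1 : 0
  bucket                  = aws_s3_bucket.logs[0].id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
# outputs.tf: try() yields null instead of an index error when the gate is off
output "bucket_arn" {
  value = try(aws_s3_bucket.logs[0].arn, null)
}
```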
Detailed Constraint Requests
"Generate a heavily restricted AWS VPC module named 'core-network'. It must span 3 AZs. Include DB subnets that are completely isolated without outward internet access. Use a single NAT gateway to save money."
The agent passes these constraints directly to the Execution Planner to implement the exact specification.
Directed GitOps Updates
"Connect to my repo `talkops-ai/infra-modules`. Look in the `/modules/iam/eks-roles` directory. We need to add an inline policy giving this worker role `s3:GetObject` access to the bucket `arn:aws:s3:::corporate-data`. Make sure not to overwrite the existing attachments."
The GitHub Subagent directly integrates MCP reading capabilities to enact surgical line edits to existing configurations.
📖 See more examples: Check the Examples page for complete generation guides and targeted GitOps updates.