AWS Orchestrator Examples

The quality of the generated output depends on how clearly you define the operational scope. Avoid vague statements: when the Supervisor is given explicit boundaries, it derives execution parameters that match your infrastructure requirements instead of guessing them.

Here are a few structured examples demonstrating how to guide the Orchestrator for various tasks.


1. Greenfield Infrastructure with Topology Instructions

When generating new infrastructure from scratch, state the topology, the number of Availability Zones to span, and the network isolation requirements up front.

"Generate a heavily restricted AWS VPC module named 'core-network'. It must span 3 AZs. Include DB subnets that are completely isolated without outward internet access. Use a single NAT gateway to save money."

Why this works:

  • Topology defined: Explicitly asks for 3 Availability Zones (AZs).
  • Isolation explicit: Requires that the DB subnets have no route to an internet gateway or NAT gateway, so they are unreachable from and cannot reach the internet.
  • Cost control parameter: "Use a single NAT gateway" tells the Planner agent to deviate from the usual HA layout (one NAT gateway per AZ) and route all private subnets through one gateway. This is a deliberate trade: lower cost for a single point of failure for outbound traffic if that gateway's AZ goes down.
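The Terraform a reviewer should expect back from the 'core-network' prompt, as an added example; this is not output of the AWS Orchestrator or code from the page. The CIDR layout, the use of the aws_availability_zones data source, and AWS provider 5.x syntax (aws_eip "domain") are assumptions. The point to check in any generated module is the DB route table: it must carry no default route at all.

```hcl
# Added example, not Orchestrator output. CIDR layout, the AZ data source and
# AWS provider >= 5.0 syntax are assumptions.

locals {
  vpc_cidr = "10.0.0.0/16"
  azs      = slice(data.aws_availability_zones.available.names, 0, 3) # exactly 3 AZs
}

data "aws_availability_zones" "available" {
  state = "available"
}

resource "aws_vpc" "core" {
  cidr_block           = local.vpc_cidr
  enable_dns_hostnames = true
  tags                 = { Name = "core-network" }
}

resource "aws_internet_gateway" "this" {
  vpc_id = aws_vpc.core.id
}

# One subnet of each tier per AZ.
resource "aws_subnet" "public" {
  count             = length(local.azs)
  vpc_id            = aws_vpc.core.id
  cidr_block        = cidrsubnet(local.vpc_cidr, 8, count.index)
  availability_zone = local.azs[count.index]
}

resource "aws_subnet" "private" {
  count             = length(local.azs)
  vpc_id            = aws_vpc.core.id
  cidr_block        = cidrsubnet(local.vpc_cidr, 8, 10 + count.index)
  availability_zone = local.azs[count.index]
}

resource "aws_subnet" "db" {
  count             = length(local.azs)
  vpc_id            = aws_vpc.core.id
  cidr_block        = cidrsubnet(local.vpc_cidr, 8, 20 + count.index)
  availability_zone = local.azs[count.index]
}

# Single NAT gateway in the first public subnet: the cost trade-off the prompt
# asks for. If that AZ fails, private subnets in all three AZs lose egress.
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "this" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public[0].id
  depends_on    = [aws_internet_gateway.this]
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.core.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.this.id
  }
}

# One private route table shared by all AZs, pointing at the single NAT.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.core.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.this.id
  }
}

# DB route table has no default route: only the implicit VPC-local route
# exists, so DB subnets can reach neither the IGW nor the NAT gateway.
resource "aws_route_table" "db" {
  vpc_id = aws_vpc.core.id
}

resource "aws_route_table_association" "public" {
  count          = length(local.azs)
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
}

resource "aws_route_table_association" "private" {
  count          = length(local.azs)
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private.id
}

resource "aws_route_table_association" "db" {
  count          = length(local.azs)
  subnet_id      = aws_subnet.db[count.index].id
  route_table_id = aws_route_table.db.id
}
```

When reviewing generated code for this prompt, confirm that no `route` block and no `aws_route` resource targets the DB route table, that `map_public_ip_on_launch` is not set on the DB subnets, and that exactly one `aws_nat_gateway` exists.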

2. Deep Update via GitHub MCP

The AWS Orchestrator integrates natively with the github-agent, which lets it make precise modifications to existing modules through direct GitOps endpoints rather than regenerating the module from scratch.

"Connect to my repo talkops-ai/infra-modules. Look in the /modules/iam/eks-roles directory. We need to add an inline policy giving this worker role s3:GetObject access to the bucket arn:aws:s3:::corporate-data. Make sure not to overwrite the existing attachments."

Why this works:

  • Clear navigation: Points the update-planner agent at a specific target repository and working path.
  • Surgical scope: States the exact IAM action and target ARN instead of a generic "give it S3 access." Note that s3:GetObject is evaluated against object ARNs, so the resulting policy should list arn:aws:s3:::corporate-data/* as its resource; the bare bucket ARN would grant nothing usable.
  • Safety constraint: "Make sure not to overwrite the existing attachments" tells the agent to add a new resource rather than rewrite the role definition, preventing unintentional removal of existing aws_iam_role_policy_attachment resources.
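The additive change a reviewer should expect in /modules/iam/eks-roles for this prompt, as an added example that is not the Orchestrator's own output. It assumes the module already declares a role resource named aws_iam_role.eks_worker; the resource and policy names below are also assumptions.

```hcl
# Added example, not Orchestrator output. Assumes the module already contains
# aws_iam_role.eks_worker; nothing else in the module is touched.

data "aws_iam_policy_document" "corporate_data_read" {
  statement {
    sid     = "ReadCorporateData"
    effect  = "Allow"
    actions = ["s3:GetObject"]
    # s3:GetObject authorizes against object ARNs, so the bucket ARN from the
    # prompt is extended with "/*". Listing only "arn:aws:s3:::corporate-data"
    # would produce a policy that never matches a GetObject request.
    resources = ["arn:aws:s3:::corporate-data/*"]
  }
}

# An inline policy as its own resource. It is attached by role name and is
# independent of any aws_iam_role_policy_attachment already in the module.
resource "aws_iam_role_policy" "corporate_data_read" {
  name   = "corporate-data-read"
  role   = aws_iam_role.eks_worker.name
  policy = data.aws_iam_policy_document.corporate_data_read.json
}

# Forms to reject in generated code, because each one is exclusive and
# would detach anything it does not list on the next apply:
#   - an inline_policy block or managed_policy_arns argument on aws_iam_role
#   - an aws_iam_policy_attachment resource (exclusive across all principals)
```

Before merging, run `terraform plan` and check that the plan shows only one `create` (the new aws_iam_role_policy) and no `update` or `destroy` on the role or its attachments.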

3. Serverless Component Orchestration

This pattern ties several linked components together across AWS APIs (for example API Gateway -> IAM role -> Lambda -> CloudWatch Logs) in a single generation run.

"Plan and execute an API Gateway that triggers an AWS Lambda Python function. The required IAM role must adhere to least-privilege constraints against CloudWatch logs. Ensure variables.tf allows dynamic assignment of log retention days."

Why this works:

  • Connection stated: Asserts that API Gateway is the trigger for the Lambda function, so the invoke permission and integration are generated together.
  • Dynamic assignment request: Requires the generated variables.tf to expose log retention as an input variable rather than a hard-coded value.
  • Security enforcement: Aligns with the SecBestPracticesAgent pipeline, which checks that the generated IAM policy is bounded to the actions and the log group the function actually needs rather than CloudWatch Logs permissions on every resource.
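What this prompt should produce, as an added example that is not the Orchestrator's output. It assumes an HTTP API (apigatewayv2), a Python 3.12 runtime, a placeholder handler packaged with the archive provider, and the resource names shown; the variable would normally live in variables.tf and the rest in main.tf.

```hcl
# Added example, not Orchestrator output. HTTP API, Python 3.12, the archive
# provider and all names below are assumptions.

# variables.tf: retention is an input, not a literal in the log group resource.
variable "log_retention_days" {
  type    = number
  default = 30
}

variable "function_name" {
  type    = string
  default = "api-handler"
}

data "aws_iam_policy_document" "lambda_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "lambda" {
  name               = "${var.function_name}-role"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
}

# Create the log group in Terraform so retention is enforced and the policy
# below can name exactly this group instead of "*".
resource "aws_cloudwatch_log_group" "lambda" {
  name              = "/aws/lambda/${var.function_name}"
  retention_in_days = var.log_retention_days
}

# Least privilege: no logs:CreateLogGroup (the group already exists) and no
# AWSLambdaBasicExecutionRole (which grants the Logs actions on Resource "*").
data "aws_iam_policy_document" "lambda_logs" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.lambda.arn}:*"]
  }
}

resource "aws_iam_role_policy" "lambda_logs" {
  name   = "cloudwatch-logs"
  role   = aws_iam_role.lambda.name
  policy = data.aws_iam_policy_document.lambda_logs.json
}

data "archive_file" "handler" {
  type        = "zip"
  output_path = "${path.module}/handler.zip"
  source {
    content  = "def handler(event, context):\n    return {\"statusCode\": 200, \"body\": \"ok\"}\n"
    filename = "handler.py"
  }
}

resource "aws_lambda_function" "api" {
  function_name    = var.function_name
  role             = aws_iam_role.lambda.arn
  runtime          = "python3.12"
  handler          = "handler.handler"
  filename         = data.archive_file.handler.output_path
  source_code_hash = data.archive_file.handler.output_base64sha256
  depends_on       = [aws_cloudwatch_log_group.lambda, aws_iam_role_policy.lambda_logs]
}

resource "aws_apigatewayv2_api" "http" {
  name          = "${var.function_name}-api"
  protocol_type = "HTTP"
}

resource "aws_apigatewayv2_integration" "lambda" {
  api_id                 = aws_apigatewayv2_api.http.id
  integration_type       = "AWS_PROXY"
  integration_uri        = aws_lambda_function.api.invoke_arn
  payload_format_version = "2.0"
}

resource "aws_apigatewayv2_route" "default" {
  api_id    = aws_apigatewayv2_api.http.id
  route_key = "$default"
  target    = "integrations/${aws_apigatewayv2_integration.lambda.id}"
}

resource "aws_apigatewayv2_stage" "default" {
  api_id      = aws_apigatewayv2_api.http.id
  name        = "$default"
  auto_deploy = true
}

# The trigger: only this API (any stage and route) may invoke the function.
resource "aws_lambda_permission" "apigw" {
  statement_id  = "AllowApiGatewayInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.api.function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_apigatewayv2_api.http.execution_arn}/*/*"
}
```

The two things to look for in generated code: the Logs policy names a single log group ARN (with the `:*` suffix for its streams) rather than `*`, and the `aws_lambda_permission` carries a `source_arn`, so that any API Gateway in any account cannot invoke the function.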

Best Practices for Prompting

  1. Be Prefix Explicit: Use clear action words. Prefix your prompt with "Generate Terraform code for..." or "Update the AWS module...". If the intent is conversationally ambiguous, the Supervisor's HITL (human-in-the-loop) integration will interrupt execution and ask you for clarification before anything is generated.
  2. Include Constraints: Use negative prompts if needed. E.g., "Do not include public subnets in this RDS deployment."
  3. Reference File Outcomes: Explicitly demand variable setups. E.g., "Make sure the VPC ID is cleanly exposed in outputs.tf."