AWS Orchestrator Capabilities
This page details the specific capabilities of the AWS Orchestrator Agent, including supported AWS services, generation features, and output specifications.
What It Generates
The AWS Orchestrator Agent produces complete, production-ready Terraform modules with all required files:
| Output File | Contents |
|---|---|
| main.tf | Resource definitions with lifecycle rules, tags, and dependencies |
| variables.tf | Typed variables with validation rules, defaults, and descriptions |
| outputs.tf | Output values with sensitive flag and descriptions |
| data.tf | Data sources for dynamic lookups (AWS account, region, etc.) |
| locals.tf | Computed values, naming conventions, tag maps |
| backend.tf | S3 + DynamoDB backend with encryption and locking |
| README.md | Usage examples, input/output tables, requirements |
Generation Quality
Security Best Practices (Built-in)
| Practice | Implementation |
|---|---|
| Encryption at Rest | KMS keys for S3, EBS, RDS, Secrets Manager |
| Encryption in Transit | TLS/SSL enforcement, HTTPS-only listeners |
| Least Privilege IAM | Scoped IAM policies with specific resource ARNs |
| Network Isolation | Private subnets, security groups with minimal ingress |
| Public Access Blocks | S3 public access blocks enabled by default |
| Secret Management | Secrets Manager integration, no hardcoded credentials |
Terraform Best Practices
| Practice | Implementation |
|---|---|
| Resource Naming | Consistent naming with local.name_prefix |
| Tagging Strategy | Common tags via local.common_tags merge |
| Variable Validation | Type constraints and custom validation rules |
| Lifecycle Rules | prevent_destroy, create_before_destroy where appropriate |
| Dependencies | Explicit depends_on for non-obvious dependencies |
| State Locking | S3 backend with DynamoDB lock table |
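The following is an added illustration of the conventions in the table above (typed variables with validation, a `local.name_prefix` naming scheme, a `local.common_tags` merge, and an encrypted, locked S3 backend). It is example code written for this page, not output captured from the agent. The variable names `project`, `environment`, `retention_days` and `tags` follow the names used elsewhere on this page; the backend bucket and lock-table names are placeholders, since a `backend` block cannot reference variables and has to be filled in per environment.

```hcl
# variables.tf (example, not agent output)
variable "project" {
  description = "Short project identifier used in resource names and tags"
  type        = string
  validation {
    condition     = can(regex("^[a-z][a-z0-9-]{1,30}$", var.project))
    error_message = "project must be lowercase alphanumeric/hyphens, 2-31 chars, starting with a letter."
  }
}

variable "environment" {
  description = "Deployment environment; drives naming and tagging"
  type        = string
  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "environment must be one of: dev, staging, prod."
  }
}

variable "retention_days" {
  description = "Days before log objects expire"
  type        = number
  default     = 365
  validation {
    condition     = var.retention_days >= 30
    error_message = "retention_days must be at least 30 to keep logs available for review."
  }
}

variable "tags" {
  description = "Additional tags merged on top of the module's common tags"
  type        = map(string)
  default     = {}
}

# locals.tf (example, not agent output)
locals {
  # Every resource name in the module derives from this prefix
  name_prefix = "${var.project}-${var.environment}"

  # Caller-supplied tags win over the defaults because merge() takes the last value
  common_tags = merge(
    {
      Project     = var.project
      Environment = var.environment
      ManagedBy   = "terraform"
    },
    var.tags,
  )
}

# backend.tf (example, not agent output); names are placeholders to replace per environment
terraform {
  backend "s3" {
    bucket         = "PLACEHOLDER-tfstate-bucket"
    key            = "s3-application-logs/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true                      # server-side encryption of the state object
    dynamodb_table = "PLACEHOLDER-tfstate-locks" # lock table prevents concurrent applies
  }
}
```

The validation blocks fail at `terraform plan` time, before anything is created, so a mistyped environment or an overly short retention period is caught before it reaches AWS.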
Processing Characteristics
| Aspect | Details |
|---|---|
| Processing Time | 20-25 minutes for enterprise-grade modules |
| Deep Research | Analyzes AWS service documentation and best practices |
| Iterative Refinement | Multiple planning passes for complex requirements |
| Dependency Resolution | Automatic resolution of resource dependencies |
| Validation | HCL syntax validation before file writing |
Input Flexibility
The agent understands natural language requests at various levels of specificity:
High-Level Requests
"Create an S3 bucket for storing application logs"
The agent infers sensible settings for versioning, lifecycle policies, encryption, and access controls.
Detailed Requests
"Create an S3 bucket with:
- Versioning enabled
- 90-day transition to Glacier
- 365-day expiration
- KMS encryption with custom key
- Block all public access"
The agent implements the specifications exactly as given.
Complex Multi-Service Requests
"Create a complete VPC with public/private subnets across 3 AZs,
NAT gateways, and an ALB for a containerized application"
The agent will generate interconnected resources with proper dependencies.
Limitations
| Limitation | Details |
|---|---|
| AWS Only | Currently supports AWS provider only (Azure/GCP planned) |
| Single Module | Generates one module per request |
| No State Import | Cannot import existing infrastructure |
| No Terraform Apply | Generates code only, does not execute |
| Processing Time | 20-25 minutes per module (thorough analysis) |
Example Output
For a request like "Create an S3 bucket for application logs", the agent generates:
Generated File Structure
```text
s3_application_logs/
├── main.tf        # S3 bucket with versioning, encryption, lifecycle
├── variables.tf   # bucket_name, environment, retention_days, tags
├── outputs.tf     # bucket_id, bucket_arn, bucket_domain_name
├── data.tf        # aws_caller_identity, aws_region
├── locals.tf      # name_prefix, common_tags
├── backend.tf     # S3 + DynamoDB backend configuration
└── README.md      # Complete usage documentation
```
Sample main.tf Structure
```hcl
resource "aws_s3_bucket" "this" {
  bucket = local.bucket_name
  tags   = local.common_tags
}

resource "aws_s3_bucket_versioning" "this" {
  bucket = aws_s3_bucket.this.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  bucket = aws_s3_bucket.this.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.this.arn
    }
  }
}

# ... additional resources for lifecycle, public access block, etc.
```
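The sample above stops at the encryption configuration. As an added example (written for this page, not generated by the agent), the block below shows how the security practices listed earlier (KMS at rest, TLS in transit, public access blocks, explicit dependencies) look when carried through for the same bucket: the `aws_kms_key.this` the sample references, the public access block, the lifecycle rule matching the "90-day Glacier / expiration" request, and a bucket policy that denies any request not made over TLS. It assumes the `local.name_prefix`, `local.common_tags` and `var.retention_days` names that appear in this page's file structure.

```hcl
# Customer-managed KMS key referenced by the sample's encryption configuration.
# Rotation is on; the deletion window gives time to recover from an accidental schedule_key_deletion.
resource "aws_kms_key" "this" {
  description             = "${local.name_prefix}-logs bucket key"
  deletion_window_in_days = 30
  enable_key_rotation     = true
  tags                    = local.common_tags
}

# All four public-access settings on, so neither an ACL nor a bucket policy can expose objects.
resource "aws_s3_bucket_public_access_block" "this" {
  bucket                  = aws_s3_bucket.this.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lifecycle: move to Glacier after 90 days, expire after var.retention_days,
# and clean up non-current versions so versioning does not grow unbounded.
# The explicit depends_on is the documented ordering: lifecycle rules that reference
# non-current versions should be created after versioning is enabled.
resource "aws_s3_bucket_lifecycle_configuration" "this" {
  bucket     = aws_s3_bucket.this.id
  depends_on = [aws_s3_bucket_versioning.this]

  rule {
    id     = "log-retention"
    status = "Enabled"
    filter {} # empty filter = applies to every object in the bucket

    transition {
      days          = 90
      storage_class = "GLACIER"
    }
    expiration {
      days = var.retention_days
    }
    noncurrent_version_expiration {
      noncurrent_days = 30
    }
  }
}

# Encryption in transit: deny any S3 action on the bucket or its objects when the
# request did not arrive over TLS (aws:SecureTransport == false).
data "aws_iam_policy_document" "deny_insecure_transport" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.this.arn,
      "${aws_s3_bucket.this.arn}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

# Apply the policy only after the public access block exists, so there is no window
# in which a policy is evaluated without the block's restrictions in place.
resource "aws_s3_bucket_policy" "this" {
  bucket     = aws_s3_bucket.this.id
  policy     = data.aws_iam_policy_document.deny_insecure_transport.json
  depends_on = [aws_s3_bucket_public_access_block.this]
}
```

A quick check after `terraform apply`: `aws s3api get-public-access-block --bucket <name>` should report all four settings `true`, and an `http://` (non-TLS) request against the bucket should be rejected with `AccessDenied`.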
📖 See more examples: Check the Examples page for complete generation outputs.