Source of truth for AI assistants and review tooling (including CodeRabbit). Rules live in developer-docs/; commands in CONTRIBUTING.md.
ROSA HCP only — not terraform-rhcs-rosa-classic.
| Topic | When to read | Doc |
|---|---|---|
| Architecture | Any change; HCP versus Classic; ROSA CLI parity | developer-docs/architecture.md |
| Providers and versions | Providers, floors, new AWS resources | developer-docs/providers-and-versions.md |
| Submodules | Adding or editing modules/** | developer-docs/submodules.md |
| Security | Secrets, sensitive, outputs | developer-docs/security.md |
| Variables | Adding or changing variable blocks | developer-docs/variables.md |
| Commands and PR checks | Before opening a PR | CONTRIBUTING.md |
Entrypoints CLAUDE.md and GEMINI.md point here.
HashiCorp terraform skills — CONTRIBUTING.md wins on conflict.
| Skill | When |
|---|---|
| terraform-style-guide | HCL layout — see developer-docs/variables.md |
| terraform-test | *.tftest.hcl, mocks |
| refactor-module | Module splits, breaking interface changes |
- Check rhcs provider schema for root `versions.tf` range.
- Provider bump? Update root `versions.tf` first — developer-docs/providers-and-versions.md.
- AWS-only submodule? — read in order: developer-docs/submodules.md, developer-docs/variables.md, developer-docs/providers-and-versions.md, developer-docs/architecture.md. Then check the ROSA CLI source for any field the module validates. For each AWS resource created, fetch the provider documentation and apply all notes and warnings before implementing.
- Variables? — read developer-docs/variables.md. For each variable that maps to a ROSA CLI-validated field (name, path, prefix, enum), verify the validation block against the CLI source before finishing.
- Docs/tests/commands — CONTRIBUTING.md.
- Security — developer-docs/security.md.
- MUST NOT: Change variable/output names or types without a migration plan.
- MUST: Confirm HCP support — if the `rhcs` resource lacks `_hcp`, check provider docs.
- Submodule `terraform test` may need a newer Terraform CLI than the module minimum — see CONTRIBUTING.md.
- MUST: Add or update `*.tftest.hcl` when module behavior changes.
- MUST: Mock AWS/RHCS — no live credentials in tests.
- MUST: Boolean branches — cover both outcomes (`true`/`count=1` and `false`/`count=0`).
- MUST: Validation blocks — add an `expect_failures` run for each `validation` block added.
- MUST: `make pre-push-checks` before PR — CONTRIBUTING.md.
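Added example (not a test file from this repository) of a submodule `*.tftest.hcl` that follows the rules above: both providers mocked, both outcomes of a boolean-gated `count`, and an `expect_failures` run for a `validation` block. The variable names (`enable_feature`, `cluster_name`), the resource address (`aws_iam_role.this`) and the provider local names are assumptions.

```hcl
# Assumed layout: modules/<example>/tests/<example>.tftest.hcl
# Mocked providers: no live AWS or RHCS credentials are needed.
mock_provider "aws" {}
mock_provider "rhcs" {}

# Defaults shared by every run; individual runs override what they need.
variables {
  cluster_name = "example-cluster"
}

# Boolean branch, true outcome: the gated resource is planned (count=1).
run "feature_enabled_creates_resource" {
  command = plan
  variables {
    enable_feature = true
  }
  assert {
    condition     = length(aws_iam_role.this) == 1
    error_message = "expected count=1 when enable_feature is true"
  }
}

# Boolean branch, false outcome: nothing is planned (count=0).
run "feature_disabled_creates_nothing" {
  command = plan
  variables {
    enable_feature = false
  }
  assert {
    condition     = length(aws_iam_role.this) == 0
    error_message = "expected count=0 when enable_feature is false"
  }
}

# Validation block: an invalid value must fail, and only in that variable.
# If the validation is missing or too loose, this run fails the test.
run "invalid_cluster_name_rejected" {
  command = plan
  variables {
    cluster_name = "Invalid_Name!"
  }
  expect_failures = [var.cluster_name]
}
```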
WHEN editing root Dockerfile:
- MUST: Minimal surface — only what Prow presubmits need (`make verify`, `verify-gen`, `run-example`, `pre-push-checks` tools).
- MUST: Pin versions (UBI, AWS CLI, ROSA CLI, Terraform); `# renovate:` comments; release binaries via `hack/install-release-tool.sh`.
- MUST: Verify AWS CLI (`gpg --verify`) and ROSA CLI (`sha256sum -c`) per existing patterns.
- MUST NOT: Add packages/runtimes without a job that uses them.
WHEN `make security-check` reports a finding:
- MUST: Treat as real unless it is a documented mock in allowlisted test code (`.gitleaks.toml`).
- Config: `.gitleaks.toml`; install: `make security-check-bin`.
WHEN `make security-check` reports HIGH/CRITICAL:
- MUST: Fix HCL first (least privilege, encryption, IMDSv2).
- MAY: `#checkov:skip=<ID>:<reason>` on the line above the resource (narrow scope).
- MAY: `checkov.yaml` `skip-check` only when an inline skip is impossible.
- MUST: Remove stale suppressions when checks no longer fire.
Config: `checkov.yaml`; `modules/rosa-cluster-hcp/main.tf` skipped (Checkov parse limit).