aws-migration-architect

Compare source and target AWS accounts after the cutover. Re-runs the same describe-* scope against both profiles, structurally diffs, categorizes drift (missing/extra/config/security/cost/scope), and emits audit-diff.json + audit-report.md.

Discover-only pass — inventory the source account + dependency analysis, but skip Terraform generation and migration planning. Use to understand what is in the source account before committing to a migration.

Execute an already-approved cutover-checklist.md against the target account, one resource at a time, with mandatory per-step human approval and resumable journal. Halts and offers rollback on failure. Polls long-running data-plane jobs.

Run the full AWS account-to-account migration pipeline end-to-end (Discover → Generate → Cutover). Halts at the cutover checklist; human runs the actual cutover, then invokes /aws-migration-architect:audit.

Generate the control-plane cutover checklist — 7 phases (Globals → Networking → Storage Containers → Database Containers → Compute Containers → DNS Scaffolding → Control Plane Validation) of Terraform module applies and AWS control-plane API operations. NO data movement, NO writable-data freeze, NO production DNS swap. Output is cutover-checklist-control-plane.json + .md. Use when invoked by the cutover-control-plane skill or the migrate workflow.

Generate the data-plane cutover checklist — 5 phases (Pre-Staging → Bulk Transfers → Application Data → Cutover → Data Validation) that move data, freeze writes, swap DNS, promote replicas, and validate the copy. Consumes data-migration-plan.json as primary input. NO terraform applies, NO IAM creation. Output is cutover-checklist-data-plane.json + .md. Use when invoked by the cutover-data-plane skill or the migrate workflow.

Actually execute the cutover one resource at a time. Reads BOTH cutover checklists (cutover-checklist-control-plane.json AND cutover-checklist-data-plane.json) plus data-migration-plan.json + migration-plan.json + dependency-graph.json. Compiles execution-steps.json walking control-plane first then data-plane (preview/execute/verify/rollback/poll per step). Walks the list with mandatory per-step human approval. Halts and offers rollback on failure. Resumable via append-only JSONL journal (re-verifies in-flight steps against AWS before continuing). Polls long-running data-plane jobs (DataSync, DMS, S3 Batch, DynamoDB export/import). Use when invoked by the cutover-executor skill or the migrate workflow's Execute phase.

Plan data movement for every data-bearing resource. Sizes each datastore via AWS APIs (CloudWatch + describe), picks transfer tool + mode per the rules in the data-migration-planner skill (size, RPO, encryption), estimates wall-clock time using per-tool throughput models, prices the transfer via the awspricing MCP, applies criticality-tier RPO/RTO defaults, computes freeze windows for non-continuous strategies, defines validation methods, and emits data-migration-plan.json + .md. Use when invoked by the data-migration-planner skill or the migrate workflow's DataPlan phase.

Read-only AWS dependency analysis sub-agent. Reads inventory.json and walks every resource configuration to enumerate cross-resource references (SG, IAM, Lambda env, S3 policy, Route53, etc.), classifies IAM trusts (cross-account/OIDC/IRSA/SAML), detects hard-coded values (account IDs, regions, EIPs, ARNs, domains), assigns Low/Medium/High risk per resource, and emits Mermaid architecture diagrams. Use when invoked by the dependency-analyzer skill or the migrate workflow.

Generate the control-plane cutover runbook — the steps that create the empty target shape (IAM, networking, KMS keys, empty resource containers, DNS scaffolding) via Terraform module applies and AWS control-plane API calls. Phase 0 (Globals: IAM/Route53 root/CloudFront/Backup) → 1 (Networking) → 2 (Storage containers) → 3 (Database containers) → 4 (Compute containers) → 5 (DNS scaffolding, no record changes) → 6 (Control plane validation). Produces cutover-checklist-control-plane.md + .json. Runs BEFORE the data-plane runbook.

Generate the data-plane cutover runbook — the steps that move actual data (snapshot shares, KMS grants, AMI shares, DataSync, DMS, S3 sync, snapshot-restore, ECR push, secret values), freeze writes during cutover, swap DNS / promote replicas, and validate the copy. Consumes data-migration-plan.json for sizing, strategy, freeze windows, and validation criteria. Phase 1 (Pre-Staging) → 2 (Bulk Transfers) → 3 (Application Data) → 4 (Cutover: freeze + promote + swap) → 5 (Data Validation). Produces cutover-checklist-data-plane.md + .json. Runs AFTER the control-plane runbook completes.

Execute BOTH approved cutover checklists (control plane then data plane) against the target AWS account, one resource at a time. Reads cutover-checklist-control-plane.json, cutover-checklist-data-plane.json, data-migration-plan.json, migration-plan.json. Builds an execution-steps.json with preview/execute/verify/rollback/poll per step. Walks control-plane steps first (Terraform module applies + AWS control-plane API), then data-plane steps (snapshot share, restore, DataSync, DMS, freeze, route53 swap, validation). Mandatory per-step human approval. Halts and offers rollback on failure. Resumable via append-only JSONL journal — on resume, re-verifies any in-flight steps against AWS before continuing.

Plan the data movement for every data-bearing resource in scope. Sizes each datastore via AWS APIs, picks the right transfer tool + mode (bulk vs bulk+delta vs continuous), estimates wall-clock transfer time and dollar cost (egress, cross-region, cross-account, tool runtime, double storage), captures encryption requirements (KMS grants, re-encryption), surfaces RPO/RTO targets per criticality tier, and produces freeze windows and validation criteria per datastore. Output is data-migration-plan.json + .md — consumed by cutover-data-plane to inject real timings into the cutover checklist.

Find the hidden coupling that breaks migrations. Walks resource-to-resource references (SG rules, Lambda env vars, S3 policies, IAM trust chains), classifies IAM trusts (cross-account, OIDC, IRSA, SAML), detects hard-coded values (account IDs, regions, EIPs, ARNs, domains), assigns Low/Medium/High risk per resource, and emits Mermaid architecture diagrams. Use after `inventory` and before `terraform-generator` or `migration-planner`.