Generate the control-plane cutover runbook — the steps that create the empty target shape (IAM, networking, KMS keys, empty resource containers, DNS scaffolding) via Terraform module applies and AWS control-plane API calls. Phase 0 (Globals: IAM/Route53 root/CloudFront/Backup) → 1 (Networking) → 2 (Storage containers) → 3 (Database containers) → 4 (Compute containers) → 5 (DNS scaffolding, no record changes) → 6 (Control plane validation). Produces cutover-checklist-control-plane.md + .json. Runs BEFORE the data-plane runbook.
Slash command: `/aws-migration-architect:cutover-control-plane`
This skill produces the runbook for **creating the empty target shape**. No data moves here. The output is what the operator (or the cutover-executor) runs to provision the target account so that the data-plane runbook has a destination to copy into.
- migration-planner (reads migration-plan.json)
- cutover-data-plane (the data-plane runbook depends on this completing)
- migration-plan.json, resource-ownership.json, dependency-graph.json, hardcoded-values.json exist
- terraform/ modules generated by terraform-generator exist with `terraform validate` clean

| Input | Source | Required |
|---|---|---|
| migration-plan.json | migration-planner | yes |
| resource-ownership.json | inventory | yes |
| dependency-graph.json | dependency-analyzer | yes |
| hardcoded-values.json | dependency-analyzer | yes |
| terraform/ modules | terraform-generator | yes |
- cutover-checklist-control-plane.md — printable runbook for the operator
- cutover-checklist-control-plane.json — validates against schemas/cutover-checklist-control-plane.schema.json. Consumed by the cutover-executor.

Account-global resources that exist once, not per-region:

terraform apply iam/)

Operator IAM during this phase: target-cutover-control-plane.json only.
VPCs, subnets, NAT gateways, security groups, NACLs, route tables, TGW attachments, VPC peering bridges back to source (for cross-account data plane), VPC endpoints.
`terraform apply networking/`. One module apply, one operator approval (Terraform's own plan UI), no further per-resource gating in this phase.
Empty resource containers, no data:
`terraform apply storage/`. The actual data movement is the data-plane runbook's job.
The structural pieces databases need:
`terraform apply databases/`. Check data-migration-plan.json to know which databases need an empty container created vs which will appear via restore.
`terraform apply compute/`.
NOT actual record changes — the records still point at source. This phase creates the scaffolding needed for the eventual cutover:
The actual DNS swap is in the data-plane runbook (Phase 4 there).
Before handing off to data plane:
- `terraform plan` against every module shows no drift
- `iam:simulate-principal-policy`
- `aws ... describe-*`.
- generation-report.md

The control-plane runbook ends with a `handoff_to_data_plane.criteria[]` list. All criteria must be checked before the operator starts `/aws-migration-architect:execute` on the data-plane checklist. Example criteria:
Every phase gets these standard items:
Pre:
- `aws sts get-caller-identity --profile $MIGRATION_TARGET_PROFILE` succeeds
- `terraform plan -target=module.<mod>` reviewed

During:
- `terraform apply` runs cleanly (or AWS CLI commands for non-Terraform control-plane operations)

Post:
- `aws ... describe-*`

For each phase where any resource has `owner_team` set in migration-plan.json, inject an approval gate at phase boundary:
> ⚠ Approval required from **<team>** before Phase N begins
> Sign-off: ________________________________

- target-cutover-data-plane.json IAM
- `aws s3 sync`, `aws rds restore-db-instance-from-db-snapshot`, `aws datasync ...`, `aws dms ...` — those are data-plane.
- `aws route53 change-resource-record-sets` for production records — that's data-plane's traffic shift.

Calls cutover-control-plane-builder to render the per-phase steps from migration-plan.json.
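
One way to enforce the control-plane/data-plane boundary and the handoff rule described above, as an added example that is not part of the plugin's own code: a lint over the control-plane checklist JSON that flags data-plane commands and unchecked handoff criteria. Only `handoff_to_data_plane.criteria[]` is named on the page; the `phases[].steps[].command` layout and the `text`/`checked` fields are assumptions, and the sample checklist is constructed.

```python
import re

# Global options such as "--profile x" may sit between "aws" and the service name.
_OPTS = r"(?:--\S+\s+\S+\s+)*"
# Operations the page assigns to the data-plane runbook.
DATA_PLANE = [re.compile(r"\baws\s+" + _OPTS + p) for p in (
    r"s3\s+sync\b",
    r"rds\s+restore-db-instance-from-db-snapshot\b",
    r"datasync\b",
    r"dms\b",
    r"route53\s+change-resource-record-sets\b",
)]

def lint_checklist(checklist):
    """Return findings; an empty list means the handoff may proceed."""
    findings = []
    # Assumed layout: phases[].steps[].command holds the shell command text.
    for phase in checklist.get("phases", []):
        for step in phase.get("steps", []):
            cmd = step.get("command", "")
            if any(p.search(cmd) for p in DATA_PLANE):
                findings.append(f"phase {phase.get('id')}: data-plane command: {cmd}")
    # handoff_to_data_plane.criteria[] is named on the page; "checked" is assumed.
    criteria = checklist.get("handoff_to_data_plane", {}).get("criteria", [])
    if not criteria:
        findings.append("handoff_to_data_plane.criteria[] is missing or empty")
    for item in criteria:
        if item.get("checked") is not True:
            findings.append(f"unchecked handoff criterion: {item.get('text')}")
    return findings

# Constructed sample input, not output of the real skill.
SAMPLE = {
    "phases": [
        {"id": 1, "steps": [{"command": "terraform apply networking/"}]},
        {"id": 2, "steps": [
            {"command": "terraform apply storage/"},
            {"command": "aws --profile target s3 sync s3://src-bucket s3://dst-bucket"},
        ]},
    ],
    "handoff_to_data_plane": {"criteria": [
        {"text": "terraform plan shows no drift", "checked": True},
        {"text": "operator IAM simulated", "checked": False},
    ]},
}

if __name__ == "__main__":
    for finding in lint_checklist(SAMPLE):
        print(finding)
```

Global flags that take no value (for example `--no-paginate`) are not covered by the option pattern, so a stricter deployment would tokenize the command instead of matching with a regular expression.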
npx claudepluginhub pavankishore1987/aws-migration-architect --plugin aws-migration-architect