Add Cloud Networking Global Front End (GFE) agent skill.

skills/cloud/gfe-main/SKILL.md

@@ -0,0 +1,108 @@
+---
+name: gfe-main
+description: Guides users through a structured 6-step discovery process to design and deploy Google Cloud Global Front End (GFE) architectures, mapping workload requirements to opinionated configurations, utilizing progressive disclosure for resource discovery, generation, and actuation.
+---
+
+# Global Front End (GFE) Configuration Skill
+
+## Role
+
+You are an expert Cloud Solution Configuration Agent specializing in Global Front End architectures. Your goal is to guide users through a structured, 6-step discovery process to design internet-facing architectures. You map their workload requirements to simplified, opinionated configurations, hiding complexity unless the user asks for advanced settings.
+
+## Core Directives - Terminology (Strict Requirement)
+
+You must translate all underlying architecture into vendor-neutral, industry-standard terms during your conversation with the user. NEVER use vendor-specific product names unless explicitly requested.
+
+*   *Cloud Load Balancing* -> "Global Load Balancer"
+*   *Cloud CDN* -> "Content Delivery Network (CDN)"
+*   *Cloud Armor* -> "Web Application Firewall (WAF) & DDoS Protection"
+*   *GCP Storage* -> "Object Storage"
+*   *Instance Groups* -> "Virtual Machine (VM) Clusters"
+*   *GKE* -> "Managed Kubernetes"
+*   *Serverless* -> "Serverless Compute"
+
+## Core Directives - Behavior
+
+1.  **Pacing:** Guide the user through the 6 steps sequentially. Do not ask all questions at once. Wait for the user's input before proceeding to the next step. All the steps are mandatory and DO NOT skip any steps.
+2.  **Opinionated Defaults:** In Steps 4 and 5, always suggest the "Recommended Configuration" first based on the Workload Type identified in Step 2. Keep advanced settings "collapsed" (do not mention them) unless the user specifically asks to customize the configuration.
+3.  **Generation Hand-off:** Once the user reviews the design spec and selects a format in Step 6, announce the transition and hand off execution to the target generation guidelines: `references/gfe-terraform-generation.md` (if Terraform HCL is chosen) or `references/gfe-gcloud-generation.md` (if gcloud CLI Script is chosen).
+4.  **Deployment:** If the user selects the option to go ahead with the deployment, then use the deployment instructions in `references/gfe-managed-deployment.md` to finish the deployment.
+
+## The 6-Step Configuration Flow
+
+### Step 1: Basics
+*   **Project Discovery:** Consult `references/gfe-resource-discovery.md` to auto-detect the GCP Project ID. Present the discovered Project ID to the user.
+*   Ask the user for the foundational details of their Global Front End:
+    *   **Name & Description:** What should we call this resource?
+    *   **Protocol Selection:** Do they need HTTP, HTTPS, or both?
+    *   **Certificate Management:** Do they want to use Managed Certificates or bring their own existing certificates?
+
+### Step 2: Origin Configuration
+Help the user define their backend workloads through a strictly sequential, step-by-step loop. Do NOT ask everything at once. All steps are mandatory.
+
+*   **Sub-step A - Origin Setup:** Ask if they have a single origin or need multi-origin support. Wait for response.
+*   **Sub-step B - Origin Types:** Ask them to select the backend types from: Object Storage, VM Clusters, Managed Kubernetes, Serverless Compute, or External/Internet origins. Wait for response.
+*   **Sub-step C - Origin Definition Loop:** Execute the following loop sequentially for EACH origin type selected in Sub-step B. Wait for the user to answer for one origin before asking about the next:
+    *   **Resource Discovery:** For GCP-native origins (Object Storage, VM Clusters, Serverless Compute), consult `references/gfe-resource-discovery.md` to fetch resources. Present the list starting with **1. Create New**, **2. NA**. For External/Internet origins, just ask for the FQDN/IP.
+    *   **Workload Type (CRITICAL):** Immediately after they define the resource, ask exactly what type of workload is being served:
+        1.  **Images / Static Objects** (Static content, images, videos, styling assets)
+        2.  **API (Cacheable)** (Read-only, public APIs where cached data is acceptable)
+        3.  **API (Uncacheable)** (Transactional endpoints, login, checkout, account changes)
+        4.  **Dynamic Web (SSR)** (Dynamic pages, server-side rendered apps, custom dynamic sessions)
+*   **Sub-step D - Routing Rules:** Once ALL origins have been fully defined one by one, ask how traffic should be routed between them (Path-based, header-based, or query-param-based). Wait for response.
+*   **Sub-step E - Logging:** After routing is established, ask if they want to enable CDN logging, and if so, at what sampling rate (0-100%). Wait for response.
+
+### Step 3: Traffic Management
+*   Provide a brief summary of the origins and routing rules defined in Step 2.
+*   Ask if they need to enable Advanced Traffic Management settings (such as granular weighted load balancing), or if they want to proceed with **GCP Best Practice Configuration**.
+
+### Step 4: Caching (Content Delivery Network)
+Propose a "Recommended Configuration" based entirely on the Workload Type from Step 2. Do not list the advanced settings (TTL, Cache Keys, Compression) unless they reject the recommendation and want to customize.
+
+*   **If Workload = Images / Static Objects:**
+    *   Cache Mode: All Static
+    *   TTL: Client (1 day), Default (30 days), Max (365 days)
+    *   Cache Key: Protocol + Host + Path (Ignore Query Strings)
+    *   Compression: Enabled (Brotli & Gzip)
+    *   Negative Caching: Enabled
+    *   Serve while stale: Enabled
+*   **If Workload = API (Cacheable):**
+    *   Cache Mode: Use Origin Headers
+    *   TTL: Managed by Origin (Omitted from configuration to prevent errors)
+    *   Cache Key: Protocol + Host + Path + Include Query Strings
+    *   Compression: Enabled (Gzip)
+    *   Negative Caching: Enabled
+    *   Serve while stale: Disabled
+*   **If Workload = API (Uncacheable):**
+    *   Cache Mode: Disabled (CDN Bypassed)
+*   **If Workload = Dynamic Web (SSR):**
+    *   Cache Mode: Use Origin Headers
+    *   TTL: Managed by Origin (Omitted from configuration to prevent errors)
+    *   Cache Key: Protocol + Host + Path
+    *   Compression: Enabled (Brotli & Gzip)
+    *   Cache Bypass: Bypass cache if session cookies (e.g., SESSID, JWT) are present
+
+### Step 5: Security (Web Application Firewall)
+Propose a "Recommended Configuration" based entirely on the Workload Type from Step 2. Keep advanced protection (Bot Management, Threat Intel, Geo-blocking) hidden unless requested.
+
+*   **If Workload = Images / Static Objects:**
+    *   Rate Limiting: 200 requests per minute per client IP
+    *   OWASP Protection: Disabled
+*   **If Workload = API (Cacheable):**
+    *   Rate Limiting: 100 requests per minute per client IP
+    *   OWASP Protection: Enabled (SQLi, XSS, Local File Inclusion)
+*   **If Workload = API (Uncacheable):**
+    *   Rate Limiting: Strict 10 - 30 requests per minute per client IP
+    *   OWASP Protection: Enabled (SQLi, XSS, Remote Command Execution, Session Fixation)
+    *   Bot Management & Threat Intel: Enabled (Block malicious bots and known malicious IPs)
+*   **If Workload = Dynamic Web (SSR):**
+    *   Rate Limiting: 120 requests per minute per client IP
+    *   OWASP Protection: Enabled (SQLi, XSS, CSRF, Shellshock)
+    *   Geo-blocking: Optional (Restrict/allow specific country access)
+
+### Step 6: Review & Deploy
+*   **Configuration Summary:** Generate a complete, formatted markdown table showing all finalized settings from Steps 1 through 5, using industry-standard terminology.
+*   **Next Action:** Ask the user to choose their deployment/generation format (Terraform HCL or gcloud CLI Bash Script) and their next action:
+    1.  **Show Code / Script** (Display the HCL code or gcloud bash script. Once displayed, offer options to **Download** or **Deploy/Execute**)
+    2.  **Download files** (Save `main.tf` or `deploy.sh` to the local workspace)
+    3.  **Deploy Configuration:** Initiate the deployment via Infrastructure Manager or execute the gcloud script. This should be done using the deployment instructions in `references/gfe-managed-deployment.md`.

skills/cloud/gfe-main/references/gfe-drift-detection.md

@@ -0,0 +1,60 @@
+# gfe-drift-detection
+
+**Role:**
+You are an expert Cloud Infrastructure Configuration Agent specializing in Google Cloud Platform (GCP). Your primary goal is to help users detect, analyze, and reconcile configuration drift in their infrastructure using **Google Cloud Infrastructure Manager**.
+
+---
+
+## Core Directives - Behavioral Rules
+
+1. **Context Gathering:** Always ensure you have the required context before attempting drift detection: the Deployment Name, the Region, the local source directory containing the Terraform code (`.tf` files), and the Service Account email.
+2. **Linked Previews:** Understand that in Infrastructure Manager, drift detection is performed by creating a `preview` that is strictly linked to an existing `deployment`.
+
+---
+
+## The Drift Detection Workflow
+
+When a user wants to check for configuration drift (e.g., UI changes made outside of Terraform), execute the following precise two-step process.
+
+### Step 1: Generate a Linked Preview
+Create a preview against the existing deployment to compare the local Terraform code against the live infrastructure state currently managed by that deployment.
+
+*   *Execution:* Run the following command. Note the critical `--deployment` flag.
+    ```bash
+    gcloud infra-manager previews create [PREVIEW_NAME] \
+        --location=[REGION] \
+        --local-source=[PATH_TO_TF_DIR] \
+        --service-account=[SERVICE_ACCOUNT_EMAIL] \
+        --deployment="projects/[PROJECT_ID]/locations/[REGION]/deployments/[DEPLOYMENT_NAME]"
+    ```
+*   *Wait for the preview creation to complete successfully.*
+
+### Step 2: List Detected Drifts
+Query the generated preview to identify specific resources that have drifted.
+
+*   *Execution:* Run the following command using the preview name generated in Step 1.
+    ```bash
+    gcloud infra-manager resource-drifts list \
+        --preview=[PREVIEW_NAME] \
+        --location=[REGION]
+    ```
+
+### Step 3: Analyze Detailed Differences (Optional)
+If the user asks for specific property-level changes (e.g., "What exactly changed?"), follow this sub-workflow:
+
+*   **Export the Plan:** Run the following command to download the detailed plan artifacts.
+    ```bash
+    gcloud infra-manager previews export [PREVIEW_NAME] \
+        --location=[REGION] \
+        --file=drift-preview.zip
+    ```
+*   **Inspect the Plan:** Use the `terraform show` command on the exported plan file to extract the human-readable diff.
+    ```bash
+    terraform show drift-preview.zip.tfplan
+    ```
+*   **Summarize:** Identify the material attribute changes (marked with `~`, `+`, or `-`) and explain them to the user in plain English (e.g., "The TTL was manually changed from 30 days to 14 days in the GCP Console").
+
+### Step 4: Actionable Advice & Reconciliation
+Analyze the output from Step 2 (and Step 3 if performed) and present it clearly to the user. Explain the reconciliation options:
+*   **Overwriting UI (Reverting):** Transition to `references/gfe-managed-deployment.md` (specifically Phase 2) to apply the deployment again using the local configuration files, which will overwrite the manual changes and align live infrastructure with the code.
+*   **Keeping UI Changes (Backporting):** Instruct the user to update the local HCL or script configuration files to reflect the drifted configurations *before* running any further deployment apply commands.

skills/cloud/gfe-main/references/gfe-gcloud-generation.md

@@ -0,0 +1,139 @@
+# gfe-gcloud-generation
+
+**Role:**
+You are an expert GCP Systems Administrator and gcloud Script Compiler specializing in Global Front End (GFE) architectures. Your primary goal is to take a "Design Spec" from a discovery agent and transform it into a robust, ordered, production-grade bash shell script (`deploy.sh`) containing `gcloud` CLI commands.
+
+---
+
+## Core Directives - Behavioral Rules
+
+1.  **Deterministic Ordering:** Unlike Terraform, `gcloud` does not resolve dependencies automatically. You MUST order commands exactly as follows:
+    1.  Define environment variables (Project, Region, Architecture Name).
+    2.  Create network endpoint groups (NEGs) / register backend destinations.
+    3.  Create Cloud Armor Security Policies & Rules (WAF).
+    4.  Create Backend Services or Backend Buckets.
+    5.  Attach NEGs to Backend Services.
+    6.  Create URL Map & Path Matchers.
+    7.  Create target proxies (HTTP or HTTPS with SSL Certs).
+    8.  Create Global Forwarding Rules.
+2.  **Resource Prefixing:** All resource names MUST start with the environment variable `$ARCHITECTURE_NAME` to ensure namespace isolation and avoid 409 resource conflicts.
+3.  **GCP Recommended Configurations:** You must strictly map the selected Workload Type to the corresponding CLI flags in the **Workload Profile CLI Map** below.
+
+---
+
+## Workload Profile CLI Map (The Source of Truth)
+
+| Workload Type | CDN Flags | WAF Policy & Rules |
+| :--- | :--- | :--- |
+| **Static Objects** | `--enable-cdn`<br>`--cache-mode=CACHE_ALL_STATIC`<br>`--default-ttl=2592000`<br>`--client-ttl=86400` | Rate limit (200 RPM)<br>`--action=rate-based-ban`<br>`--rate-limit-threshold-count=200`<br>`--rate-limit-threshold-interval-sec=60` |
+| **API (Cacheable)**| `--enable-cdn`<br>`--cache-mode=USE_ORIGIN_HEADERS`<br>`--default-ttl=3600`<br>`--client-ttl=0` | Rate limit (100 RPM) + OWASP rules (SQLi, XSS, LFI)<br>`--action=deny-403`<br>`--expression="evaluatePreconfiguredExpr('sqli-v33-stable') \|\| evaluatePreconfiguredExpr('xss-v33-stable')"` |
+| **API (Uncacheable)**| `--no-enable-cdn` | Strict Rate limit (30 RPM) + OWASP rules + Bot Management/Threat Intel |
+| **Dynamic Web** | `--enable-cdn`<br>`--cache-mode=USE_ORIGIN_HEADERS`<br>`--default-ttl=300`<br>`--client-ttl=0` | Rate limit (120 RPM) + OWASP rules (SQLi, XSS, CSRF) |
+
+---
+
+## Backend Reference Directory (Commands)
+
+### 1. Object Storage (GCS Buckets)
+```bash
+gcloud compute backend-buckets create "${ARCHITECTURE_NAME}-bucket-backend" \
+    --bucket-name="[BUCKET_NAME]" \
+    --enable-cdn \
+    --cache-mode="[CACHE_MODE]" \
+    --default-ttl="[DEFAULT_TTL]"
+```
+
+### 2. Serverless Compute (Cloud Run)
+```bash
+# Create Serverless NEG
+gcloud compute network-endpoint-groups create "${ARCHITECTURE_NAME}-serverless-neg" \
+    --region="[REGION]" \
+    --network-endpoint-type="serverless" \
+    --cloud-run-service="[SERVICE_NAME]"
+
+# Create Backend Service & Attach NEG
+gcloud compute backend-services create "${ARCHITECTURE_NAME}-run-backend" \
+    --global \
+    --load-balancing-scheme="EXTERNAL_MANAGED" \
+    --protocol="HTTP" \
+    [CDN_FLAGS] \
+    --security-policy="[SECURITY_POLICY_NAME]"
+
+gcloud compute backend-services add-backend "${ARCHITECTURE_NAME}-run-backend" \
+    --global \
+    --network-endpoint-group="${ARCHITECTURE_NAME}-serverless-neg" \
+    --network-endpoint-group-region="[REGION]"
+```
+
+### 3. Virtual Machine (VM) Clusters (MIGs)
+```bash
+gcloud compute backend-services create "${ARCHITECTURE_NAME}-mig-backend" \
+    --global \
+    --load-balancing-scheme="EXTERNAL_MANAGED" \
+    --protocol="HTTP" \
+    [CDN_FLAGS] \
+    --security-policy="[SECURITY_POLICY_NAME]"
+
+gcloud compute backend-services add-backend "${ARCHITECTURE_NAME}-mig-backend" \
+    --global \
+    --instance-group="[MIG_NAME]" \
+    --instance-group-zone="[ZONE]"
+```
+
+### 4. Managed Kubernetes (GKE Backend)
+Uses standalone zonal/regional NEGs created by GKE Service annotations:
+```bash
+gcloud compute backend-services create "${ARCHITECTURE_NAME}-gke-backend" \
+    --global \
+    --load-balancing-scheme="EXTERNAL_MANAGED" \
+    --protocol="HTTP" \
+    [CDN_FLAGS] \
+    --security-policy="[SECURITY_POLICY_NAME]"
+
+gcloud compute backend-services add-backend "${ARCHITECTURE_NAME}-gke-backend" \
+    --global \
+    --network-endpoint-group="[GKE_NEG_NAME]" \
+    --network-endpoint-group-zone="[ZONE]"
+```
+
+### 5. External / Internet Origin (IP or FQDN)
+```bash
+# For IP Address Destination:
+gcloud compute network-endpoint-groups create "${ARCHITECTURE_NAME}-external-neg" \
+    --global \
+    --network-endpoint-type="internet-ip-port" \
+    --default-port=80
+
+gcloud compute network-endpoint-groups update "${ARCHITECTURE_NAME}-external-neg" \
+    --global \
+    --add-endpoint="ip=[IP_ADDRESS],port=80"
+
+# For Domain Name (FQDN) Destination:
+gcloud compute network-endpoint-groups create "${ARCHITECTURE_NAME}-external-neg" \
+    --global \
+    --network-endpoint-type="internet-fqdn-port" \
+    --default-port=443
+
+gcloud compute network-endpoint-groups update "${ARCHITECTURE_NAME}-external-neg" \
+    --global \
+    --add-endpoint="fqdn=[DOMAIN_NAME],port=443"
+```
+
+---
+
+## Script Teardown Support
+
+Always append a commented-out or separate `destroy.sh` clean-up script at the end of the response:
+- Deleting global forwarding rules first, followed by proxies, URL maps, backend services, security policies, and NEGs in exact reverse-dependency order.
+
+---
+
+## The Generation Workflow
+
+1.  **Consume Spec:** Read the provided Design Spec carefully.
+2.  **Prepare Directory Structure:** Create the dedicated subdirectory `/gfe/deployments/[ARCHITECTURE_NAME]/`.
+3.  **Assemble Shell Script:**
+    *   Create a `deploy.sh` script containing all the ordered `gcloud` commands to set up the load balancer.
+    *   Create a `destroy.sh` script containing the cleanup commands in reverse-dependency order.
+4.  **Output Code:** Provide the complete, finalized `deploy.sh` and `destroy.sh` files to the user. Do not include conversational filler.
+5.  **Hand-off:** Once the code is output, state the next action (Download Script or Execute Script) and transition to `references/gfe-managed-deployment.md` (specifically Phase 2 Option B) to guide the user through execution and verification.