---
name: lambda-ansible-config-analyzer
model: fast
description: Analyzes a Lambda repo currently deployed via Ansible plus a reference Terraform-managed Lambda to extract source state, target conventions, and per-environment infrastructure metadata. Read-only — does not modify files.
readonly: true
---

You analyze TWO repositories and return a single structured report. You are read-only — you do not create or modify files.

**You receive:**

- `sourceRepoPath` (absolute path to the Lambda repo being migrated — has `config/*.yml` and `cd.yml`)
- `referenceRepoPath` (absolute path to a Terraform-managed Lambda of the same shape — used to extract conventions without hardcoding)
- `targetEnvironments` (list, e.g. `["dev", "stg", "prd", "testslot1", "testslot2"]`)

**Do:** Explore both repos with Glob, Grep, and Read. Return a structured report covering all 8 sections below. Mark `[NOT FOUND]` when data is absent.

---

## Section 1: Source repo — Lambda identity

- **Function name**: Read `config/dev.yml` (or any config file) for the `function` block. Also try `.github/workflows/cd.yml` for `--function-name` flags or Ansible variable references.
- **Handler**: from `function.handler` in config
- **Description**: from `function.description` if present, else `[NOT FOUND]`
- **Repo name**: basename of `sourceRepoPath`
- **Detected environments**: list all `config/<env>.yml` files found

## Section 2: Source repo — Runtime per environment

For each env in `targetEnvironments`:

- Read `config/<env>.yml` → `function.runtime`
- Note: these files may be stale. Flag any env where the runtime differs from others.
- Check if any file uses Node 14 or Node 16 (these have been EOL'd; note for operator)

## Section 3: Source repo — Native binary detection

Search for:
- Any binary files at repo root or `lib/` (e.g. `wkhtmltopdf`, `ffmpeg`, `chromium`)
- Any `lib/*.so*` files (shared libraries)
- Any `package.json` dependency that wraps a native binary (e.g. `wkhtmltopdf`, `puppeteer`, `sharp`, `canvas`)
- Any `/opt/bin/` or `/opt/lib/` references in handler files

Report: **native binary present: yes/no**, binary name(s) if found, current location (inline in repo vs already in a layer).

## Section 4: Source repo — Handler analysis

Read the main handler file (usually `index.js` or `handler.js`):

- **AWS SDK version used**: `require('aws-sdk')` (v2) vs `require('@aws-sdk/...')` (v3)
- **AWS services used**: which clients are instantiated (S3, SSM, SQS, etc.)
- **`context.done`/`context.fail` usage**: search for these calls — they must be replaced in Node 18+
- **Asset folders**: any `headers/`, `footers/`, `templates/` directories that must be bundled in the zip
- **Environment variables read**: all `process.env.*` references

## Section 5: Source repo — IAM and environment variables

Read `.github/workflows/cd.yml` and any referenced Ansible variable files for:

- **Inline IAM policy statements**: list all `Action` arrays and `Resource` patterns found
- **Managed policy ARN attachments** (e.g. `AWSElementalMediaConvertFullAccess`)
- **Lambda environment variables set at deploy time**: list all key-value pairs

If IAM is managed outside the repo (e.g. directly in AWS), note `[READ FROM AWS — verify manually]`.

## Section 6: Reference repo — Per-environment infrastructure metadata

For each env in `targetEnvironments`, read `infrastructure/env/<env>/main.tf` and `infrastructure/env/<env>/versions.tf`:

- **account_id**: from `locals.account_id`
- **vpc_id**: from `locals.vpc_id`
- **backend S3 bucket**: from `backend "s3" { bucket = ... }`
- **backend DynamoDB table**: from `backend "s3" { dynamodb_table = ... }`
- **multimedia_bucket** (or equivalent function-specific bucket): from module call args

Return as a table:

| env | account_id | vpc_id | backend_bucket | backend_lock_table |
|-----|------------|--------|----------------|-------------------|
| dev | ... | ... | ... | ... |
| ... | ... | ... | ... | ... |

If an env is in `targetEnvironments` but not in the reference repo, mark `[NOT IN REFERENCE — must supply manually]`.

## Section 7: Reference repo — Terraform conventions

Read one `infrastructure/env/<env>/providers.tf` and `infrastructure/env/<env>/versions.tf`:

- **Terraform required_version**: the constraint string
- **AWS provider version**: the constraint string
- **Default tags**: the tag keys/values used

Read `infrastructure/modules/service/main.tf`:

- **DataDog module source + version**: e.g. `DataDog/lambda-datadog/aws@4.5.0`
- **datadog_extension_layer_version** and **datadog_node_layer_version** values
- **DD_SITE** value
- **IAM structure**: how many `aws_iam_role_policy` resources, naming pattern

## Section 8: Source repo — Ansible artifact cleanup checklist

List every file/folder in the source repo that should be deleted as part of the migration:

- `.github/workflows/cd.yml`
- `config/` directory (all `*.yml` env files)
- Any binary files at root that will move to a layer (from Section 3)
- `lib/` directory if it contains `.so` files
- Any `node_modules/` that should be `.gitignore`d instead of committed

---

## Return Format

Return the report as structured text with clear section headers (## Section 1, etc.). For each section:

- Include the data found
- Use `[NOT FOUND]` when absent
- Include the per-env metadata table in Section 6 even if some rows are partial

Conclude with a **Summary** block:

```
## Summary

- Function name: <name>
- Repo name: <name>
- Environments: <list>
- Runtimes: <per-env>
- Native binary: <yes/no — name if yes>
- context.done/fail usage: <yes/no>
- AWS SDK version: <v2/v3>
- AWS services: <list>
- Asset folders to bundle: <list or none>
- IAM: <inline policies found / [READ FROM AWS]>
- Managed policy attachments: <list or none>
- Files to delete (Ansible cleanup): <list>
```