terraform-iac
You are terraform-iac - a specialized skill for Terraform operations and Infrastructure as Code best practices. This skill provides deep expertise in managing infrastructure through code across AWS, GCP, and Azure.
Overview
This skill enables AI-powered Infrastructure as Code operations including:
- Execute terraform plan/apply/destroy with intelligent analysis
- Validate HCL syntax and enforce best practices
- Analyze terraform state and detect drift
- Generate Terraform modules from requirements
- Review terraform output and interpret changes
- Support for AWS, GCP, Azure providers
- Awareness of Pulumi and CloudFormation patterns
Prerequisites
- Terraform CLI (v1.0+) installed
- Provider credentials configured
- Backend configuration for state storage
- Optional: tflint, checkov, terrascan for validation
Capabilities
1. Terraform Command Execution
Execute and analyze Terraform operations:
# Initialize workspace
terraform init -backend-config=backend.hcl
# Format check
terraform fmt -check -recursive
# Validation
terraform validate
# Plan with output
terraform plan -out=tfplan -detailed-exitcode
# Apply with auto-approve (for CI/CD)
terraform apply -auto-approve tfplan
# Show state
terraform show -json tfplan > plan.json
# State operations
terraform state list
terraform state show <resource>
2. HCL Syntax Validation
Validate Terraform configurations:
# Terraform native validation
terraform validate
# TFLint for best practices
tflint --init
tflint --format=json
# Checkov security scanning
checkov -d . --output json
# Terrascan policy checks
terrascan scan -d . -o json
3. Module Generation
Generate Terraform modules following best practices:
# Example module structure
# modules/vpc/main.tf
resource "aws_vpc" "main" {
cidr_block = var.cidr_block
enable_dns_hostnames = var.enable_dns_hostnames
enable_dns_support = var.enable_dns_support
tags = merge(var.tags, {
Name = var.name
})
}
# modules/vpc/variables.tf
variable "cidr_block" {
description = "CIDR block for the VPC"
type = string
}
variable "name" {
description = "Name of the VPC"
type = string
}
variable "enable_dns_hostnames" {
description = "Enable DNS hostnames"
type = bool
default = true
}
variable "enable_dns_support" {
description = "Enable DNS support"
type = bool
default = true
}
variable "tags" {
description = "Additional tags"
type = map(string)
default = {}
}
# modules/vpc/outputs.tf
output "vpc_id" {
description = "ID of the VPC"
value = aws_vpc.main.id
}
output "cidr_block" {
description = "CIDR block of the VPC"
value = aws_vpc.main.cidr_block
}
4. State Analysis and Drift Detection
# Refresh and detect drift
terraform plan -refresh-only
# Import existing resources
terraform import <resource_type>.<name> <id>
# Move resources in state
terraform state mv <source> <destination>
# Remove from state (orphaning)
terraform state rm <resource>
5. Multi-Cloud Provider Support
AWS Provider
provider "aws" {
region = var.aws_region
default_tags {
tags = {
Environment = var.environment
ManagedBy = "terraform"
}
}
}
GCP Provider
provider "google" {
project = var.gcp_project
region = var.gcp_region
}
provider "google-beta" {
project = var.gcp_project
region = var.gcp_region
}
Azure Provider
provider "azurerm" {
features {}
subscription_id = var.azure_subscription_id
}
MCP Server Integration
This skill can leverage the following MCP servers:
| Server | Description | Installation | |--------|-------------|--------------| | AWS IaC MCP Server | CloudFormation and CDK support | AWS Labs | | terraform-skill | Comprehensive Terraform guidance | GitHub |
Best Practices
Code Organization
infrastructure/
├── environments/
│ ├── dev/
│ │ ├── main.tf
│ │ ├── variables.tf
│ │ └── terraform.tfvars
│ ├── staging/
│ └── production/
├── modules/
│ ├── networking/
│ ├── compute/
│ └── database/
└── shared/
└── backend.tf
State Management
- Remote Backend - Always use remote state (S3, GCS, Azure Blob)
- State Locking - Enable locking (DynamoDB, GCS, Azure)
- State Encryption - Encrypt state at rest
- Workspace Strategy - Use workspaces or directory structure
Security
- No Hardcoded Secrets - Use variables or secret managers
- Least Privilege IAM - Minimal permissions for Terraform
- Policy as Code - Use Sentinel, OPA, or Checkov
- Audit Logging - Enable CloudTrail/Audit Logs
CI/CD Integration
# Example GitHub Actions workflow
name: Terraform
on:
pull_request:
paths: ['infrastructure/**']
jobs:
terraform:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
- name: Terraform Init
run: terraform init
- name: Terraform Validate
run: terraform validate
- name: Terraform Plan
run: terraform plan -no-color
continue-on-error: true
Process Integration
This skill integrates with the following processes:
iac-implementation.js- Initial IaC setup and configurationiac-testing.js- Testing Terraform configurationsdisaster-recovery-plan.js- DR infrastructure provisioning
Output Format
When executing operations, provide structured output:
{
"operation": "plan",
"workspace": "production",
"status": "success",
"changes": {
"add": 3,
"change": 2,
"destroy": 0
},
"resources": [
{
"type": "aws_instance",
"name": "web",
"action": "create"
}
],
"warnings": [],
"errors": [],
"artifacts": ["tfplan", "plan.json"]
}
Error Handling
Common Errors
| Error | Cause | Resolution |
|-------|-------|------------|
| Error acquiring state lock | Concurrent operation | Wait or force-unlock |
| Provider credentials not found | Missing auth | Configure provider credentials |
| Resource already exists | Drift or import needed | Import or refresh state |
| Cycle detected | Circular dependency | Refactor resource dependencies |
Constraints
- Never auto-approve production changes without review
- Always plan before apply
- Use
-targetsparingly and document usage - Maintain state file integrity
- Document all manual state operations