
Terraform Skill
Run diagnose-first Terraform and OpenTofu work on modules, CI, policy scans, and state with version-aware guards before any apply.
Install
npx skills add https://github.com/antonbabenko/terraform-skill --skill terraform-skill
What is this skill?
- Five-part response contract: assumptions, risk category, remediation tradeoffs, validation plan, rollback notes
- Explicit risk taxonomy: identity churn, secret exposure, blast radius, CI drift, compliance gaps, state corruption, prov
- Never recommends direct production apply without a reviewed plan artifact and approval
- Version-floor awareness for Terraform vs OpenTofu runtime, providers, and backend
- On-demand reference depth beyond the core diagnose-first workflow
Adoption & trust: 1.7k installs on skills.sh; 2k GitHub stars; 1/3 security scanners passed (skills.sh audits).
Recommended Skills
Azure Kubernetes (microsoft/azure-skills)
Github Actions Docs (xixu-me/skills)
Deploy To Vercel (vercel-labs/agent-skills)
Vercel Cli With Tokens (vercel-labs/agent-skills)
Turborepo (vercel/turborepo)
Docker Expert (sickn33/antigravity-awesome-skills)
Journey fit
Primary fit
Infrastructure-as-code lifecycle—plan, state, and production blast radius—maps most naturally to running systems after ship. The skill centers on backends, execution paths (local/CI/Atlantis/Cloud), and state operations rather than app feature coding.
Common Questions / FAQ
Is Terraform Skill safe to install?
skills.sh reports 1 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md - Terraform Skill
# Terraform Skill for Claude

Diagnose-first guidance for Terraform and OpenTofu. Core file is a workflow; depth lives in references loaded on demand.

## Response Contract

Every Terraform/OpenTofu response must include:

1. **Assumptions & version floor** — runtime (`terraform` or `tofu`), exact version, providers, state backend, execution path (local/CI/Cloud/Atlantis), environment criticality. State assumptions explicitly if the user did not provide them.
2. **Risk category addressed** — one or more of: identity churn, secret exposure, blast radius, CI drift, compliance gaps, state corruption, provider upgrade risk, testing blind spots.
3. **Chosen remediation & tradeoffs** — what was chosen, what was traded off, why.
4. **Validation plan** — exact commands (`fmt -check`, `validate`, `plan -out`, policy check) tailored to runtime and risk tier.
5. **Rollback notes** — for any destructive or state-mutating change: how to undo, what evidence to keep.

Never recommend direct production apply without a reviewed plan artifact and approval.

## Workflow

1. **Capture execution context** — runtime+version, provider(s), backend, execution path, environment criticality.
2. **Diagnose failure mode(s)** using the routing table below. If intent spans categories, load both references.
3. **Load only the matching reference file(s)** — do not preload depth the task does not need.
4. **Propose fix with risk controls** — why this addresses the mode, what could still go wrong, guardrails (tests/approvals/rollback).
5. **Generate artifacts** — HCL, migration blocks (`moved`, `import`), CI changes, policy rules.
6. **Validate before finalizing** — run validation commands tailored to risk tier.
7. **Emit the Response Contract** at the end.
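The validation plan and the "no apply without a reviewed plan artifact and approval" rule above can be made mechanical. The script below is an added example, not code from the terraform-skill project: `validation_plan` emits the exact command sequence for a runtime (`terraform` or `tofu`) and a risk tier, and `apply_guard` refuses to produce an apply command unless the saved plan artifact and an approval marker file both exist. The tier names `standard`/`critical`, the approval-marker convention, and the use of `conftest` as the policy-check tool are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the terraform-skill project): turns the skill's
# "validation plan" and "reviewed plan artifact" rules into runnable shell.
# Runtime is "terraform" or "tofu"; the risk tiers "standard" and "critical"
# are constructed labels for this example.

# Print the validation commands for a runtime and risk tier, one per line.
# The critical tier adds a JSON plan export and a policy check (conftest is
# an assumed policy tool; substitute whatever policy stage your CI runs).
validation_plan() {
  runtime="$1"; tier="$2"; plan_file="${3:-tfplan.bin}"
  case "$runtime" in
    terraform|tofu) ;;
    *) echo "unsupported runtime: $runtime (expected terraform or tofu)" >&2; return 1 ;;
  esac
  echo "$runtime fmt -check -recursive"
  echo "$runtime init -input=false"
  echo "$runtime validate"
  echo "$runtime plan -input=false -out=$plan_file"
  if [ "$tier" = "critical" ]; then
    echo "$runtime show -json $plan_file > plan.json"
    echo "conftest test plan.json"
  fi
}

# Gate apply behind the saved plan artifact and a recorded approval marker.
# Prints the apply command (applying the reviewed artifact, never a fresh plan)
# and returns 0 when both files exist; otherwise returns 1 with a reason on stderr.
apply_guard() {
  runtime="$1"; plan_file="$2"; approval_file="$3"
  if [ ! -f "$plan_file" ]; then
    echo "refusing apply: no reviewed plan artifact at $plan_file" >&2
    return 1
  fi
  if [ ! -f "$approval_file" ]; then
    echo "refusing apply: no approval recorded at $approval_file" >&2
    return 1
  fi
  echo "$runtime apply -input=false $plan_file"
}

# Usage: RUNTIME=tofu TIER=critical sh guard.sh
validation_plan "${RUNTIME:-terraform}" "${TIER:-standard}"
```

Applying the saved `-out` artifact rather than re-running `plan` inside `apply` is the point of the guard: the plan that was reviewed is the plan that is executed, so a change in state or provider data between review and apply cannot widen the blast radius silently.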
## Diagnose Before You Generate

| Failure category | Symptoms | Primary references |
|------------------|----------|--------------------|
| **Identity churn** | Resource addresses shift after refactor, `count` index churn, missing `moved` blocks | [Code Patterns: count vs for_each](references/code-patterns.md#count-vs-for_each-deep-dive), [Code Patterns: moved blocks](references/code-patterns.md#moved-blocks-terraform-11), [Code Patterns: LLM mistakes](references/code-patterns.md#llm-mistake-checklist--code-patterns) |
| **Secret exposure** | Secrets in defaults, state, logs, CI artifacts | [Security & Compliance](references/security-compliance.md), [Code Patterns: write-only](references/code-patterns.md#write-only-arguments-terraform-111), [State Management](references/state-management.md) |
| **Blast radius** | Oversized stacks, shared prod/non-prod state, unsafe applies | [State Management](references/state-management.md), [Module Patterns](references/module-patterns.md) |
| **CI drift** | Local plan ≠ CI plan, apply without reviewed artifact, unpinned versions | [CI/CD Workflows](references/ci-cd-workflows.md), [Code Patterns: versions](references/code-patterns.md#version-management) |
| **Compliance gaps** | Missing policy stage, no approval model, no evidence retention | [Security & Compliance](references/security-compliance.md), [CI/CD Workflows](references/ci-cd-workflows.md) |
| **Testing blind spots** | Plan-only validation of computed values, set-type indexing, mock/real confusion | [Testing Frameworks](references/testing-frameworks.md) |
| **State corruption / recovery** | Stuck lock, backend migration, drift reconciliation | [State Management](references/state-management.md) |
| **Provider upgrade risk** | Breaking-change provider bump, unpinned modules | [Code Patterns: versions](references/code-patterns.md#version-management), [Module Patterns](references/modul