Terraform Skill

1---2name: terraform-skill3description: Use when working with Terraform or OpenTofu - creating modules, writing tests (native test framework, Terratest), setting up CI/CD pipelines, reviewing configurations, choosing between testing approaches, debugging state issues, implementing security scanning (trivy, checkov), or making infrastructure-as-code architecture decisions4license: Apache-2.05metadata:6  author: Anton Babenko7  version: 1.6.08---9 10# Terraform Skill for Claude11 12Comprehensive Terraform and OpenTofu guidance covering testing, modules, CI/CD, and production patterns. Based on terraform-best-practices.com and enterprise experience.13 14## When to Use This Skill15 16**Activate this skill when:**17- Creating new Terraform or OpenTofu configurations or modules18- Setting up testing infrastructure for IaC code19- Deciding between testing approaches (validate, plan, frameworks)20- Structuring multi-environment deployments21- Implementing CI/CD for infrastructure-as-code22- Reviewing or refactoring existing Terraform/OpenTofu projects23- Choosing between module patterns or state management approaches24 25**Don't use this skill for:**26- Basic Terraform/OpenTofu syntax questions (Claude knows this)27- Provider-specific API reference (link to docs instead)28- Cloud platform questions unrelated to Terraform/OpenTofu29 30## Core Principles31 32### 1. Code Structure Philosophy33 34**Module Hierarchy:**35 36| Type | When to Use | Scope |37|------|-------------|-------|38| **Resource Module** | Single logical group of connected resources | VPC + subnets, Security group + rules |39| **Infrastructure Module** | Collection of resource modules for a purpose | Multiple resource modules in one region/account |40| **Composition** | Complete infrastructure | Spans multiple regions/accounts |41 42**Hierarchy:** Resource → Resource Module → Infrastructure Module → Composition43 44**Directory Structure:**45```46environments/        # Environment-specific configurations47├── prod/48├── staging/49└── dev/50 51modules/            # Reusable modules52├── networking/53├── compute/54└── data/55 56examples/           # Module usage examples (also serve as tests)57├── complete/58└── minimal/59```60 61**Key principle from terraform-best-practices.com:**62- Separate **environments** (prod, staging) from **modules** (reusable components)63- Use **examples/** as both documentation and integration test fixtures64- Keep modules small and focused (single responsibility)65 66**For detailed module architecture, see:** [Code Patterns: Module Types & Hierarchy](references/code-patterns.md)67 68### 2. Naming Conventions69 70**Resources:**71```hcl72# Good: Descriptive, contextual73resource "aws_instance" "web_server" { }74resource "aws_s3_bucket" "application_logs" { }75 76# Good: "this" for singleton resources (only one of that type)77resource "aws_vpc" "this" { }78resource "aws_security_group" "this" { }79 80# Avoid: Generic names for non-singletons81resource "aws_instance" "main" { }82resource "aws_s3_bucket" "bucket" { }83```84 85**Singleton Resources:**86 87Use `"this"` when your module creates only one resource of that type:88 89✅ DO:90```hcl91resource "aws_vpc" "this" {}           # Module creates one VPC92resource "aws_security_group" "this" {}  # Module creates one SG93```94 95❌ DON'T use "this" for multiple resources:96```hcl97resource "aws_subnet" "this" {}  # If creating multiple subnets98```99 100Use descriptive names when creating multiple resources of the same type.101 102**Variables:**103```hcl104# Prefix with context when needed105var.vpc_cidr_block          # Not just "cidr"106var.database_instance_class # Not just "instance_class"107```108 109**Files:**110- `main.tf` - Primary resources111- `variables.tf` - Input variables112- `outputs.tf` - Output values113- `versions.tf` - Provider versions114- `data.tf` - Data sources (optional)115 116## Testing Strategy Framework117 118### Decision Matrix: Which Testing Approach?119 120| Your Situation | Recommended Approach | Tools | Cost |121|----------------|---------------------|-------|------|122| **Quick syntax check** | Static analysis | `terraform validate`, `fmt` | Free |123| **Pre-commit validation** | Static + lint | `validate`, `tflint`, `trivy`, `checkov` | Free |124| **Terraform 1.6+, simple logic** | Native test framework | Built-in `terraform test` | Free-Low |125| **Pre-1.6, or Go expertise** | Integration testing | Terratest | Low-Med |126| **Security/compliance focus** | Policy as code | OPA, Sentinel | Free |127| **Cost-sensitive workflow** | Mock providers (1.7+) | Native tests + mocking | Free |128| **Multi-cloud, complex** | Full integration | Terratest + real infra | Med-High |129 130### Testing Pyramid for Infrastructure131 132```133        /\134       /  \          End-to-End Tests (Expensive)135      /____\         - Full environment deployment136     /      \        - Production-like setup137    /________\138   /          \      Integration Tests (Moderate)139  /____________\     - Module testing in isolation140 /              \    - Real resources in test account141/________________\   Static Analysis (Cheap)142                     - validate, fmt, lint143                     - Security scanning144```145 146### Native Test Best Practices (1.6+)147 148**Before generating test code:**149 1501. **Validate schemas with Terraform MCP:**151   ```152   Search provider docs → Get resource schema → Identify block types153   ```154 1552. **Choose correct command mode:**156   - `command = plan` - Fast, for input validation157   - `command = apply` - Required for computed values and set-type blocks158 1593. **Handle set-type blocks correctly:**160   - Cannot index with `[0]`161   - Use `for` expressions to iterate162   - Or use `command = apply` to materialize163 164**Common patterns:**165- S3 encryption rules: **set** (use for expressions)166- Lifecycle transitions: **set** (use for expressions)167- IAM policy statements: **set** (use for expressions)168 169**For detailed testing guides, see:**170- **[Testing Frameworks Guide](references/testing-frameworks.md)** - Deep dive into static analysis, native tests, and Terratest171- **[Quick Reference](references/quick-reference.md#testing-approach-selection)** - Decision flowchart and command cheat sheet172 173## Code Structure Standards174 175### Resource Block Ordering176 177**Strict ordering for consistency:**1781. `count` or `for_each` FIRST (blank line after)1792. Other arguments1803. `tags` as last real argument1814. `depends_on` after tags (if needed)1825. `lifecycle` at the very end (if needed)183 184```hcl185# ✅ GOOD - Correct ordering186resource "aws_nat_gateway" "this" {187  count = var.create_nat_gateway ? 1 : 0188 189  allocation_id = aws_eip.this[0].id190  subnet_id     = aws_subnet.public[0].id191 192  tags = {193    Name = "${var.name}-nat"194  }195 196  depends_on = [aws_internet_gateway.this]197 198  lifecycle {199    create_before_destroy = true200  }201}202```203 204### Variable Block Ordering205 2061. `description` (ALWAYS required)2072. `type`2083. `default`2094. `validation`2105. `nullable` (when setting to false)211 212```hcl213variable "environment" {214  description = "Environment name for resource tagging"215  type        = string216  default     = "dev"217 218  validation {219    condition     = contains(["dev", "staging", "prod"], var.environment)220    error_message = "Environment must be one of: dev, staging, prod."221  }222 223  nullable = false224}225```226 227**For complete structure guidelines, see:** [Code Patterns: Block Ordering & Structure](references/code-patterns.md#block-ordering--structure)228 229## Count vs For_Each: When to Use Each230 231### Quick Decision Guide232 233| Scenario | Use | Why |234|----------|-----|-----|235| Boolean condition (create or don't) | `count = condition ? 1 : 0` | Simple on/off toggle |236| Simple numeric replication | `count = 3` | Fixed number of identical resources |237| Items may be reordered/removed | `for_each = toset(list)` | Stable resource addresses |238| Reference by key | `for_each = map` | Named access to resources |239| Multiple named resources | `for_each` | Better maintainability |240 241### Common Patterns242 243**Boolean conditions:**244```hcl245# ✅ GOOD - Boolean condition246resource "aws_nat_gateway" "this" {247  count = var.create_nat_gateway ? 1 : 0248  # ...249}250```251 252**Stable addressing with for_each:**253```hcl254# ✅ GOOD - Removing "us-east-1b" only affects that subnet255resource "aws_subnet" "private" {256  for_each = toset(var.availability_zones)257 258  availability_zone = each.key259  # ...260}261 262# ❌ BAD - Removing middle AZ recreates all subsequent subnets263resource "aws_subnet" "private" {264  count = length(var.availability_zones)265 266  availability_zone = var.availability_zones[count.index]267  # ...268}269```270 271**For migration guides and detailed examples, see:** [Code Patterns: Count vs For_Each](references/code-patterns.md#count-vs-for_each-deep-dive)272 273## Locals for Dependency Management274 275**Use locals to ensure correct resource deletion order:**276 277```hcl278# Problem: Subnets might be deleted after CIDR blocks, causing errors279# Solution: Use try() in locals to hint deletion order280 281locals {282  # References secondary CIDR first, falling back to VPC283  # Forces Terraform to delete subnets before CIDR association284  vpc_id = try(285    aws_vpc_ipv4_cidr_block_association.this[0].vpc_id,286    aws_vpc.this.id,287    ""288  )289}290 291resource "aws_vpc" "this" {292  cidr_block = "10.0.0.0/16"293}294 295resource "aws_vpc_ipv4_cidr_block_association" "this" {296  count = var.add_secondary_cidr ? 1 : 0297 298  vpc_id     = aws_vpc.this.id299  cidr_block = "10.1.0.0/16"300}301 302resource "aws_subnet" "public" {303  vpc_id     = local.vpc_id  # Uses local, not direct reference304  cidr_block = "10.1.0.0/24"305}306```307 308**Why this matters:**309- Prevents deletion errors when destroying infrastructure310- Ensures correct dependency order without explicit `depends_on`311- Particularly useful for VPC configurations with secondary CIDR blocks312 313**For detailed examples, see:** [Code Patterns: Locals for Dependency Management](references/code-patterns.md#locals-for-dependency-management)314 315## Module Development316 317### Standard Module Structure318 319```320my-module/321├── README.md           # Usage documentation322├── main.tf             # Primary resources323├── variables.tf        # Input variables with descriptions324├── outputs.tf          # Output values325├── versions.tf         # Provider version constraints326├── examples/327│   ├── minimal/        # Minimal working example328│   └── complete/       # Full-featured example329└── tests/              # Test files330    └── module_test.tftest.hcl  # Or .go331```332 333### Best Practices Summary334 335**Variables:**336- ✅ Always include `description`337- ✅ Use explicit `type` constraints338- ✅ Provide sensible `default` values where appropriate339- ✅ Add `validation` blocks for complex constraints340- ✅ Use `sensitive = true` for secrets341 342**Outputs:**343- ✅ Always include `description`344- ✅ Mark sensitive outputs with `sensitive = true`345- ✅ Consider returning objects for related values346- ✅ Document what consumers should do with each output347 348**For detailed module patterns, see:**349- **[Module Patterns Guide](references/module-patterns.md)** - Variable best practices, output design, ✅ DO vs ❌ DON'T patterns350- **[Quick Reference](references/quick-reference.md#common-patterns)** - Resource naming, variable naming, file organization351 352## CI/CD Integration353 354### Recommended Workflow Stages355 3561. **Validate** - Format check + syntax validation + linting3572. **Test** - Run automated tests (native or Terratest)3583. **Plan** - Generate and review execution plan3594. **Apply** - Execute changes (with approvals for production)360 361### Cost Optimization Strategy362 3631. **Use mocking for PR validation** (free)3642. **Run integration tests only on main branch** (controlled cost)3653. **Implement auto-cleanup** (prevent orphaned resources)3664. **Tag all test resources** (track spending)367 368**For complete CI/CD templates, see:**369- **[CI/CD Workflows Guide](references/ci-cd-workflows.md)** - GitHub Actions, GitLab CI, Atlantis integration, cost optimization370- **[Quick Reference](references/quick-reference.md#troubleshooting-guide)** - Common CI/CD issues and solutions371 372## Security & Compliance373 374### Essential Security Checks375 376```bash377# Static security scanning378trivy config .379checkov -d .380```381 382### Common Issues to Avoid383 384❌ **Don't:**385- Store secrets in variables386- Use default VPC387- Skip encryption388- Open security groups to 0.0.0.0/0389 390✅ **Do:**391- Use AWS Secrets Manager / Parameter Store392- Create dedicated VPCs393- Enable encryption at rest394- Use least-privilege security groups395 396**For detailed security guidance, see:**397- **[Security & Compliance Guide](references/security-compliance.md)** - Trivy/Checkov integration, secrets management, state file security, compliance testing398 399## Version Management400 401### Version Constraint Syntax402 403```hcl404version = "5.0.0"      # Exact (avoid - inflexible)405version = "~> 5.0"     # Recommended: 5.0.x only406version = ">= 5.0"     # Minimum (risky - breaking changes)407```408 409### Strategy by Component410 411| Component | Strategy | Example |412|-----------|----------|---------|413| **Terraform** | Pin minor version | `required_version = "~> 1.9"` |414| **Providers** | Pin major version | `version = "~> 5.0"` |415| **Modules (prod)** | Pin exact version | `version = "5.1.2"` |416| **Modules (dev)** | Allow patch updates | `version = "~> 5.1"` |417 418### Update Workflow419 420```bash421# Lock versions initially422terraform init              # Creates .terraform.lock.hcl423 424# Update to latest within constraints425terraform init -upgrade     # Updates providers426 427# Review and test428terraform plan429```430 431**For detailed version management, see:** [Code Patterns: Version Management](references/code-patterns.md#version-management)432 433## Modern Terraform Features (1.0+)434 435### Feature Availability by Version436 437| Feature | Version | Use Case |438|---------|---------|----------|439| `try()` function | 0.13+ | Safe fallbacks, replaces `element(concat())` |440| `nullable = false` | 1.1+ | Prevent null values in variables |441| `moved` blocks | 1.1+ | Refactor without destroy/recreate |442| `optional()` with defaults | 1.3+ | Optional object attributes |443| Native testing | 1.6+ | Built-in test framework |444| Mock providers | 1.7+ | Cost-free unit testing |445| Provider functions | 1.8+ | Provider-specific data transformation |446| Cross-variable validation | 1.9+ | Validate relationships between variables |447| Write-only arguments | 1.11+ | Secrets never stored in state |448 449### Quick Examples450 451```hcl452# try() - Safe fallbacks (0.13+)453output "sg_id" {454  value = try(aws_security_group.this[0].id, "")455}456 457# optional() - Optional attributes with defaults (1.3+)458variable "config" {459  type = object({460    name    = string461    timeout = optional(number, 300)  # Default: 300462  })463}464 465# Cross-variable validation (1.9+)466variable "environment" { type = string }467variable "backup_days" {468  type = number469  validation {470    condition     = var.environment == "prod" ? var.backup_days >= 7 : true471    error_message = "Production requires backup_days >= 7"472  }473}474```475 476**For complete patterns and examples, see:** [Code Patterns: Modern Terraform Features](references/code-patterns.md#modern-terraform-features-10)477 478## Version-Specific Guidance479 480### Terraform 1.0-1.5481- Use Terratest for testing482- No native testing framework available483- Focus on static analysis and plan validation484 485### Terraform 1.6+ / OpenTofu 1.6+486- **New:** Native `terraform test` / `tofu test` command487- Consider migrating from external frameworks for simple tests488- Keep Terratest only for complex integration tests489 490### Terraform 1.7+ / OpenTofu 1.7+491- **New:** Mock providers for unit testing492- Reduce cost by mocking external dependencies493- Use real integration tests for final validation494 495### Terraform vs OpenTofu496 497Both are fully supported by this skill. For licensing, governance, and feature comparison, see [Quick Reference: Terraform vs OpenTofu](references/quick-reference.md#terraform-vs-opentofu-comparison).498 499## Detailed Guides500 501This skill uses **progressive disclosure** - essential information is in this main file, detailed guides are available when needed:502 503📚 **Reference Files:**504- **[Testing Frameworks](references/testing-frameworks.md)** - In-depth guide to static analysis, native tests, and Terratest505- **[Module Patterns](references/module-patterns.md)** - Module structure, variable/output best practices, ✅ DO vs ❌ DON'T patterns506- **[CI/CD Workflows](references/ci-cd-workflows.md)** - GitHub Actions, GitLab CI templates, cost optimization, automated cleanup507- **[Security & Compliance](references/security-compliance.md)** - Trivy/Checkov integration, secrets management, compliance testing508- **[Quick Reference](references/quick-reference.md)** - Command cheat sheets, decision flowcharts, troubleshooting guide509 510**How to use:** When you need detailed information on a topic, reference the appropriate guide. Claude will load it on demand to provide comprehensive guidance.511 512## License513 514This skill is licensed under the **Apache License 2.0**. See the LICENSE file for full terms.515 516**Copyright © 2026 Anton Babenko**