terraform-iac-expert
- Repo stars 105
- License MIT
- Author updated Live
- Author repo some_claude_skills
- Domain
- DevOps
- Compatible agents
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- Trust score
- 94 / 100 · audit passed
- Author / version / license
- @curiositech · MIT
- Token usage
- Lean
- Setup complexity
- Plug-and-play
- External API key
- Not required
- Operating systems
- Linux
- Runtime requirements
- No special requirements
- Permissions
-
- Read-only
- Write / modify
- Network behavior
- Local-only
- Install commands
- 26 variants
Profile is derived at build time from SKILL.md and install vectors. Subject to drift from author intent.
Heads up: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: terraform-iac-expert
description: Terraform and OpenTofu infrastructure as code — module design, state management, multi-environme…
category: devops
runtime: no special runtime
---
# terraform-iac-expert output preview
## PART A: Task fit
- Use case: Terraform and OpenTofu infrastructure as code — module design, state management, multi-environment setups, remote backends, secrets management, CI/CD integration. NOT for Pulumi, CDK, Ansible, Expert in Infrastructure as Code using Terraform and OpenTofu. Specializes in module design, state management, multi-cloud deployments, and CI/CD integration. Handl….
- Inputs: target material, constraints, expected output, and acceptance criteria.
- Evidence boundary: follow “Overview / When to Use / Capabilities” and do not present inference as author intent.
## PART B: Execution result
- **01** The card summarizes the use case; runtime output centers on “Terraform and OpenTofu infrastructure as code — module design, state management, multi-environment setups, remote backends, secrets management, CI/CD integration. NOT for Pulumi, CDK, Ansible, Expert in Infrastructure as Code using Terraform and OpenTofu. Specializes in module design, state management, multi-cloud deployments, and CI/CD integration. Handl…”.
- **02** When the source has headings, the agent prioritizes “Overview / When to Use / Capabilities” so the result follows the author’s structure.
- **03** Typical output includes task judgment, concrete steps, required commands or file edits, validation, and follow-up options.
- **04** Risk context follows the fingerprint: read files, write/modify files; mostly runs locally; usually needs no extra API key.
## Running Rules
- read files, write/modify files; mostly runs locally; usually needs no extra API key.
- Validate with a small sample before expanding scope.
- Return the result, validation criteria, and next iteration options. The source does not require a stable slash command. After installation, invoke the skill by name and describe the task.
Name target files or source material, expected output, forbidden changes, and whether network or shell access is allowed. Permission fingerprint: read files, write/modify files.
Start with a small task and check whether the result follows “Overview / When to Use / Capabilities”. Inspect diffs, logs, previews, or tests before expanding scope.
Confirm the final output includes a concrete result, evidence, and next action. If it stays generic, tighten inputs, boundaries, and acceptance criteria.
---
name: terraform-iac-expert
description: Terraform and OpenTofu infrastructure as code — module design, state management, multi-environme…
category: devops
source: curiositech/some_claude_skills
---
# terraform-iac-expert
## When to use
- Terraform and OpenTofu infrastructure as code — module design, state management, multi-environment setups, remote back…
- Use it when the task has clear inputs, repeatable steps, and validation criteria.
## What to provide
- Target material, scope, expected result, and forbidden changes.
- Whether network, commands, file writes, or external services are allowed.
## Execution rules
- Organize steps around “Overview / When to Use / Capabilities” and keep inference separate from source facts.
- read files, write/modify files; mostly runs locally; usually needs no extra API key.
- Validate with a small sample before expanding the task.
## Output requirements
- Return the deliverable, key evidence, validation method, and next action.
- Mark missing information as unknown; do not invent commands, platforms, or dependencies. The author source anchors workflow facts; repository files anchor sources and commands; Fluxly only adds fit, limitations, and quality judgment.
skill "terraform-iac-expert" {
input -> user goal + target files + boundaries + acceptance criteria
context -> Overview / When to Use / Capabilities
rules -> SKILL.md triggers / order / output contract
runtime -> no special runtime | read files, write/modify files | mostly runs locally
guardrails -> usually needs no extra API key + small-sample validation + diff/log review
output -> copyable result + checklist + next iteration
} Terraform IaC Expert
Overview
Expert in Infrastructure as Code using Terraform and OpenTofu. Specializes in module design, state management, multi-cloud deployments, and CI/CD integration. Handles complex infrastructure patterns including multi-environment setups, remote state backends, and secure secrets management.
When to Use
- Setting up new Terraform projects and workspaces
- Designing reusable Terraform modules
- Managing state files and remote backends
- Implementing multi-environment (dev/staging/prod) infrastructure
- Migrating existing infrastructure to Terraform
- Troubleshooting state drift and plan failures
- Integrating Terraform with CI/CD pipelines
- Implementing security best practices (secrets, IAM, policies)
Capabilities
Project Structure
- Module-based architecture design
- Workspace vs directory structure strategies
- Variable and output organization
- Provider configuration and version constraints
- Backend configuration for remote state
Module Development
- Reusable module patterns
- Input validation and type constraints
- Output design for module composition
- Local modules vs registry modules
- Module versioning and publishing
State Management
- Remote state backends (S3, GCS, Azure Blob, Terraform Cloud)
- State locking mechanisms
- State migration and manipulation
- Import existing resources
- Handling state drift
Multi-Environment Patterns
- Workspace-based environments
- Directory-based environments
- Terragrunt for DRY infrastructure
- Environment-specific variables
- Promotion workflows
Security
- Sensitive variable handling
- IAM role design for Terraform
- Policy as Code (Sentinel, OPA)
- Secrets management integration (Vault, AWS Secrets Manager)
- Least privilege principles
CI/CD Integration
- GitHub Actions for Terraform
- Atlantis for PR-based workflows
- Terraform Cloud/Enterprise
- Plan/Apply automation
- Cost estimation integration
Dependencies
Works well with:
aws-solutions-architect- AWS resource patternskubernetes-orchestrator- K8s infrastructuregithub-actions-pipeline-builder- CI/CD automationsite-reliability-engineer- Production infrastructure
Examples
Project Structure
terraform/
├── modules/
│ ├── vpc/
│ │ ├── main.tf
│ │ ├── variables.tf
│ │ └── outputs.tf
│ ├── eks/
│ └── rds/
├── environments/
│ ├── dev/
│ │ ├── main.tf
│ │ ├── variables.tf
│ │ ├── terraform.tfvars
│ │ └── backend.tf
│ ├── staging/
│ └── prod/
└── shared/
└── provider.tf
Root Module with Locals
# environments/prod/main.tf
terraform {
required_version = ">= 1.5.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
backend "s3" {
bucket = "mycompany-terraform-state"
key = "prod/terraform.tfstate"
region = "us-west-2"
encrypt = true
dynamodb_table = "terraform-locks"
}
}
locals {
environment = "prod"
project = "myapp"
common_tags = {
Environment = local.environment
Project = local.project
ManagedBy = "terraform"
}
}
module "vpc" {
source = "../../modules/vpc"
environment = local.environment
cidr_block = "10.0.0.0/16"
tags = local.common_tags
}
module "eks" {
source = "../../modules/eks"
environment = local.environment
vpc_id = module.vpc.vpc_id
private_subnet_ids = module.vpc.private_subnet_ids
cluster_version = "1.29"
tags = local.common_tags
}
Reusable Module with Validation
# modules/vpc/variables.tf
variable "environment" {
type = string
description = "Environment name (dev, staging, prod)"
validation {
condition = contains(["dev", "staging", "prod"], var.environment)
error_message = "Environment must be dev, staging, or prod."
}
}
variable "cidr_block" {
type = string
description = "VPC CIDR block"
validation {
condition = can(cidrhost(var.cidr_block, 0))
error_message = "Must be a valid CIDR block."
}
}
variable "availability_zones" {
type = list(string)
description = "List of AZs to use"
default = ["us-west-2a", "us-west-2b", "us-west-2c"]
}
variable "enable_nat_gateway" {
type = bool
description = "Enable NAT Gateway for private subnets"
default = true
}
variable "tags" {
type = map(string)
description = "Tags to apply to all resources"
default = {}
}
Module with Dynamic Blocks
# modules/security-group/main.tf
resource "aws_security_group" "this" {
name = var.name
description = var.description
vpc_id = var.vpc_id
dynamic "ingress" {
for_each = var.ingress_rules
content {
from_port = ingress.value.from_port
to_port = ingress.value.to_port
protocol = ingress.value.protocol
cidr_blocks = ingress.value.cidr_blocks
description = ingress.value.description
}
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = merge(var.tags, {
Name = var.name
})
}
Remote State Data Source
# Reference another environment's state
data "terraform_remote_state" "shared" {
backend = "s3"
config = {
bucket = "mycompany-terraform-state"
key = "shared/terraform.tfstate"
region = "us-west-2"
}
}
# Use outputs from shared state
resource "aws_instance" "app" {
ami = data.terraform_remote_state.shared.outputs.base_ami_id
instance_type = "t3.medium"
subnet_id = data.terraform_remote_state.shared.outputs.private_subnet_id
}
GitHub Actions CI/CD
# .github/workflows/terraform.yml
name: Terraform
on:
pull_request:
paths:
- 'terraform/**'
push:
branches: [main]
paths:
- 'terraform/**'
env:
TF_VERSION: 1.6.0
AWS_REGION: us-west-2
jobs:
plan:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
id-token: write # For OIDC
steps:
- uses: actions/checkout@v4
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789:role/terraform-github-actions
aws-region: ${{ env.AWS_REGION }}
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ env.TF_VERSION }}
- name: Terraform Init
working-directory: terraform/environments/prod
run: terraform init
- name: Terraform Plan
working-directory: terraform/environments/prod
run: terraform plan -out=tfplan
- name: Upload Plan
uses: actions/upload-artifact@v4
with:
name: tfplan
path: terraform/environments/prod/tfplan
apply:
needs: plan
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
environment: production
steps:
- uses: actions/checkout@v4
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789:role/terraform-github-actions
aws-region: ${{ env.AWS_REGION }}
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ env.TF_VERSION }}
- name: Download Plan
uses: actions/download-artifact@v4
with:
name: tfplan
path: terraform/environments/prod
- name: Terraform Apply
working-directory: terraform/environments/prod
run: terraform apply -auto-approve tfplan
Import Existing Resources
# Import existing AWS resource into state
terraform import aws_s3_bucket.existing my-existing-bucket
# Import using for_each key
terraform import 'aws_iam_user.users["alice"]' alice
# Generate configuration from import (Terraform 1.5+)
terraform plan -generate-config-out=generated.tf
Handling Sensitive Values
# Reference secrets from AWS Secrets Manager
data "aws_secretsmanager_secret_version" "db_password" {
secret_id = "prod/db/password"
}
resource "aws_db_instance" "main" {
# ... other config ...
password = data.aws_secretsmanager_secret_version.db_password.secret_string
}
# Mark outputs as sensitive
output "db_connection_string" {
value = "postgres://admin:${aws_db_instance.main.password}@${aws_db_instance.main.endpoint}"
sensitive = true
}
Best Practices
- Use remote state - Never store state locally for team projects
- Enable state locking - Prevent concurrent modifications
- Version pin providers - Use
~>constraints, not>= - Separate environments - Use directories or workspaces, not branches
- Module everything reusable - But don't over-abstract
- Validate inputs - Use variable validation blocks
- Use data sources - Reference existing resources instead of hardcoding
- Tag all resources - Apply consistent tags for cost tracking
- Review plans carefully - Especially for destroy operations
Common Pitfalls
- State file conflicts - Multiple people running terraform simultaneously
- Hardcoded values - Not using variables for environment differences
- Circular dependencies - Resources depending on each other
- Missing dependencies - Not using
depends_onwhen implicit deps aren't enough - Large state files - Not breaking up large infrastructure
- Secrets in state - State contains sensitive values, encrypt at rest
- Provider version drift - Different team members using different versions
- Not using -target carefully - Can cause drift, use sparingly
Decide Fit First
Design Intent
How To Use It
Boundaries And Review