Terraform 助手
- 作者仓库星标 0
- 作者更新于 实时读取
- 作者仓库 skills-registry
- 领域
- 运维部署
- 兼容 Agent
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- 信任分
- 88 / 100 · 社区维护
- 作者 / 版本 / 许可
- @tomevault-io · 未声明 license
- Token 消耗评级
- 低消耗
- 接入复杂程度
- 需简单配置
- 是否需要外部 API Key
- 不需要
- 兼容的系统
- 未声明(默认跨平台)
- 底层运行要求
- 无特殊要求
- 文件与系统权限
-
- 只读
- 允许写入 / 修改
- Shell 执行
- 网络行为
- 仅限本地
- 安装命令数
- 26 条
档案由构建时根据 SKILL.md 与安装命令自动衍生,可能与作者实际意图存在差异。
需要注意: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: terraform-procedures
description: Use this skill when authoring or running a Terraform plan/apply, refactoring modules, performing…
category: 运维部署
runtime: 无特殊运行时
---
# terraform-procedures 输出预览
## PART A: 任务判断
- 适用问题:部署、CI、环境检查、发布或运维排障。
- 输入要求:目标材料、限制条件、期望输出和验收方式。
- 证据边界:围绕“Terraform fork detection — OpenTofu / Plan / apply lifecycle / Pre-plan validation”读取原文规则,不把推断写成作者承诺。
## PART B: 执行结果
- **01** 任务判断:确认你的需求是否属于部署、CI、环境检查、发布或运维排障,并标出输入、限制和预期结果。
- **02** 执行计划:优先按“Terraform fork detection — OpenTofu / Plan / apply lifecycle / Pre-plan validation”拆成步骤,说明每一步会读取什么、修改什么、产出什么。
- **03** 交付结果:给出可复制的命令、文件改动、检查清单或内容草稿,并说明如何继续迭代。
- **04** 风险边界:结合 读取文件、写入/修改文件、执行终端命令、主要在本地完成、通常不需要额外 API Key 给出执行前确认项。
## Running Rules
- 读取文件、写入/修改文件、执行终端命令;主要在本地完成;通常不需要额外 API Key。
- 先小样例验证,再放大到真实任务。
- 交付时同时给结果、检查口径和下一步迭代建议。 原文出现了 `/infra-change` 这类斜杠命令;如果你的 Agent 支持命令触发,优先用命令开场,再补充目标和边界。
告诉 Agent 目标文件或材料、期望结果、不可改范围、是否允许联网或执行命令。本 Skill 的权限画像是:读取文件、写入/修改文件、执行终端命令。
先用一个小任务确认它会围绕“Terraform fork detection — OpenTofu / Plan / apply lifecycle / Pre-plan validation”工作;涉及文件或命令时,先看 diff、日志、预览或测试结果。
检查最终产物是否包含明确结果、必要证据和下一步动作;如果输出泛泛而谈,就补充输入、边界和验收标准后重跑。
---
name: terraform-procedures
description: Use this skill when authoring or running a Terraform plan/apply, refactoring modules, performing…
category: 运维部署
source: tomevault-io/skills-registry
---
# terraform-procedures
## 什么时候使用
- 把部署运维方向的常用动作沉淀成 Agent 可调用的技能 适合处理部署、CI、发布、回滚、环境检查和运维排障,核心价值是把输入、判断、执行、验证和交付边界固定下来,避免 Agent 泛泛回答。 把任务拆成可执行、可检查、可继续迭代的步骤…
- 面向部署、CI、环境检查、发布或运维排障,优先处理能明确输入、步骤和验收标准的工作。
## 需要提供什么
- 目标材料、目录范围、期望结果和不可改动内容。
- 是否允许联网、执行命令、读写文件或调用外部服务。
## 执行规则
- 围绕「Terraform fork detection — OpenTofu / Plan / apply lifecycle / Pre-plan validation」组织步骤,不把推断写成作者事实。
- 读取文件、写入/修改文件、执行终端命令;主要在本地完成;通常不需要额外 API Key。
- 先跑小样例,确认结果可检查后再扩大任务范围。
## 输出要求
- 给出最终产物、关键证据、验证方式和下一步动作。
- 信息不足时标记 unknown,不编造命令、平台或依赖。 作者原文负责流程事实;仓库文件负责来源和命令;流狐只补充适用场景、限制和质量判断。
skill "terraform-procedures" {
输入层 -> 用户目标 + 目标文件 + 禁止范围 + 验收标准
上下文层 -> Terraform fork detection — OpenTofu / Plan / apply lifecycle / Pre-plan validation
规则层 -> SKILL.md 触发条件 / 执行顺序 / 输出格式
运行层 -> 无特殊运行时 | 读取文件、写入/修改文件、执行终端命令 | 主要在本地完成
安全层 -> 通常不需要额外 API Key + 小任务验证 + diff / 日志复核
输出层 -> 可复制结果 + 检查清单 + 下一步迭代
} Terraform Procedures — State, plan/apply, and OpenTofu compatibility
Knowledge reference for Terraform/OpenTofu operations used by infrastructure-change workflows. Covers the plan/apply lifecycle, state-management commands, refactoring patterns, and fork-compatibility notes. Designed to be loaded as background context when a workflow encounters Terraform configs.
Terraform fork detection — OpenTofu
If .terraform-version or tofu.lock.hcl indicates OpenTofu (HashiCorp BSL fork, 2023+), substitute tofu for terraform in all commands below. Flag semantics are identical for the operations covered in this skill.
Other indicators of an OpenTofu repo:
tofubinary referenced in CI configs instead ofterraform.tofu/directory ortofu.tffiles
Plan / apply lifecycle
Pre-plan validation
terraform validate
terraform fmt -check -recursive
Modern pre-plan suite (run when configs are present):
tflint # if .tflint.hcl present
tfsec . --soft-fail # if tfsec.yml or .tfsec/ present
checkov -d . --soft-fail # if .checkov.yml present
terraform-docs markdown table . # regenerate docs if terraform-docs.yml present
Plan with detailed exit codes
terraform plan -out=tfplan -detailed-exitcode
# Exit codes:
# 0 = no changes
# 1 = error
# 2 = changes proposed
The -detailed-exitcode form is the standard oracle for iterative reconciliation loops (RALF): success = 0 (no diff).
Apply
terraform apply tfplan
Always apply a saved plan file, never re-plan during apply. Re-planning at apply time can introduce drift between what was reviewed and what is executed.
Plan summary format
When presenting a plan for review, summarise as:
## Terraform Plan Summary
| Action | Count | Resources |
|---------|-------|-----------|
| Add | X | [list] |
| Change | X | [list] |
| Destroy | X | [list] |
WARNING — DESTROY/REPLACE resources:
- [resource] — [reason]
Data loss risk: [yes/no]
Estimated cost impact: [if applicable]
State operations — use with extreme caution
State surgery is the second-most-fragile area after destroy. Always back up state before any of these operations (terraform state pull > backup.tfstate).
terraform state list # enumerate resources
terraform state show <addr> # inspect a resource
terraform state mv <src> <dst> # rename / refactor
terraform state rm <addr> # remove from state (resource still exists in cloud)
terraform import <addr> <id> # adopt an existing cloud resource
terraform state pull > backup.tfstate # snapshot state
terraform state push backup.tfstate # restore (DANGEROUS)
Refactor without state surgery
For module refactoring, prefer moved {} blocks (TF v1.1+) and removed {} blocks (TF v1.7+) — they encode the rename inside .tf files instead of imperative state ops, which means:
- Changes are reviewable in PRs
- The refactor is reproducible across workspaces
- No risk of half-applied state on operator error
Example moved block:
moved {
from = aws_instance.old_name
to = aws_instance.new_name
}
Partial-apply anti-pattern
-target=<resource> for partial-apply is an anti-pattern except in emergencies. State drift between resources causes surprising future plans and breaks the invariant that the state file matches the configuration.
If -target becomes necessary (e.g., breaking a cyclic dependency during initial bootstrap), follow up immediately with a full plan/apply to reconcile.
Workspaces
Terraform workspaces partition state within a single backend:
terraform workspace list
terraform workspace new <name>
terraform workspace select <name>
terraform workspace show
Workspaces are appropriate for per-environment state (dev/staging/prod) when the configuration is identical and only variable values differ. For divergent configurations, prefer separate root modules.
Policy-as-code gate
If .conftest/ (Conftest), .opa/ (raw OPA Rego), .tflint.hcl (TFLint), or tfsec.yml (tfsec) / .checkov.yml (Checkov) configs are present, run them as a pre-plan gate. A plan that violates policy never advances to apply.
Rollback
# Revert the .tf file changes and re-apply
terraform plan -out=tfplan-rollback
terraform apply tfplan-rollback
For state-only rollback (after a botched state mv or state rm):
terraform state push backup.tfstate
State rollback overwrites the backend state and should be coordinated with whoever holds the workspace lock.
When this applies
| Phase | Apply this knowledge |
|---|---|
| Step 3 — Review current state | terraform validate, fmt -check, plan -detailed-exitcode |
| Step 3a-bis — State operations | state list/show/mv/rm/import, moved {} / removed {} blocks |
| Step 4 — Implement | terraform fmt -recursive, terraform validate |
| Step 5 — Plan review | terraform plan -out=tfplan and plan-summary format |
| Step 6 — Apply | terraform apply tfplan |
| Step 8 — Rollback | Revert .tf files and re-apply, or push backup state |
Integration
- Used by:
/infra-change(Steps 3, 4, 5, 6, 8 — Terraform plan/apply lifecycle) - Companion knowledge:
@gitops-detection(HCP Terraform / Terraform Cloud / Atlantis / Spacelift / env0 controllers that own the apply gate) - External references: Terraform docs, OpenTofu docs, moved block, removed block
Source: alex-voloshin-dev/ai-assets — distributed by TomeVault.
先判断是否适合
作者设计意图
作者的方法与取舍
边界和复核