---
name: terraform-skill
description: "Terraform infrastructure as code best practices"
risk: safe
source: "https://github.com/antonbabenko/terraform-skill"
date_added: "2026-02-27"
---
# Terraform Skill for Claude

Comprehensive Terraform and OpenTofu guidance covering testing, modules, CI/CD, and production patterns. Based on terraform-best-practices.com and enterprise experience.

## When to Use This Skill

**Activate this skill when:**
- Creating new Terraform or OpenTofu configurations or modules
- Setting up testing infrastructure for IaC code
- Deciding between testing approaches (validate, plan, frameworks)
- Structuring multi-environment deployments
- Implementing CI/CD for infrastructure-as-code
- Reviewing or refactoring existing Terraform/OpenTofu projects
- Choosing between module patterns or state management approaches

**Don't use this skill for:**
- Basic Terraform/OpenTofu syntax questions (Claude knows this)
- Provider-specific API reference (link to docs instead)
- Cloud platform questions unrelated to Terraform/OpenTofu

## Core Principles

### 1. Code Structure Philosophy

**Module Hierarchy:**

| Type | When to Use | Scope |
|------|-------------|-------|
| **Resource Module** | Single logical group of connected resources | VPC + subnets, Security group + rules |
| **Infrastructure Module** | Collection of resource modules for a purpose | Multiple resource modules in one region/account |
| **Composition** | Complete infrastructure | Spans multiple regions/accounts |

**Hierarchy:** Resource → Resource Module → Infrastructure Module → Composition

**Directory Structure:**
```
environments/        # Environment-specific configurations
├── prod/
├── staging/
└── dev/

modules/            # Reusable modules
├── networking/
├── compute/
└── data/

examples/           # Module usage examples (also serve as tests)
├── complete/
└── minimal/
```

**Key principle from terraform-best-practices.com:**
- Separate **environments** (prod, staging) from **modules** (reusable components)
- Use **examples/** as both documentation and integration test fixtures
- Keep modules small and focused (single responsibility)

**For detailed module architecture, see:** Code Patterns: Module Types & Hierarchy

### 2. Naming Conventions

**Resources:**
```hcl
# Good: Descriptive, contextual
resource "aws_instance" "web_server" { }
resource "aws_s3_bucket" "application_logs" { }

# Good: "this" for singleton resources (only one of that type)
resource "aws_vpc" "this" { }
resource "aws_security_group" "this" { }

# Avoid: Generic names for non-singletons
resource "aws_instance" "main" { }
resource "aws_s3_bucket" "bucket" { }
```

**Singleton Resources:**

Use `"this"` when your module creates only one resource of that type:

✅ DO:
```hcl
resource "aws_vpc" "this" {}           # Module creates one VPC
resource "aws_security_group" "this" {}  # Module creates one SG
```

❌ DON'T use "this" for multiple resources:
```hcl
resource "aws_subnet" "this" {}  # If creating multiple subnets
```

Use descriptive names when creating multiple resources of the same type.

**Variables:**
```hcl
# Prefix with context when needed
var.vpc_cidr_block          # Not just "cidr"
var.database_instance_class # Not just "instance_class"
```

**Files:**
- `main.tf` - Primary resources
- `variables.tf` - Input variables
- `outputs.tf` - Output values
- `versions.tf` - Provider versions
- `data.tf` - Data sources (optional)

## Testing Strategy Framework

### Decision Matrix: Which Testing Approach?

| Your Situation | Recommended Approach | Tools | Cost |
|----------------|---------------------|-------|------|
| **Quick syntax check** | Static analysis | `terraform validate`, `fmt` | Free |
| **Pre-commit validation** | Static + lint | `validate`, `tflint`, `trivy`, `checkov` | Free |
| **Terraform 1.6+, simple logic** | Native test framework | Built-in `terraform test` | Free-Low |
| **Pre-1.6, or Go expertise** | Integration testing | Terratest | Low-Med |
| **Security/compliance focus** | Policy as code | OPA, Sentinel | Free (OPA); Sentinel needs HCP Terraform / Terraform Enterprise |
| **Cost-sensitive workflow** | Mock providers (1.7+) | Native tests + mocking | Free |
| **Multi-cloud, complex** | Full integration | Terratest + real infra | Med-High |

### Testing Pyramid for Infrastructure

```
        /\
       /  \          End-to-End Tests (Expensive)
      /____\         - Full environment deployment
     /      \        - Production-like setup
    /________\
   /          \      Integration Tests (Moderate)
  /____________\     - Module testing in isolation
 /              \    - Real resources in test account
/________________\   Static Analysis (Cheap)
                     - validate, fmt, lint
                     - Security scanning
```

### Native Test Best Practices (1.6+)

**Before generating test code:**

1. **Validate schemas with Terraform MCP:**
   ```
   Search provider docs → Get resource schema → Identify block types
   ```

2. **Choose correct command mode:**
   - `command = plan` - Fast, for input validation and anything known from configuration alone
   - `command = apply` - Required when an assertion needs computed values (ids, ARNs) that are unknown at plan time

3. **Handle set-type blocks correctly:**
   - Cannot index with `[0]`; a set has no order
   - Use `for` expressions to iterate, or `one()` when the set holds exactly one element
   - `command = apply` makes computed values known, but it does not make the set indexable

**Common patterns:**
- S3 encryption rules: **set** (use for expressions)
- Lifecycle transitions: **set** (use for expressions)
- IAM policy statements: **set** (use for expressions)

**For detailed testing guides, see:**
- **Testing Frameworks Guide** - Deep dive into static analysis, native tests, and Terratest
- **Quick Reference** - Decision flowchart and command cheat sheet

## Code Structure Standards

### Resource Block Ordering

**Strict ordering for consistency:**
1. `count` or `for_each` FIRST (blank line after)
2. Other arguments
3. `tags` as last real argument
4. `depends_on` after tags (if needed)
5. `lifecycle` at the very end (if needed)

```hcl
# ✅ GOOD - Correct ordering
resource "aws_nat_gateway" "this" {
  count = var.create_nat_gateway ? 1 : 0

  allocation_id = aws_eip.this[0].id
  subnet_id     = aws_subnet.public[0].id

  tags = {
    Name = "${var.name}-nat"
  }

  depends_on = [aws_internet_gateway.this]

  lifecycle {
    create_before_destroy = true
  }
}
```

### Variable Block Ordering

1. `description` (ALWAYS required)
2. `type`
3. `default`
4. `validation`
5. `nullable` (when setting to false)

```hcl
variable "environment" {
  description = "Environment name for resource tagging"
  type        = string
  default     = "dev"

  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "Environment must be one of: dev, staging, prod."
  }

  nullable = false
}
```

**For complete structure guidelines, see:** Code Patterns: Block Ordering & Structure

## Count vs For_Each: When to Use Each

### Quick Decision Guide

| Scenario | Use | Why |
|----------|-----|-----|
| Boolean condition (create or don't) | `count = condition ? 1 : 0` | Simple on/off toggle |
| Simple numeric replication | `count = 3` | Fixed number of identical resources |
| Items may be reordered/removed | `for_each = toset(list)` | Stable resource addresses |
| Reference by key | `for_each = map` | Named access to resources |
| Multiple named resources | `for_each` | Better maintainability |

### Common Patterns

**Boolean conditions:**
```hcl
# ✅ GOOD - Boolean condition
resource "aws_nat_gateway" "this" {
  count = var.create_nat_gateway ? 1 : 0
  # ...
}
```

**Stable addressing with for_each:**
```hcl
# ✅ GOOD - Removing "us-east-1b" only affects that subnet
resource "aws_subnet" "private" {
  for_each = toset(var.availability_zones)

  availability_zone = each.key
  # ...
}

# ❌ BAD - Removing the middle AZ shifts the indexes, so every subsequent subnet is recreated
resource "aws_subnet" "private" {
  count = length(var.availability_zones)

  availability_zone = var.availability_zones[count.index]
  # ...
}
```

**For migration guides and detailed examples, see:** Code Patterns: Count vs For_Each

## Locals for Dependency Management

**Use locals to ensure correct resource deletion order:**

```hcl
# Problem: on destroy, the secondary CIDR association may be removed before the
#          subnets that live in it, which AWS rejects
# Solution: reference the association through a local with try(), so the subnets
#           depend on it and are destroyed first

locals {
  # References secondary CIDR first, falling back to VPC
  # Forces Terraform to delete subnets before CIDR association
  vpc_id = try(
    aws_vpc_ipv4_cidr_block_association.this[0].vpc_id,
    aws_vpc.this.id,
    ""
  )
}

resource "aws_vpc" "this" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_vpc_ipv4_cidr_block_association" "this" {
  count = var.add_secondary_cidr ? 1 : 0

  vpc_id     = aws_vpc.this.id
  cidr_block = "10.1.0.0/16"
}

resource "aws_subnet" "public" {
  vpc_id     = local.vpc_id  # Uses local, not direct reference
  cidr_block = "10.1.0.0/24" # Inside the secondary CIDR, so it needs the association
}
```

**Why this matters:**
- Prevents deletion errors when destroying infrastructure
- Ensures correct dependency order without explicit `depends_on`
- Particularly useful for VPC configurations with secondary CIDR blocks

**For detailed examples, see:** Code Patterns: Locals for Dependency Management

## Module Development

### Standard Module Structure

```
my-module/
├── README.md           # Usage documentation
├── main.tf             # Primary resources
├── variables.tf        # Input variables with descriptions
├── outputs.tf          # Output values
├── versions.tf         # Provider version constraints
├── examples/
│   ├── minimal/        # Minimal working example
│   └── complete/       # Full-featured example
└── tests/              # Test files
    └── module_test.tftest.hcl  # Or .go
```

### Best Practices Summary

**Variables:**
- ✅ Always include `description`
- ✅ Use explicit `type` constraints
- ✅ Provide sensible `default` values where appropriate
- ✅ Add `validation` blocks for complex constraints
- ✅ Use `sensitive = true` for secrets (this redacts plan and apply output; the value is still written to state)

**Outputs:**
- ✅ Always include `description`
- ✅ Mark sensitive outputs with `sensitive = true`
- ✅ Consider returning objects for related values
- ✅ Document what consumers should do with each output

**For detailed module patterns, see:**
- **Module Patterns Guide** - Variable best practices, output design, ✅ DO vs ❌ DON'T patterns
- **Quick Reference** - Resource naming, variable naming, file organization

## CI/CD Integration

### Recommended Workflow Stages

1. **Validate** - Format check + syntax validation + linting
2. **Test** - Run automated tests (native or Terratest)
3. **Plan** - Generate and review execution plan
4. **Apply** - Execute changes (with approvals for production)

### Cost Optimization Strategy

1. **Use mocking for PR validation** (free)
2. **Run integration tests only on main branch** (controlled cost)
3. **Implement auto-cleanup** (prevent orphaned resources)
4. **Tag all test resources** (track spending)

**For complete CI/CD templates, see:**
- **CI/CD Workflows Guide** - GitHub Actions, GitLab CI, Atlantis integration, cost optimization
- **Quick Reference** - Common CI/CD issues and solutions

## Security & Compliance

### Essential Security Checks

```bash
# Static security scanning
trivy config .
checkov -d .
```

### Common Issues to Avoid

❌ **Don't:**
- Store secrets in variables or hard-code them in `.tf` files (they end up in plan output and in state)
- Use the default VPC
- Skip encryption at rest
- Open security groups to 0.0.0.0/0 (or ::/0)

✅ **Do:**
- Use AWS Secrets Manager / Parameter Store, and write-only arguments (1.11+) so the value never lands in state
- Create dedicated VPCs
- Enable encryption at rest
- Use least-privilege security groups
- Treat the state file as sensitive: remote backend with encryption and restricted access, because state stores resource attributes in plaintext even when they are marked `sensitive`

**For detailed security guidance, see:**
- **Security & Compliance Guide** - Trivy/Checkov integration, secrets management, state file security, compliance testing

## Version Management

### Version Constraint Syntax

```hcl
version = "5.0.0"      # Exact (avoid - inflexible)
version = "~> 5.0"     # Recommended: >= 5.0, < 6.0 (any 5.x); use "~> 5.0.0" to allow only 5.0.x
version = ">= 5.0"     # Minimum only (risky - admits the next major version and its breaking changes)
```

`~>` lets only the rightmost component you wrote increase, so the number of components you give decides how wide the range is.

### Strategy by Component

| Component | Strategy | Example |
|-----------|----------|---------|
| **Terraform** | Pin major version (minor/patch updates allowed) | `required_version = "~> 1.9"` is >= 1.9, < 2.0; use `"~> 1.9.0"` to stay on 1.9.x |
| **Providers** | Pin major version | `version = "~> 5.0"` |
| **Modules (prod)** | Pin exact version | `version = "5.1.2"` |
| **Modules (dev)** | Allow patch updates | `version = "~> 5.1.0"` (`"~> 5.1"` would also admit 5.2, 5.3, ...) |

### Update Workflow

```bash
# Lock versions initially
terraform init              # Creates .terraform.lock.hcl; commit it, it pins provider versions and checksums

# Update to latest within constraints
terraform init -upgrade     # Updates providers and rewrites the lock file

# Review and test
terraform plan
```

**For detailed version management, see:** Code Patterns: Version Management

## Modern Terraform Features (1.0+)

### Feature Availability by Version

| Feature | Version | Use Case |
|---------|---------|----------|
| `try()` function | 0.13+ | Safe fallbacks, replaces `element(concat())` |
| `nullable = false` | 1.1+ | Prevent null values in variables |
| `moved` blocks | 1.1+ | Refactor without destroy/recreate |
| `optional()` with defaults | 1.3+ | Optional object attributes |
| Native testing | 1.6+ | Built-in test framework |
| Mock providers | 1.7+ | Cost-free unit testing |
| Provider functions | 1.8+ | Provider-specific data transformation |
| Cross-variable validation | 1.9+ | Validate relationships between variables |
| Write-only arguments | 1.11+ | Secrets never stored in state |

### Quick Examples

```hcl
# try() - Safe fallbacks (0.13+)
output "sg_id" {
  value = try(aws_security_group.this[0].id, "")
}

# optional() - Optional attributes with defaults (1.3+)
variable "config" {
  type = object({
    name    = string
    timeout = optional(number, 300)  # Default: 300
  })
}

# Cross-variable validation (1.9+)
variable "environment" { type = string }
variable "backup_days" {
  type = number
  validation {
    condition     = var.environment == "prod" ? var.backup_days >= 7 : true
    error_message = "Production requires backup_days >= 7."
  }
}
```

**For complete patterns and examples, see:** Code Patterns: Modern Terraform Features

## Version-Specific Guidance

### Terraform 1.0-1.5
- Use Terratest for testing
- No native testing framework available
- Focus on static analysis and plan validation

### Terraform 1.6+ / OpenTofu 1.6+
- **New:** Native `terraform test` / `tofu test` command
- Consider migrating from external frameworks for simple tests
- Keep Terratest only for complex integration tests

### Terraform 1.7+ / OpenTofu 1.7+
- **New:** Mock providers for unit testing
- Reduce cost by mocking external dependencies
- Use real integration tests for final validation

### Terraform vs OpenTofu

Both are fully supported by this skill. For licensing, governance, and feature comparison, see Quick Reference: Terraform vs OpenTofu.

## Detailed Guides

This skill uses **progressive disclosure** - essential information is in this main file, detailed guides are available when needed:

📚 **Reference Files:**
- **Testing Frameworks** - In-depth guide to static analysis, native tests, and Terratest
- **Module Patterns** - Module structure, variable/output best practices, ✅ DO vs ❌ DON'T patterns
- **CI/CD Workflows** - GitHub Actions, GitLab CI templates, cost optimization, automated cleanup
- **Security & Compliance** - Trivy/Checkov integration, secrets management, compliance testing
- **Quick Reference** - Command cheat sheets, decision flowcharts, troubleshooting guide

**How to use:** When you need detailed information on a topic, reference the appropriate guide. Claude will load it on demand to provide comprehensive guidance.

## License

This skill is licensed under the **Apache License 2.0**. See the LICENSE file for full terms.

**Copyright © 2026 Anton Babenko**

## Limitations
- Use this skill only when the task clearly matches the scope described above.
- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.
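The ❌/✅ list under Security & Compliance is the kind of rule that belongs in a policy-as-code gate, run between the **Plan** and **Apply** stages. The following is an added example, not part of this skill or the terraform-skill repository: a Python checker that applies those rules to `terraform show -json tfplan` output. It reads `resource_changes[].change.after`, i.e. the values Terraform will actually apply and later write to state. The plan embedded in it is a constructed sample; the resource types and attribute names are the AWS provider's, while the rule set itself (which CIDRs count as open, which attribute names denote secrets, which resources carry an encryption flag) is an assumption to tune per organisation.

```python
"""Policy-as-code checks over a Terraform plan (added example, not from the skill).

Usage: terraform plan -out tfplan && terraform show -json tfplan > plan.json
       python check_plan.py plan.json
Without an argument it checks SAMPLE_PLAN, the constructed plan embedded below.
"""
from __future__ import annotations

import json
import re
import sys
from dataclasses import dataclass

# Assumptions: which CIDRs count as "open" and which attribute names denote secrets.
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
SECRET_KEY = re.compile(r"(password|secret|token|api_key|private_key)$", re.IGNORECASE)
# Resource type -> attribute that must be true for encryption at rest (assumed subset).
ENCRYPTION_FLAGS = {"aws_ebs_volume": "encrypted", "aws_db_instance": "storage_encrypted"}


@dataclass(frozen=True)
class Finding:
    rule: str
    address: str
    detail: str


def _ingress_cidrs(rtype: str, after: dict) -> set[str]:
    """CIDRs granted inbound access, across the three AWS security-group resource shapes."""
    cidrs: set[str] = set()
    if rtype == "aws_security_group":
        for rule in after.get("ingress") or []:
            cidrs.update(rule.get("cidr_blocks") or [])
            cidrs.update(rule.get("ipv6_cidr_blocks") or [])
    elif rtype == "aws_security_group_rule" and after.get("type") == "ingress":
        cidrs.update(after.get("cidr_blocks") or [])
        cidrs.update(after.get("ipv6_cidr_blocks") or [])
    elif rtype == "aws_vpc_security_group_ingress_rule":
        cidrs.update(c for c in (after.get("cidr_ipv4"), after.get("cidr_ipv6")) if c)
    return cidrs


def check_plan(plan: dict) -> list[Finding]:
    """Apply the Don't-list rules to every resource the plan will create, update or keep."""
    findings: list[Finding] = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # removing a resource cannot introduce one of these issues
        after = change.get("after") or {}  # values as they will be applied and stored in state
        rtype, addr = rc["type"], rc["address"]

        open_cidrs = _ingress_cidrs(rtype, after) & OPEN_CIDRS
        if open_cidrs:
            findings.append(Finding("open-ingress", addr, f"inbound allowed from {sorted(open_cidrs)}"))

        if rtype in ("aws_default_vpc", "aws_default_subnet"):
            findings.append(Finding("default-vpc", addr, "adopts the default VPC; create a dedicated one"))

        flag = ENCRYPTION_FLAGS.get(rtype)
        # A computed-but-unset flag is absent from `after` (it sits in after_unknown),
        # so .get() yields None and the resource is reported as not proven encrypted.
        if flag and after.get(flag) is not True:
            findings.append(Finding("unencrypted", addr, f"{flag} = {after.get(flag)!r}"))

        for key, value in after.items():
            if SECRET_KEY.search(key) and isinstance(value, str) and value:
                findings.append(Finding("secret-in-state", addr,
                    f"{key} is a literal in the plan and will be written to state in plaintext "
                    "(sensitive = true only redacts CLI output; prefer a write-only argument)"))
    return findings


# Constructed sample in `terraform show -json` shape; not real infrastructure.
SAMPLE_PLAN = json.loads("""
{
  "format_version": "1.2",
  "resource_changes": [
    {"address": "aws_security_group.this", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp",
         "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}},
    {"address": "aws_vpc_security_group_ingress_rule.https",
     "type": "aws_vpc_security_group_ingress_rule",
     "change": {"actions": ["create"], "after": {"cidr_ipv4": "10.0.0.0/8", "cidr_ipv6": null,
        "from_port": 443, "to_port": 443, "ip_protocol": "tcp"}}},
    {"address": "aws_db_instance.this", "type": "aws_db_instance",
     "change": {"actions": ["create"],
                "after": {"storage_encrypted": false, "password": "hunter2"},
                "after_sensitive": {"password": true}}},
    {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
     "change": {"actions": ["create"], "after": {"encrypted": true, "size": 100}}},
    {"address": "aws_default_vpc.legacy", "type": "aws_default_vpc",
     "change": {"actions": ["delete"], "after": null}}
  ]
}
""")

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = check_plan(plan)
    for f in problems:
        print(f"[{f.rule}] {f.address}: {f.detail}")
    sys.exit(1 if problems else 0)  # non-zero exit fails the CI stage
```

Against the sample plan the checker reports three findings (the SSH rule open to the world, the unencrypted database, and the literal database password) and stays silent about the internal HTTPS rule, the encrypted volume, and the default VPC that is being deleted. Checking the plan rather than the `.tf` source means values that arrive through variables, locals, or module defaults are evaluated as Terraform resolved them; a typical production tweak is an allowlist for deliberately public listeners such as tcp/443 on a load balancer.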
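Because `~>` is the operator most often misread in the Version Management section, here is an added example (not code from the skill or from terraform-skill) that models Terraform's constraint operators in Python, resolves the newest permitted version the way `terraform init -upgrade` does, and then cross-checks a `.terraform.lock.hcl` against the constraints declared in `required_providers`. Assumptions: only released versions are modeled (no pre-release suffixes), the single-component form `~> 5` is rejected rather than guessed at, and the version catalogue, lock-file text and placeholder hashes are constructed samples.

```python
"""Terraform version-constraint semantics plus a lock-file audit (added example, not from the skill).

Models the operators accepted in `version = "..."` for released versions, mirrors the
selection `terraform init -upgrade` makes, and checks .terraform.lock.hcl against
required_providers. All sample data below is constructed.
"""
from __future__ import annotations

import re

Version = tuple[int, int, int]
_CLAUSE = re.compile(r"^(~>|>=|<=|!=|=|>|<)?\s*(\d+(?:\.\d+){0,2})$")


def parse_version(text: str) -> Version:
    """'5.1' -> (5, 1, 0); missing components are zero."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"bad version: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def allows(constraint: str, version: str) -> bool:
    """True if `version` satisfies every comma-separated clause of `constraint`."""
    v = parse_version(version)
    for clause in constraint.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"bad constraint clause: {clause!r}")
        op, ctext = m.group(1) or "=", m.group(2)
        c = parse_version(ctext)
        if op == "~>":
            # Pessimistic operator: only the rightmost component that was written may grow.
            #   "~> 5.0"   => >= 5.0.0, < 6.0.0   (any 5.x)
            #   "~> 5.0.0" => >= 5.0.0, < 5.1.0   (5.0.x only)
            given = ctext.count(".") + 1
            if given < 2:
                raise ValueError("single-component ~> is not modeled here (assumption)")
            upper = (c[0] + 1, 0, 0) if given == 2 else (c[0], c[1] + 1, 0)
            ok = c <= v < upper
        else:
            ok = {"=": v == c, "!=": v != c, ">": v > c, ">=": v >= c,
                  "<": v < c, "<=": v <= c}[op]
        if not ok:
            return False
    return True


def newest_allowed(constraint: str, available: list[str]) -> str | None:
    """What `terraform init -upgrade` selects: the highest version satisfying the constraint."""
    candidates = [v for v in available if allows(constraint, v)]
    return max(candidates, key=parse_version) if candidates else None


# Minimal lock-file parsing: provider blocks with version/constraints attributes and a hashes list.
_PROVIDER_BLOCK = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
_ATTR = re.compile(r'^\s*(version|constraints)\s*=\s*"([^"]*)"', re.M)
_HASH = re.compile(r'"((?:h1|zh):[^"]+)"')


def audit_lock_file(lock_text: str, declared: dict[str, str]) -> list[str]:
    """Problems found when comparing .terraform.lock.hcl with required_providers.

    `declared` maps provider source address -> constraint string. Empty list = consistent.
    """
    problems: list[str] = []
    seen: set[str] = set()
    for source, body in _PROVIDER_BLOCK.findall(lock_text):
        seen.add(source)
        locked = dict(_ATTR.findall(body)).get("version", "0")
        want = declared.get(source)
        if want is None:
            problems.append(f"{source}: locked but not declared in required_providers")
        elif not allows(want, locked):
            problems.append(f"{source}: locked {locked} violates constraint {want!r}")
        if not _HASH.findall(body):
            problems.append(f"{source}: no checksums recorded, so init cannot verify the package")
    for source in sorted(declared.keys() - seen):
        problems.append(f"{source}: declared but absent from the lock file; run terraform init and commit the lock")
    return problems


# Constructed samples; the hashes are placeholders, not real provider checksums.
AVAILABLE = ["4.67.0", "5.0.0", "5.0.1", "5.1.0", "5.99.1", "6.0.0"]
SAMPLE_LOCK = '''
provider "registry.terraform.io/hashicorp/aws" {
  version     = "5.31.0"
  constraints = "~> 5.0"
  hashes = [
    "h1:placeholder-not-a-real-hash",
  ]
}

provider "registry.terraform.io/hashicorp/random" {
  version     = "3.6.0"
  constraints = "~> 3.5"
  hashes = []
}
'''
DECLARED = {
    "registry.terraform.io/hashicorp/aws": "~> 5.0",
    "registry.terraform.io/hashicorp/random": "~> 3.5",
    "registry.terraform.io/hashicorp/tls": ">= 4.0",
}
```

With the catalogue above, `newest_allowed("~> 5.0", AVAILABLE)` is `5.99.1`, `newest_allowed("~> 5.0.0", AVAILABLE)` is `5.0.1`, and `newest_allowed(">= 5.0", AVAILABLE)` jumps to `6.0.0`, which is the breaking-change risk the table warns about. `audit_lock_file(SAMPLE_LOCK, DECLARED)` flags the `random` provider for carrying no checksums and `tls` for being declared but never locked; running it in the **Validate** stage catches a lock file that was hand-edited or not committed after a constraint change.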