From skillry-cloud-and-infrastructure
Use when you need to review Terraform or OpenTofu infrastructure-as-code for remote state and locking correctness, module structure, drift, plan safety, hardcoded secrets, provider pinning, and least-privilege IAM before any apply.
How this skill is triggered — by the user, by Claude, or both
Slash command
/skillry-cloud-and-infrastructure:331-terraform-iac-review
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Conduct a structured, read-and-author review of Terraform or OpenTofu code — covering remote state backend and locking, module boundaries and reuse, variable and output hygiene, provider and version pinning, drift between code and live infrastructure, hardcoded secrets, and least-privilege IAM in generated policies. The goal is to make the configuration safe, reproducible, and reviewable so a human can approve a plan before any apply touches real cloud resources. Surface concrete findings from actual .tf files and terraform plan output, never from assumptions.
Use this skill when:
- The change touches *.tf, *.tofu, *.tfvars, backend config, or a module under modules/.
- terraform plan shows unexpected destroys/replacements and you need to triage drift.
- Any request to apply comes in: escalate to a human operator; do not self-approve.
# Find Terraform/OpenTofu roots and modules
find . -name "*.tf" -not -path "*/.terraform/*" | sed 's#/[^/]*$##' | sort -u
# Inspect backend + required versions (read only)
grep -rn "backend\s*\"" . --include="*.tf"
grep -rn "required_version\|required_providers" . --include="*.tf"
# Which binary and version?
terraform version 2>/dev/null || tofu version 2>/dev/null
# State files must NOT be tracked in git
git ls-files | grep -E "terraform\.tfstate|\.tfstate\.backup" && echo "STATE IN GIT — CRITICAL"
# .gitignore should exclude local state + .terraform
grep -E "tfstate|\.terraform" .gitignore 2>/dev/null || echo "WARNING: state not gitignored"
# Confirm a remote backend with locking (s3+dynamodb, gcs, azurerm, or remote)
grep -rn "backend\s*\"\(s3\|gcs\|azurerm\|remote\)\"" . --include="*.tf"
grep -rn "dynamodb_table\|use_lockfile" . --include="*.tf" # S3 locking
terraform init -backend=false -input=false # providers and modules only: enough for validate and fmt, no remote reads or writes
terraform validate
terraform fmt -check -recursive # report unformatted files
# plan must read the real state, so the configured backend has to be initialised first (a full init);
# plan reads and locks state but never writes it
terraform init -input=false
# -lock=false only if you are certain no apply is concurrent; otherwise keep locking
terraform plan -out=tfplan -input=false -no-color | tee plan.txt
# Machine-readable diff for triage
terraform show -json tfplan > tfplan.json
# Count creates / updates / destroys / replacements by action phrase (-o keeps only the matched phrase, so uniq -c counts per kind)
grep -oE "will be (created|updated in-place|destroyed|replaced)|must be replaced" plan.txt | sort | uniq -c
Treat every destroy and must be replaced line as a finding: confirm it is intended and reversible before a human applies.
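The grep above counts lines; the JSON plan is the reliable source for which resources are destroyed or replaced, and for why. The following is an added example written for this page, not the skill's own code. It classifies each entry of resource_changes by its actions list (the action combinations Terraform emits in plan JSON: no-op, read, create, update, delete, delete+create, create+delete) and returns the changes a human must confirm. SAMPLE_PLAN is a constructed stand-in for a real tfplan.json; any other action list it meets is flagged as unknown rather than ignored.

```python
"""Triage a saved plan from `terraform show -json tfplan` (added example, not the skill's code)."""
import json
import sys
from collections import Counter

# Constructed sample with the resource_changes shape of `terraform show -json`.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_vpc.main", "change": {"actions": ["no-op"]}},
        {"address": "aws_subnet.private[0]", "change": {"actions": ["create"]}},
        {"address": "aws_security_group.web", "change": {"actions": ["update"]}},
        # forced replacement: destroy then create (data loss risk on a database)
        {"address": "aws_db_instance.prod", "change": {"actions": ["delete", "create"]},
         "action_reason": "replace_because_cannot_update"},
        # create_before_destroy replacement
        {"address": "aws_lb.edge", "change": {"actions": ["create", "delete"]}},
        {"address": "aws_iam_role.legacy", "change": {"actions": ["delete"]}},
    ],
}

# Action lists Terraform emits in plan JSON, mapped to the review categories used above.
ACTION_KINDS = {
    ("no-op",): "no-op",
    ("read",): "read",
    ("create",): "create",
    ("update",): "update",
    ("delete",): "destroy",
    ("delete", "create"): "replace",   # destroy-then-create
    ("create", "delete"): "replace",   # create_before_destroy
}


def classify(actions):
    """Map a change's actions list to one review category; unknown combinations are flagged, not dropped."""
    return ACTION_KINDS.get(tuple(actions), "unknown:" + "+".join(actions))


def triage(plan):
    """Return per-kind counts plus the changes that need human confirmation before apply."""
    counts = Counter()
    findings = []
    for rc in plan.get("resource_changes", []):
        kind = classify(rc["change"]["actions"])
        counts[kind] += 1
        if kind in ("destroy", "replace") or kind.startswith("unknown"):
            findings.append({
                "address": rc["address"],
                "kind": kind,
                "reason": rc.get("action_reason", ""),  # e.g. replace_because_cannot_update
            })
    return {"counts": dict(counts), "findings": findings, "needs_human": bool(findings)}


def load_plan(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    plan = load_plan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PLAN
    result = triage(plan)
    print("counts:", result["counts"])
    for f in result["findings"]:
        print(f"CONFIRM {f['kind']:8} {f['address']} {f['reason']}")
    # non-zero exit when a destroy or replacement is present: a CI gate, never an auto-approval
    sys.exit(2 if result["needs_human"] else 0)
```

Run it as `python triage_plan.py tfplan.json` after `terraform show -json tfplan > tfplan.json`; exit code 2 means a human has to look before anything is applied. The action_reason field is what tells you whether a replacement is forced by an immutable attribute, which is the usual sign of drift or an unintended change.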
# Hardcoded credentials or keys in code/vars
grep -rEn "(secret|password|token|access_key|private_key)\s*=\s*\"[^\"$]" . --include="*.tf" --include="*.tfvars"
# Sensitive values that should be marked sensitive
grep -rn "variable\s\+\"" . --include="*.tf"
grep -rn "sensitive\s*=\s*true" . --include="*.tf"
# Plaintext secrets that leak into state (passwords on resources) need a secret manager ref instead
# Unpinned modules (git sources with no ref) and open-ended provider constraints (>= or *)
grep -rn "source\s*=\s*\"\(git::\|github.com\)" . --include="*.tf" | grep -v "ref=\|?ref"
grep -rn "version\s*=" . --include="*.tf" | grep -E "\">=|\">|\"\*\""
# ~> is acceptable only when the dependency lock file is committed; the lock file is what actually pins provider versions
git ls-files .terraform.lock.hcl | grep -q . || echo "WARNING: .terraform.lock.hcl not tracked"
# Wildcards in IAM policy documents (over-permission)
grep -rn "\"Action\".*\"\*\"\|actions\s*=\s*\[\"\*\"\]\|\"Resource\".*\"\*\"" . --include="*.tf"
# Wide-open ingress
grep -rn "0\.0\.0\.0/0\|::/0" . --include="*.tf"
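The greps above are quick to type but noisy, and they cannot tell a quoted interpolation from a literal or spot a secret-named variable that lacks sensitive = true. The following is an added example written for this page, not the skill's own code: a line-based scanner that implements the same rules (literal secrets with "${...}" values skipped, open-ended version constraints, git module sources without ?ref=, wildcard IAM actions and resources, security-group rules open to the world, and secret-named variables without sensitive = true) and emits findings in the file:line | issue | severity | fix shape the report section asks for. SAMPLE_TF is constructed; the regexes and rule names are this example's own. It assumes one attribute per line and does not parse nested blocks inside variable {}, so treat it as triage, not as a substitute for reading the code.

```python
"""Line-based static checks over .tf text (added example, not the skill's code)."""
import re
import sys
from pathlib import Path

# Constructed sample .tf text holding one instance of each issue.
SAMPLE_TF = """\
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}
module "net" {
  source = "git::https://github.com/example-org/tf-modules.git//vpc"
}
variable "db_password" {
  type = string
}
locals {
  api_token = "${var.api_token}"
}
resource "aws_db_instance" "db" {
  username = var.db_user
  password = "hunter2"
}
data "aws_iam_policy_document" "admin" {
  statement {
    actions   = ["*"]
    resources = ["*"]
  }
}
resource "aws_security_group_rule" "ssh" {
  type        = "ingress"
  cidr_blocks = ["0.0.0.0/0"]
}
"""

SECRET_NAME = re.compile(r"secret|password|token|access_key|private_key", re.I)
SECRET_LITERAL = re.compile(r'^\s*\w*(secret|password|token|access_key|private_key)\w*\s*=\s*"(?P<val>[^"]*)"', re.I)
LOOSE_VERSION = re.compile(r'version\s*=\s*"\s*(>=|>|\*)')
GIT_SOURCE = re.compile(r'source\s*=\s*"(?P<src>(git::|github\.com)[^"]*)"')
WILDCARD_ACTION = re.compile(r'actions\s*=\s*\[\s*"\*"\s*\]|"Action"\s*:\s*"\*"')
WILDCARD_RESOURCE = re.compile(r'resources\s*=\s*\[\s*"\*"\s*\]|"Resource"\s*:\s*"\*"')
# only cidr_blocks / ipv6_cidr_blocks: a route table's destination_cidr_block = "0.0.0.0/0" is a normal default route
OPEN_CIDR = re.compile(r'(ipv6_)?cidr_blocks\s*=.*"(0\.0\.0\.0/0|::/0)"')
VARIABLE_BLOCK = re.compile(r'variable\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^}]*)\}')  # no nested blocks

LINE_RULES = [
    ("loose-version", "high", LOOSE_VERSION, "open-ended constraint; pin with ~> or = and commit .terraform.lock.hcl"),
    ("wildcard-action", "critical", WILDCARD_ACTION, "scope actions to what the role actually calls"),
    ("wildcard-resource", "high", WILDCARD_RESOURCE, "scope resources by ARN"),
    ("open-ingress", "high", OPEN_CIDR, "restrict to known CIDRs or a security group reference"),
]


def scan_hcl(text):
    """Return findings as dicts {line, rule, severity, fix}, sorted by line."""
    findings = []

    def add(line, rule, severity, fix):
        findings.append({"line": line, "rule": rule, "severity": severity, "fix": fix})

    for n, line in enumerate(text.splitlines(), 1):
        m = SECRET_LITERAL.search(line)
        if m and "${" not in m.group("val"):  # a quoted interpolation is a reference, not a literal
            add(n, "hardcoded-secret", "critical", "move to a secret manager or a sensitive variable")
        m = GIT_SOURCE.search(line)
        if m and "ref=" not in m.group("src"):
            add(n, "unpinned-module", "high", "append ?ref=vX.Y.Z; a bare git source follows the default branch")
        for rule, severity, rx, fix in LINE_RULES:
            if rx.search(line):
                add(n, rule, severity, fix)
    for m in VARIABLE_BLOCK.finditer(text):
        if SECRET_NAME.search(m.group("name")) and not re.search(r"sensitive\s*=\s*true", m.group("body")):
            add(text.count("\n", 0, m.start()) + 1, "missing-sensitive", "medium",
                "add sensitive = true so the value is redacted from plan/apply output")
    findings.sort(key=lambda f: f["line"])
    return findings


def report(findings, path):
    """Format findings as file:line | issue | severity | fix, the report shape this skill produces."""
    return "\n".join(f"{path}:{f['line']} | {f['rule']} | {f['severity']} | {f['fix']}" for f in findings)


if __name__ == "__main__":
    targets = [Path(p) for p in sys.argv[1:]]
    if not targets:
        print(report(scan_hcl(SAMPLE_TF), "sample.tf"))
    for p in targets:
        print(report(scan_hcl(p.read_text(encoding="utf-8")), str(p)))
```

Run it over a root with `python scan_tf.py $(find . -name "*.tf" -not -path "*/.terraform/*")`. Every hit still needs a human to decide: an egress rule to 0.0.0.0/0 is usually fine, and a wildcard resource on a read-only action may be acceptable, so the scanner produces candidates for the report rather than verdicts.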
Checklist before a human approves the plan:
- A remote backend (s3, gcs, azurerm, or remote) is configured — no purely local state.
- State locking is enabled (dynamodb_table, use_lockfile, or backend-native locking).
- *.tfstate is gitignored and not tracked in the repo.
- required_version and every provider in required_providers are pinned with ~> or =.
- External modules are pinned to a version or tag (?ref=vX.Y.Z), not a floating branch.
- terraform validate passes and terraform fmt -check is clean.
- The plan has been triaged for destroy / must be replaced lines.
- No hardcoded secrets in .tf or .tfvars; secrets come from a secret manager or sensitive vars.
- Secret-bearing variables are marked sensitive = true.
- No IAM policy grants Action: "*" on Resource: "*"; permissions are scoped.
- No ingress rule is open to 0.0.0.0/0.
- .tfvars files containing real values are gitignored; an .tfvars.example documents shape.
# Remote backend with locking (S3 example) — review target
terraform {
  required_version = "~> 1.10" # use_lockfile needs Terraform 1.10+; "~> 1.7" would let an older binary reject the backend block
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.40"
    }
  }
  backend "s3" {
    bucket       = "org-tf-state"
    key          = "prod/network/terraform.tfstate"
    region       = "eu-central-1"
    encrypt      = true
    use_lockfile = true # native S3 state locking (Terraform 1.10+), no DynamoDB table required
  }
}
# Pinned external module + sensitive variable
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.8.1" # pinned, not a branch
}
variable "db_password" {
  type      = string
  sensitive = true # never printed in plan/apply output
}
# Safe review loop — no mutation of real infrastructure
terraform init -backend=false -input=false   # providers and modules only; enough for validate and fmt
terraform validate && terraform fmt -check -recursive
terraform init -input=false                  # backend must be initialised before plan so it reads the real state (read + lock, no write)
terraform plan -out=tfplan -input=false      # produce plan for HUMAN approval
# list every change whose actions include delete (plain destroys and both replacement orders)
terraform show -json tfplan | jq -r '.resource_changes[] | select(.change.actions[] | . == "delete") | "\(.address) \(.change.actions)"'
Anti-patterns to flag:
- terraform.tfstate committed to git — collaborators overwrite each other and secrets leak.
- Unpinned providers or modules (>=, latest, branch refs) — non-reproducible builds and surprise upgrades.
- Real .tfvars committed to the repo, or plaintext passwords that land in state.
- Action: "*" / Resource: "*" IAM policies and 0.0.0.0/0 ingress — least-privilege violations.
- apply straight from CI on every push with no manual gate.
- Disabling locking (-lock=false) routinely to "make plans faster".
Produce a structured report with:
- file:line | issue | severity | concrete fix for every finding.
- A summary of the plan's destroys and replacements for the human to confirm before apply.
Constraints:
- Never run terraform apply, terraform destroy, terraform import, terraform state rm/mv, or terraform taint without explicit human approval.
- init -backend=false, validate, fmt -check, plan, and show are safe to run unattended — and plan exists to be reviewed by a human, not auto-applied.
- Never write secrets into .tf/.tfvars; reference a secret manager or use sensitive variables.
- If real credentials are found, redact them as **** in the report and flag them for rotation and removal from history.
Install:
npx claudepluginhub fluxonlab/skillry --plugin skillry-cloud-and-infrastructure