AI Agent Skill HUB

terraform-validator

Comprehensive toolkit for validating, linting, testing, and automating Terraform configurations and HCL files. Use this skill when working with Terraform files (.tf, .tfvars), validating infrastructure-as-code, debugging Terraform configurations, performing dry-run testing with terraform plan, or working with custom providers and modules.

16 stars
bydiegosouzapw
View on GitHubInstallation ↓

Best use case

terraform-validator is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Comprehensive toolkit for validating, linting, testing, and automating Terraform configurations and HCL files. Use this skill when working with Terraform files (.tf, .tfvars), validating infrastructure-as-code, debugging Terraform configurations, performing dry-run testing with terraform plan, or working with custom providers and modules.

Teams using terraform-validator should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/terraform-validator/SKILL.md --create-dirs "https://raw.githubusercontent.com/diegosouzapw/awesome-omni-skill/main/skills/devops/terraform-validator/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/terraform-validator/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How terraform-validator Compares

Feature / Agentterraform-validatorStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Comprehensive toolkit for validating, linting, testing, and automating Terraform configurations and HCL files. Use this skill when working with Terraform files (.tf, .tfvars), validating infrastructure-as-code, debugging Terraform configurations, performing dry-run testing with terraform plan, or working with custom providers and modules.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

AI Agents for Coding

Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.

SKILL.md Source

# Terraform Validator

Comprehensive toolkit for validating, linting, and testing Terraform configurations with automated workflows for syntax validation, security scanning, and intelligent documentation lookup.

## ⚠️ Critical Requirements Checklist

**STOP: You MUST complete these steps in order. Do NOT skip any REQUIRED step.**

| Step | Action | Required |
|------|--------|----------|
| 1 | Run `bash scripts/extract_tf_info_wrapper.sh <path>` | ✅ REQUIRED |
| 2 | Context7 lookup for **ALL** providers (explicit AND implicit); **WebSearch fallback if not found** | ✅ REQUIRED |
| 3 | **READ** `references/security_checklist.md` | ✅ REQUIRED |
| 4 | **READ** `references/best_practices.md` | ✅ REQUIRED |
| 5 | Run `terraform fmt` | ✅ REQUIRED |
| 6 | Run `tflint` (or note as skipped if unavailable) | Recommended |
| 7 | Run `terraform init` (if not initialized) | ✅ REQUIRED |
| 8 | Run `terraform validate` | ✅ REQUIRED |
| 9 | Run `bash scripts/run_checkov.sh <path>` | ✅ REQUIRED |
| 10 | Cross-reference findings with `security_checklist.md` sections | ✅ REQUIRED |
| 11 | Generate report citing reference files | ✅ REQUIRED |

> **IMPORTANT:** Steps 3-4 (reading reference files) must be completed BEFORE running security scans. The reference files contain remediation patterns that MUST be cited in your report.

> **Context7 Fallback:** If Context7 does not have a provider (common for: random, null, local, time, tls), use WebSearch: `"terraform-provider-{name} hashicorp documentation"`

## When to Use This Skill

- Working with Terraform files (`.tf`, `.tfvars`, `.tfstate`)
- Validating Terraform configuration syntax and structure
- Linting and formatting HCL code
- Performing dry-run testing with `terraform plan`
- Debugging Terraform errors or misconfigurations
- Understanding custom Terraform providers or modules
- Security validation of Terraform configurations

## External Documentation

| Tool | Documentation |
|------|---------------|
| **Terraform** | [developer.hashicorp.com/terraform](https://developer.hashicorp.com/terraform/docs) |
| **TFLint** | [github.com/terraform-linters/tflint](https://github.com/terraform-linters/tflint) |
| **Checkov** | [checkov.io](https://www.checkov.io/1.Welcome/Quick%20Start.html) |
| **Trivy** | [aquasecurity.github.io/trivy](https://aquasecurity.github.io/trivy) |

## Validation Workflow

**IMPORTANT:** Follow this workflow in order. Each step is REQUIRED unless explicitly marked optional.

```
1. Identify Terraform files in scope
   ├─> Single file, directory, or multi-environment

2. Extract Provider/Module Info (REQUIRED)
   ├─> MUST run: bash scripts/extract_tf_info_wrapper.sh <path>
   ├─> Parse output for providers and modules
   └─> Use for Context7 documentation lookup

3. Lookup Provider Documentation (REQUIRED)
   ├─> For EACH provider detected:
   │   ├─> mcp__context7__resolve-library-id with "terraform-provider-{name}"
   │   ├─> mcp__context7__get-library-docs for version-specific guidance
   │   └─> If NOT found in Context7: WebSearch fallback (see below)
   └─> Note any custom/private providers for WebSearch

4. Read Reference Files (REQUIRED before validation)
   ├─> MUST READ: references/security_checklist.md (before security scan)
   ├─> MUST READ: references/best_practices.md (for structure validation)
   └─> Reference common_errors.md if errors occur

5. Format and Lint (REQUIRED)
   ├─> MUST run: terraform fmt -recursive (auto-fix formatting)
   ├─> RUN: tflint (or note as skipped if unavailable)
   └─> Report formatting issues

6. Syntax Validation (REQUIRED)
   ├─> MUST run: terraform init (if not initialized)
   ├─> MUST run: terraform validate
   └─> Report syntax errors (consult common_errors.md)

7. Security Scanning (REQUIRED)
   ├─> MUST run: bash scripts/run_checkov.sh <path>
   ├─> Analyze policy violations against security_checklist.md
   └─> Suggest remediations from reference

8. Dry-Run Testing (if credentials available)
   ├─> terraform plan
   ├─> Analyze planned changes
   └─> Report potential issues

9. Generate Comprehensive Report
   ├─> Include all findings with severity
   ├─> Reference best_practices.md for recommendations
   └─> Offer to fix issues if appropriate
```

## Required Reference File Reading

**You MUST read these reference files during validation:**

| When | Reference File | Action |
|------|----------------|--------|
| **Before security scan** | `references/security_checklist.md` | Read to understand security checks and remediation patterns |
| **During validation** | `references/best_practices.md` | Read to validate project structure, naming, and patterns |
| **If errors occur** | `references/common_errors.md` | Read to find solutions for specific error messages |
| **If using Terraform 1.10+** | `references/advanced_features.md` | Read to understand ephemeral values, actions, list resources |

## Required Script Usage

**You MUST use these wrapper scripts instead of calling tools directly:**

| Task | Script | Command |
|------|--------|---------|
| **Extract provider/module info** | `extract_tf_info_wrapper.sh` | `bash scripts/extract_tf_info_wrapper.sh <path>` |
| **Run security scan** | `run_checkov.sh` | `bash scripts/run_checkov.sh <path>` |
| **Install checkov (if missing)** | `install_checkov.sh` | `bash scripts/install_checkov.sh install` |

> **Note:** `extract_tf_info_wrapper.sh` automatically handles the python-hcl2 dependency by creating a temporary virtual environment if needed. The venv is automatically cleaned up on exit.

## Context7 Provider Documentation Lookup (REQUIRED)

**For EVERY provider detected, you MUST lookup documentation via Context7:**

```
1. Run extract_tf_info_wrapper.sh to get provider list
2. For each provider (e.g., "aws", "google", "azurerm"):
   a. Call: mcp__context7__resolve-library-id with "terraform-provider-{name}"
   b. Call: mcp__context7__get-library-docs with the resolved ID
   c. Note version-specific features and constraints
3. Include relevant provider guidance in validation report
```

**Example for AWS provider:**
```
mcp__context7__resolve-library-id("terraform-provider-aws")
mcp__context7__get-library-docs(context7CompatibleLibraryID, topic="best practices")
```

### Context7 Fallback to WebSearch (REQUIRED)

**If Context7 does not find a provider, you MUST fall back to WebSearch:**

```
1. If mcp__context7__resolve-library-id returns no results or provider not found:
   a. Use WebSearch with query: "terraform-provider-{name} hashicorp documentation"
   b. For specific version: "terraform-provider-{name} {version} documentation site:registry.terraform.io"
2. Common providers NOT in Context7 (use WebSearch directly):
   - random (hashicorp/random)
   - null (hashicorp/null)
   - local (hashicorp/local)
   - time (hashicorp/time)
   - tls (hashicorp/tls)
3. Document in report: "Provider docs via WebSearch (not in Context7)"
```

**WebSearch Fallback Example:**
```
# If Context7 fails for random provider:
WebSearch("terraform-provider-random hashicorp documentation site:registry.terraform.io")
```

> **Note:** HashiCorp utility providers (random, null, local, time, tls, archive, external, http) may not be indexed in Context7. Always fall back to WebSearch for these.

## Detecting Implicit Providers (REQUIRED)

**IMPORTANT:** Providers can be used without being declared in `required_providers`. You MUST detect ALL providers:

### Detection Methods

1. **Explicit Providers:** Listed in `required_providers` block (from extract_tf_info_wrapper.sh output)
2. **Implicit Providers:** Inferred from resource type prefixes

### Common Implicit Provider Patterns

| Resource Type Prefix | Provider Name | Context7 Lookup |
|---------------------|---------------|-----------------|
| `random_*` | `random` | `terraform-provider-random` |
| `null_*` | `null` | `terraform-provider-null` |
| `local_*` | `local` | `terraform-provider-local` |
| `tls_*` | `tls` | `terraform-provider-tls` |
| `time_*` | `time` | `terraform-provider-time` |
| `archive_*` | `archive` | `terraform-provider-archive` |
| `http` (data source) | `http` | `terraform-provider-http` |
| `external` (data source) | `external` | `terraform-provider-external` |

### Workflow for Complete Provider Detection

```
1. Parse extract_tf_info_wrapper.sh output
2. Get providers from "providers" array (explicit)
3. Get resources from "resources" array
4. For EACH resource type:
   a. Extract prefix (e.g., "random" from "random_id")
   b. Check if already in providers list
   c. If NOT in providers: add as implicit provider
5. Perform Context7 lookup for ALL providers (explicit + implicit)
```

### Example

If `extract_tf_info_wrapper.sh` returns:
```json
{
  "providers": [{"name": "aws", ...}],
  "resources": [
    {"type": "aws_instance", ...},
    {"type": "random_id", ...}
  ]
}
```

You MUST lookup BOTH:
- `terraform-provider-aws` (explicit)
- `terraform-provider-random` (implicit - detected from `random_id` resource)

## Quick Reference Commands

### Format and Lint

```bash
# Check formatting (dry-run)
terraform fmt -check -recursive .

# Apply formatting
terraform fmt -recursive .

# Run tflint (requires .tflint.hcl config)
tflint --init              # Install plugins
tflint --recursive         # Lint all modules
tflint --format compact    # Compact output
```

> **TFLint Configuration:** See [TFLint Ruleset documentation](https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md) for plugin setup.

### Validate Configuration

```bash
# Initialize (downloads providers and modules)
terraform init

# Validate syntax
terraform validate

# Validate with JSON output
terraform validate -json
```

### Security Scanning

**MUST use wrapper script:**
```bash
# Use the wrapper script (REQUIRED)
bash scripts/run_checkov.sh ./terraform

# With specific options
bash scripts/run_checkov.sh -f json ./terraform
bash scripts/run_checkov.sh --compact ./terraform
```

> **Detailed Security Scanning:** You MUST read `references/security_checklist.md` before running security scans to understand the checks and remediation patterns.

## Security Finding Cross-Reference (REQUIRED)

**When reporting security findings, you MUST cite specific sections from `security_checklist.md`:**

### Cross-Reference Mapping

| Checkov Check Pattern | security_checklist.md Section | Line Reference |
|-----------------------|------------------------------|----------------|
| `CKV_AWS_24` (SSH open) | "Overly Permissive Security Groups" | Lines 66-110 |
| `CKV_AWS_260` (HTTP open) | "Overly Permissive Security Groups" | Lines 66-110 |
| `CKV_AWS_16` (RDS encryption) | "Encryption at Rest" | Lines 141-175 |
| `CKV_AWS_17` (RDS public) | "RDS Databases" | Lines 356-366 |
| `CKV_AWS_130` (public subnet) | "Network Security" | Lines 62-140 |
| `CKV_AWS_53-56` (S3 public access) | "Public S3 Buckets" | Lines 112-139 |
| `CKV_AWS_*` (IAM) | "IAM Security" | Lines 217-308 |
| `CKV_AWS_79` (IMDSv1) | "EC2/EKS Security" | Lines 382-389 |
| Hardcoded passwords | "Hardcoded Credentials" | Lines 8-45 |
| Sensitive outputs | "Sensitive Output Exposure" | Lines 47-61 |

### Report Template for Security Findings

```markdown
### Security Issue: [Check ID]

**Finding:** [Description from checkov]
**Resource:** [Resource name and file:line]
**Severity:** [HIGH/MEDIUM/LOW]

**Reference:** security_checklist.md - "[Section Name]" (lines X-Y)

**Remediation Pattern:**
[Copy relevant code example from security_checklist.md]

**Recommended Fix:**
[Specific fix for this configuration]
```

### Example Cross-Referenced Report

```markdown
### Security Issue: CKV_AWS_24

**Finding:** Security group allows SSH from 0.0.0.0/0
**Resource:** aws_security_group.web (main.tf:47-79)
**Severity:** HIGH

**Reference:** security_checklist.md - "Overly Permissive Security Groups" (lines 66-110)

**Remediation Pattern (from reference):**
```hcl
variable "admin_cidr" {
  description = "CIDR block for admin access"
  type        = string
}

resource "aws_security_group" "app" {
  ingress {
    description = "SSH from admin network only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }
}
```

**Recommended Fix:** Replace `cidr_blocks = ["0.0.0.0/0"]` with a variable or specific CIDR range.
```

### Dry-Run Testing

```bash
# Generate execution plan
terraform plan

# Save plan to file
terraform plan -out=tfplan

# Plan with specific var file
terraform plan -var-file="production.tfvars"

# Plan with target resource
terraform plan -target=aws_instance.example
```

**Plan Output Symbols:**
- `+` Resources to be created
- `-` Resources to be destroyed
- `~` Resources to be modified
- `-/+` Resources to be replaced

## Handling Missing Tools

When validation tools are not installed, follow this recovery workflow:

### Recovery Workflow (REQUIRED)

```
1. Detect missing tool
2. Inform user what is missing and why it's needed
3. Provide installation command
4. ASK user: "Would you like me to install [tool] and continue?"
5. If yes: Run installation and RERUN the validation step
6. If no: Note as skipped in report, continue with available tools
```

### Tool-Specific Recovery

**If checkov is missing:**
```
1. Inform: "Checkov is not installed. It's required for security scanning."
2. Ask: "Would you like me to install it? I'll use: bash scripts/install_checkov.sh install"
3. If yes: Run install script, then rerun security scan
```

**If tflint is missing:**
```
1. Inform: "TFLint is not installed. It provides advanced linting beyond terraform validate."
2. Ask: "Would you like me to install it?"
3. Provide: brew install tflint (macOS) or installation script (Linux)
```

**If python-hcl2 is missing:**
```
The extract_tf_info_wrapper.sh script handles this automatically by creating
a temporary venv. No user action required.
```

**Required tools:** `terraform fmt`, `terraform validate`
**Optional but recommended:** `tflint`, `checkov`

## Scripts

| Script | Purpose | Usage |
|--------|---------|-------|
| `extract_tf_info_wrapper.sh` | Parse Terraform files for providers/modules (auto-handles dependencies) | `bash scripts/extract_tf_info_wrapper.sh <path>` |
| `extract_tf_info.py` | Core parser (requires python-hcl2) | Use wrapper instead |
| `run_checkov.sh` | Wrapper for Checkov scans with enhanced output | `bash scripts/run_checkov.sh <path>` |
| `install_checkov.sh` | Install Checkov in isolated venv | `bash scripts/install_checkov.sh install` |

## Reference Documentation

**MUST READ during validation workflow:**

| Reference | When to Read | Content |
|-----------|--------------|---------|
| `references/security_checklist.md` | Before security scan | Security validation, Checkov/Trivy usage, common policies, remediation patterns |
| `references/best_practices.md` | During validation | Project structure, naming conventions, module design, state management |
| `references/common_errors.md` | When errors occur | Error database with causes and solutions |
| `references/advanced_features.md` | If Terraform >= 1.10 | Ephemeral values (1.10+), Actions (1.14+), List Resources (1.14+) |

## Workflow Examples

### Example 1: Validate Single File

```
1. MUST: bash scripts/extract_tf_info_wrapper.sh main.tf
2. MUST: Context7 lookup for each provider detected
3. MUST: Read references/security_checklist.md
4. MUST: Read references/best_practices.md
5. RUN: terraform fmt -check main.tf
6. RUN: terraform init (if needed) && terraform validate
7. MUST: bash scripts/run_checkov.sh -f main.tf
8. Report issues with remediation from references
9. If custom providers: WebSearch for documentation
```

### Example 2: Full Module Validation

```
1. Identify all .tf files in directory
2. MUST: bash scripts/extract_tf_info_wrapper.sh ./modules/vpc/
3. MUST: Context7 lookup for ALL providers
4. MUST: Read references/security_checklist.md
5. MUST: Read references/best_practices.md
6. RUN: terraform fmt -recursive
7. RUN: tflint --recursive (or note as skipped if unavailable)
8. RUN: terraform init && terraform validate
9. MUST: bash scripts/run_checkov.sh ./modules/vpc/
10. Analyze findings against security_checklist.md
11. Validate structure against best_practices.md
12. Provide comprehensive report with references
```

### Example 3: Production Dry-Run

```
1. Verify terraform initialized
2. MUST: Read references/security_checklist.md (production focus)
3. RUN: terraform plan -var-file="production.tfvars"
4. Analyze for unexpected changes
5. Highlight create/modify/destroy operations
6. Flag security concerns (compare with security_checklist.md)
7. Recommend whether safe to apply
```

## Advanced Features

Terraform 1.10+ introduces ephemeral values for secure secrets management. Terraform 1.14+ adds Actions for imperative operations and List Resources for querying infrastructure.

**MUST READ:** `references/advanced_features.md` when:
- Terraform version >= 1.10 is detected
- Configuration uses `ephemeral` blocks
- Configuration uses `action` blocks
- Configuration uses `.tfquery.hcl` files

## Integration with Other Skills

- **k8s-yaml-validator** - For Terraform Kubernetes provider validation
- **helm-validator** - When Terraform manages Helm releases
- **k8s-debug** - For debugging infrastructure provisioned by Terraform

## Notes

- Always run validation in order: extract info → lookup docs → read refs → format → lint → validate → security → plan
- MUST use wrapper scripts for extract_tf_info and checkov
- MUST read reference files before relevant validation steps
- MUST lookup provider docs via Context7 for ALL providers
- MUST offer recovery/rerun when tools are missing
- Never commit without running terraform fmt
- Always review plan output before applying
- Use version constraints for all providers and modules
- Use remote state for team collaboration
- Enable state locking to prevent concurrent modifications

Related Skills

yaml-validator

16
from diegosouzapw/awesome-omni-skill

Comprehensive YAML syntax validation, error fixing, and schema validation for various formats (GitHub Actions, Docker Compose, Kubernetes, GitLab CI). Use when Claude needs to: (1) Validate YAML syntax, (2) Check YAML files for errors, (3) Fix common YAML formatting issues, (4) Validate against schemas like GitHub Actions workflows, Docker Compose files, Kubernetes manifests, or GitLab CI pipelines, (5) Debug YAML parsing errors. Triggers on phrases like "check yaml", "validate yaml", "fix yaml errors", "yaml syntax".

terraformer

16
from diegosouzapw/awesome-omni-skill

Terraformer tool for reverse-engineering existing cloud infrastructure into Terraform code. Import resources from AWS, Azure, GCP, Kubernetes, and other providers. Generate Terraform configurations from running infrastructure for migration, disaster recovery, and infrastructure documentation.

terraform-specialist

16
from diegosouzapw/awesome-omni-skill

Expert Terraform/OpenTofu specialist mastering advanced IaC automation, state management, and enterprise infrastructure patterns.

terraform-skill

16
from diegosouzapw/awesome-omni-skill

Terraform infrastructure as code best practices

terraform-platform-stack

16
from diegosouzapw/awesome-omni-skill

Terraform specialist for Platform as a Service Stack v3.0.0+. Expert in deterministic naming (MD5), RBAC role assignments (uuidv5), feature flag orchestration, time-based RBAC propagation, and anti-pattern detection. Always validates with Terraform Registry MCP before ANY code generation to ensure latest provider schemas and avoid deprecated attributes.

terraform-module-library

16
from diegosouzapw/awesome-omni-skill

Build reusable Terraform modules for AWS, Azure, and GCP infrastructure following infrastructure-as-code best practices. Use when creating infrastructure modules, standardizing cloud provisioning, ...

terraform-infrastructure

16
from diegosouzapw/awesome-omni-skill

Terraform infrastructure as code workflow for provisioning cloud resources, creating reusable modules, and managing infrastructure at scale.

terraform-engineer

16
from diegosouzapw/awesome-omni-skill

Use when implementing infrastructure as code with Terraform across AWS, Azure, or GCP. Invoke for module development, state management, provider configuration, multi-environment workflows, infrastructure testing.

terraform-diagrams

16
from diegosouzapw/awesome-omni-skill

Generates architecture diagrams from Terraform code. Use when user has .tf files or asks to visualize Terraform infrastructure.

terraform-azurerm-set-diff-analyzer

16
from diegosouzapw/awesome-omni-skill

Wave 5 migration placeholder for `awesome-copilot/terraform-azurerm-set-diff-analyzer` imported from antigravity-awesome-skills manifest.

terraform-aws-modules

16
from diegosouzapw/awesome-omni-skill

Terraform module creation for AWS — reusable modules, state management, and HCL best practices. Use when building or reviewing Terraform AWS infrastructure.

terraform-analyzer

16
from diegosouzapw/awesome-omni-skill

Specialized skill for analyzing Terraform configurations. Supports parsing, security scanning (tfsec, checkov), cost estimation (infracost), drift detection, and plan visualization across AWS, Azure, and GCP.