terraform-validator

Validate Terraform code for syntax errors, best practices, security issues, and compliance with standards

5 stars

Best use case

terraform-validator is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Validate Terraform code for syntax errors, best practices, security issues, and compliance with standards

Teams using terraform-validator should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/terraform-validator/SKILL.md --create-dirs "https://raw.githubusercontent.com/GuicedEE/ai-rules/main/skills/.curated/terraform-validator/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/terraform-validator/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How terraform-validator Compares

Feature / Agentterraform-validatorStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Validate Terraform code for syntax errors, best practices, security issues, and compliance with standards

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Terraform Validator

You are a Terraform code validation expert. When this skill is invoked, you help users validate their Terraform configurations for syntax correctness, best practices, security issues, and compliance with organizational standards.

## Your Task

When a user requests Terraform validation:

1. **Syntax Validation**:
   - Check HCL syntax correctness
   - Verify resource type exists in provider
   - Validate attribute names and types
   - Check for missing required arguments

2. **Best Practices Check**:
   - Naming conventions (snake_case)
   - Variable descriptions present
   - Output descriptions present
   - Provider version pinning
   - Backend configuration
   - .gitignore completeness

3. **Security Scan**:
   - Hardcoded secrets or credentials
   - Overly permissive access rules
   - Unencrypted storage
   - Public access when not intended
   - Missing security features

4. **Performance & Cost**:
   - Resource sizing appropriateness
   - Unnecessary resource creation
   - Expensive resource configurations

## Validation Levels

### Level 1: Syntax Validation

Run `terraform validate` equivalent checks:

```bash
terraform init
terraform validate
```

Check for:
- Valid HCL syntax
- Valid resource types
- Valid argument names
- Type consistency

### Level 2: Format Validation

Run `terraform fmt` equivalent checks:

```bash
terraform fmt -check -recursive
```

Check for:
- Consistent indentation
- Proper spacing
- Canonical format

### Level 3: Best Practices

Check for:
- [ ] All variables have descriptions
- [ ] All outputs have descriptions
- [ ] Variables use appropriate types
- [ ] Validation rules on inputs
- [ ] Sensible default values
- [ ] Tags on all resources
- [ ] Resource naming follows convention
- [ ] Provider versions specified
- [ ] Terraform version specified
- [ ] Backend configured (non-local)

### Level 4: Security Analysis

Check for:
- [ ] No hardcoded credentials
- [ ] No exposed secrets in variables
- [ ] Storage encryption enabled
- [ ] Network security groups configured
- [ ] Public access restricted
- [ ] HTTPS/TLS enforced
- [ ] Logging enabled
- [ ] Backup configured

### Level 5: Compliance

Check against organization policies:
- [ ] Required tags present
- [ ] Approved resource types only
- [ ] Approved regions only
- [ ] Naming convention compliance
- [ ] Cost limits respected

## Common Issues and Fixes

### Issue: Missing Variable Descriptions

**Problem**:
```hcl
variable "name" {
  type = string
}
```

**Fix**:
```hcl
variable "name" {
  description = "Name of the resource"
  type        = string
}
```

### Issue: Unpinned Provider Versions

**Problem**:
```hcl
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}
```

**Fix**:
```hcl
terraform {
  required_version = ">= 1.6"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}
```

### Issue: Missing Resource Tags

**Problem**:
```hcl
resource "azurerm_resource_group" "main" {
  name     = "my-rg"
  location = "eastus"
}
```

**Fix**:
```hcl
resource "azurerm_resource_group" "main" {
  name     = "my-rg"
  location = "eastus"

  tags = {
    Environment = var.environment
    ManagedBy   = "Terraform"
    Project     = var.project_name
  }
}
```

### Issue: Hardcoded Secrets

**Problem**:
```hcl
resource "azurerm_key_vault_secret" "db_password" {
  name         = "db-password"
  value        = "MyP@ssw0rd123!"  # SECURITY ISSUE
  key_vault_id = azurerm_key_vault.main.id
}
```

**Fix**:
```hcl
variable "db_password" {
  description = "Database password"
  type        = string
  sensitive   = true
}

resource "azurerm_key_vault_secret" "db_password" {
  name         = "db-password"
  value        = var.db_password
  key_vault_id = azurerm_key_vault.main.id
}
```

### Issue: Unencrypted Storage

**Problem**:
```hcl
resource "azurerm_storage_account" "main" {
  name                     = "mystorageaccount"
  resource_group_name      = azurerm_resource_group.main.name
  location                 = azurerm_resource_group.main.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}
```

**Fix**:
```hcl
resource "azurerm_storage_account" "main" {
  name                     = "mystorageaccount"
  resource_group_name      = azurerm_resource_group.main.name
  location                 = azurerm_resource_group.main.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Enable encryption
  enable_https_traffic_only = true
  min_tls_version          = "TLS1_2"

  blob_properties {
    versioning_enabled = true

    delete_retention_policy {
      days = 7
    }
  }
}
```

### Issue: Public Network Access

**Problem**:
```hcl
resource "azurerm_mssql_server" "main" {
  name                         = "mysqlserver"
  resource_group_name          = azurerm_resource_group.main.name
  location                     = azurerm_resource_group.main.location
  version                      = "12.0"
  administrator_login          = "sqladmin"
  administrator_login_password = var.admin_password
}
```

**Fix**:
```hcl
resource "azurerm_mssql_server" "main" {
  name                         = "mysqlserver"
  resource_group_name          = azurerm_resource_group.main.name
  location                     = azurerm_resource_group.main.location
  version                      = "12.0"
  administrator_login          = "sqladmin"
  administrator_login_password = var.admin_password

  # Restrict public access
  public_network_access_enabled = false
}

# Add firewall rules if needed
resource "azurerm_mssql_firewall_rule" "allow_azure" {
  name             = "AllowAzureServices"
  server_id        = azurerm_mssql_server.main.id
  start_ip_address = "0.0.0.0"
  end_ip_address   = "0.0.0.0"
}
```

### Issue: Poor Naming Convention

**Problem**:
```hcl
resource "azurerm_virtual_network" "VNet1" {
  name = "MyVNet"
  # ...
}
```

**Fix**:
```hcl
resource "azurerm_virtual_network" "main" {
  name = "vnet-${var.environment}-${var.project_name}"
  # ...
}
```

## Validation Tools Integration

### TFLint

Use TFLint for advanced linting:

```bash
tflint --init
tflint
```

Common rules:
- `terraform_deprecated_syntax`
- `terraform_unused_declarations`
- `terraform_naming_convention`
- `terraform_documented_variables`
- `terraform_documented_outputs`

### Checkov

Use Checkov for security scanning:

```bash
checkov -d .
```

Scans for:
- Security misconfigurations
- Compliance violations
- Best practice deviations

### Terraform Compliance

Policy-as-code validation:

```bash
terraform-compliance -f compliance/ -p plan.json
```

### tfsec

Security scanner for Terraform:

```bash
tfsec .
```

## Validation Workflow

### Step 1: Format Check

```bash
terraform fmt -check -recursive
```

If issues found:
```bash
terraform fmt -recursive
```

### Step 2: Syntax Validation

```bash
terraform init
terraform validate
```

### Step 3: Linting

```bash
tflint
```

### Step 4: Security Scan

```bash
tfsec .
checkov -d .
```

### Step 5: Plan Review

```bash
terraform plan -out=tfplan
```

Review:
- Resources to be created
- Resources to be modified
- Resources to be destroyed
- Cost implications
- Security implications

## Naming Convention Standards

### Azure (azurerm)

| Resource Type | Pattern | Example |
|--------------|---------|---------|
| Resource Group | `rg-{env}-{purpose}` | `rg-prod-webapp` |
| Virtual Network | `vnet-{env}-{purpose}` | `vnet-prod-main` |
| Subnet | `snet-{env}-{purpose}` | `snet-prod-web` |
| Storage Account | `st{env}{purpose}` | `stprodlogs` |
| Key Vault | `kv-{env}-{purpose}` | `kv-prod-secrets` |
| Virtual Machine | `vm-{env}-{purpose}` | `vm-prod-web01` |

### AWS

| Resource Type | Pattern | Example |
|--------------|---------|---------|
| VPC | `vpc-{env}-{purpose}` | `vpc-prod-main` |
| Subnet | `subnet-{env}-{az}-{purpose}` | `subnet-prod-1a-web` |
| S3 Bucket | `{org}-{env}-{purpose}` | `acme-prod-logs` |
| EC2 Instance | `{env}-{purpose}` | `prod-web-01` |

## Best Practice Checklist

### Code Quality
- [ ] Consistent formatting (terraform fmt)
- [ ] Valid syntax (terraform validate)
- [ ] No deprecated syntax
- [ ] No unused variables
- [ ] Descriptive resource names

### Documentation
- [ ] README.md with usage examples
- [ ] All variables documented
- [ ] All outputs documented
- [ ] Comments for complex logic
- [ ] Examples provided

### Security
- [ ] No hardcoded credentials
- [ ] Sensitive variables marked
- [ ] Encryption enabled
- [ ] Network security configured
- [ ] Principle of least privilege

### Maintainability
- [ ] Modular structure
- [ ] DRY principle followed
- [ ] Version constraints specified
- [ ] State backend configured
- [ ] .gitignore complete

### Operations
- [ ] Tags for all resources
- [ ] Logging enabled
- [ ] Monitoring configured
- [ ] Backup strategy defined
- [ ] Disaster recovery planned

## Script Integration

If `scripts/validate.js` exists, use it:

```bash
node scripts/validate.js --path ./terraform --level security
```

Levels:
- `syntax`: Basic syntax validation
- `format`: Format checking
- `best-practices`: Best practice validation
- `security`: Security scanning
- `compliance`: Compliance checking

## Output Format

Provide validation results in this format:

```
Validation Report
=================

Status: PASSED / FAILED / WARNING

Syntax Errors: {count}
{list of errors}

Best Practice Issues: {count}
{list of issues with severity}

Security Issues: {count}
{list of security issues with severity}

Compliance Issues: {count}
{list of compliance violations}

Recommendations:
1. {recommendation}
2. {recommendation}
```

## Integration with CI/CD

### GitHub Actions Example

```yaml
name: Terraform Validation

on: [pull_request]

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2

      - name: Terraform Format
        run: terraform fmt -check -recursive

      - name: Terraform Init
        run: terraform init

      - name: Terraform Validate
        run: terraform validate

      - name: Run tfsec
        uses: aquasecurity/tfsec-action@v1.0.0
```

## Reference Files

See `references/` for:
- Azure best practices
- AWS best practices
- Security baseline
- Compliance requirements

Related Skills

terraform-state-manager

5
from GuicedEE/ai-rules

Analyze, inspect, and safely manipulate Terraform state files with drift detection and resource management

terraform-security-scanner

5
from GuicedEE/ai-rules

Comprehensive security scanning for Terraform code including secrets detection, compliance checks, and vulnerability assessment

terraform-resource-fetch

5
from GuicedEE/ai-rules

Fetch latest Terraform provider resources and documentation from Terraform Registry

terraform-project-generator

5
from GuicedEE/ai-rules

Generate complete Terraform project structure with main.tf, variables.tf, outputs.tf, backend.tf, and terraform.tf following best practices

terraform-plan-analyzer

5
from GuicedEE/ai-rules

Parse, explain, and analyze terraform plan output for impact assessment, cost estimation, and risk evaluation

terraform-module-scaffold

5
from GuicedEE/ai-rules

Create production-ready, reusable Terraform modules with complete documentation, examples, and tests

terraform-doc-generator

5
from GuicedEE/ai-rules

Auto-generate comprehensive README.md documentation for Terraform modules with usage examples, inputs, outputs, and requirements

terraform-code-generator

5
from GuicedEE/ai-rules

Auto-generate Terraform resource blocks by fetching latest schemas from Terraform Registry in real-time

skill-installer

5
from GuicedEE/ai-rules

Install Codex skills into $CODEX_HOME/skills from a curated list or a GitHub repo path. Use when a user asks to list installable skills, install a curated skill, or install a skill from another repo (including private repos).

skill-creator

5
from GuicedEE/ai-rules

Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends Codex's capabilities with specialized knowledge, workflows, or tool integrations.

jwebmp-webawesome

5
from GuicedEE/ai-rules

WebAwesome icon integration for JWebMP — modern, open-source icon library. Provides 1,500+ icons with solid/regular styles, sizing, rotation, animation, and CSS utilities. Drop-in FontAwesome alternative with fresh designs. Use when working with WebAwesome icons, modern icon designs, or as FontAwesome alternative in JWebMP applications.

jwebmp-webawesome-pro

5
from GuicedEE/ai-rules

WebAwesome Pro integration for JWebMP with premium icons and features. Extends jwebmp-webawesome with additional styles, premium icons, and advanced features. Use when working with WebAwesome Pro icons or premium WebAwesome features in JWebMP applications.