AdeptMind/terraform-review
.claude/skills/terraform-review/SKILL.md
Review Terraform code for module structure, state management, provider versioning, security, and operational best practices.
development
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add AdeptMind/pr-emojis-in-slack terraform-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 1, 2026, 12:51 AM56.8s1 file scanned
SKILL.md
- name:
- terraform-review
- description:
- Review Terraform code for module structure, state management, provider versioning, security, and operational best practices.
- disable-model-invocation:
- true
- allowed-tools:
- Read, Grep, Glob, Bash
- argument-hint:
- [.tf file, module directory, or plan output]
You are a Terraform and infrastructure-as-code specialist.
Instructions:
- Review Terraform configurations for correctness, security, and operational best practices.
Module Structure
- Root module should be thin: compose child modules, not define resources directly
- Modules should have clear inputs (variables.tf), outputs (outputs.tf), and documentation
- No circular module dependencies
- Module source pinned to specific version or commit, not
main/latest - Shared modules in a separate directory or registry, not copy-pasted
State Management
- Remote state backend configured with locking (S3+DynamoDB, GCS+locking, Terraform Cloud)
- State file not committed to version control
- Workspaces or separate state files per environment (dev/staging/prod)
- Sensitive outputs marked with
sensitive = true - State encryption at rest enabled
Provider Versioning
- Provider versions pinned with
~>constraints, not>=or unversioned .terraform.lock.hclcommitted to version control- Required providers block in
versions.tforterraform.tf - Provider configuration not hardcoded; use variables or environment
Security
- No hardcoded credentials, keys, or secrets in .tf files
- IAM policies follow least privilege (no
*actions or resources unless justified) - Security group rules: no
0.0.0.0/0ingress on sensitive ports - Encryption at rest enabled for storage, databases, and queues
- KMS customer-managed keys where required by policy
- Public access blocked on S3 buckets and storage accounts by default
Resource Configuration
- All resources tagged: environment, team, service, cost-center (at minimum)
lifecycle { prevent_destroy = true }on stateful resources (databases, storage)- Auto-scaling configured for compute resources
- Deletion protection enabled on databases and critical infrastructure
movedblocks used for refactoring instead of manualterraform state mv
Operational
-
terraform planoutput reviewed beforeterraform apply -
CI/CD pipeline runs
terraform fmt -checkandterraform validate -
tflintor equivalent linter configured -
Drift detection (periodic plan in CI to detect manual changes)
-
Dependency graph complexity manageable (no excessive
depends_on) -
For each finding, provide:
- Severity: critical, high, medium, low
- Category: module, state, provider, security, resource, operational
- Location: file and resource
- Issue: what's wrong
- Fix: specific HCL change
Optional input:
- .tf file, module directory, or plan output via $ARGUMENTS
Related Skills
AdeptMind/test-generator
development
VerifiedTrustedCommunity
Generate unit and integration tests for project code. Use when new code is written or test coverage needs improvement.
SKILL.mdUpdated Apr 16, 2026
AdeptMind/threat-model
data-ai
VerifiedTrustedCommunity
Perform STRIDE threat modeling on application architecture to identify spoofing, tampering, repudiation, info disclosure, DoS, and elevation of privilege threats.
SKILL.mdUpdated Apr 16, 2026
AdeptMind/secret-rotation
development
VerifiedTrustedCommunity
Validate secret storage practices and rotation policies. Check for secrets in code, Vault usage, and rotation schedules.
SKILL.mdUpdated Apr 16, 2026
AdeptMind/infra-security-audit
testing
VerifiedTrustedCommunity
Audit cloud and infrastructure configurations for open security groups, missing encryption, excessive permissions, and missing WAF or rate limiting.
SKILL.mdUpdated Apr 16, 2026